Hi,

 

I am tuning mod_security 1.8.7 on Red Hat 3.0 Upgrade 5 (2.4.21-32.ELsmp) + Apache 2.0.54 + webmail (uebimiau).

 

From my own webmail, when sending a message, if a string entered in the configuration file appears in the body of the message, the message is rejected. For example:

 

In file mod_security.conf:

 

SecFilterDefaultAction "deny,log,status:403"

. . . . .

. . . . .

Secfilter /bin/chmod

 

In the body of the mail message:

“this is a example for the string /bin/chmod”

 

This generates the following log:

 

========================================

UNIQUE_ID: jFn6LMCoyZgAABlCGDoAAAAr

Request: 192.168.207.1 - - [28/Oct/2005:10:48:06 +0200] "POST /webmail/newmsg.php HTTP/1.0" 403 220

Handler: php-script

----------------------------------------

POST /webmail/newmsg.php HTTP/1.0

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: https://correo.pruebas.es/webmail/newmsg.php?pag=1&folder=inbox&sid={4361E2260EA50-4361E2261386F-1130488358}&tid=0&lid=0

Accept-Language: es

Content-Type: application/x-www-form-urlencoded

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)

Host: correo.cajamar.es

Content-Length: 363

Cache-Control: no-cache

Cookie: {4361E2260EA50-4361E2261386F-1130488358}=%7B4361E2260EA50-4361E2261386F-1130488358%7D

mod_security-message: Access denied with code 403. Pattern match "/bin/chmod" at POST_PAYLOAD

mod_security-action: 403

 

363

tipo=send&is_html=true&sid=%7B4361E2260EA50-4361E2261386F-1130488358%7D&lid=0&tid=0&folder=inbox&sig=Tomas+Hidalgo%3Cbr+%2F%3E%0D%0A%28c%29+2005&textmode=&to=thidalgo@tecnologia.cajamar.es&cc=&bcc=&subject=prueba3&body=%3CBR%3Een+el+cuerpo+del+mensaje+aparece+la+palabra+%2Fbin%2Fchmod%3CBR%3E--%3CBR%3ETomas+Hidalgo%3CBR%3E%28c%29+2005%3CBR%3E%3CBR%3E&priority=3

 

HTTP/1.0 403 Forbidden

Content-Length: 220

Connection: close

Content-Type: text/html; charset=iso-8859-1

 

Questions:

 

1) Is it possible to prevent mod_security from checking the body of the message?

2) Is it coherent to use mod_security with a webmail? I have not found any positive or negative reference.

 

Many thanks for your help.

 

 

 

Tomás Hidalgo Salvador

thidalgo@tecnologia.cajamar.es

Dpto. Sistemas Unix

DSF Almariya

Almeria – Andalucia - Spain
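
Added example (not part of the original message, and not mod_security's own code): a small Python model of why the request in the log above was blocked, and of what exempting a single form field from the check would change. The function names, the `skip` parameter and the second sample request are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Shortened copy of the POST body from the audit log above
# (some fields dropped, encoding unchanged).
PAYLOAD = ("tipo=send&is_html=true&folder=inbox&subject=prueba3"
           "&body=%3CBR%3Een+el+cuerpo+del+mensaje+aparece+la+palabra+"
           "%2Fbin%2Fchmod%3CBR%3E&priority=3")

# Constructed request: same pattern, but in a field that is not the mail body.
OTHER = "tipo=send&folder=%2Fbin%2Fchmod&body=hola&priority=3"

PATTERN = re.compile(r"/bin/chmod")  # the string from the SecFilter line


def whole_payload_match(payload, pattern=PATTERN):
    """Model of a filter applied to the entire URL-decoded POST payload."""
    return pattern.search(unquote_plus(payload)) is not None


def per_field_matches(payload, pattern=PATTERN, skip=()):
    """Model of a filter applied field by field, with some fields exempted.

    Returns the names of the fields in which the pattern was found.
    """
    hits = []
    for name, value in parse_qsl(payload, keep_blank_values=True):
        if name in skip:
            continue  # exempted field: free text typed by the user
        if pattern.search(value):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # The logged request matches as a whole, and only because of "body".
    print("whole payload blocked:", whole_payload_match(PAYLOAD))
    print("fields that match:", per_field_matches(PAYLOAD))
    # With "body" exempted the mail goes through ...
    print("body exempted:", per_field_matches(PAYLOAD, skip=("body",)))
    # ... while the same string in another field is still caught.
    print("other field:", per_field_matches(OTHER, skip=("body",)))
```

The model shows the trade-off behind question 1: a pattern applied to the whole payload cannot tell free text in the mail body from the same string in a control field, while a per-field check that exempts only `body` keeps inspecting every other parameter.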