On 4/26/06, Ivan Ristic <ivan.ristic@gmail.com > wrote:

Also, can you try executing some other script that is not PHP? PHP has
some built-in security "logic" (need I say that it's faulty?) that
attempts to detect if it's run as a CGI script (and then stops
executing if it does).

If you increase the debug log level you might get more information
about the execution.

Thanks. I just finished trying a bash script to send me an email. It looks like this:


/bin/mail -s "My subject" dbrieck@xxxxx.com <<EOF
This is a test email.


It's permissions are:

[root@cp mod_sec]# ls -l report-attack.sh
-rwxr-xr-x    1 root     root           93 Apr 26 10:34 report-attack.sh

The permissions on /bin/mail are:

[root@cp mod_sec]# ls -l /bin/mail
-rwxr-xr-x    1 root     mail        66492 Jun 24  2001 /bin/mail

Again, I have no problems doing this from the command line, it's just when mod_sec tries to do it. Our apache is not chrooted nor are we using the mod_sec chroot path.

I increased the dubug level to 9 and there were no error messages, just it's normal stuff. Another interesting thing I noticed was that the error code returned is 403, but it should be 500 as the default is set:

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

Any ideas why it would be giving a different error code for this rule with an exec on it as well? Here is the entire entry from the audit log:

Request: REMOVED xx.xx.xx.xx - - [26/Apr/2006:10:33:55 -0400] "GET /index.php?act=rssout&amp;id=1&/
bin/davetest HTTP/1.1" 403 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060308 Firefox/1.
5.0.2" RE@E0woBlkYAAEUAj4k "-"
Handler: mod_gzip_handler
GET /index.php?act=rssout&amp;id=1&/bin/davetest HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q= 0.5
Cache-Control: max-age=0
Connection: keep-alive
Keep-Alive: 300
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060308 Firefox/

mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
mod_security-executed: /usr/local/mod_sec/report- attack.sh

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Thanks for your help, I'm really at a loss to the problem.

(resending this because i didn't hit reply to all)