Re: [mod-security-users] trac .sql file extension question
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] trac .sql file extension question
|
From: Chris C. <fc...@cn...> - 2008-01-28 18:16:07
|
Thanks Ryan,
This worked like a charm. I understand the logic better as well now.
On Mon, 2008-01-28 at 12:37 -0500, Ryan Barnett wrote:
> > -----Original Message-----
> > From: mod...@li... [mailto:mod-
> > sec...@li...] On Behalf Of Chris
> Cuevas
> > Sent: Monday, January 28, 2008 12:24 PM
> > To: modsec users
> > Subject: [mod-security-users] trac .sql file extension question
> >
> > Hi all,
> >
> > I have a trac site with mod_security that I maintain and I need to
> allow
> > some .sql files to be downloaded. With the core rules enabled I
> receive
> > the following error
> >
> > Message: Access denied with code 500 (phase 2). Pattern match "\
> > \.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|
> > ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|
> > i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|
> > l(?:icx|nk|og)|\\w{0,5}~|webinfo|ht[rw]|xs[dx ..." at
> > REQUEST_BASENAME.[id "960035"] [msg "URL file extension is restricted
> by
> > policy"][severity "CRITICAL"]
> >
> > I'm assuming this is triggered by the file extension .sql on these
> > files. What I would like to do is allow .sql files from a certian
> > directory to be downloaded; as these files are part of the database
> > migration for a new version of the project. What I've tried is adding
> > the following rules to modsecurity_crs_15_customrules.conf.
> >
> > SecRule REQUEST_URI "^/database/migrations/*.sql"
> > "chain,log,pass,ctl:ruleEngine=Off"
> > SecRule REQUEST_BASENAME "sql" "pass"
> >
> [Ryan Barnett] I would not recommend using the "ctl:ruleEngine=Off"
> action in this context as it would disable all other security checks
> (which may open you up to other attacks). The main issue is that you
> don't want that one rule to trigger for ".sql" file in that one
> directory, right? I would suggest the following -
> http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
>
> Put this in your modsecurity_crs_60_customrules.conf file -
>
> <Location "/database/migrations/">
> SecRuleRemoveById 960035
>
> SecRule REQUEST_BASENAME
> "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|o
> l|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?
> :d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ys)|l(?:icx|nk|o
> g)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
> "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL
> file extension is restricted by policy', severity:'2',id:'1'"
> </Location>
>
> This rule set will disable the current Core Rule ID 960035 for that
> directory. I will then apply a new rule with an updated RegEx (that
> excludes the check for the .sql extension).
>
> > I think I'm close I'm just missing something. Could anyone point me
> in
> > the right direction?
> [Ryan Barnett] The main problem with your test chained rule was that was
> using the "pass" action which only passes on the current rule. You
> probably were thinking more along the lines of "allow." Test out my
> example rule above and let me know if it works for you.
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
--
+==================================================================+
| Christopher Cuevas |
| FCLA Open Systems Group |
| fclcac (at) cns (dot) ufl (dot) edu |
+------------------------------------------------------------------+
gpg fingerprint = CB8E B1B5 43DE 94C9 AFA8 8E89 6B1F 3546 87E0 DCF0
|