On 21.02.2015 at 14:55, Fernando Sandiego wrote:
> Harald,
>
> I'll tell you the IDs but I think it doesn't make any difference to the fact that disabling these only for the admin backend does not work with the way I tried or the way you mentioned. The reason why I wanted to disable modsecurity only for the admin path is that the path is really cryptic and secret. And I would need to check every functionality in the backend to ensure that no false positives are popping up and I wanted to accept the risk due to the mitigating security measures. Nevertheless, as requested, these IDs get triggered when I edit a Magento Block and save it:
I asked for an ordinary Apache error log entry looking like the one below,
and the *most interesting part* is (phase 1) or (phase 2).
If they are phase 1 rules you have no chance to disable them, as I repeatedly
mentioned, and you need to change those rules to phase:2; the reason is
simply that phase:1 hits long before <Location> is processed.
[Sat Feb 21 15:21:02.507822 2015] [:error] [pid 6269] [client
65.49.14.55] ModSecurity: Access denied with code 400 (phase 1). String
match "ARGS:sid" at MATCHED_VAR. [file
"/etc/httpd/modsecurity.d/99_protected_vars.conf"] [line "7"] [id "131"]
[msg "out of range"] [data "ARGS:sid"] [hostname "****"] [uri
"/index.php"] [unique_id "VOiUTgoAAAYAABh9wxYAAAAB"]
> modsecurity_crs_41_sql_injection_attacks.conf - id "981231" - "SQL Comment Sequence Detected."
> 2x modsecurity_crs_41_sql_injection_attacks.conf - id "950901" - "SQL Injection Attack: SQL Tautology Detected."
> modsecurity_crs_41_sql_injection_attacks.conf - id "981248" - "Detects chained SQL injection attempts 1/2"
> modsecurity_crs_41_sql_injection_attacks.conf - id "981240" - "Detects MySQL comments, conditions and ch(a)r injections"
> modsecurity_crs_41_xss_attacks.conf - id "973338" - "XSS Filter - Category 3: Javascript URI Vector"
> modsecurity_crs_41_xss_attacks.conf - id "958034" "Execution error - PCRE limits exceeded (-8): (null)"
> modsecurity_crs_41_xss_attacks.conf - id "973300" - "Possible XSS Attack Detected - HTML Tag Handler"
> modsecurity_crs_41_xss_attacks.conf - id "973302" - "Execution error - PCRE limits exceeded (-8): (null)."
> modsecurity_crs_41_xss_attacks.conf - id "973304" - "XSS Attack Detected"
> modsecurity_crs_41_xss_attacks.conf - id "973306" - "XSS Attack Detected"
> modsecurity_crs_41_xss_attacks.conf - id "973326" - Execution error - PCRE limits exceeded (-8): (null).
> modsecurity_crs_41_xss_attacks.conf - id "973335" - Execution error - PCRE limits exceeded (-8): (null).
> modsecurity_crs_41_xss_attacks.conf - id "973334" - Execution error - PCRE limits exceeded (-8): (null).
> modsecurity_crs_41_xss_attacks.conf - id "973344" - Execution error - PCRE limits exceeded (-8): (null).
> modsecurity_crs_41_xss_attacks.conf - id "973332" - Execution error - PCRE limits exceeded (-8): (null).
> modsecurity_crs_41_xss_attacks.conf - id "973316" - Execution error - PCRE limits exceeded (-8): (null).
> modsecurity_crs_41_xss_attacks.conf - id "950020" - Execution error - PCRE limits exceeded (-8): (null).
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2019299" - "SLR: Land Down Under (LDU) index.php c Parameter SQL Injection"
> modsecurity_slr_46_sqli_attacks.conf - id "2034459" - "SLR: WF-Snippets Module for XOOPS index.php c Parameter SQL Injection"
> modsecurity_slr_46_sqli_attacks.conf - id "2034459" - "SLR: WF-Snippets Module for XOOPS index.php c Parameter SQL Injection"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2034473" - "SLR: wfquotes Module for XOOPS index.php c Parameter SQL Injection"
> modsecurity_slr_46_sqli_attacks.conf - id "2034473" - "SLR: wfquotes Module for XOOPS index.php c Parameter SQL Injection"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2035424" - "SLR: PNphpBB2 Module for PostNuke index.php c Parameter SQL Injection"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2040206" - "SLR: EvilBoard index.php c Parameter SQL Injection"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2049501" - "SLR: YourFreeWorld Shopping Cart Script index.php c Parameter SQL Injection"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2049598" - "SLR: YourFreeWorld Shopping Cart Script index.php c Parameter SQL Injection"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2052476" - ..
> modsecurity_slr_46_sqli_attacks.conf - id "2061347"
> modsecurity_slr_46_sqli_attacks.conf - id "2061347"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2064697"
> 2x modsecurity_slr_46_sqli_attacks.conf - id "2095842"
> 4x modsecurity_slr_46_sqli_attacks.conf - id "2030829"
> 3x modsecurity_slr_46_sqli_attacks.conf - id "2040207"
> 4x modsecurity_slr_46_sqli_attacks.conf - id "2052122"
> 4x modsecurity_slr_46_sqli_attacks.conf - id "2059190"
> modsecurity_slr_46_sqli_attacks.conf - id "2059190"
> modsecurity_crs_60_correlation.conf - id "981204"
>
> On 20.02.2015 at 20:15, Reindl Harald <h.r...@th...> wrote:
>
>> you need to at least post the rule IDs and the phase which hit!
>> they are usually in the Apache error log
>>
>> On 20.02.2015 at 20:01, Fernando Sandiego wrote:
>>> Harald,
>>>
>>> thanks for your response. Even if I try to remove some of the false positives only with the ID, your example unfortunately does not work.
>>>
>>> Best regards
>>> Fernando
>>>
>>> On 20.02.2015 at 17:26, Reindl Harald <h.r...@th...> wrote:
>>>
>>>>
>>>> On 20.02.2015 at 17:11, Fernando Sandiego wrote:
>>>>> I want to disable modsecurity only for the administration interface of Magento (e-commerce software) but somehow it seems to be a little bit more complicated than expected... I use CRS rules and the commercial rules from Trustwave and both have a lot of problems when I use the administration interface.
>>>>>
>>>>> Due to mod_rewrite the admin interface has the path: https://www.domain.com/index.php/fancysecretpath/
>>>>> mod_rewrite redirects all requests to index.php via .htaccess which is mandatory for my website setup.
>>>>> Rule in .htaccess:
>>>>> RewriteRule .* index.php [L]
>>>>>
>>>>> I created a whitelist file, loaded it after all the other rules (CRS and commercial Trustwave rules). I tried the following to disable modsecurity only for the Magento admin interface path:
>>>>>
>>>>> <LocationMatch "/index.php/fancysecretpath/">
>>>>> SecRuleEngine Off
>>>>> </LocationMatch>
>>>>>
>>>>> Unfortunately this doesn't work. I still get a lot of errors. The errors I get from the audit_log also indicate that I selected the correct path, although I think this might be an issue due to the mod_rewrite...:
>>>>
>>>> do not try to disable modsec completely for the admin backend; in that case you can remove mod_security completely
>>>>
>>>> * normally modsec logs are also in the access log mentioning
>>>> the rule and phase
>>>> * I miss that information in your whole post
>>>> * phase 1 rules can't be disabled that easily
>>>>
>>>>
>>>> something like below works on a RHEL7 server with Magento for all phase 2 rules, and since you did not mention which rules hit I can only guess that these are among the rules we removed completely years ago because of too much trouble
>>>>
>>>> <LocationMatch "^/index\.php/admin/(.*)/">
>>>> SecRuleRemoveById 12345
>>>> </LocationMatch>
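To make the phase problem discussed in this thread concrete, here is an added configuration example (not from either poster's server). It shows the per-path SecRuleRemoveById block Harald describes, using rule IDs from Fernando's list, and, going one step beyond the thread, a phase:1 rule that uses ctl:ruleRemoveById and therefore has to be loaded before the CRS rather than in a whitelist file loaded after everything else. The rule id 1000001 and the Include path are assumptions; the admin path is the one from the thread.

```apache
# Added example for ModSecurity 2.x on Apache; not the posters' own config.

# Option A (what the thread recommends): remove specific rules only below
# the admin path. Apache applies <Location>/<LocationMatch> after phase 1
# has already run, so only phase:2 (and later) rules are affected here.
# IDs taken from the false-positive list posted in the thread.
<LocationMatch "^/index\.php/fancysecretpath/">
    SecRuleRemoveById 981231 950901 981248 981240
    SecRuleRemoveById 973338 973300 973304 973306
</LocationMatch>

# Option B: a phase:1 rule evaluated at run time for every request.
# ctl:ruleRemoveById drops the named rules for the current transaction,
# but it only reaches rules that are loaded AFTER this one, so this must
# sit in front of the CRS Include, not in a whitelist loaded at the end.
# Because it runs in phase 1, it can also reach later phase 1 rules.
# id 1000001 is a hypothetical local ID; pick one outside the CRS ranges.
SecRule REQUEST_URI "@beginsWith /index.php/fancysecretpath/" \
    "id:1000001,phase:1,t:none,nolog,pass,\
    ctl:ruleRemoveById=981231,\
    ctl:ruleRemoveById=950901,\
    ctl:ruleRemoveById=981248,\
    ctl:ruleRemoveById=981240"

# Assumed location of the rule set; adjust to the distribution's layout.
Include modsecurity.d/activated_rules/*.conf
```

REQUEST_URI is the URI from the request line, so the internal mod_rewrite to index.php does not change what Option B matches; after a change, confirm in the error log that the blocked rule's phase and id no longer appear for requests below the admin path.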