[Mod-security-rules] UPM (Universal Password Manager) and ModSecurity
From: Davide M. <da...@ms...> - 2018-02-05 15:01:03
Hi Friends, I'm using UPM (Universal Password Manager: http://upm.sourceforge.net/) on my VPS and all works fine (upload, sync, delete, etc.) except on Android. Adrian, the UPM developer, has made two PHP scripts to put in the same directory: https://github.com/adrian/upm-swing/tree/master/server/http.

The problem is that enabling ModSecurity (version: libapache2-modsecurity 2.8.0-3, modsecurity-crs 2.2.9-1) stops the upload script (upload.php). Here is the log:

  [Sun Feb 04 13:12:05.641064 2018] [:error] [pid 27440] [client 1.2.3.4] ModSecurity: Multipart parsing error (init): Multipart: Invalid boundary in C-T (characters). [hostname "www.mydomain.org"] [uri "/xyz/upload.php"] [unique_id "GAKgHkFRgJKOhHIjHUHgffhh"]
  [Sun Feb 04 13:12:06.153142 2018] [:error] [pid 27440] [client 1.2.3.4] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "61"] [id "200002"] [msg "Failed to parse request body."] [data "Multipart: Invalid boundary in C-T (characters)."] [severity "CRITICAL"] [hostname "www.mydomain.org"] [uri "/xyz/upload.php"] [unique_id "GAKgHkFRgJKOhHIjHUHgffhh"]

Obviously I have absolutely no intention of disabling ModSecurity, so I wondered how to permit *only* the *upload.php* execution, in short, the safest way.

The first way I found was to insert in .htaccess, where I've set the Apache2 password authentication too:

  SecRuleRemoveById 200002

or:

  <LocationMatch "/(deletefile\.php|upload\.php)">
    SecRuleRemoveById 200002
    SecRequestBodyAccess Off
  </LocationMatch>

or:

  <IfModule security2_module>
    SecRuleRemoveById 200002
  </IfModule>

but in each of these modes all upload processes are blocked. So I've added to my specific domain VirtualHost config file:

  <LocationMatch /xyz/upload.php>
    SecRuleEngine Off
  </LocationMatch>

Finally, I'm able to sync from desktop and from Android too.

My question is (since we are talking about password management software): *Is such an approach safe enough?*

Many many thanks!

Davide
Italy

--
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e
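As an added illustration (not part of Davide's post and not ModSecurity's code): the first log line is raised by ModSecurity's multipart parser when it rejects the boundary parameter of the request's Content-Type header, and rule 200002 then only reports that verdict through REQBODY_ERROR. The checker below applies the RFC 2046 boundary grammar (assumed here to be the character set the 2.8.0 parser enforces) to constructed sample headers; feeding it the Content-Type the Android client really sends would show which characters are being refused.

```python
"""Check a multipart Content-Type boundary against RFC 2046 (constructed example).

Assumption: ModSecurity 2.8.0's "Invalid boundary in C-T (characters)" error
corresponds to the RFC 2046 boundary grammar; this is not the parser's own code.
"""

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from
# DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"
# plus space, and it must not end with a space.
_BCHARS_NOSPACE = set("0123456789"
                      "abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                      "'()+_,-./:=?")


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart/form-data Content-Type, or None."""
    mtype, _, params = content_type.partition(";")
    if mtype.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]  # quoted-string form is allowed by RFC 2046
            return value
    return None


def boundary_problems(boundary):
    """Return a list of RFC 2046 violations for the boundary (empty list means valid)."""
    if boundary is None:
        return ["no boundary parameter"]
    problems = []
    if not 1 <= len(boundary) <= 70:
        problems.append("length %d not in 1..70" % len(boundary))
    if boundary.endswith(" "):
        problems.append("trailing space")
    bad = sorted({c for c in boundary if c != " " and c not in _BCHARS_NOSPACE})
    if bad:
        problems.append("characters not allowed: %r" % "".join(bad))
    return problems


# Constructed sample headers: one browser-style boundary and two that violate the grammar.
SAMPLES = {
    "browser": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "brackets": "multipart/form-data; boundary=[constructed-bad-boundary]",
    "too_long": "multipart/form-data; boundary=" + "x" * 71,
}


def check_samples():
    """Map each constructed sample to its list of problems."""
    return {name: boundary_problems(extract_boundary(ct)) for name, ct in SAMPLES.items()}


if __name__ == "__main__":
    for name, probs in check_samples().items():
        print(name, "OK" if not probs else "; ".join(probs))
```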