Re: [mod-security-users] modsecurity on http-https redirect on apache
From: Christian F. <chr...@ne...> - 2021-03-18 08:08:14
Hey Franz,

ModSec works in multiple phases and the redirect is relatively early. In fact Mod_rewrite works in two phases IIRC and here it is faster than ModSec. The rule in question runs in phase 2 and that's relatively late.

You have 3 options:

- Forget about it. I mean who cares since the attack cannot affect you due to the redirect anyways.
- Implement the redirect in ModSecurity in ModSec phase 2 after the Core Rule Set include. (-> custom rule)
- Move the Redirect into the VH or potentially into the container if that is possible (have not done this in years). That might force Apache to execute it later and ModSec comes first. But you need to test this.

Best,

Christian

On Thu, Mar 18, 2021 at 08:54:18AM +0100, Franz Angeli wrote:
> Hi,
>
> Sorry but I'm new on modsecurity, I've installed a Debian Apache
> server with modsecurity with no custom rules for testing/learning.
>
> If I try to use:
>
> curl https://www.example.test/index.html?exec=/bin/bash
>
> all working fine with:
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access this resource.</p>
> </body></html>
>
> and on modsecurity log:
>
> Message: Warning. Matched phrase "bin/bash" at ARGS:exec. [file
> "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"]
> [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell
> Code Found"] [data "Matched
>
>
> On the same server I've configured a simple http to https redirection
> Redirect / https://www.example.test/
>
> with redirect the same test fails:
>
> redirects acts before modsecurity? How can I solve this?
>
> Thanks in advance
>
> Franz
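The second option from the reply (doing the redirect in ModSecurity phase 2 after the Core Rule Set), sketched as an added example that is not part of the original thread. It assumes ModSecurity v2 on Apache, that the CRS is loaded server-wide in blocking mode as the 403 in the question suggests, and a constructed rule id (10001).

```apache
# Added example, not from the thread.
# Assumptions: CRS is included in the server-wide ModSecurity configuration
# and blocks in phase 2; rule id 10001 is a constructed value from the
# range reserved for local rules.
<VirtualHost *:80>
    ServerName www.example.test

    # Removed: mod_alias answers the request before ModSecurity phase 2,
    # so the CRS rules never inspect the arguments on port 80.
    # Redirect / https://www.example.test/

    SecRuleEngine On

    # Unconditional phase 2 rule that issues the redirect (302 by default,
    # the same default status as "Redirect"). It has to be processed after
    # the CRS rules so that a request the CRS flags is denied first and only
    # unflagged requests reach the redirect. Verify this ordering on your
    # own setup, for instance by moving the rule directly after the CRS
    # Include lines if it is not honoured here.
    SecAction "id:10001,phase:2,nolog,redirect:https://www.example.test%{REQUEST_URI}"
</VirtualHost>
```

To check the result, repeat the curl test from the question against the `http://` URL: the request carrying `exec=/bin/bash` should be answered with 403 and logged under rule 932160, while a request without it should be redirected to HTTPS.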