Re: [mod-security-users] Upgrade to owasp-coreruleset 4.13.0
Brought to you by:
victorhora,
zimmerletw
From: Monah B. <mon...@gm...> - 2025-04-06 13:19:03
|
No custom rules. What I did is I renamed my owasp 4.13.0 to a different folder and moved my owasp crs 4.8.0 back to its original folder, restarted apache and from another machine typed the following: curl -I https://osisolutions.net/index.php?f=/../../../../../etc/passwd root@waf:/usr/local/etc/modsecurity # tail -f /var/log/httpd/osisolutions-error_log [Sun Apr 06 09:10:54.062738 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?i)(?:[/\\\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\\\.(?:%0[01]|\\\\?)?|\\\\?\\\\.?|%(?:2( ..." at REQUEST_URI_RAW. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "53"] [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"] [Sun Apr 06 09:10:54.063066 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?i)(?:[/\\\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\\\.(?:%0[01]|\\\\?)?|\\\\?\\\\.?|%(?:2( ..." at ARGS:f. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "53"] [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within ARGS:f: /../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"] [Sun Apr 06 09:10:54.063240 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"] [Sun Apr 06 09:10:54.063389 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"] Went and reverted back my owasp 4.13.0 folder and ran the same curl command and got [Sun Apr 06 09:12:38.731325 2025] [security2:error] [pid 47228] [client 71.126.165.145:57026] ModSecurity: Access denied with code 500 (phase 1). Operator EQ matched 0 at TX. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"] [line "64"] [id "901001"] [msg "CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"] [ver "OWASP_CRS/4.13.0"] [tag "OWASP_CRS"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9xiNCfPcpnd_qywN4xQAAAAA"] On Sun, Apr 6, 2025 at 9:08 AM <az...@po...> wrote: > Are you using any custom rules or CRS modifications? > > > > > > Citát Monah Baki <mon...@gm...>: > > > Hi Ervin, > > > > Here is he output > > root@waf:/usr/local/etc/apache24 # grep -A12 900990 > > /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf > > "id:900990,\ > > phase:1,\ > > pass,\ > > t:none,\ > > nolog,\ > > tag:'OWASP_CRS',\ > > ver:'OWASP_CRS/4.13.0',\ > > setvar:tx.crs_setup_version=4130" > > > > As far as my apache using > > /usr/local/etc/apache24/modules.d/280_mod_security.conf, I am sure > because > > if I were to comment > > LoadModule unique_id_module libexec/apache24/mod_unique_id.so > > LoadModule security2_module /usr/local/modsecurity/lib/mod_security2.so > > > > I get > > > > root@waf:/home/mbaki # apachectl restart > > Performing sanity check on apache24 configuration: > > AH00526: Syntax error on line 97 of > > /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf: > > Invalid command 'SecDefaultAction', perhaps misspelled or defined by a > > module not included in the server configuration > > > > Thanks > > Monah > > > > On Sun, Apr 6, 2025 at 4:54 AM Ervin Hegedüs <ai...@gm...> wrote: > > > >> Hi Monan, > >> > >> > >> On Sat, Apr 05, 2025 at 04:02:09PM -0400, Monah Baki wrote: > >> > > >> > ls /usr/local/etc/modsecurity/owasp-modsecurity-crs > >> > crs-setup.conf > >> > >> as Christian wrote this is very strange. > >> > >> Anyway, > >> > >> are you sure your engine use this file? > >> > >> > cat /usr/local/etc/apache24/modules.d/280_mod_security.conf > >> > >> could you replace this line: > >> > >> > IncludeOptional > >> /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf > >> > >> by this one: > >> > >> Include /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf > >> > >> so just remote the "Optional" string. > >> > >> And could you show us the output of this command? > >> > >> grep -A12 900990 > >> /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf > >> > >> > >> Thanks, > >> > >> > >> a. > >> > >> > >> > >> _______________________________________________ > >> mod-security-users mailing list > >> mod...@li... > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users > >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > >> http://www.modsecurity.org/projects/commercial/rules/ > >> http://www.modsecurity.org/projects/commercial/support/ > >> > > > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |