Re: [mod-security-users] Problem executing PHP script as filter action
From: David B. Jr. <db...@gm...> - 2006-04-26 15:32:59
On 4/26/06, Ivan Ristic <iva...@gm...> wrote:
>
>
> Also, can you try executing some other script that is not PHP? PHP has
> some built-in security "logic" (need I say that it's faulty?) that
> attempts to detect if it's run as a CGI script (and then stops
> executing if it does).
>
> If you increase the debug log level you might get more information
> about the execution.
>

Thanks. I just finished trying a bash script to send me an email. It looks
like this:

#!/bin/bash
/bin/mail -s "My subject" db...@xx... <<EOF
This is a test email.
EOF

Its permissions are:

[root@cp mod_sec]# ls -l report-attack.sh
-rwxr-xr-x 1 root root 93 Apr 26 10:34 report-attack.sh

The permissions on /bin/mail are:

[root@cp mod_sec]# ls -l /bin/mail
-rwxr-xr-x 1 root mail 66492 Jun 24 2001 /bin/mail

Again, I have no problems doing this from the command line, it's just when
mod_sec tries to do it. Our apache is not chrooted nor are we using the
mod_sec chroot path.

I increased the debug level to 9 and there were no error messages, just its
normal stuff.

Another interesting thing I noticed was that the error code returned is 403,
but it should be 500 as the default is set:

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

Any ideas why it would be giving a different error code for this rule with
an exec on it as well?

Here is the entire entry from the audit log:

==4124522d==============================
Request: REMOVED xx.xx.xx.xx - - [26/Apr/2006:10:33:55 -0400] "GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1" 403 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2" RE@E0woBlkYAAEUAj4k "-"
Handler: mod_gzip_handler
----------------------------------------
GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: max-age=0
Connection: keep-alive
Cookie: REMOVED
Host: REMOVED
Keep-Alive: 300
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
mod_security-executed: /usr/local/mod_sec/report-attack.sh

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--4124522d--

Thanks for your help, I'm really at a loss to the problem.

(resending this because I didn't hit reply to all)
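Added example, not part of the original message or of mod_security itself: a small Python parser for an audit-log entry in the layout shown above, pulling out the mod_security-* fields so the logged deny status can be compared with the SecFilterDefaultAction status and the exec path read back. The function names and the trimmed sample entry are assumptions made for illustration.

```python
import re

# Constructed sample: the audit-log entry from the message above, trimmed to
# the lines the parser reads (most request/response headers dropped).
SAMPLE_ENTRY = """\
==4124522d==============================
Request: REMOVED xx.xx.xx.xx - - [26/Apr/2006:10:33:55 -0400] "GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1" 403 219
Handler: mod_gzip_handler
----------------------------------------
GET /index.php?act=rssout&id=1&/bin/davetest HTTP/1.1
Host: REMOVED
mod_security-message: Access denied with code 403. Pattern match "/bin/davetest" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
mod_security-executed: /usr/local/mod_sec/report-attack.sh

HTTP/1.1 403 Forbidden
Connection: Keep-Alive
--4124522d--
"""

def parse_entry(text):
    """Return the mod_security-* fields and response status of one entry."""
    lines = text.strip().splitlines()
    m = re.fullmatch(r"==(\w+)=+", lines[0])
    if not m or lines[-1] != "--%s--" % m.group(1):
        raise ValueError("not a complete audit-log entry")
    entry = {"id": m.group(1), "response_status": None}
    for line in lines[1:-1]:
        if line.startswith("mod_security-"):
            key, _, value = line.partition(": ")
            entry[key[len("mod_security-"):]] = value
        elif entry["response_status"] is None and re.match(r"HTTP/\d\.\d \d{3}\b", line):
            # Response status line; the request line starts with the method instead.
            entry["response_status"] = int(line.split()[1])
    return entry

def review(entry, default_status):
    """Hypothetical helper: note what the entry records about the rule that fired."""
    notes = []
    action = entry.get("action")
    if action and action.isdigit() and int(action) != default_status:
        notes.append("rule denied with %s, not the default %d" % (action, default_status))
    if "executed" in entry:
        # The field only names the script; the entry shown carries no exit status.
        notes.append("exec recorded for " + entry["executed"])
    return notes
```

Calling `review(parse_entry(SAMPLE_ENTRY), 500)` reports both the 403-versus-500 difference and the script path from mod_security-executed.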