Re: [mod-security-users] mod_security blocking many PHPMyAdmin functions
From: Kai S. <mai...@co...> - 2006-05-22 22:49:19
Ivan Ristic wrote on Mon, 22 May 2006 09:56:32 +0100:

Thanks for your answer!

> Surely you mean to say your ModSecurity *configuration* blocks the
> PHPMyAdmin pages? :)

Well, ultimately it is mod_security, but you are right, it's of course how it is configured ;-)

I took the rules from http://www.gotroot.com/mod_security+rules, but don't use all of them. I removed the blacklist ones and similar stuff, since they took too much memory for my taste. I also commented out one or two rules from the other files. I didn't change anything else or add my own rules.

> Rule IDs are applied either to rules (single line) or rule chains
> (multiple lines). Rule 300016 is a chained rule thus exclusion applies
> to the second line too.

That's what I thought, too. But since it didn't seem to do this in this case I wasn't sure, and I'm very new to mod_security. Maybe it's just a different rule that gets triggered and I'm looking at the wrong one. (Yes, see below.)

> BTW, you should exclude all rules related to SQL Injection in order to
> get PHPMyAdmin to work properly.

Yes, I understand that. I had hoped that's already been done in the rules from gotroot. At least it's got started by excluding tbl_change.php.

> What is the error message that you get?

I can't reproduce the problem with "tbl_change.php" at the moment, but I get it with sql.php from PHPMyAdmin. I tried to add that page to the exclusions (exclude.conf), but this didn't work. So, here we go:

> mod_security-message: Access denied with code 406. Pattern match
> "select.+from" at REQUEST_URI [severity "EMERGENCY"]
> mod_security-action: 406

The match is correct, it contains a "select ... from" statement. (BTW, no other method to find the correct rule than searching for the pattern, right?)

The only match for this is in rules.conf:

> SecFilterSelective REQUEST_URI "!(/forum/posting\.php)"
> "chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection
> protection'"
> SecFilterSelective ARGS
> "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"

(I don't see that "msg" anywhere, though. It's not in the audit.log and not in the HTTP error page. Shouldn't it get logged instead of or in addition to the message quoted above, at least to the audit log?)

Ok, it's not this rule that hit. That also explains why the message wasn't noted above. I searched all the rules files but I didn't search the main mod_security.conf that (I think) came with mod_security. There are these rules:

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

and it's the last one that gets triggered. It seems all three rules are encompassed by the SQL Injection rules in rules.conf as quoted in my first posting. So, if I keep rules.conf I could probably delete those three, right?

I added an exclusion for sql.php now and that seems to work. If I wanted to add an exclusion for the simple rule above I would do this like that:

SecFilter "select.+from" "id:uniqueid,rev:x,severity:x,msg:'message'"

Is that correct?

BTW, while viewing over the documentation I found some links to your webkreator.com site and read some of the old PHP articles. However, the Techniques section doesn't show the single articles, there seems to be some error with the template.

I'm now trying to understand how the chaining works. Documentation doesn't say anything about finishing it so I suppose the chaining works only for the next line after the chain action? Is it limited to one line or can I add more lines to a chain by adding the chain action to all of them except the last one? A brief look over the gotroot rules doesn't reveal any chains over more than two lines, so more lines are either not supported or not necessary in most cases.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
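A ModSecurity 1.x configuration fragment, added here as an illustration and not part of the thread or of the gotroot rule set, that puts the three points of the message together: a narrowly scoped exclusion for sql.php placed ahead of the filters, the single-line "crude" filter given an id/rev/severity/msg so it can be identified in the log, and the two-line chain in the same form as the gotroot rule quoted above. The /phpmyadmin path prefix and the 9000xx rule IDs are assumptions.

```apache
# Added example (not from the thread or the gotroot rules). ModSecurity 1.x
# syntax; the /phpmyadmin path and the 9000xx IDs are assumed values.

# 1. Exclusion for phpMyAdmin's sql.php, whose query string legitimately
#    carries "SELECT ... FROM". It must come BEFORE the filters it is meant
#    to bypass: 1.x evaluates rules in configuration order, and "allow"
#    stops rule processing for the request.
#    Keep the pattern anchored and specific: "allow" skips every later rule
#    for the matching request, so a loose pattern (e.g. just "phpmyadmin")
#    would exempt far more than this one script from all filtering.
SecFilterSelective REQUEST_URI "^/phpmyadmin/sql\.php" "allow,nolog,id:900001,rev:1,msg:'phpMyAdmin sql.php: SQL in the query string is expected here'"

# 2. The single-line filter from mod_security.conf, now with an id, rev,
#    severity and msg in the same comma-separated action list format the
#    chained gotroot rule uses, so the audit log names the rule that fired.
SecFilter "select.+from" "id:900002,rev:1,severity:2,msg:'Crude SQL injection filter: select ... from'"

# 3. A chain. As in the gotroot rule quoted in the message, "chain" and the
#    other actions (id, rev, severity, msg) sit on the first line; the next
#    line is evaluated only when the first one matched and carries only its
#    own variable and pattern. The request is denied only if both match.
SecFilterSelective REQUEST_URI "!(/forum/posting\.php)" "chain,id:900003,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
```

Because the exclusion in (1) leaves sql.php unfiltered, access to that path should be restricted by authentication or source address at the web-server level, which the exclusion itself does not provide.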