mod-security-developers Mailing List for ModSecurity (Page 28)
Brought to you by: victorhora, zimmerletw
From: Alan S. <ala...@ac...> - 2012-08-13 14:38:47
Ok, I'll see your patch and give a return to you!!! Thanks!!!

Regards,
Alan

On Monday, August 13, 2012 at 7:37 AM, yorkng zhuo wrote:

> Hi Alan,
> Thanks for the reply. I will post patches on the list gradually; just my opinion, maybe not a bug.
>
> Regards,
>
> Yorkng
>
> On Sat, Aug 11, 2012 at 8:45 AM, Alan Silva <ala...@ac...> wrote:
> > Hi Zhuo,
> >
> > I'm one of the NGINX mod security developers. Please send your patch directly to me or to the list for review.
> >
> > Regards,
> >
> > Alan
> >
> > On Friday, August 10, 2012 at 5:47 AM, yorkng zhuo wrote:
> > > Hi, all
> > > I am testing modsecurity for nginx (source from the svn). I found many bugs in it and I want to commit patches, but JIRA doesn't have the project (mod for nginx). How can I?
> > > ------------------------------------------------------------------------------
> > > Live Security Virtual Conference
> > > Exclusive live event will cover all the ways today's security and
> > > threat landscape has changed and how IT managers can respond. Discussions
> > > will include endpoint security, mobile security and the latest in malware
> > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > > _______________________________________________
> > > mod-security-developers mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > > ModSecurity Services from Trustwave's SpiderLabs:
> > > https://www.trustwave.com/spiderLabs.php
From: Bill R. <con...@ho...> - 2012-08-13 14:30:15
I can confirm that setting the App Pool setting of "Enable 32-Bit Applications" to True does work. Thanks for your help guys.

Bill

From: gwr...@ho...
To: mod...@li...
Date: Fri, 10 Aug 2012 18:37:32 -0700
Subject: Re: [Mod-security-developers] [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

I have a fix for this issue. There were a number of underallocations in the IIS module leading to nondeterministic heap corruptions. The 32-bit version worked for me with this specific rule, but given the nature of the bug nothing is guaranteed.

Greg

> From: Bill Roemhild [mailto:con...@ho...]
> Sent: Friday, August 10, 2012 9:38 AM
> To: Greg Wroblewski (SPARROW); Ryan Barnett
> Cc: owa...@li...
> Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
>
> Maybe I should be asking if anyone else has been able to get this to work.
From: yorkng z. <yor...@gm...> - 2012-08-13 10:37:30
Hi Alan,
Thanks for the reply. I will post patches on the list gradually; just my opinion, maybe not a bug.

Regards,

Yorkng

On Sat, Aug 11, 2012 at 8:45 AM, Alan Silva <ala...@ac...> wrote:

> Hi Zhuo,
>
> I'm one of the NGINX mod security developers. Please send your patch directly to me or to the list for review.
>
> Regards,
>
> Alan
>
> On Friday, August 10, 2012 at 5:47 AM, yorkng zhuo wrote:
>
> > Hi, all
> > I am testing modsecurity for nginx (source from the svn). I found many bugs in it and I want to commit patches, but JIRA doesn't have the project (mod for nginx). How can I?
From: yorkng z. <yor...@gm...> - 2012-08-13 10:23:53
Hello all,

I'm testing ModSecurity nginx on Ubuntu 12.04, nginx version 1.1.20. When I use curl like this: curl http://localhost/secret, the nginx worker process crashes. I used gdb to debug it; the trouble spot is here, in 2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:

----------------------------------------
392     ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
393     ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: %s", req->request_body->bufs);
394
395     if(status == DECLINED)
----------------------------------------

When a GET request has no body, req->request_body->bufs is undefined, like this:

-----------------------------------------
Starting program: /opt/modsec-2.7-iis-nginx/sbin/nginx
[Thread debugging using libthread_db enabled]

Breakpoint 1, ngx_http_modsecurity_access_handler (req=0x942100) at /home/yorkng/project/svn/nginxsec/branch/nsafe/src/addon/2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:392
warning: Source file is more recent than executable.
392         ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
(gdb) p req->request_body->bufs
Cannot access memory at address 0x8
(gdb)
------------------------------------------

My patch to resolve it is below:

--- nginx/modsecurity/ngx_http_modsecurity_module.c (revision 2018)
+++ nginx/modsecurity/ngx_http_modsecurity_module.c (working copy)
@@ -390,19 +390,25 @@
     ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "status: %d", status);
     ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
-    ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: %s", req->request_body->bufs);
+    if (req->headers_in.content_length) {
+        ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: %s", req->request_body->bufs);
+    }
+    else {
+        ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: ");
+    }
 
     if(status == DECLINED) {
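Review bot: the guard in the `+` lines tests `req->headers_in.content_length`, but the gdb session above faults at address 0x8, which is what a field read through a NULL `req->request_body` pointer looks like, and a Content-Length header does not guarantee that `request_body` has been allocated at the moment the log line runs (the body read has only just been started with `ngx_http_dummy_payload_handler` as its completion handler), so the crash can still be reached. Check the pointers themselves, e.g. `if (req->request_body != NULL && req->request_body->bufs != NULL) { ... }`, and consider logging from the completion handler instead. Also confirm that `bufs` really is a NUL-terminated string before passing it to `%s`; if it is a buffer chain, the format is wrong regardless of the guard.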
From: Breno S. <bre...@gm...> - 2012-08-11 23:13:16
Hello,

Anybody running modsecurity under Sun OS? Want to make sure the build system is working.

Thanks
Breno
From: Alan S. <ala...@ac...> - 2012-08-11 02:18:16
Yes, I will be merging and testing with my changes and will pass them on to the 2.7 branch.

[ ]'s
Alan

On Friday, August 10, 2012 at 10:34 PM, Greg Wroblewski wrote:

> We managed to show for Black Hat that an nginx version is certainly possible and our prototype could do a few things, but it is still in an experimental stage.
>
> We could certainly use some help in bringing it to a usable state. I think that we will add the nginx version to JIRA eventually, but for now if you could share your changes we would merge them next week (while merging all versions into a single 2.7 branch).
>
> Greg
>
> > Message: 3
> > Date: Fri, 10 Aug 2012 16:47:03 +0800
> > From: yorkng zhuo <yor...@gm...>
> > Subject: [Mod-security-developers] how can i Involved in the project
> > that modsecurity for nginx
> > To: mod...@li...
> > Message-ID: <CAKV5U6=Vxzbcp8QS=cdehj=LRP...@ma...>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi, all
> > I am testing modsecurity for nginx (source from the svn). I found many bugs in it and I want to commit patches, but JIRA doesn't have the project (mod for nginx). How can I?
From: Greg W. <gwr...@ho...> - 2012-08-11 01:37:40
I have a fix for this issue. There were a number of underallocations in the IIS module leading to nondeterministic heap corruptions. The 32-bit version worked for me with this specific rule, but given the nature of the bug nothing is guaranteed.

Greg

> From: Bill Roemhild [mailto:con...@ho...]
> Sent: Friday, August 10, 2012 9:38 AM
> To: Greg Wroblewski (SPARROW); Ryan Barnett
> Cc: owa...@li...
> Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
>
> Maybe I should be asking if anyone else has been able to get this to work.
From: Greg W. <gwr...@ho...> - 2012-08-11 01:34:13
We managed to show for Black Hat that an nginx version is certainly possible and our prototype could do a few things, but it is still in an experimental stage.

We could certainly use some help in bringing it to a usable state. I think that we will add the nginx version to JIRA eventually, but for now if you could share your changes we would merge them next week (while merging all versions into a single 2.7 branch).

Greg

> Message: 3
> Date: Fri, 10 Aug 2012 16:47:03 +0800
> From: yorkng zhuo <yor...@gm...>
> Subject: [Mod-security-developers] how can i Involved in the project
> that modsecurity for nginx
> To: mod...@li...
> Message-ID: <CAKV5U6=Vxzbcp8QS=cdehj=LRP...@ma...>
> Content-Type: text/plain; charset="utf-8"
>
> Hi, all
> I am testing modsecurity for nginx (source from the svn). I found many bugs in it and I want to commit patches, but JIRA doesn't have the project (mod for nginx). How can I?
From: Alan S. <ala...@ac...> - 2012-08-11 00:46:08
Hi Zhuo,

I'm one of the NGINX mod security developers. Please send your patch directly to me or to the list for review.

Regards,

Alan

On Friday, August 10, 2012 at 5:47 AM, yorkng zhuo wrote:

> Hi, all
> I am testing modsecurity for nginx (source from the svn). I found many bugs in it and I want to commit patches, but JIRA doesn't have the project (mod for nginx). How can I?
From: Bill R. <con...@ho...> - 2012-08-10 18:58:37
Moving.

From: RBa...@tr...
To: Gre...@mi...; con...@ho...; BP...@tr...
CC: owa...@li...
Date: Fri, 10 Aug 2012 13:11:16 -0500
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

Should probably move this discussion to the mod-security-developers list and then report back a fix.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: "Greg Wroblewski (SPARROW)" <Gre...@mi...>
Date: Fri, 10 Aug 2012 12:38:14 -0500
To: Bill Roemhild <con...@ho...>, Ryan Barnett <rba...@tr...>, Breno Silva Pinto <BP...@tr...>
Cc: "owa...@li..." <owa...@li...>
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

I see a problem. Even when permissions are correct, the code reads the file, but then it crashes.

Breno,

This is all happening in:

static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg)

with crash:

>   libapr-1.dll!apr_pool_cleanup_kill(apr_pool_t * p, const void * data, int (void *)* cleanup_fn)  Line 2270  C
    libapr-1.dll!apr_file_close(apr_file_t * file)  Line 501  C
    ModSecurityIIS.dll!msre_op_pmFromFile_param_init(msre_rule * rule, char * * error_msg)  Line 1384  C

Here:

    while (c) {
#if APR_POOL_DEBUG
        /* Some cheap loop detection to catch a corrupt list: */
        if (c == c->next
            || (c->next && c == c->next->next)
            || (c->next && c->next->next && c == c->next->next->next)) {
            abort();
        }
#endif
        if (c->data == data && c->plain_cleanup_fn == cleanup_fn) {    <-- CRASH

I cannot figure out what's wrong, but I'll keep looking.

Greg

From: Bill Roemhild [mailto:con...@ho...]
Sent: Friday, August 10, 2012 9:38 AM
To: Greg Wroblewski (SPARROW); Ryan Barnett
Cc: owa...@li...
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

Maybe I should be asking if anyone else has been able to get this to work.

From: con...@ho...
To: gre...@mi...; rba...@tr...
Date: Fri, 10 Aug 2012 08:47:39 -0700
CC: owa...@li...
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

There is not an entry listed in the event log for a missing file. I gave "IIS AppPool\DefaultAppPool" full control over the data files as I'm using IIS 7.5. Same result. I also tried adding "Network Service", even though I'm pretty sure that is wrong. Still no love.

Bill

From: Gre...@mi...
To: RBa...@tr...; con...@ho...
CC: owa...@li...
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
Date: Thu, 9 Aug 2012 23:21:55 +0000

This is really an APR bug (we should report it or create a workaround), but the problem is in the file permissions. Read access to everyone is not enough; proper ACLs must be set as well. When the file does not exist this error gets logged in the event log:

Syntax error in config file c:\inetpub\wwwroot\test.conf, line 47: Error creating rule: Could not open phrase file "c:\inetpub\wwwroot\modsecurity_35_scanners.data": The system cannot find the file specified.

So you can see when it's a permission issue or a path issue.

Greg

From: Ryan Barnett [mailto:RBa...@tr...]
Sent: Thursday, August 9, 2012 2:45 PM
To: Bill Roemhild
Cc: owa...@li...; Greg Wroblewski (SPARROW)
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2

You might want to try and specify a full path to the .data file.

--
Ryan Barnett
Researcher Lead
Trustwave - SpiderLabs

On Aug 9, 2012, at 5:39 PM, Bill Roemhild <con...@ho...> wrote:

I've been playing around with modsecurity 2.7.0-RC2 for IIS along with the OWASP rules. When running any rule set that calls for a data file through @pmFromFile the application pool crashes. I've given read access to 'Everyone' on the data files being read without success. Anyone else run into this problem?

Rule:

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
    "phase:2,rev:'2.2.5',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"

Crash:

w3wp.exe 7.5.7601.17514 4ce7afa2 libapr-1.dll 1.4.5.0 500eaf34 c0000005 00000000000099f8 1e08 01cd7675752af369 c:\windows\system32\inetsrv\w3wp.exe C:\Windows\system32\inetsrv\libapr-1.dll b4147ab9-e268-11e1-82b3-4437e66c2115

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owa...@li...
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Delta Y. <del...@gm...> - 2012-08-10 10:26:25
Please post your patches on the list, so others can review them.

2012/8/10 yorkng zhuo <yor...@gm...>:
> Hi, all
> I am testing modsecurity for nginx (source from the svn). I found many bugs in it and I want to commit patches, but JIRA doesn't have the project (mod for nginx). How can I?
From: yorkng z. <yor...@gm...> - 2012-08-10 08:47:13
Hi, all

I am testing modsecurity for nginx (source from the svn). I found many bugs in it and I want to commit patches, but JIRA doesn't have the project (mod for nginx). How can I?
From: Breno S. P. (JIRA) <no...@mo...> - 2012-08-07 17:44:35
[ https://www.modsecurity.org/tracker/browse/MODSEC-326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-326.
--------------------------------------

    Resolution: Fixed

Done. Thanks

> SecRuleUpdateTargetById
> -----------------------
>
>                 Key: MODSEC-326
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-326
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Rules
>    Affects Versions: 2.7.0
>         Environment: Ubuntu
>            Reporter: Jerome Freilinger
>            Assignee: Breno Silva Pinto
>            Priority: High
>             Fix For: 2.7.0
>
>         Attachments: patch.txt
>
>   Original Estimate: 30 minutes
>  Remaining Estimate: 30 minutes
>
> The SecRuleUpdateTargetById command is mixing up the rule list of all phases.
> The line 120 in apache2/re.c "rules[j++] = rules[i];" is copying the pointer of some rules to the beginning of the rules-array without paying attention to the chains of the rules.
> What is the purpose of this line? For me line 120 should be removed.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
From: Parthasarathi K. <par...@ya...> - 2012-08-07 04:01:18
If the rule file contains SecAuditLog and provides the file name, and there is no SecAuditLogStorageDir (it is not mandatory), it creates audit.log as the directory instead of creating it as the index file.

SecRuleEngine On
SecAuditEngine On
SecAuditLogType concurrent
SecAuditLog audit.log
SecAuditLogParts ABCFHZ

The behaviour is different with SecAuditLog ./audit.log. The issue is with the file_dirname(msr->mp, "audit.log") function: it returns "audit.log", whereas file_dirname(msr->mp, "./audit.log") correctly returns "." as the directory. Should it not return "." even on file_dirname(msr->mp, "audit.log")?

Thanks
Partha
From: Greg W. <gwr...@ho...> - 2012-08-03 18:25:37
Please follow the installation steps and troubleshooting described here:

https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#Installation_for_Microsoft_IIS

Greg
From: Breno S. P. (JIRA) <no...@mo...> - 2012-08-03 10:46:35
[ https://www.modsecurity.org/tracker/browse/MODSEC-324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-324.
--------------------------------------

    Resolution: Fixed

> ModSecurity: Loaded PCRE do not match with compiled!
> ----------------------------------------------------
>
>                 Key: MODSEC-324
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-324
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>    Affects Versions: 2.6.7
>         Environment: CentOS 6 x86_64, Apache 2.4.2
>            Reporter: Boris Senker
>            Assignee: Breno Silva Pinto
>             Fix For: 2.6.7
>
>
> I can't figure this out, had it working flawlessly with httpd 2.2 and --with-pcre=/usr...
>
> [root@om SPECS]# rpm -qa|grep pcre
> pcre-devel-7.8-4.el6.x86_64
> pcre-7.8-4.el6.x86_64
> [root@om SPECS]# rpm -qf /lib64/libpcre.so.0
> pcre-7.8-4.el6.x86_64
> [root@om SPECS]#
> [root@om SPECS]# ldd `which httpd` |grep pcre
> libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f2a23b18000)
> [root@om SPECS]# ldd /etc/httpd/modules/mod_security2.so|grep pcre
> libpcre.so.0 => /lib64/libpcre.so.0 (0x00007fe8ee185000)
> [root@om SPECS]#
>
> httpd.spec: --with-pcre=/usr/bin/pcre-config \
> mod_security-art.spec: -with-pcre=/usr/bin/pcre-config
>
> [Thu Aug 02 22:57:12.000927 2012] [:notice] [pid 30453:tid 140488856004416] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
> [Thu Aug 02 22:57:12.000934 2012] [:notice] [pid 30453:tid 140488856004416] ModSecurity: PCRE compiled version="7.08"; loaded version="7.8 2008-09-05"
> [Thu Aug 02 22:57:12.000942 2012] [:warn] [pid 30453:tid 140488856004416] ModSecurity: Loaded PCRE do not match with compiled!
>
> httpd.conf:
> LoadFile /usr/lib64/libpcre.so
> LoadModule security2_module lib64/httpd/modules/mod_security2.so
>
> [root@om SPECS]# rpmbuild -ba mod_security-art.spec > modsec
> [rpmbuild shell trace of the mod_security-art.spec build; its configure line is:]
> + ./configure --build=x86_64-unknown-linux-gnu --host=x86_64-unknown-linux-gnu --target=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --disable-pcre-match-limit --disable-pcre-match-limit-recursion -with-pcre=/usr/bin/pcre-config
> [root@om SPECS]#
>
> rpmbuild -ba httpd.spec:
> ...
> checking for pcre-config... /usr/bin/pcre-config
> configure: Using external PCRE library from /usr/bin/pcre-config
>   setting PCRE_INCLUDES to ""
>   setting PCRE_LIBS to "-lpcre"
>
> The server wasn't tainted by source installs, crystal clean

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
From: Breno S. <bre...@gm...> - 2012-08-03 00:21:22
True. I will consider working with %s.

On Thu, Aug 2, 2012 at 6:53 PM, Peter Heimann <hei...@we...> wrote:
> On 08/03/2012 01:04 AM, Breno Silva wrote:
> > I reverted it.
> >
> > Are you sure your idea will prevent 8.2 and 8.02 being considered equal?
> > Let me check in the lib pcre history if 8.2 means (two) or twenty :)
>
> As far as I can see, there hasn't been a version 8.2.
>
> For all versions up to PCRE 7.9, the minor version did not have leading
> zeroes, and the ModSecurity 2.6.6 comparison is correct. The original
> ModSecurity 2.6.7 code adds a leading zero in these cases, and breaks
> the comparison ("7.9" turned into "7.09", although the version _is_
> identical).
>
> For PCRE 8.00, 8.01, 8.02 my previous proposal does not fix the problem
> completely. Furthermore, we don't know whether PCRE will use versions
> 9.0, 9.1, 9.2, ... or 9.00, 9.01, 9.02, ... in the future.
>
> As the PCRE code itself uses string concatenation to build the
> pcre_version() return string, I feel we need to do away with "%d" and
> use string operations as well:
>
> pcre_vrs = apr_psprintf(mp,"%s.%s ", PCRE_MAJOR, PCRE_MINOR);
>
> (This will still produce a warning for PCRE prerelease versions, though.)
>
> --
> Peter Heimann
From: Peter H. <hei...@we...> - 2012-08-02 23:53:24
On 08/03/2012 01:04 AM, Breno Silva wrote:
> I reverted it.
>
> Are you sure your idea will prevent 8.2 and 8.02 being considered equal?
> Let me check in the lib pcre history if 8.2 means (two) or twenty :)

As far as I can see, there hasn't been a version 8.2.

For all versions up to PCRE 7.9, the minor version did not have leading zeroes, and the ModSecurity 2.6.6 comparison is correct. The original ModSecurity 2.6.7 code adds a leading zero in these cases, and breaks the comparison ("7.9" turned into "7.09", although the version _is_ identical).

For PCRE 8.00, 8.01, 8.02 my previous proposal does not fix the problem completely. Furthermore, we don't know whether PCRE will use versions 9.0, 9.1, 9.2, ... or 9.00, 9.01, 9.02, ... in the future.

As the PCRE code itself uses string concatenation to build the pcre_version() return string, I feel we need to do away with "%d" and use string operations as well:

pcre_vrs = apr_psprintf(mp,"%s.%s ", PCRE_MAJOR, PCRE_MINOR);

(This will still produce a warning for PCRE prerelease versions, though.)

--
Peter Heimann
From: Breno S. <bre...@gm...> - 2012-08-02 23:10:03
Let me check in the lib pcre history if 8.2 means (two) or twenty :)

On Thu, Aug 2, 2012 at 6:04 PM, Breno Silva <bre...@gm...> wrote:
> I reverted it.
>
> Are you sure your idea will prevent 8.2 and 8.02 being considered equal?
>
> Thanks
>
> Breno
>
> On Thu, Aug 2, 2012 at 4:08 PM, Peter Heimann <hei...@we...> wrote:
>>
>> Breno Silva wrote:
>> > Can you send me your warning message?
>> >
>> > We applied it to avoid version mismatch like 8.2 == 8.02
>>
>> Example warning (5.0 compiled in and loaded):
>>
>> [notice] ModSecurity: PCRE compiled version="5.00"; loaded version="5.0
>> 13-Sep-2004"
>> [warn] ModSecurity: Loaded PCRE do not match with compiled!
>>
>> pcre_version() is implemented as
>> XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE)
>>
>> I propose to use in ModSecurity:
>>
>> pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR);
>>
>> (note the space, which prevents "8.2 " and "8.20" from being considered
>> equal).
>>
>> --
>> Peter Heimann
From: Breno S. <bre...@gm...> - 2012-08-02 23:04:29
I reverted it.

Are you sure your idea will prevent 8.2 and 8.02 being considered equal?

Thanks

Breno

On Thu, Aug 2, 2012 at 4:08 PM, Peter Heimann <hei...@we...> wrote:
>
> Breno Silva wrote:
> > Can you send me your warning message?
> >
> > We applied it to avoid version mismatch like 8.2 == 8.02
>
> Example warning (5.0 compiled in and loaded):
>
> [notice] ModSecurity: PCRE compiled version="5.00"; loaded version="5.0
> 13-Sep-2004"
> [warn] ModSecurity: Loaded PCRE do not match with compiled!
>
> pcre_version() is implemented as
> XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE)
>
> I propose to use in ModSecurity:
>
> pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR);
>
> (note the space, which prevents "8.2 " and "8.20" from being considered
> equal).
>
> --
> Peter Heimann
From: Breno S. <bre...@gm...> - 2012-08-02 22:56:13
Hello everybody,

I applied a patch in ModSecurity 2.6.7 to fix a pcre mismatch warning message, but it is not the best way to make it. So since this is a minor issue I decided to revert it and build a new tarball and upload it again to SourceForge.

Thanks for your comprehension.

Breno Silva

On Wed, Aug 1, 2012 at 8:47 AM, Breno Silva <bre...@gm...> wrote:
> The ModSecurity Development Team is pleased to announce the availability
> of ModSecurity 2.6.7 Release.
>
> The stability of this release must be good and it includes some bug fixes.
> We added a new ctl:ruleRemoveTargetById to replace ctl:ruleUpdateTargetById
> that will be removed from the code soon.
> Please see the release notes included in the CHANGES file.
>
> For known problems and more information about bug fixes, please see the
> online ModSecurity Jira.
> Please report any bug to mod...@li....
>
> Thanks
>
> Breno Silva
From: Peter H. <hei...@we...> - 2012-08-02 21:08:56
Breno Silva wrote:
> Can you send me your warning message?
>
> We applied it to avoid version mismatch like 8.2 == 8.02

Example warning (5.0 compiled in and loaded):

[notice] ModSecurity: PCRE compiled version="5.00"; loaded version="5.0 13-Sep-2004"
[warn] ModSecurity: Loaded PCRE do not match with compiled!

pcre_version() is implemented as
XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE)

I propose to use in ModSecurity:

pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR);

(note the space, which prevents "8.2 " and "8.20" from being considered equal).

--
Peter Heimann
From: Breno S. <bre...@gm...> - 2012-08-02 13:24:50
Can you send me your warning message?

We applied it to avoid version mismatch like 8.2 == 8.02

Thanks

Breno

On Thu, Aug 2, 2012 at 2:20 AM, Peter Heimann <hei...@we...> wrote:
> The PCRE version check produces spurious warnings
> (x.0 does not match x.00).
>
> % diff modsecurity-apache_2.6.6/apache2/mod_security2.c
> modsecurity-apache_2.6.7/apache2/mod_security2.c
> 87c87
> < pcre_vrs = apr_psprintf(mp,"%d.%d", PCRE_MAJOR, PCRE_MINOR);
> ---
> > pcre_vrs = apr_psprintf(mp,"%d.%02d", PCRE_MAJOR, PCRE_MINOR);
>
> The comparison in line 93
> if (strstr(pcre_version(),pcre_vrs) == NULL) {
> fails for single-digit minor versions.
>
> I think the change in line 87 should be reverted.
>
> --
> Peter Heimann
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
From: Peter H. <hei...@we...> - 2012-08-02 07:20:20
The PCRE version check produces spurious warnings (x.0 does not match x.00).

% diff modsecurity-apache_2.6.6/apache2/mod_security2.c modsecurity-apache_2.6.7/apache2/mod_security2.c
87c87
< pcre_vrs = apr_psprintf(mp,"%d.%d", PCRE_MAJOR, PCRE_MINOR);
---
> pcre_vrs = apr_psprintf(mp,"%d.%02d", PCRE_MAJOR, PCRE_MINOR);

The comparison in line 93
if (strstr(pcre_version(),pcre_vrs) == NULL) {
fails for single-digit minor versions.

I think the change in line 87 should be reverted.

--
Peter Heimann
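Review bot: the one-line change at 87c87 trades one failure for another under the strstr() comparison quoted from line 93. With "%d.%02d" the compiled-in string for PCRE 7.9 becomes "7.09", which the "7.9 ..." string pcre_version() returns never contains, so every single-digit minor version warns spuriously; reverting to "%d.%d" cures that but leaves the substring check accepting "8.2" inside "8.20". Suggest terminating the formatted string with the space that separates version from date in pcre_version() (e.g. `"%d.%d "`), or building it from the stringified PCRE_MAJOR/PCRE_MINOR tokens the way pcre_version() itself does, so that a leading zero in the minor number survives the comparison.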
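The following added example (not ModSecurity's code) runs each format discussed in this thread through the strstr() check to show which version pairs it accepts or rejects; snprintf stands in for apr_psprintf, the loaded-version strings are constructed samples in pcre_version()'s layout, and DEMO_PCRE_MAJOR/DEMO_PCRE_MINOR are stand-ins for the PCRE_MAJOR/PCRE_MINOR macros of pcre.h.

```c
#include <stdio.h>
#include <string.h>

/* The strstr check from mod_security2.c line 93: the compiled-in string
 * must occur somewhere inside what the loaded pcre_version() returns. */
static int versions_match(const char *compiled, const char *loaded)
{
    return strstr(loaded, compiled) != NULL;
}

/* The numeric formats from the thread; snprintf stands in for apr_psprintf. */
static const char *fmt_266(char *buf, size_t n, int major, int minor)
{   /* ModSecurity 2.6.6: "%d.%d"   -> "8.2" is also found inside "8.20" */
    snprintf(buf, n, "%d.%d", major, minor);
    return buf;
}
static const char *fmt_267(char *buf, size_t n, int major, int minor)
{   /* ModSecurity 2.6.7: "%d.%02d" -> 7.9 becomes "7.09", never found */
    snprintf(buf, n, "%d.%02d", major, minor);
    return buf;
}
static const char *fmt_space(char *buf, size_t n, int major, int minor)
{   /* proposal: "%d.%d " -> the trailing space stops "8.2" matching "8.20" */
    snprintf(buf, n, "%d.%d ", major, minor);
    return buf;
}
/* Format with one of the functions above, then run the strstr check. */
static int check_numeric(const char *(*fmt)(char *, size_t, int, int),
                         int major, int minor, const char *loaded)
{
    char buf[16];
    return versions_match(fmt(buf, sizeof buf, major, minor), loaded);
}

/* Stringifying the macro tokens, as pcre_version() itself does, keeps the
 * leading zero of minor versions such as 02, which every %d format drops.
 * DEMO_PCRE_MAJOR/MINOR are stand-ins for PCRE_MAJOR/PCRE_MINOR in pcre.h. */
#define STRING(s) #s
#define XSTRING(s) STRING(s)
#define DEMO_PCRE_MAJOR 8
#define DEMO_PCRE_MINOR 02
#define COMPILED_VERSION_STR XSTRING(DEMO_PCRE_MAJOR.DEMO_PCRE_MINOR) " "

int main(void)
{   /* loaded strings below are constructed samples in pcre_version() layout */
    printf("2.6.6 7.9  vs 7.9 : %d\n", check_numeric(fmt_266, 7, 9, "7.9 2009-01-01"));
    printf("2.6.7 7.09 vs 7.9 : %d\n", check_numeric(fmt_267, 7, 9, "7.9 2009-01-01"));
    printf("2.6.6 8.2  vs 8.20: %d\n", check_numeric(fmt_266, 8, 2, "8.20 2011-01-01"));
    printf("space 8.2  vs 8.20: %d\n", check_numeric(fmt_space, 8, 2, "8.20 2011-01-01"));
    printf("space 8.2  vs 8.02: %d\n", check_numeric(fmt_space, 8, 2, "8.02 2010-01-01"));
    printf("macro %s vs 8.02: %d\n", COMPILED_VERSION_STR, versions_match(COMPILED_VERSION_STR, "8.02 2010-01-01"));
    return 0;
}
```

The last two lines show the caveat Peter raises for the 8.0x series: the trailing-space form still rejects a genuinely matching 8.02, while the stringified form accepts it.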
From: Breno S. <bre...@gm...> - 2012-08-01 13:47:46
The ModSecurity Development Team is pleased to announce the availability of ModSecurity 2.6.7 Release.

The stability of this release must be good and it includes some bug fixes. We added a new ctl:ruleRemoveTargetById to replace ctl:ruleUpdateTargetById that will be removed from the code soon. Please see the release notes included in the CHANGES file.

For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks

Breno Silva