mod-security-users Mailing List for ModSecurity (Page 541)
From: <li...@32...> - 2006-02-03 18:48:47

Hello, I just had an attempt made on my server to exploit it. The user was
able to upload a folder called .sgurz into the tmp folder, this folder had
2 files, boink and .boink2. I do not think it did anything except use up
all the apache processes. What would the filter need to be in order to
block this type of attack in the future?

TIA
-Mike

From: Ivan R. <iv...@we...> - 2006-02-03 13:00:35

Alex Strawman wrote:
> Nope, I believe the viewstate is < 4096, however when combined with
> the rest of the header it sometimes falls outside that size and gets
> truncated, without really telling the user it did so.
> Having said that I haven't turned the debugging up to max to see if it
> informs so in the logfile.

From what I could read about ASP.NET the view state is transported via
variable "__VIEWSTATE". The multipart header length limit should not
affect this way of transport.

Do you have something like "Error processing request body: Multipart:
part header line over XXXX bytes long" in your Apache error log? If you
don't - then something else is the problem. Get me the messages from
ModSecurity that you do have and I may be able to tell you more.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

From: Alex S. <ale...@gm...> - 2006-02-03 10:20:20

Nope, I believe the viewstate is < 4096, however when combined with the
rest of the header it sometimes falls outside that size and gets
truncated, without really telling the user it did so.

Having said that I haven't turned the debugging up to max to see if it
informs so in the logfile.

Alex

On 2/3/06, Ivan Ristic <iv...@we...> wrote:
> Alex Strawman wrote:
> > Hi,
> >
> > Re your response from 9/1/2006, this also affects ASP.NET when in
> > proxy mode, as the VIEWSTATE variable can be 4096 characters at times.
>
> The size of data is not limited. You could only experience
> problems if the variable name itself is more than 4096
> bytes long. Is this the case?
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com

From: Ivan R. <iv...@we...> - 2006-02-03 09:21:22

Alex Strawman wrote:
> Hi,
>
> Re your response from 9/1/2006, this also affects ASP.NET when in
> proxy mode, as the VIEWSTATE variable can be 4096 characters at times.

The size of data is not limited. You could only experience problems if
the variable name itself is more than 4096 bytes long. Is this the case?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

From: Alex S. <ale...@gm...> - 2006-02-03 05:19:13

Hi,

Re your response from 9/1/2006, this also affects ASP.NET when in proxy
mode, as the VIEWSTATE variable can be 4096 characters at times.

Can this be made a configurable option? I understand the need to limit
this, to prevent new bof attacks against web servers etc, but it would be
nice to know exactly what having an 8096 byte buffer does to the rest of
the mod_security internals.

Alex

------------

Gerwin Krist -|- Digitalus Webhosting wrote:
> Heya,
>
> Customers of us using phpmyadmin are getting a 406 error, the log file says:
>
> Error processing request body: Multipart: part header line over 1024 bytes long
>
> No clue what this means, anyone?

The size of multipart/form-data part headers is limited. These headers
are normally very simple so I find it very unusual the limit has been
triggered.

You can change this limit yourself by editing the line that says:

#define MULTIPART_BUF_SIZE 1024

To make sure it is not a bug of some kind, please increase the limit to
4096 and record one request using the audit log. Thanks!

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

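To make Ivan's point concrete (the limit applies to each header line inside a multipart part, never to the part's data), here is an added Python illustration of the check the error message describes. It is not ModSecurity's own code: the multipart bodies are constructed inline, the boundary string and the 8000-byte and 1100-byte sizes are arbitrary, and the parsing is a simplified walk over the parts rather than the module's streaming parser.

```python
from typing import List, Tuple

# Per-line limit for multipart part headers as quoted on the list
# (#define MULTIPART_BUF_SIZE 1024 in ModSecurity 1.x); 4096 is the test value
# Ivan suggested.
MULTIPART_BUF_SIZE = 1024


def build_multipart(boundary: str, fields: List[Tuple[str, str]]) -> bytes:
    """Construct a multipart/form-data body with one part per (name, value) pair.

    Constructed test input shaped like what a browser sends for a plain form.
    """
    out = []
    for name, value in fields:
        out.append(
            "--%s\r\n"
            'Content-Disposition: form-data; name="%s"\r\n'
            "\r\n"
            "%s\r\n" % (boundary, name, value)
        )
    out.append("--%s--\r\n" % boundary)
    return "".join(out).encode("latin-1")


def check_part_headers(body: bytes, boundary: str,
                       limit: int = MULTIPART_BUF_SIZE) -> Tuple[bool, str]:
    """Apply the part-header line-length check to every part of the body.

    Only the header lines of each part (Content-Disposition, Content-Type, ...)
    are measured. The data after the blank line is not length-checked, so a
    large field *value* such as __VIEWSTATE cannot trigger this error, while an
    oversized field *name* can, because the name sits inside a header line.
    """
    delimiter = b"--" + boundary.encode("latin-1")
    for segment in body.split(delimiter)[1:]:
        if segment.startswith(b"--"):
            break  # closing delimiter: no more parts follow
        if segment.startswith(b"\r\n"):
            segment = segment[2:]
        headers, separator, _data = segment.partition(b"\r\n\r\n")
        if not separator:
            return False, "Multipart: part header block not terminated"
        for line in headers.split(b"\r\n"):
            if len(line) > limit:
                return False, "Multipart: part header line over %d bytes long" % limit
    return True, "ok"


def demo() -> dict:
    """Verdicts for the three situations discussed in the thread."""
    boundary = "----ConstructedBoundary7MA4YWxk"  # arbitrary constructed boundary
    viewstate_body = build_multipart(boundary, [("__VIEWSTATE", "A" * 8000)])
    long_name_body = build_multipart(boundary, [("n" * 1100, "x")])
    return {
        "8000-byte value, limit 1024": check_part_headers(viewstate_body, boundary),
        "1100-byte name, limit 1024": check_part_headers(long_name_body, boundary),
        "1100-byte name, limit 4096": check_part_headers(long_name_body, boundary, limit=4096),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-28s -> %s" % (case, verdict))
```

The first case passes at the default limit even though the value is eight times larger than the buffer; only the second case, where the variable name itself pushes the Content-Disposition line past 1024 bytes, reproduces the error, and raising the limit to 4096 makes it pass.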
From: Ivan R. <iv...@we...> - 2006-02-02 20:42:26

Harald Volz wrote:
> Hi
> I am using the last version (1.9.2) and have problems with the german
> "umlaut" and other special characters in URL and other Headerparts.
> SecFilterCheckUnicodeEncoding On

SecFilterCheckUnicodeEncoding should be "off" in your case.

> Header Problem 2: strange Agent coming from japanese site....
> Request: ourserver requestor - - [01/Feb/2006:11:18:10 +0100] "GET
> /favicon.ico HTTP/1.0" 302 230 "-" "\xf0\x05\xe1\x07X9\xb5\x05\x08" - "-"
> User-Agent: ð^Eá^GX9µ^
> mod_security-message: Access denied with code 400. Error validating
> header value (User-Agent): Invalid character detected [5]

This message is not consistent with "SecFilterForceByteRange 1 255",
ie should not happen. Did you use a different configuration when you
got that error?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

From: Harald V. <har...@un...> - 2006-02-02 19:59:44

Hi

I am using the last version (1.9.2) and have problems with the german
"umlaut" and other special characters in URL and other Headerparts.

To fix this I added

SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 1 255

but this does not help as shown below

Any hints?

Regards
Harald

URL-Problem 1 (umlaut ö in URL)

Request: ourserver requestor - - [02/Feb/2006:13:48:55 +0100] "GET /pictures/m%F6nche.jpg HTTP/1.1" 302 230 "http://ourserver/photoarch.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)" - "-"
Handler: proxy-server
----------------------------------------
GET /pictures/m%F6nche.jpg HTTP/1.1
mod_security-message: Access denied with code 400. Error normalising REQUEST_URI: Invalid Unicode encoding: invalid byte value
mod_security-action: 400
Content-Type: text/html; charset=iso-8859-1

URL-Problem 2 (umlaut ä in URL, Spaces)
----------------------------------------
GET /kurse/FMPro?-db=urzkurse&-lay=kurseweb&-format=Such_ErgebnisseT.htm&-error=Suchen_Fehler.htm&-sortfield=Datum&Themengebiet=Interdisziplin%e4res%20Lernen&F_Abgelaufen=0&Gesperrt=offen&-token=Interdisziplin%e4res%20Lernen&-find HTTP/1.1
mod_security-message: Access denied with code 400. Error normalising REQUEST_URI: Invalid Unicode encoding: invalid byte value
Content-Type: text/html; charset=iso-8859-1

Header-Problem1: (umlaut ü in Useragent)

Request: ourserver requestor - - [02/Feb/2006:11:34:10 +0100] "GET /some.pdf HTTP/1.0" 302 230 "http://www.google.de/search?hl=de&q=Zyklisch+Phosphorylierung&spell=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Schiller-Gymnasium Sch\xfcler; Schiller-Gymnasium Lehrer; .NET CLR 1.0.3705)" - "-"
Handler: proxy-server
----------------------------------------
GET /some.pdf HTTP/1.0
Via: 1.0 S4
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Schiller-Gymnasium Schüler; Schiller-Gymnasium Lehrer; .NET CLR 1.0.3705)
Host: ourserver
mod_security-message: Access denied with code 400. Error validating header value (User-Agent): Invalid Unicode encoding: invalid byte value
Content-Type: text/html; charset=iso-8859-1

Header Problem 2: strange Agent coming from japanese site....

Request: ourserver requestor - - [01/Feb/2006:11:18:10 +0100] "GET /favicon.ico HTTP/1.0" 302 230 "-" "\xf0\x05\xe1\x07X9\xb5\x05\x08" - "-"
User-Agent: ð^Eá^GX9µ^
mod_security-message: Access denied with code 400. Error validating header value (User-Agent): Invalid character detected [5]

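The three directives Harald lists do three different things, and the log lines above show two of them firing. As an added Python illustration (not ModSecurity's code), the functions below model each check on the exact inputs from the thread: %F6 is a valid ISO-8859-1 byte but not valid UTF-8, so SecFilterCheckUnicodeEncoding rejects it and must be off for a Latin-1 site, as Ivan says; SecFilterForceByteRange 1 255 accepts the odd User-Agent, so the "Invalid character detected [5]" line implies a narrower range was in force. The 32-255 range used to reproduce that message is my assumption, not something the thread establishes, and the check order and message wording are simplified.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote_to_bytes


def check_url_encoding(raw: str) -> Tuple[bool, str]:
    """SecFilterCheckURLEncoding: every % must introduce two hex digits."""
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw):
        return False, "Invalid URL encoding"
    return True, "ok"


def check_unicode_encoding(data: bytes) -> Tuple[bool, str]:
    """SecFilterCheckUnicodeEncoding: the decoded bytes must be well-formed UTF-8."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "Invalid Unicode encoding: invalid byte value"
    return True, "ok"


def check_byte_range(data: bytes, low: int, high: int) -> Tuple[bool, str]:
    """SecFilterForceByteRange low high: every byte must lie inside [low, high]."""
    for b in data:
        if b < low or b > high:
            return False, "Invalid character detected [%d]" % b
    return True, "ok"


def validate(raw: str, url_decode: bool = True, unicode_check: bool = True,
             byte_range: Tuple[int, int] = (1, 255)) -> Tuple[bool, str]:
    """Validate a request URI (percent-decoded first) or a raw header value.

    The order of the checks is an illustration; only the first failure is
    reported, which is how the log lines in the thread read.
    """
    if url_decode:
        ok, msg = check_url_encoding(raw)
        if not ok:
            return ok, msg
        data = unquote_to_bytes(raw)
    else:
        data = raw.encode("latin-1")  # header bytes are used as received
    if unicode_check:
        ok, msg = check_unicode_encoding(data)
        if not ok:
            return ok, msg
    return check_byte_range(data, *byte_range)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the inputs from the thread through the checks."""
    # The strange User-Agent, written as a latin-1 string so each \xNN is one byte.
    odd_ua = "\xf0\x05\xe1\x07X9\xb5\x05\x08"
    return {
        "m%F6nche.jpg, unicode check on": validate("/pictures/m%F6nche.jpg"),
        "m%F6nche.jpg, unicode check off": validate("/pictures/m%F6nche.jpg", unicode_check=False),
        "UTF-8 m%C3%B6nche.jpg, check on": validate("/pictures/m%C3%B6nche.jpg"),
        "odd UA, range 1 255": validate(odd_ua, url_decode=False, unicode_check=False),
        # Assumed narrower range, to show where a "[5]" rejection can come from.
        "odd UA, range 32 255": validate(odd_ua, url_decode=False, unicode_check=False,
                                         byte_range=(32, 255)),
        "odd UA, unicode check on": validate(odd_ua, url_decode=False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-34s -> %s" % (case, verdict))
```

The practical reading for a site that serves ISO-8859-1: keep SecFilterCheckURLEncoding on (it only rejects malformed escapes), turn SecFilterCheckUnicodeEncoding off, and pick the byte range deliberately, since 1-255 admits control characters such as the 0x05 in that User-Agent while 32-255 rejects them.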
From: Ivan R. <iv...@we...> - 2006-02-02 16:08:25

Peter wrote:
>
> Not meaning to take up your time or that of others here, is there a URL
> where I can read up on Tomcat, learn about the commands I can embed in
> web.xml and where I can learn the differences between what I would put in
> web.xml vs. what I would use htaccess for?
>
> Looking forward to some heady weekend reading :) (Sarcasm intended!)

Tomcat lives at http://tomcat.apache.org/. It appears to be well
documented. I believe this is what you are after:

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

From: Peter <pet...@co...> - 2006-02-02 14:17:33

On Thu, 02 Feb 2006 13:17:07 +0000, Ivan Ristic wrote:

> Peter wrote:
>> I received this back from my hosting provider:
>>
>> "Thank you for giving us that information. It appears that the
>> investigation is complete. We have determined that you are having
>> problems with password protection with your .xls files because you can
>> not password protect the .xls file extension with an .htaccess file in
>> our shared hosting environment, as it is processed by Tomcat."
>>
>> Any ideas to circumvent this? Thx
>
> Circumvent - no. Solve the problem - possibly. If you are in control of
> your own web.xml you can configure another authentication layer in
> Tomcat.
>
> Of course, the real question is why do they have such a confusing setup
> in the first place. A major point of having Apache in front of
> application servers is to use its facilities. It makes no sense to me to
> forward requests to application servers before authentication phase
> takes place.

Thank you. It did not make sense to me, but I am a novice at this.

Yes, I do have control over web.xml. Currently, only my error page is in it.

<?xml version="1.0" ?>
<web-app>
  <error-page>
    <error-code>404</error-code>
    <location>/errorpage.html</location>
  </error-page>
</web-app>

Not meaning to take up your time or that of others here, is there a URL
where I can read up on Tomcat, learn about the commands I can embed in
web.xml and where I can learn the differences between what I would put in
web.xml vs. what I would use htaccess for?

Looking forward to some heady weekend reading :) (Sarcasm intended!)

From: Ivan R. <iv...@we...> - 2006-02-02 13:32:24

De Vries, Richard wrote:
> I had several issues compiling mod_security 1.9.2 against apache 2.2.0
> on Solaris 9 (sparc), but resolved most of them .... Except one:
>
> $ /usr/local/apps/apache/bin/apxs -cia mod_security.c
> /usr/local/apr/build-1/libtool --silent --mode=compile gcc -prefer-pic
> -DSOLARIS2=9 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -g -O2 -pthreads
> -I/usr/local/apache2/include -I/usr/local/apr/include/apr-1
> -I/usr/local/apr/include/apr-1 -I/usr/local/include -c -o
> mod_security.lo mod_security.c && touch mod_security.slo
> mod_security.c: In function `sec_debug_log':
> mod_security.c:6132: `__builtin_va_alist' undeclared (first use in this
> function)
> mod_security.c:6132: (Each undeclared identifier is reported only once
> mod_security.c:6132: for each function it appears in.)
> apxs:Error: Command failed with rc=65536
> .
>
> Has anyone seen/experienced this error before?

Unfortunately I don't have access to Solaris systems to try to compile
myself. There's no such thing as "__builtin_va_alist" in mod_security.c
but the name is probably coming from an expanded macro "va_list". I
don't have an idea why the macro (from stdarg.h) is incorrectly
expanded. Perhaps "man va_start" could give you an idea.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

From: Ivan R. <iv...@we...> - 2006-02-02 13:17:42

Peter wrote:
> I received this back from my hosting provider:
>
> "Thank you for giving us that information. It appears that the
> investigation is complete. We have determined that you are having problems
> with password protection with your .xls files because you can not password
> protect the .xls file extension with an .htaccess file in our shared
> hosting environment, as it is processed by Tomcat."
>
> Any ideas to circumvent this? Thx

Circumvent - no. Solve the problem - possibly. If you are in control of
your own web.xml you can configure another authentication layer in
Tomcat.

Of course, the real question is why do they have such a confusing setup
in the first place. A major point of having Apache in front of
application servers is to use its facilities. It makes no sense to me to
forward requests to application servers before authentication phase
takes place.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

From: Peter <pet...@co...> - 2006-02-02 11:26:28

I received this back from my hosting provider:

"Thank you for giving us that information. It appears that the
investigation is complete. We have determined that you are having
problems with password protection with your .xls files because you can
not password protect the .xls file extension with an .htaccess file in
our shared hosting environment, as it is processed by Tomcat."

Any ideas to circumvent this? Thx

From: De V. R. <Ric...@bm...> - 2006-02-02 03:11:25

I had several issues compiling mod_security 1.9.2 against apache 2.2.0
on Solaris 9 (sparc), but resolved most of them .... Except one:

$ /usr/local/apps/apache/bin/apxs -cia mod_security.c
/usr/local/apr/build-1/libtool --silent --mode=compile gcc -prefer-pic
-DSOLARIS2=9 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -g -O2 -pthreads
-I/usr/local/apache2/include -I/usr/local/apr/include/apr-1
-I/usr/local/apr/include/apr-1 -I/usr/local/include -c -o
mod_security.lo mod_security.c && touch mod_security.slo
mod_security.c: In function `sec_debug_log':
mod_security.c:6132: `__builtin_va_alist' undeclared (first use in this
function)
mod_security.c:6132: (Each undeclared identifier is reported only once
mod_security.c:6132: for each function it appears in.)
apxs:Error: Command failed with rc=65536
.

Has anyone seen/experienced this error before?

Thank you,

Richard

From: Ivan R. <iv...@we...> - 2006-02-01 14:07:17

CASTELLE Thomas wrote:
> Well, I looked quickly on the Internet and it seems that it could happen
> with IE-specific websites :
> http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/events.asp

Yes, but that would already be handled with

onSelect[[:space:]]*=

I don't think the second part

=[[:space:]]*onSelect

is needed.

> Two other questions :
> - Do you think you'll provide a simple tool to automatically download
> new rulesets, compare them with the ones in production, detect changes
> and integrate them in the production environment, like the
> "rule-du-jour" script for spamassassin ?

I don't have any immediate plans. It's like this: I can either choose to
work on ModSecurity itself or on the related utilities. ModSecurity wins
every time. I appreciate that it's not easy to start contributing to
ModSecurity because of the complexities involved but it'd be really nice
to see someone step up and work on the related utilities.

(Also I am not sure there is a need for something like that because I
don't see the generic rules changing often.)

> - Do you know if a modsecurity log analysis tool exists ? One that could
> generate a human-readable report daily with the different events
> detected or blocked ?

No, but I am working on a commercial tool for real-time log aggregation
and reporting at the moment. A beta should be available in the next
couple of weeks.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

From: CASTELLE T. <tca...@ge...> - 2006-02-01 13:11:42

Well, I looked quickly on the Internet and it seems that it could happen
with IE-specific websites :
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/events.asp

Two other questions :
- Do you think you'll provide a simple tool to automatically download new
rulesets, compare them with the ones in production, detect changes and
integrate them in the production environment, like the "rule-du-jour"
script for spamassassin ?
- Do you know if a modsecurity log analysis tool exists ? One that could
generate a human-readable report daily with the different events detected
or blocked ?

Thanks very much for your help !

Regards,
Thomas.

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Wednesday, 1 February 2006 13:23
To: CASTELLE Thomas
Cc: mod...@li...
Subject: Re: [mod-security-users] mod_security rules feature request + production tools ?

CASTELLE Thomas wrote:
> Hello everybody,
>
> The new mod_security rules project is a great thing. It is more generic
> than the gotroot.com files, and the files are smaller (which is, I
> think, good for performance).
>
> However, I have 2 small modification requests :
>
> - Could you add "id" and "rev" meta-data to each rule, so that we can
> exclude specific rules when the protected website matches false
> positives.
> It could also allow us to run automatic updates by detecting new rules
> or changes on existing rules.

Yes. That's mostly the reason while the rules are still in beta. As soon
as I assign IDs to them they will be moved to production status.

> - Could you modify the "JavaScript event handlers" rules, because it
> seems too generic to me.
>
> Couldn't :
> "SecFilterSelective ARGS "onSelect""
> be instead :
> "SecFilterSelective ARGS
> "onSelect[[:space:]]*=|=[[:space:]]*onSelect"
>
> For instance, some of our websites match this because of
> "http://blablabla/test?task=ValidationSelection"

Makes sense. Which case would =[[:space:]]*onSelect" match?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

From: Ivan R. <iv...@we...> - 2006-02-01 12:21:31

CASTELLE Thomas wrote:
> Hello everybody,
>
> The new mod_security rules project is a great thing. It is more generic
> than the gotroot.com files, and the files are smaller (which is, I
> think, good for performance).
>
> However, I have 2 small modification requests :
>
> - Could you add "id" and "rev" meta-data to each rule, so that we can
> exclude specific rules when the protected website matches false
> positives.
> It could also allow us to run automatic updates by detecting new rules
> or changes on existing rules.

Yes. That's mostly the reason while the rules are still in beta. As soon
as I assign IDs to them they will be moved to production status.

> - Could you modify the "JavaScript event handlers" rules, because it
> seems too generic to me.
>
> Couldn't :
> "SecFilterSelective ARGS "onSelect""
> be instead :
> "SecFilterSelective ARGS
> "onSelect[[:space:]]*=|=[[:space:]]*onSelect"
>
> For instance, some of our websites match this because of
> "http://blablabla/test?task=ValidationSelection"

Makes sense. Which case would =[[:space:]]*onSelect" match?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

From: CASTELLE T. <tca...@ge...> - 2006-02-01 12:03:03

Hello everybody,

The new mod_security rules project is a great thing. It is more generic
than the gotroot.com files, and the files are smaller (which is, I
think, good for performance).

However, I have 2 small modification requests :

- Could you add "id" and "rev" meta-data to each rule, so that we can
exclude specific rules when the protected website matches false
positives.
It could also allow us to run automatic updates by detecting new rules
or changes on existing rules.

- Could you modify the "JavaScript event handlers" rules, because it
seems too generic to me.

Couldn't :
"SecFilterSelective ARGS "onSelect""
be instead :
"SecFilterSelective ARGS "onSelect[[:space:]]*=|=[[:space:]]*onSelect"

For instance, some of our websites match this because of
"http://blablabla/test?task=ValidationSelection"

Thanks for your help,

Regards,
Thomas.

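The exchange above (Thomas's proposed pattern and Ivan's question about its second half) can be worked through with the three candidate rules side by side. This is an added Python example, not the project's rule set: the POSIX [[:space:]] class is transcribed to \s, the queries are constructed (the only one taken from the thread is task=ValidationSelection), and two things are assumptions rather than facts from the page, namely that ModSecurity 1.x matched filters case-insensitively and that ARGS was inspected as the URL-decoded name=value&name=value string.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# The three rule bodies discussed on the list, in Python regex syntax.
# Assumption: case-insensitive matching, as ModSecurity 1.x filters behaved.
RULES = {
    "loose":    re.compile(r"onSelect", re.IGNORECASE),
    "tight":    re.compile(r"onSelect\s*=", re.IGNORECASE),
    "proposed": re.compile(r"onSelect\s*=|=\s*onSelect", re.IGNORECASE),
}

# Constructed queries. The first is the false positive reported in the thread;
# "select=onSelectionChanged" is a benign value that merely starts with the
# handler name; the last two contain an actual inline event handler.
BENIGN_QUERIES: List[str] = [
    "task=ValidationSelection",
    "page=2&sort=name",
    "select=onSelectionChanged",
]
HANDLER_QUERIES: List[str] = [
    "q=%3Cb+onSelect+%3D+x%3E",   # decodes to q=<b onSelect = x>
    "cb=onSelect",                # handler name as a bare argument value
]


def args_string(query: str) -> str:
    """Assumption: ARGS is the URL-decoded "name=value&name=value" string."""
    return "&".join(unquote_plus(pair) for pair in query.split("&"))


def evaluate(query: str) -> Dict[str, bool]:
    """Return, per rule, whether it would fire on this query string."""
    text = args_string(query)
    return {name: rule.search(text) is not None for name, rule in RULES.items()}


def false_positive_count(rule: str) -> int:
    """Number of benign sample queries the named rule flags."""
    return sum(1 for q in BENIGN_QUERIES if evaluate(q)[rule])


def detection_count(rule: str) -> int:
    """Number of handler-carrying sample queries the named rule flags."""
    return sum(1 for q in HANDLER_QUERIES if evaluate(q)[rule])


if __name__ == "__main__":
    for q in BENIGN_QUERIES + HANDLER_QUERIES:
        print("%-28s %s" % (q, evaluate(q)))
    for name in RULES:
        print("%-8s false positives=%d detections=%d"
              % (name, false_positive_count(name), detection_count(name)))
```

The run shows why Ivan's answer is the right one: the bare "onSelect" rule flags ValidationSelection, the "onSelect[[:space:]]*=" half alone flags the real handler and nothing benign, and the "=[[:space:]]*onSelect" half buys only the "cb=onSelect" case (an argument value that starts with the handler name, which is not an event handler at all) at the price of flagging any benign value that happens to start with onSelect.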
From: Peter <pet...@co...> - 2006-01-31 16:19:12

(this message was previously submitted, but I since joined the mail list,
so the mods can ignore the pending post)

My .htaccess file for a directory...

AuthType Basic
AuthUserFile /home/content/pwfile
AuthGroupFile /dev/null
AuthName "Restricted Area"
Require user peter

My web hosting service uses Apache 1.3, and I have an issue which is
curious. With the above, any attempt to access an html page, or the
directory results in the proper username/password challenge. However, if
a user tried to access certain files directly (assuming they know the
names), sometimes a password challenge is NOT presented.

For example, if a user types:

http://mysecure.dir/myfile.html he will get a username/password challenge
and
http://mysecure.dir/myfile.gif he will get a challenge

BUT

http://mysecure.dir/myfile.jpg will not get challenged and the browser
presents options for opening or downloading the file! No password
challenge.

Same with http://mysecure.dir/myfile.xls or http://mysecure.dir/myfile

My question is, is this expected behavior? How can I tell which filetypes
will bypass AUTH security? Are there specific commands I can add to
.htaccess? I even tried deny all in <Files *>, but still I am offered a
download choice.

Sorry if this post does not belong here, but I do appreciate any feedback
and suggestions. The hosting company is "investigating" after being able
to reproduce the error.

From: Ryan B. <rcb...@gm...> - 2006-01-30 22:11:48

Add in "ServerSignature Off" to the httpd.conf file to remove that footer
message from error pages..

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 1/30/06, kiran k <kir...@ya...> wrote:
>
> Thanks, I should have paid more attention on error string duh..
>
> I was able to monitor server script, for deny I get forbidden page with
> (Apache/2.0.55 (Unix) Server at 192.168.1.10 Port 80), I would like to
> avoid this, is there any thing else other than deny:redirect so that it
> just shows it blocked no more info about apache version. Thanks,
>
> Alon Agmon <aa...@we...> wrote:
>
> Hi ,
> Mod_proxy should be used as:
>
> ProxyPass / http://192.168.1.30/
> ProxyPassReverse / http://192.168.1.30/
>
> Note the last slash.
>
> ------------------------------
> From: mod...@li... [mailto:mod...@li...] On Behalf Of kiran k
> Sent: Monday, January 30, 2006 7:02 AM
> To: mod...@li...
> Subject: [mod-security-users] as reverse proxy
>
> Hi:
>
> I set it up exactly as described in the article. Basic test went fine, ie
> when I access http:192.168.1.10 (which is proxy), it went to 192.168.1.30.
>
> When I try access server scripts (ie
> http://192.168.1.10/cgi-bin/modsec-test.pl) I get proxy error, like below.
> What is missing ? Why DNS lookup for ipaddr ?
>
> The proxy server received an invalid response from an upstream server.
> The proxy server could not handle the request GET /cgi-bin/modsec-test.pl.
> Reason: DNS lookup failure for: 192.168.1.30cgi-bin
>
> Configuration:
>
> <VirtualHost 192.168.1.10>
>   ServerName localhost
>   ProxyRequests Off
>   ProxyPass / http://192.168.1.30
>   ProxyPassReverse / http://192.168.1.30
>
>   SecFilterEngine DynamicOnly
>   SecFilterCheckURLEncoding On
> </VirtualHost>

From: kiran k <kir...@ya...> - 2006-01-30 22:00:42

Thanks, I should have paid more attention on error string duh..

I was able to monitor server script, for deny I get forbidden page with
(Apache/2.0.55 (Unix) Server at 192.168.1.10 Port 80), I would like to
avoid this, is there any thing else other than deny:redirect so that it
just shows it blocked no more info about apache version. Thanks,

Alon Agmon <aa...@we...> wrote:
> Hi ,
> Mod_proxy should be used as:
>
> ProxyPass / http://192.168.1.30/
> ProxyPassReverse / http://192.168.1.30/
>
> Note the last slash.
>
> ---------------------------------
> From: mod...@li... [mailto:mod...@li...] On Behalf Of kiran k
> Sent: Monday, January 30, 2006 7:02 AM
> To: mod...@li...
> Subject: [mod-security-users] as reverse proxy
>
> Hi:
>
> I set it up exactly as described in the article. Basic test went fine, ie
> when I access http:192.168.1.10 (which is proxy), it went to 192.168.1.30.
>
> When I try access server scripts (ie
> http://192.168.1.10/cgi-bin/modsec-test.pl) I get proxy error, like below.
> What is missing ? Why DNS lookup for ipaddr ?
>
> The proxy server received an invalid response from an upstream server.
> The proxy server could not handle the request GET /cgi-bin/modsec-test.pl.
> Reason: DNS lookup failure for: 192.168.1.30cgi-bin
>
> Configuration:
>
> <VirtualHost 192.168.1.10>
>   ServerName localhost
>   ProxyRequests Off
>   ProxyPass / http://192.168.1.30
>   ProxyPassReverse / http://192.168.1.30
>
>   SecFilterEngine DynamicOnly
>   SecFilterCheckURLEncoding On
> </VirtualHost>

From: Francois B. <fra...@gm...> - 2006-01-30 21:35:33

> FYI unless you have an existing mod_security configuration to upgrade
> (and even with that) upgrading mod_security is a 30-second operation.

Not really - We have mod_security compiled straight into Apache, so it's
not just a question of compiling a new module and dropping it in on the
server, we have to recompile our entire Apache setup which (I'm being
told) is a fairly complicated process, and right now the SysAdmin is too
busy to help me...

> Avoid launching a script if possible. If you don't those attacking
> you will be able to create dozens of processes per second simply
> by sending many requests in parallel.
>
> A better idea is to pipe the error log to a single inspecting
> process (like httpd-guardian).

Hmmm, that probably would be better; I'd have to parse the log to find
only the entries I'm interested in, (since I don't want to block valid
users behind proxies) but I'd be less susceptible to getting flooded with
forking processes.

> You should even be able to create a nice page to show to the
> blacklisted users.

Already planned! As well as sending an alert to the syslog so that we
know what's happening.... which I believe your script already does.

Thanks Ivan!

> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

From: Ivan R. <iv...@we...> - 2006-01-30 21:01:22

Francois Boulanger wrote:
> Hi all! I'd like your input on this...
>
> I was asked to protect one of our websites against brute-force attempts;
> We need to know if an IP adress is making repetitive login requests to
> our site. I'm using Apache 1.3.33 and mod_security 1.7. on Solaris 9 -
> And no, we do not have time to upgrade to a more recent Apache or
> mod_security version :-(

FYI unless you have an existing mod_security configuration to upgrade
(and even with that) upgrading mod_security is a 30-second operation.

> Here's what i'm thinking of doing :
>
> 1 - use mod_security to inspect POST contents of requests
> 2 - create a rule to launch a script every time the POST contains a
> specific login field (Ex : UserID or password). This will allow me to
> obtain all the IP adresses of people who attempt to log-in.

Avoid launching a script if possible. If you don't those attacking
you will be able to create dozens of processes per second simply
by sending many requests in parallel.

A better idea is to pipe the error log to a single inspecting
process (like httpd-guardian).

> What do you think? Probably not the ideal solution, but it should work -
> considering we're short on time and need a solution fast, without
> relying on firewall or IDS systems.

You should even be able to create a nice page to show to the
blacklisted users.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

From: Francois B. <fra...@gm...> - 2006-01-30 20:34:45
|
Hi all! I'd like your input on this... I was asked to protect one of our websites against brute-force attempts; We need to know if an IP adress is making repetitive login requests to our site. I'm using Apache 1.3.33 and mod_security 1.7. on Solaris 9 - And no, we do not have time to upgrade to a more recent Apache or mod_security version :-( Apache is used as a proxy in front of our multiple app servers= . Because of this, and for different reasons which I won't discuss here, I need to rely solely on Apache to implement my solution. Here's what i'm thinking of doing : 1 - use mod_security to inspect POST contents of requests 2 - create a rule to launch a script every time the POST contains a specifi= c login field (Ex : UserID or password). This will allow me to obtain all the IP adresses of people who attempt to log-in. 3 - The script launched would be a modified version of Ivan's "httpd-guardian" perl script (modified to parse environment variables instead of a log file entry.) 4 - Upon detecting that a user has exceeded X number of login attempts in a= n amount of time, httpd-guardian would call a script to block the offending I= P address. 5 - The blocking script would likely be a modified version of Ivan's "blacklist" perl script (modified to manage a list of disallowed IP adresse= s in an .htaccess file for Apache to use.) 6 - A crontab entry would call the "blacklist" script every X minutes to remove stale IP adresses from the .htaccess file. What do you think? Probably not the ideal solution, but it should work - considering we're short on time and need a solution fast, without relying o= n firewall or IDS systems. Got a better idea? Any input is welcome! Thanks. Francois |
|
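The counting logic behind steps 3 to 6 above (X login attempts from one IP inside a time window, then a temporary entry in an .htaccess file that expires later) can be sketched as a single log-reading process, which is the shape Ivan's reply recommends over spawning a script per request. The block below is an added example written for this page; it is not code from the original post and not Ivan's httpd-guardian or blacklist scripts. The log lines are constructed, and the login path /login, the threshold, the window and the expiry time are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache combined log format (not from the
# original post). 10.0.0.5 sends six POSTs to the login URL in six
# seconds, 10.0.0.9 only three, and 10.0.0.7 five spread over eight
# minutes. The GET from 10.0.0.5 must not be counted.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2006:20:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jan/2006:20:30:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jan/2006:20:32:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2006:20:34:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2006:20:34:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2006:20:34:03 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2006:20:34:04 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2006:20:34:05 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2006:20:34:06 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jan/2006:20:34:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jan/2006:20:34:10 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jan/2006:20:34:11 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jan/2006:20:34:12 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jan/2006:20:36:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jan/2006:20:38:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_ts(text):
    """Parse an Apache access-log timestamp such as 30/Jan/2006:20:34:05 +0000."""
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), parse_ts(m.group("ts")), m.group("method"), m.group("path")


def find_offenders(lines, login_path="/login", threshold=5, window_seconds=60):
    """Sliding-window counter: an IP is flagged the first time it makes
    `threshold` POSTs to login_path within any span of window_seconds.
    Returns {ip: timestamp of the request that tripped the threshold}.
    Lines for a given IP are assumed to arrive in chronological order,
    as they do when a log is tailed. login_path and the limits are
    assumed values, not from the original post."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != login_path:
            continue
        window = recent[ip]
        window.append(ts)
        # Discard attempts that have fallen out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def htaccess_fragment(flagged, now, ttl_seconds):
    """Render an Apache 1.3-style access-control fragment denying the IPs
    flagged within the last ttl_seconds. Entries older than the TTL are
    left out, which is the expiry the cron job in step 6 would perform
    by rewriting the file."""
    lines = ["Order Allow,Deny", "Allow from all"]
    for ip, ts in sorted(flagged.items()):
        if (now - ts).total_seconds() <= ttl_seconds:
            lines.append(f"Deny from {ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    print(hits)
    print(htaccess_fragment(hits, parse_ts("30/Jan/2006:20:40:00 +0000"), 600))
```

Feeding the real access log through a pipe (for example with a `CustomLog "| ..."` style piped logger) keeps one resident process doing this counting, so a burst of parallel requests cannot fork a process per hit.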
From: Alon A. <aa...@we...> - 2006-01-30 05:35:10
|
Hi,
Mod_proxy should be used as:

ProxyPass / http://192.168.1.30/
ProxyPassReverse / http://192.168.1.30/

Note the last slash.

________________________________
From: mod...@li...
[mailto:mod...@li...] On Behalf Of
kiran k
Sent: Monday, January 30, 2006 7:02 AM
To: mod...@li...
Subject: [mod-security-users] as reverse proxy

Hi:

I set it up exactly as described in the article. Basic test went fine,
ie when I access http://192.168.1.10 (which is proxy), it went to
192.168.1.30.

When I try to access server scripts (ie
http://192.168.1.10/cgi-bin/modsec-test.pl) I get proxy error, like
below. What is missing ? Why DNS lookup for ipaddr ?

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET
/cgi-bin/modsec-test.pl.
Reason: DNS lookup failure for: 192.168.1.30cgi-bin

Configuration:

<VirtualHost 192.168.1.10>
ServerName localhost
ProxyRequests Off
ProxyPass / http://192.168.1.30
ProxyPassReverse / http://192.168.1.30
SecFilterEngine DynamicOnly
SecFilterCheckURLEncoding On
</VirtualHost>

|
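Why the basic test for / succeeds while /cgi-bin/modsec-test.pl produces "DNS lookup failure for: 192.168.1.30cgi-bin" can be seen by modelling the ProxyPass substitution rule: whatever follows the matched path prefix in the request is appended literally to the target URL, so a target without a trailing slash swallows the first path segment into the hostname. The block below is an added illustration for this page, not Apache's own code and not from the thread; the function names are mine.

```python
from urllib.parse import urlsplit


def proxy_target(request_path, prefix, target):
    """Model of ProxyPass prefix substitution (an illustration of the
    rule, not Apache's implementation): the part of the request path
    after the matched prefix is appended verbatim to the target URL."""
    if not request_path.startswith(prefix):
        return None
    return target + request_path[len(prefix):]


def upstream_host(url):
    """Host the proxy would try to resolve for the rewritten URL."""
    return urlsplit(url).hostname


def upstream_path(url):
    """Path the proxy would request from that host."""
    return urlsplit(url).path


def slashes_consistent(prefix, target):
    """Configuration check: if the path prefix ends in '/', the target
    URL should end in '/' as well, and vice versa."""
    return prefix.endswith("/") == target.endswith("/")


if __name__ == "__main__":
    # The configuration from the post: no trailing slash on the target.
    bad = proxy_target("/cgi-bin/modsec-test.pl", "/", "http://192.168.1.30")
    print(bad, "->", upstream_host(bad))      # host becomes 192.168.1.30cgi-bin
    # The corrected form from the reply.
    good = proxy_target("/cgi-bin/modsec-test.pl", "/", "http://192.168.1.30/")
    print(good, "->", upstream_host(good), upstream_path(good))
```

The request for / alone works with the broken configuration because nothing follows the prefix, so the rewritten URL is exactly http://192.168.1.30 and the host parses correctly; only requests with a path expose the missing slash.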
|
From: kiran k <kir...@ya...> - 2006-01-30 05:02:33
|
Hi:
I set it up exactly as described in the article. Basic test went fine, ie when I access http://192.168.1.10 (which is proxy), it went to 192.168.1.30.
When I try to access server scripts (ie http://192.168.1.10/cgi-bin/modsec-test.pl) I get proxy error, like below. What is missing ? Why DNS lookup for ipaddr ?
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /cgi-bin/modsec-test.pl.
Reason: DNS lookup failure for: 192.168.1.30cgi-bin
Configuration:
<VirtualHost 192.168.1.10>
ServerName localhost
ProxyRequests Off
ProxyPass / http://192.168.1.30
ProxyPassReverse / http://192.168.1.30
SecFilterEngine DynamicOnly
SecFilterCheckURLEncoding On
</VirtualHost>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------
Do you Yahoo!?
With a free 1 GB, there's more in store with Yahoo! Mail. |