Thread: [mod-security-users] False positive troubleshooting
From: Russell C. <rcl...@gm...> - 2009-01-24 21:09:39
I'm using mod_auth_form (http://comp.uark.edu/~ajarthu/mod_auth_form/) to control access to a web site directory with authentication against a MySQL database. But modsecurity gives me a false positive on this rule when anyone tries to log in:

SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"

Here's the log entry (domain and directory masked):

[23/Jan/2009:22:52:44 --0500] [www.domain.com/sid#953d098][rid#976df20][/directory][2] Warning. Pattern match "^\w+:/" at REQUEST_URI_RAW. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "76"] [id "960014"] [msg "Proxy access attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"]

Here, also masked, is the URL for the login page; it's when the user submits his credentials that the false positive arises ("400 Bad Request"):

http://www.domain.com/login.php?orig_loc=http%3A%2F%2Fwww.domain.com%2Fdirectory##

I changed "deny" to "pass" and set debugLogLevel to 9, which gave me about 3,000 lines of stuff that I can't begin to figure out. Any ideas on where to start fixing this? Is it the query string in the URL that's triggering this?

Environment is Apache 2.2, PHP 5.2.6, modsecurity v2.5.7, all via cPanel Easy::Apache v3.2.0, modsecurity core rules v1.6.1
From: Ryan B. <Ryan.Barnett@Breach.com> - 2009-01-24 22:15:05
[Ryan Barnett] Is the actual request this -

GET http://www.domain.com/login.php?orig_loc=http%3A%2F%2Fwww.domain.com%2Fdirectory## HTTP/1.1

Please send a sanitized audit log as it will be easier to troubleshoot if we have the full request headers.
From: Russell C. <rcl...@gm...> - 2009-01-25 00:55:01
It's actually in a "refresh" header, I guess:

--b962795d-A--
[24/Jan/2009:19:40:05 --0500] SXu05c86pu8AAEarHpUAAAAD 76.20.91.180 4161 207.58.166.239 80
--b962795d-B--
GET /directory/ HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.domain.com/login.php
Cookie: __utma=225184133.1946259836.1230004092.1230004092.1230004092.1; __utmz=225184133.1230004092.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); uid=username; sid=T0t9mzRX403L9Sx2m42Cj35121OPB2nQ; mt_commenter=krQRMlvzm7f7vMR3kZjEX7yyYWTPp6EfBEzaQXaw; commenter_name=%28Display%20Name%20not%20set%29; commenter_id=1%3A%272%27%2C%273%27%2C%274%27%2C%275%27%2C%276%27%2C%277%27%2C%278%27%2C%279%27%2C%2710%27%2C%2711%27%2C%2712%27%2C%2713%27%2C%2714%27%2C%2715%27%2C%2717%27; PHPSESSID=bb6bdf9a0876655a04f7c50a9dbeaca0

--b962795d-F--
HTTP/1.1 200 OK
Refresh: 1801;url=/login.php?orig_loc=http%3A%2F%2Fwww.domain.com%2Fdirectory%2F
Accept-Ranges: bytes
Content-Length: 11952
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

--b962795d-H--
Message: Warning. Pattern match "^\w+:/" at REQUEST_URI_RAW. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "76"] [id "960014"] [msg "Proxy access attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"]
Apache-Handler: default-handler
Stopwatch: 1232844005296458 230209 (3340 4920 19468)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/); core ruleset/1.6.1.
Server: Apache

--b962795d-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,status:400,chain,t:none,deny,log,auditlog,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "REQUEST_URI_RAW" "@rx ^\\w+:/" "phase:2,status:400,t:none,pass,log,auditlog,msg:'Proxy access attempt',severity:2,id:960014,tag:PROTOCOL_VIOLATION/PROXY_ACCESS"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,deny,status:406,chain,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"
SecAction "phase:2,status:406,nolog,skipAfter:959009"
SecAction "phase:2,status:406,nolog,skipAfter:959007"
SecAction "phase:2,status:406,nolog,skipAfter:959904"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" "phase:2,status:406,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecAction "phase:2,status:406,nolog,skipAfter:959906"
SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" "phase:2,status:406,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
SecAction "phase:2,status:406,nolog,skipAfter:959005"
SecAction "phase:2,status:406,nolog,skipAfter:950006"
--b962795d-Z--
From: Ofer S. <of...@sh...> - 2009-01-24 22:40:40
I think that this is a bug in Core Rule Set. Rule 960014 is meant to inspect only the URL, but REQUEST_URI_RAW also includes the query parameters.

Rule 960014 is also flawed since the RFC does allow the host name to be specified in the URI; checking for an open proxy should also check that the host specified is not local.

In your case I would make sure that your server is not proxying anything and disable the rule using SecRuleRemoveById.

~ Ofer

Ofer Shezaf [sh...@xi..., +972-54-4431119, www.xiom.com]
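The two steps Ofer recommends (make sure Apache is not proxying, then remove the rule) and the tighter check he describes (only flag an absolute URI whose host is not this server), as an added configuration example for Apache 2.2 with ModSecurity 2.5 and CRS 1.6.1. This is not from the thread or from the CRS; the ServerName, the Include path and the replacement rule id 900014 are placeholders.

```apache
# Added example, not from the list posters or the CRS. ServerName, the Include
# path and rule id 900014 are placeholders chosen for illustration.
<VirtualHost *:80>
    ServerName www.domain.com

    # Ofer's first point: be certain this vhost is not an open proxy, so a
    # request line such as "GET http://other.host/ HTTP/1.1" is served from
    # this server's document root rather than forwarded to other.host.
    ProxyRequests Off

    # Load the core rules first: SecRuleRemoveById only affects rules that are
    # already defined in this context or a parent context.
    Include /usr/local/apache/conf/modsecurity/*.conf

    # The thread's recommendation: drop 960014 for this vhost. Stop here if the
    # server never needs to reject absolute-URI requests at all.
    SecRuleRemoveById 960014

    # Optional narrower replacement, per Ofer's note that a real open-proxy
    # check must look at the host. The first rule captures the host part of an
    # absolute URI into TX:1 (port excluded); the chained rule only matches when
    # that host differs from SERVER_NAME, so an absolute URI naming this server,
    # which the RFC allows, is no longer denied. Both sides are lowercased so
    # the @streq comparison is case-insensitive.
    SecRule REQUEST_URI_RAW "^[a-z][a-z0-9+.-]*://([^/:?]+)" \
        "phase:2,t:none,t:lowercase,capture,chain,deny,status:400,log,auditlog,\
        msg:'Proxy access attempt (absolute URI for a foreign host)',id:900014,\
        severity:'2',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
        SecRule TX:1 "!@streq %{SERVER_NAME}" "t:none,t:lowercase"
</VirtualHost>
```

To exercise it, point curl at the server as if it were a proxy: `curl -x www.domain.com:80 http://www.example.org/` sends an absolute URI for a foreign host and should get the 400, while `curl -x www.domain.com:80 http://www.domain.com/directory/` sends an absolute URI for the local host and should be served normally. With ProxyRequests Off either request is served locally even if ModSecurity is disabled, which is the property Ofer asks you to confirm first.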
From: Ofer S. <sh...@xi...> - 2009-01-25 08:27:00
Hi Russell,

The rule matches REQUEST_URI_RAW and not the RESPONSE refresh header. The match is actually in the initial access to the "/directory/" URL. You probably related it to the "login.php" URL because this is what you saw on the browser after the redirection to "login.php".

Why does it happen? On my system running the same mod_security and rule set it does not happen, so my guess is that it has to be something with mod_auth_form: it may change the request URI before mod_security examines it to include a host specification, which is valid but flagged by the "proxy access" rule.

The debug log you created may help in understanding that and I would look at it if you sent it (privately or on the list), but my recommendation remains: make sure that your server is not proxying anything and disable the rule using SecRuleRemoveById.

One apology: I said that the "proxy access" rule is flawed as it would match request parameters. I should have known it doesn't, considering that I wrote this rule - it matches the beginning of the buffer and therefore would not match request parameters.

~ Ofer

Ofer Shezaf [sh...@xi..., +972-54-4431119, www.xiom.com]
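The check Ofer describes, applied to the audit log Russell posted, as an added example (not code from the thread or from the ModSecurity project): split the native audit log into its parts, take the request line from part B, and test that URI, and the Refresh URL Russell first suspected, against the "^\w+:/" pattern that the part-H message names. On the sample it shows that 960014 logged for "GET /directory/" although neither that URI nor the Refresh target can match the pattern, which is exactly the puzzle Ofer attributes to the URI being changed before phase 2 ran. The sample log is constructed: the first transaction is Russell's entry with the User-Agent, Accept-* and Cookie headers dropped, the second is an invented absolute-URI request added for contrast.

```python
"""Triage ModSecurity 2.x native audit-log entries against CRS rule 960014.

Added example for this thread, not code from the list posters or ModSecurity.
SAMPLE_AUDIT_LOG is constructed: transaction b962795d is Russell's entry with
most request headers dropped; transaction 0badf00d is invented for contrast.
"""
import re

# Native (serial) audit-log part markers look like --<boundary>-<PART>--
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# The pattern CRS 1.6.1 rule 960014 applies to REQUEST_URI_RAW.
RULE_960014 = re.compile(r"^\w+:/")
# A "Message:" line in part H, read as far as the rule id and msg.
MSG_RE = re.compile(r'^Message: .*?\[id "(\d+)"\] \[msg "([^"]*)"\]', re.M)
REFRESH_RE = re.compile(r"^Refresh:\s*\d+;\s*url=(\S+)", re.M | re.I)

SAMPLE_AUDIT_LOG = """\
--b962795d-A--
[24/Jan/2009:19:40:05 --0500] SXu05c86pu8AAEarHpUAAAAD 76.20.91.180 4161 207.58.166.239 80
--b962795d-B--
GET /directory/ HTTP/1.1
Host: www.domain.com
Referer: http://www.domain.com/login.php

--b962795d-F--
HTTP/1.1 200 OK
Refresh: 1801;url=/login.php?orig_loc=http%3A%2F%2Fwww.domain.com%2Fdirectory%2F
Content-Type: text/html

--b962795d-H--
Message: Warning. Pattern match "^\\w+:/" at REQUEST_URI_RAW. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "76"] [id "960014"] [msg "Proxy access attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"]
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/); core ruleset/1.6.1.
--b962795d-Z--

--0badf00d-A--
[24/Jan/2009:19:41:00 --0500] SXu05c86pu8AAEarHpUAAAAE 198.51.100.7 4200 207.58.166.239 80
--0badf00d-B--
GET http://www.example.org/ HTTP/1.1
Host: www.example.org

--0badf00d-H--
Message: Access denied with code 400 (phase 2). Pattern match "^\\w+:/" at REQUEST_URI_RAW. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "76"] [id "960014"] [msg "Proxy access attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"]
--0badf00d-Z--
"""


def parse_audit_log(text):
    """Split a serial audit log into {boundary: {part_letter: body}}."""
    transactions = {}
    markers = list(PART_RE.finditer(text))
    for i, m in enumerate(markers):
        boundary, part = m.group(1), m.group(2)
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        transactions.setdefault(boundary, {})[part] = text[m.end():end].strip("\n")
    return transactions


def request_uri_raw(tx):
    """The URI exactly as sent on the request line (part B), which is what
    REQUEST_URI_RAW holds: scheme and host included if the client sent them."""
    return tx["B"].splitlines()[0].split(" ")[1]


def refresh_target(tx):
    """URL from the response's Refresh header (part F), or None if absent."""
    m = REFRESH_RE.search(tx.get("F", ""))
    return m.group(1) if m else None


def rule_ids_fired(tx):
    """Rule ids named in the Message: lines of part H."""
    return [m.group(1) for m in MSG_RE.finditer(tx.get("H", ""))]


def triage(text):
    """One row per transaction: did 960014 log, and does the logged request
    URI (or the Refresh URL) actually match its pattern?  A row where the rule
    fired but the logged URI does not match is the anomaly Ofer points at."""
    rows = []
    for boundary, tx in parse_audit_log(text).items():
        uri = request_uri_raw(tx)
        refresh = refresh_target(tx)
        rows.append({
            "id": boundary,
            "uri": uri,
            "fired_960014": "960014" in rule_ids_fired(tx),
            "uri_matches": RULE_960014.match(uri) is not None,
            "refresh_matches": bool(refresh and RULE_960014.match(refresh)),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT_LOG):
        print(row)
```

On a real log, feed the file contents to triage() and look for rows with fired_960014 true and uri_matches false: those are the requests whose URI ModSecurity saw in a different form from what the audit log recorded, and they are the ones to chase in the debug log (search it for the request id from part A). Rows where both are true are genuine absolute-URI requests, which is what the rule was written for.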