mod-security-users

[mod-security-users] Directory traversal directive not working

[<lde...@ne...>]

Hi,

  I am testing mod_security with 2.0.48 on Solaris 8.
mod_security as been setup as a DSO.
My problem is that the very simple directory traversal directive ( below)
does not work:
SecFilter "\.\./"

The other directives preventing SQL injection or XSS work fine for me.
I have configured mod_security to return a HTTP 500 error and i am testin=
g
the directory traversal directly from the command line with the runtest.p=
l
script.
Exemple:
./run-test.pl webserver1:666 ./03-evasion-traversal.test

I get a HTTP error of 404 instead of 500.

Here 's the request received in the log file:
[08/Jan/2004:18:20:25 +0100] 17.30.5.160 SSLv3 DHE-RSA-AES256-SHA "GET
/cgi-bin/dummy/../modsec-test.pl/keyword HTTP/1.0" 4954
( Just to show it has not been altered between the client and the server)

Note that I have tested the request through a SSL tunnel because Apache
only listens on a SSL port.

Running mod_security in debug mode gives me this:
[08/Jan/2004:18:31:08 +0100]
[webserver1/sid#188130][rid#21a528][/cgi-bin/modsec-test.pl/keyword]
Checking signature "\.\./" at THE_REQUEST

It's strange cause I don't see any  "regex_result: 17 is_allow: 0"
that i see for the other rules. Exemple:
[08/Jan/2004:18:31:08 +0100]
[webtest1/sid#188130][rid#21a528][/cgi-bin/modsec-test.pl/keyword]
check_sig_against_string: string
: /cgi-bin/modsec-test.pl/keyword regex_result: 17 is_allow: 0

Am i missing something?

Thanks in advance,
Luc

Here 's my complete configuration

############################################################

# Turn the filtering engine On or Off
 SecFilterEngine On

# Make sure that URL encoding is valid
 SecFilterCheckURLEncoding On

# Only allow bytes from this range ( ASCII caracters from 32 to 126)
# Avoid some of the buffer overflow attacks
 SecFilterForceByteRange 32 126

# Default action for security filters
 SecFilterDefaultAction "deny,log,status:500"

# Mask the signature of the server
 SecServerSignature "Microsoft-IIS/6.0"

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
 SecAuditEngine RelevantOnly

# The name of the audit log file
 SecAuditLog /var/log/httpd/audit_log

# SecFilterDebugLog /var/log/httpd/modsec_debug_log
# SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
 SecFilterScanPOST On
 SecFilterSelective THE_REQUEST "///"
 SecFilterSelective THE_REQUEST "/\.\.\.\."

# Prevent path traversal (..) attacks
 SecFilter "\.\./"

# WEB-MISC Apache Chunked-Encoding worm attempt
 SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

# WEB-MISC WEB-INF access
 SecFilterSelective THE_REQUEST "/WEB-INF"

# WEB-MISC weblogic view source attempt
 SecFilterSelective THE_REQUEST "\.js\x70"

# Weaker XSS protection but allows common HTML tags
 SecFilter "<( |\n)*script"

# Prevent XSS atacks (HTML/Javascript injection)
 SecFilter "<(.|\n)+>"

# Prevent SQL injection attacks
 SecFilter "delete[[:space:]]+from"
 SecFilter "insert[[:space:]]+into"
 SecFilter "select.+from"

Re: [mod-security-users] Directory traversal directive not working

[Ivan R. <iv...@we...>]

> I am testing mod_security with 2.0.48 on Solaris 8.
> mod_security as been setup as a DSO.
> My problem is that the very simple directory traversal directive ( below)
> does not work:
> SecFilter "\.\./"
 >
 > ...
>  
> Am i missing something?

   The Apache is normalizing the path before mod_security
   gets to it (you can see it in the debug log if you increase
   the verbosity of the log). If you try something like:

   /cgi-bin/modsec-test.pl?p=123/../456

   it will work. Apache only normalizes the data on the
   left hand of the question mark character.

   For some time now I've been thinking whether to move
   mod_security processing into an earlier stage but there
   are so many advantages and disadvantages that I haven't
   made the decision yet.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]