Thread: [mod-security-users] ByteRange Filter not acting as expected.
From: N N. <nan...@ne...> - 2003-11-19 00:14:42
There are 2 requests in question, both of which should be blocked by the byterange filter. Even if it weren't for the byterange filter, the "/scripts" filter should've caught it. At least that's how it looks to my untrained eyes. Interestingly enough, only the second one gets caught (406) by mod_security. Does something really stand out here that didn't catch my eye? I have attached relevant portions of the logs/configs. Need more info? Please ask.

-Nair

/var/log/httpd/access_log:

209.xxx.xxx.xxx - - [18/Nov/2003:10:38:08 -0900] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 353
209.xxx.xxx.xxx - - [18/Nov/2003:10:38:08 -0900] "GET /errors/error.css HTTP/1.1" 200 473
209.xxx.xxx.xxx - - [18/Nov/2003:10:38:35 -0900] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 406 353
209.xxx.xxx.xxx - - [18/Nov/2003:10:38:35 -0900] "GET /errors/error.css HTTP/1.1" 200 473
(END)

/var/log/httpd/sec_audit_log:

========================================
Request: 209.xxx.xxx.xxx - - [[18/Nov/2003:10:38:35 --0900]] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 406 353
Handler: (null)
----------------------------------------
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1
Host: www.mydomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
mod_security-message: Invalid character detected

HTTP/1.1 406 Not Acceptable
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

(END)

/var/log/httpd/sec_debug_log:

...
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bcec0][/errors/404.html] Filtering off for a subrequest.
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bcec0][/errors/404.html] sec_pre: Filtering off for a subrequest.
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/top.html] Filtering off for a subrequest.
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/top.html] sec_pre: Filtering off for a subrequest.
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/bottom.html] Filtering off for a subrequest.
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/bottom.html] sec_pre: Filtering off for a subrequest.
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bcec0][/errors/404.html] sec_logger: start
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81bcec0][/errors/404.html] Audit log: ignoring a non-relevant request [content-type=text/html]
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking with per-dir-config [:null][/errors/error.css]
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] read_post_payload: skipping a non-POST request
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "^/[Ss][Cc][Rr][Ii][Pp][Tt][Ss]?" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "^/[Mm][Ss][Aa][Dd[Cc]" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "_[Vv][Tt][Ii]_[Bb][Ii][Nn]" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "_[Mm][Ee][Mm]_[Bb][Ii][Nn]" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "[Ww][Ii][Nn][Nn][Tt]" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "/etc/password" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "\.\./" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "<( |\n)*script" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "<(.|\n)+>" at THE_REQUEST
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] sec_pre: scan_output = -1
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] sec_pre: Output filtering off here.
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] sec_logger: start
[18/Nov/2003:10:38:08 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Audit log: ignoring a non-relevant request [content-type=text/css]
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bbcf8][/scripts/..Á../winnt/system32/cmd.exe] Checking with per-dir-config [:null][/scripts/..Á../winnt/system32/cmd.exe]
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bbcf8][/scripts/..Á../winnt/system32/cmd.exe] Invalid character detected [193]
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bd6f8][/errors/406.html] Filtering off for a subrequest.
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bd6f8][/errors/406.html] sec_pre: Filtering off for a subrequest.
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/top.html] Filtering off for a subrequest.
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/top.html] sec_pre: Filtering off for a subrequest.
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/bottom.html] Filtering off for a subrequest.
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bdd00][/errors/include/bottom.html] sec_pre: Filtering off for a subrequest.
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81bd6f8][/errors/406.html] sec_logger: start
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking with per-dir-config [:null][/errors/error.css]
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] read_post_payload: skipping a non-POST request
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "^/[Ss][Cc][Rr][Ii][Pp][Tt][Ss]?" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "^/[Mm][Ss][Aa][Dd[Cc]" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "_[Vv][Tt][Ii]_[Bb][Ii][Nn]" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "_[Mm][Ee][Mm]_[Bb][Ii][Nn]" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "[Ww][Ii][Nn][Nn][Tt]" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "/etc/password" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "\.\./" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "<( |\n)*script" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Checking signature "<(.|\n)+>" at THE_REQUEST
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] sec_pre: scan_output = -1
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] sec_pre: Output filtering off here.
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] sec_logger: start
[18/Nov/2003:10:38:35 --0900] [www.mydomain.com/sid#80b8308][rid#81b7ce8][/errors/error.css] Audit log: ignoring a non-relevant request [content-type=text/css]
...
(END)

========================================================================

OS: Linux - RH 8.0 based ( kernel.org 2.4.20 with cryptoloop patch )
mod_security: mod_security_1.7.3 ( compiled from source as a dynamic module )
Server version: Apache/2.0.48 ( compiled from source )
cc: gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
glibc: 2.3.2

/etc/httpd/conf/httpd.conf:

...
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecServerResponseToken On

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/sec_audit_log
SecFilterDebugLog /var/log/httpd/sec_debug_log
SecFilterDebugLevel 3
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:406"

# Disallow by byterange
SecFilterForceByteRange 32 126

# stupid CodeRed/Nimda bots. Usual stuff, don't log.
SecFilter "^/[Ss][Cc][Rr][Ii][Pp][Tt][Ss]?" "deny,nolog,status:406"
SecFilter "^/[Mm][Ss][Aa][Dd[Cc]" "deny,nolog,status:406"
SecFilter "_[Vv][Tt][Ii]_[Bb][Ii][Nn]" "deny,nolog,status:406"
SecFilter "_[Mm][Ee][Mm]_[Bb][Ii][Nn]" "deny,nolog,status:406"
SecFilter "[Ww][Ii][Nn][Nn][Tt]" "deny,nolog,status:406"

# Prevent OS specific keywords
SecFilter /etc/password

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
</IfModule>
...
...
(END)

http://www.mydomain.com/server-info:

...
Module Name: mod_security.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config
Request Phase Participation: Fixups, Logging
...
...
Current Configuration:
SecFilterEngine On
SecFilterCheckURLEncoding On
SecServerResponseToken On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/sec_audit_log
SecFilterDebugLog /var/log/httpd/sec_debug_log
SecFilterDebugLevel 3
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
SecFilterForceByteRange 32 126
SecFilter "^/[Ss][Cc][Rr][Ii][Pp][Tt][Ss]?" "deny,nolog,status:406"
SecFilter "^/[Mm][Ss][Aa][Dd[Cc]" "deny,nolog,status:406"
SecFilter "_[Vv][Tt][Ii]_[Bb][Ii][Nn]" "deny,nolog,status:406"
SecFilter "_[Mm][Ee][Mm]_[Bb][Ii][Nn]" "deny,nolog,status:406"
SecFilter "[Ww][Ii][Nn][Nn][Tt]" "deny,nolog,status:406"
SecFilter /etc/password
SecFilter "\.\./"
SecFilter "<( |\n)*script"
SecFilter "<(.|\n)+>"
...
(End)
From: Ivan R. <iv...@we...> - 2003-11-19 00:35:21
> Interestingly enough, only the second one gets caught (406) by
> mod_security. Does something really stand out here that didn't catch my eye?

It's Apache. If it finds an encoded / character (using %2f) it returns a 404 early in the request processing phase, and before it reaches mod_security.

Try these two:

http://www.modsecurity.org/documentation/index.html
http://www.modsecurity.org/documentation%2findex.html

Some Web servers (IIS, I believe) would return the same document for both requests. Whisker uses this Apache behavior to fingerprint it.

I've thought of making mod_security modify this behavior, but I'm not quite sure about it yet.

...

BTW. mod_security rules are case insensitive. Your rule:

SecFilter "[Ww][Ii][Nn][Nn][Tt]"

should be equivalent to

SecFilter "winnt"

Also, if the string appears only in the URL (and not POST), you should consider using

SecFilterSelective REQUEST_URI "winnt"

as it is more efficient.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
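The processing order Ivan describes, replayed over the two request lines from the access_log above, as an added example that is not code from the thread, from Apache or from mod_security. It models four steps: Apache core rejecting an encoded slash in the path (the AllowEncodedSlashes directive, Off by default) before any module runs; SecFilterCheckURLEncoding; SecFilterForceByteRange 32 126 on the decoded bytes; and finally the SecFilter rules from the quoted httpd.conf, compiled case-insensitively. The step order is inferred from the debug log (the byte-range message appears with no signature checks before it) and from Ivan's reply; that a plain SecFilter is applied to the decoded URI plus the POST payload, while SecFilterSelective REQUEST_URI sees the URI only, is an assumption of the model, not mod_security's own dispatch.

```python
import re
from urllib.parse import unquote_to_bytes

# The two request lines from the access_log quoted in the thread.
FIRST = "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.1"
SECOND = "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1"

# SecFilterForceByteRange 32 126: every byte of the decoded request must be
# printable ASCII; the first offender is reported, as in the debug log.
BYTE_RANGE = (32, 126)

# The SecFilter rules from the quoted httpd.conf (actions omitted).  A location
# of "THE_REQUEST" stands for a plain SecFilter, which this model applies to the
# decoded URI and to the POST payload; "REQUEST_URI" stands for
# SecFilterSelective REQUEST_URI, which looks at the URI only.  This mapping is
# an assumption made for the model, not mod_security's own dispatch.
RULES = [
    ("THE_REQUEST", r"^/[Ss][Cc][Rr][Ii][Pp][Tt][Ss]?"),
    ("THE_REQUEST", r"^/[Mm][Ss][Aa][Dd[Cc]"),
    ("THE_REQUEST", r"_[Vv][Tt][Ii]_[Bb][Ii][Nn]"),
    ("THE_REQUEST", r"_[Mm][Ee][Mm]_[Bb][Ii][Nn]"),
    ("THE_REQUEST", r"[Ww][Ii][Nn][Nn][Tt]"),
    ("THE_REQUEST", r"/etc/password"),
    ("THE_REQUEST", r"\.\./"),
    ("THE_REQUEST", r"<( |\n)*script"),
    ("THE_REQUEST", r"<(.|\n)+>"),
]


def scan_rules(uri, body, rules=RULES):
    """Return the first rule pattern that matches, or None.

    Patterns are compiled case-insensitively, as Ivan notes mod_security does,
    so "[Ww][Ii][Nn][Nn][Tt]" and "winnt" behave identically here.
    """
    for location, pattern in rules:
        targets = [uri] if location == "REQUEST_URI" else [uri, body]
        for text in targets:
            if text is not None and re.search(pattern, text, re.IGNORECASE):
                return pattern
    return None


def first_out_of_range(data):
    """Return the first byte outside BYTE_RANGE, or None if all are inside."""
    lo, hi = BYTE_RANGE
    return next((b for b in data if not lo <= b <= hi), None)


def process(request_line, body=None, allow_encoded_slashes=False):
    """Model the path a request takes through Apache core and then mod_security.

    Returns (status, reason).  allow_encoded_slashes=False models Apache's
    default (AllowEncodedSlashes Off): an encoded slash in the path is
    answered with 404 before any module's filters run.
    """
    _method, target, _version = request_line.split(" ")
    path = target.split("?", 1)[0]

    # 1. Apache core: %2F in the path never reaches mod_security.
    if not allow_encoded_slashes and re.search(r"%2[fF]", path):
        return (404, "rejected by Apache core: encoded slash in path")

    # 2. SecFilterCheckURLEncoding On: a '%' must be followed by two hex digits.
    if re.search(r"%(?![0-9a-fA-F]{2})", target):
        return (406, "invalid URL encoding")

    # 3. SecFilterForceByteRange: checked on the decoded bytes before any
    #    signature, which is why the debug log shows no signature checks for
    #    the request that produced "Invalid character detected [193]".
    decoded = unquote_to_bytes(target)
    bad = first_out_of_range(decoded)
    if bad is not None:
        return (406, f"Invalid character detected [{bad}]")

    # 4. Signature rules, in configuration order.
    hit = scan_rules(decoded.decode("latin-1"), body)
    if hit is not None:
        return (406, f"matched {hit!r}")
    return (200, "passed")


if __name__ == "__main__":
    for line in (FIRST, SECOND):
        print(line.split(" ")[1], "->", process(line))
    print("first request if Apache let the %2f through ->",
          process(FIRST, allow_encoded_slashes=True))
```

Run as-is, the first request comes back 404 from the Apache step and the second 406 with byte 193 (0xC1), matching the access_log and the "Invalid character detected [193]" line in the debug log. Passing allow_encoded_slashes=True shows what would happen if the first request did reach mod_security: the byte-range check stops it on 192 (0xC0) before the "/scripts" rule is ever consulted, so the rule would only be reached for a request whose bytes are all in range. The rules parameter of scan_rules lets you compare Ivan's two forms: with [("REQUEST_URI", "winnt")] the string is still caught in a URI, but the same string in a POST body is no longer inspected, which is the trade-off behind "more efficient".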
From: N N. <nan...@ne...> - 2003-11-19 00:53:09
iv...@we... wrote:
>
>> Interestingly enough, only the second one gets caught (406) by
>> mod_security. Does something really stand out here that didn't catch
>> my eye?
>
>
> It's Apache. If it finds an encoded / character (using %2f) it
> returns a 404 early in the request processing phase, and before
> it reaches mod_security.
>
> Try these two:
>
> http://www.modsecurity.org/documentation/index.html
> http://www.modsecurity.org/documentation%2findex.html
>
> Some Web servers (IIS, I believe) would return the same document
> for both requests. Whisker uses this Apache behavior to fingerprint
> it.
>
> I've thought of making mod_security modify this behavior,
> but I'm not quite sure about it yet.
>
> ...
>
> BTW. mod_security rules are case insensitive. Your rule:
>
> SecFilter "[Ww][Ii][Nn][Nn][Tt]"
>
> should be equivalent to
>
> SecFilter "winnt"
>
> Also, if the string appears only in the URL (and not POST),
> you should consider using
>
> SecFilterSelective REQUEST_URI "winnt"
>
> as it is more efficient.

Whoa. That was a super-fast response, Ivan. As you can see, I'm playing around with the beginner example rules (pasted from the web) since I installed it y'day. Thanks for your suggestions. Sounds like I have some more reading to do ;) before I can become a power user. Understood. Over and out.