Thread: [mod-security-users] Problem with url parsing
From: Kin <lu...@gm...> - 2005-03-22 10:43:33
First of all: sorry for my English.

Ten days ago, after a "replacement", my provider installed (or updated? I don't know) mod_security. But there are some problems now.

In my discussion forum, people get lots of 403 (forbidden) errors.
I think the problem is these filters:

# WEB-ATTACKS /bin/ps command attempt
SecFilter "/bin/ps"
# WEB-ATTACKS ps command attempt
#SecFilterSelective THE_REQUEST "ps" chain
#SecFilter\x20" "deny,log"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS echo command attempt
SecFilterSelective THE_REQUEST "/bin/echo" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS chmod command attempt
SecFilterSelective THE_REQUEST "/bin/chmod" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS chgrp command attempt
SecFilterSelective THE_REQUEST "/chgrp" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS chown command attempt
#SecFilter "/chown"
#SecFilter "\x20"
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilterSelective THE_REQUEST "tftp" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS gcc command attempt
SecFilterSelective THE_REQUEST "gcc\" chain
SecFilter "x20-o" "deny,log"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS cc command attempt
#SecFilterSelective THE_REQUEST "cc" chain
#SecFilter "\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS cpp command attempt
SecFilterSelective THE_REQUEST "cpp" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS g++ command attempt
SecFilterSelective THE_REQUEST "g\+\+\x20" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS python access attempt
#SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
# WEB-ATTACKS perl execution attempt
#SecFilterSelective THE_REQUEST "perl" chain
#SecFilter "\x20" "deny,log"
#curl protection
SecFilter "curl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilterSelective THE_REQUEST "traceroute" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS netcat command attempt
#SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
#SecFilter "nmap\x20"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls" chain
SecFilter "\x20" "deny,log"
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass

And in particular:

# WEB-ATTACKS ps command attempt
#SecFilterSelective THE_REQUEST "ps" chain
#SecFilter\x20" "deny,log"
# WEB-ATTACKS cc command attempt
#SecFilterSelective THE_REQUEST "cc" chain
#SecFilter "\x20"
# WEB-ATTACKS perl execution attempt
#SecFilterSelective THE_REQUEST "perl" chain
#SecFilter "\x20" "deny,log"

I copied and pasted this after a quick search on Google; I did not take them from my server config.

The problem is that when users of the bulletin board try to send a message with a "cc ", "ps ", "perl " in it, they get a 403 error.

For example if I try to send the message:
"Disable caps lock key"

It returns an error for the "ps "

"perl is a great language" (403 forbidden)

"1, 2, 3, ecc ecc" (403 forbidden)
(ecc is "etc" in Italian and is used very often)

"ps (post scriptum): bla bla bla" (403 forbidden)

It's a big problem for me, what can I do with this?
Please let me know something.
From: Ivan R. <iv...@we...> - 2005-03-22 11:03:27
Kin wrote:
> First of all: sorry for my English.
>
> Ten days ago, after a "replacement", my provider installed (or updated?
> I don't know) mod_security. But there are some problems now.
>
> In my discussion forum, people get lots of 403 (forbidden) errors.
> I think the problem is these filters:
>
> ...
>
> I copied and pasted this after a quick search on Google; I did not take them
> from my server config.
>
> The problem is that when users of the bulletin board try to send a message with a
> "cc ", "ps ", "perl " in it, they get a 403 error.
>
> For example if I try to send the message:
> "Disable caps lock key"
>
> It returns an error for the "ps "
>
> "perl is a great language" (403 forbidden)
>
> "1, 2, 3, ecc ecc" (403 forbidden)
> (ecc is "etc" in Italian and is used very often)
>
> "ps (post scriptum): bla bla bla" (403 forbidden)
>
> It's a big problem for me, what can I do with this?
> Please let me know something.

Complain to your hosting provider. Some people seem to think they can
just copy anything they find on the Internet, put it into httpd.conf,
and magically solve all their security problems. (I don't know if this
is the case with your provider but it sure sounds like it is.)

ModSecurity can solve problems only when people know what they are
doing. To create a secure hosting environment one must design systems
for security. It's not the easiest job in the world, but it isn't
rocket science either.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
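
The false positives reported in this thread can be reproduced offline by running the three keyword rules over the benign forum messages quoted above. This is an added example, not part of the original posts or of ModSecurity; it assumes each rule behaves as a case-insensitive, unanchored regex applied to the message text, and BOUNDARY_RULES is a hypothetical variant included for comparison.

```python
import re

# Keyword patterns from the rules quoted in the thread ("\x20" is a space).
# Assumption: unanchored, case-insensitive matching against the message text.
SUBSTRING_RULES = {
    "ps command attempt": r"ps\x20",
    "cc command attempt": r"cc\x20",
    "perl execution attempt": r"perl\x20",
}

# Hypothetical variant (not from the thread): require a leading word boundary.
BOUNDARY_RULES = {name: r"\b" + pat for name, pat in SUBSTRING_RULES.items()}

# Benign forum messages quoted in the thread.
BENIGN_MESSAGES = [
    "Disable caps lock key",
    "perl is a great language",
    "1, 2, 3, ecc ecc",
    "ps (post scriptum): bla bla bla",
]


def false_positives(rules, messages):
    """Map each benign message to the names of the rules that would deny it."""
    compiled = {n: re.compile(p, re.IGNORECASE) for n, p in rules.items()}
    return {m: [n for n, rx in compiled.items() if rx.search(m)]
            for m in messages}


def blocked_count(rules, messages):
    """Number of benign messages that at least one rule would deny."""
    return sum(1 for hits in false_positives(rules, messages).values() if hits)


if __name__ == "__main__":
    for label, rules in (("substring", SUBSTRING_RULES),
                         ("word boundary", BOUNDARY_RULES)):
        total = len(BENIGN_MESSAGES)
        print(f"{label}: {blocked_count(rules, BENIGN_MESSAGES)} of {total} blocked")
        for msg, hits in false_positives(rules, BENIGN_MESSAGES).items():
            print(f"  {msg!r:36} -> {hits or 'pass'}")
```

Adding a word boundary clears "caps " and "ecc ", but "perl is a great language" and "ps (post scriptum)" are still denied, because a keyword followed by a space is ordinary prose in a forum post.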