mod-security-users

RE: [mod-security-users] Directive SecUploadApproveScript

[Tomas H. S. <thi...@te...>]

Ivan Ristic wrote:

>  SecUploadApproveScript does not support a custom action list yet.
>  (I've added your request to my TODO list too).
>
>  Try something like this (just an idea, I haven't tried it myself):
>
>  <Location /path/to/your/upload/script>
>      SecFilterDefaultAction ...
>      SecUploadApproveScript ...
>  </Location>

I have test the following option in my apache. It has not worked.  :-(
Also I have proven the same configuration without the option of =
SecFilterInheritance.
The mod_security-action would have to be 444, instead of 403.

a)
<Directory "/myscripts">
    SecFilterInheritance Off
    SecFilterDefaultAction "pass,log,status:444"
    SecUploadApproveScript /myscripts/verificar_upload_webmail.pl
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

b)
<Location "/myscripts">
    SecFilterInheritance Off
    SecFilterDefaultAction "pass,log,status:444"
    SecUploadApproveScript /myscritps/verificar_upload_webmail.pl
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Location>

The log:

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
UNIQUE_ID: kf7FOMCoyZgAAEUGB28AAAAJ
Request: 192.168.207.1 - - [04/Nov/2005:13:37:37 +0100] "POST =
/webmail/upload.php?sid=3D{436B52D24EDEE-436B52D253C10-1131107026} =
HTTP/1.1" 403 220
Handler: php-script
----------------------------------------
POST /webmail/upload.php?sid=3D{436B52D24EDEE-436B52D253C10-1131107026} =
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, =
application/x-shockwave-flash, application/vnd.ms-excel, =
application/vnd.ms-powerpoint, application/msword, */*
Referer: =
https://correo.test.es/webmail/upload.php?sid=3D{436B52D24EDEE-436B52D253=
C10-1131107026}&tid=3D0&lid=3D0
Accept-Language: es
Content-Type: multipart/form-data; =
boundary=3D---------------------------7d5239e1604bc
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; =
InfoPath.1)
Host: correo.test.es
Content-Length: 882
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: =
{436B52D24EDEE-436B52D253C10-1131107026}=3D%7B436B52D24EDEE-436B52D253C10=
-1131107026%7D
mod_security-message: Error verifying files: File =
"/tmp/20051104-133736-192.168.207.1-clam.cab" rejected by the approver =
script "/myscripts/verificar_upload_webmail.pl"
mod_security-action: 403

57
[@file:20051104-133736-192.168.207.1-request_body-EYLTfT]

HTTP/1.1 403 Forbidden
Content-Length: 220
Connection: close
Content-Type: text/html; charset=3Diso-8859-1


The apache error-log:

[Fri Nov 04 13:37:37 2005] [error] [client 192.168.207.1] mod_security: =
Access denied with code 403. Error verifying files: File =
"/tmp/20051104-133736-192.168.207.1-clam.cab" rejected by the approver =
script "/myscripts/verificar_upload_webmail.pl" [hostname =
"correo.test.es"] [uri =
"/webmail/upload.php?sid=3D{436B52D24EDEE-436B52D253C10-1131107026}"] =
[unique_id kf7FOMCoyZgAAEUGB28AAAAJ]

Many thanks for you help.


Tom=E1s Hidalgo Salvador
thi...@te...
Dpto. Sistemas Unix
Tlf.: 2333
DSF Almariya

RE: [mod-security-users] Directive SecUploadApproveScript

[Tomas H. S. <thi...@te...>]

Thanks Ivan!!!

I am going to make the tests with more tranquillity. Too much work!

To you I will maintain informed...  ;-)

Many thanks for you help.



Tom=E1s Hidalgo Salvador
thi...@te...
Dpto. Sistemas Unix
Tlf.: 2333
DSF Almariya

-----Mensaje original-----
De: Ivan Ristic [mailto:iv...@we...]=20
Enviado el: viernes, 04 de noviembre de 2005 14:22
Para: Tomas Hidalgo Salvador
CC: mod...@li...
Asunto: Re: [mod-security-users] Directive SecUploadApproveScript

Tomas Hidalgo Salvador wrote:
> Ivan Ristic wrote:
>=20
>> SecUploadApproveScript does not support a custom action list yet.
>> (I've added your request to my TODO list too).
>>
>> Try something like this (just an idea, I haven't tried it myself):
>>
>> <Location /path/to/your/upload/script>
>>     SecFilterDefaultAction ...
>>     SecUploadApproveScript ...
>> </Location>
>=20
> I have test the following option in my apache. It has not worked.  :-(
> Also I have proven the same configuration without the option of =
SecFilterInheritance.
> The mod_security-action would have to be 444, instead of 403.
>=20
> a)
> <Directory "/myscripts">
>     SecFilterInheritance Off
>     SecFilterDefaultAction "pass,log,status:444"
>     SecUploadApproveScript /myscripts/verificar_upload_webmail.pl
>     Options FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>

  "status" only works if it is used together with "deny". If you
  use "pass" ModSecurity won't do anything about a problem it
  encounters.

--=20
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Re: [mod-security-users] Directive SecUploadApproveScript

[Ivan R. <iv...@we...>]

Tomas Hidalgo Salvador wrote:
> Ivan Ristic wrote:
> 
>> SecUploadApproveScript does not support a custom action list yet.
>> (I've added your request to my TODO list too).
>>
>> Try something like this (just an idea, I haven't tried it myself):
>>
>> <Location /path/to/your/upload/script>
>>     SecFilterDefaultAction ...
>>     SecUploadApproveScript ...
>> </Location>
> 
> I have test the following option in my apache. It has not worked.  :-(
> Also I have proven the same configuration without the option of SecFilterInheritance.
> The mod_security-action would have to be 444, instead of 403.
> 
> a)
> <Directory "/myscripts">
>     SecFilterInheritance Off
>     SecFilterDefaultAction "pass,log,status:444"
>     SecUploadApproveScript /myscripts/verificar_upload_webmail.pl
>     Options FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>

  "status" only works if it is used together with "deny". If you
  use "pass" ModSecurity won't do anything about a problem it
  encounters.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org