mod-security-users

[mod-security-users] more on clamAV and mod_security

[Justin G. <web...@sw...>]

hi,

I gave another shot to this setup, on a different server using apache2, modsec 1.9 (stable) and PHP.
This server only serves a webmail system - SquirrelMail.

The script works OK here, no su_exec or permissions problems.
If I upload an attachment to the message in SM, it gets scanned OK.
When I hit the "Send" button to actually have the message sent, I get 500 error.
Look like modsec thinks I'm uploading a file again and looks for an uploaded file again.

This is the error from audit_log:

mod_security-message: Access denied with code 500. Error verifying files: File 
"/tmp/webfiles/20051123-025721-XXX.XXX.XXX.XXX-" rejected by the approver script "/var/www/cgi-bin//modsec-clamscan.pl"

(no file name is after the dash)

please advise if this can be sorted out.

After all, what application needs this feature more than a Webmail system? :)

thanks,
	Justin

Re: [mod-security-users] more on clamAV and mod_security

[Ivan R. <iv...@we...>]

Justin Grindea wrote:
> hi,
> 
> I gave another shot to this setup, on a different server using apache2,
> modsec 1.9 (stable) and PHP.
> This server only serves a webmail system - SquirrelMail.
> 
> The script works OK here, no su_exec or permissions problems.
> If I upload an attachment to the message in SM, it gets scanned OK.
> When I hit the "Send" button to actually have the message sent, I get
> 500 error.
> Look like modsec thinks I'm uploading a file again and looks for an
> uploaded file again.
> 
> This is the error from audit_log:
> 
> mod_security-message: Access denied with code 500. Error verifying
> files: File "/tmp/webfiles/20051123-025721-XXX.XXX.XXX.XXX-" rejected by
> the approver script "/var/www/cgi-bin//modsec-clamscan.pl"
> 
> (no file name is after the dash)

  That looks like the script is rejecting an empty file (which
  it should not do). Can you increase the debug log level to at
  least 2, try that again, and then look in the debug log for
  a line that begins with "Approver script said:"?

  What did the approver script say?

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Re: [mod-security-users] more on clamAV and mod_security

[Ivan R. <iv...@we...>]

Justin Grindea wrote:
> hi,
> 
> [23/Nov/2005:19:46:47 +0200]
> [XXX/sid#810a3c8][rid#8248ee0][/src/compose.php][2] Approver script
> said: 0 Unable to parse clamscan output
> [/tmp/webfiles/20051123-194646-xxx.xxx.xxx.xxx-: Empty file]
>
> ...
>
> maybe empty files can be ignored and modsec can check if return is 1 or
> anything else?

  It's supposed to work that way. They appear to have changed the
  format of the error message.

  Try chaning this line (in modsec-clamav.pl):

  if ($error_message =~ m/: Empty file\.$/) {

  to

  if ($error_message =~ m/: Empty file$/) {

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org