Thread: [mod-security-users] Inspecting uploaded file
From: Torsten L. <Tor...@co...> - 2007-07-16 20:57:21
Hi all,

I'm using mod security with ClamAV to inspect uploaded files. The daemon of ClamAV 'clamd' runs under a different user than the one apache is installed in, but the same group. To make sure that ClamAV has access to the files extracted, I added a 'chmod 644' before running clamd on the file.

Normally everything works fine, but there are some cases when clamd says 'Access denied' and the upload gets denied. This happens very rarely and only if it is a multipart request, but there is no file upload included. My suspicion is that mod security recognizes that there is no file upload or other things and hence does not save the file to disk, but calls the rule to inspect the file anyway. Or maybe the file is still somehow in use by mod security when calling clamd?

Does anyone have an idea what could be the reason, and maybe how to implement a workaround?

Thank you,
Torsten
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-07-16 22:11:04
You may want to take a look at the 1.9 documentation sections for the file upload scanning - http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html#N1083F. There is an example PERL script to help with integration with ClamAV and it includes an error message portion to handle EMPTY files. While Mod 2.0 introduced the @inspectFile operator, most of this info is still valid.

One thing you might want to do is to change your current rule to first check the Content-Length for a body size >0 before you run the inspectFile operator w/ClamAV.

Hopefully this helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Torsten Lunze
Sent: Monday, July 16, 2007 4:57 PM
To: mod...@li...
Subject: [mod-security-users] Inspecting uploaded file

Hi all,

I'm using mod security with ClamAV to inspect uploaded files. The daemon of ClamAV 'clamd' runs under a different user than the one apache is installed in, but the same group. To make sure that ClamAV has access to the files extracted, I added a 'chmod 644' before running clamd on the file.

Normally everything works fine, but there are some cases when clamd says 'Access denied' and the upload gets denied. This happens very rarely and only if it is a multipart request, but there is no file upload included. My suspicion is that mod security recognizes that there is no file upload or other things and hence does not save the file to disk, but calls the rule to inspect the file anyway. Or maybe the file is still somehow in use by mod security when calling clamd?

Does anyone have an idea what could be the reason, and maybe how to implement a workaround?

Thank you,
Torsten
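One way to write the script that @inspectFile calls so that the cases raised in this thread (a multipart request with no file part, an empty file, a clamd 'Access denied') each get a distinct verdict. This is an added example, not code from either poster or from the ModSecurity documentation; the clamdscan invocation, the SCANNER variable, the placeholder script path and the policy of accepting when there is no file to scan are assumptions.

```shell
#!/bin/sh
# Added example: approver script for a rule such as
#   SecRule FILES_TMPNAMES "@inspectFile /path/to/this-script"   (placeholder path)
# ModSecurity reads the script's first output line: a leading "1" accepts
# the file, anything else makes the rule match.
# Assumption: clamdscan exit codes are 0 = clean, 1 = virus found, 2 = error.
SCANNER="${SCANNER:-clamdscan --no-summary --stdout}"

inspect_upload() {
    f="$1"
    # Multipart request without a file part: nothing was written to disk.
    if [ -z "$f" ] || [ ! -e "$f" ]; then
        echo "1 no file on disk, nothing to scan"
        return 0
    fi
    # Zero-length upload: nothing for the scanner to read.
    if [ ! -s "$f" ]; then
        echo "1 empty file, scan skipped"
        return 0
    fi
    # clamd shares Apache's group in this setup, so group read is enough;
    # 'chmod 644' would also grant read to every other local user.
    chmod g+r "$f" 2>/dev/null || true
    rc=0
    out=$($SCANNER "$f" 2>&1) || rc=$?
    case "$rc" in
        0) echo "1 clean" ;;
        1) echo "0 virus found: $out" ;;
        # Fail closed, but keep the scanner's message (for example
        # 'Access denied') so the audit log separates errors from detections.
        *) echo "0 scanner error (rc=$rc): $out" ;;
    esac
    return 0
}

# Run as a script only when a path argument is given.
[ "$#" -eq 0 ] || inspect_upload "$1"
```

With the missing-file and empty-file cases answered before the scanner is called, any remaining 'Access denied' points at permissions on the upload directory or file rather than at a request that carried no upload.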