Thread: [mod-security-users] mod_security blocking many PHPMyAdmin functions
From: Kai S. <mai...@co...> - 2006-05-22 00:19:56
mod_security blocks many of the PHPMyAdmin actions/pages (different pages on different PHPMyAdmin pages). There's already a rule that excludes some rules for applying to PHPMyAdmin. But it's not enough. How can I expand that?

#PhpMyadmin
<LocationMatch "/tbl_change.php">
SecFilterRemove 300016
</LocationMatch>

mod_security still blocks this page, probably because it doesn't exclude all possible matches. It seems to apply to the line below (from rules.conf) with "id:300016". It's not clear to me if it applies to the next line as well. It's obviously the next line that triggers the blocking because there's a "select from" statement in the URL (many of the PHPMyAdmin URLs contain complete SQL queries). How can I exclude that next line for this page as well?

#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective REQUEST_URI "!(/forum/posting\.php)" "chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"

Kai
From: Ivan R. <iva...@gm...> - 2006-05-22 08:56:41
On 5/22/06, Kai Schaetzl <mai...@co...> wrote:
> mod_security blocks many of the PHPMyAdmin actions/pages
> (different pages on different PHPMyAdmin pages).

Surely you mean to say your ModSecurity *configuration* blocks the PHPMyAdmin pages? :)

> There's
> already a rule that excludes some rules for applying to
> PHPMyAdmin. But it's not enough. How can I expand that?
>
> #PhpMyadmin
> <LocationMatch "/tbl_change.php">
> SecFilterRemove 300016
> </LocationMatch>
>
> mod_security still blocks this page, probably because it doesn't
> exclude all possible matches. It seems to apply to the line below
> (from rules.conf) with "id:300016".
> It's not clear to me if it applies to the next line as well.

Rule IDs are applied either to rules (single line) or rule chains (multiple lines). Rule 300016 is a chained rule thus exclusion applies to the second line too.

BTW, you should exclude all rules related to SQL Injection in order to get PHPMyAdmin to work properly.

> It's
> obviously the next line that triggers the blocking because there's a
> "select from" statement in the URL (many of the PHPMyAdmin URLs contain complete
> SQL queries).

What is the error message that you get?

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Kai S. <mai...@co...> - 2006-05-22 22:49:19
Ivan Ristic wrote on Mon, 22 May 2006 09:56:32 +0100:

Thanks for your answer!

> Surely you mean to say your ModSecurity *configuration* blocks the
> PHPMyAdmin pages? :)

Well, ultimately it is mod_security, but you are right, it's of course, how it is configured ;-)
I took the rules from http://www.gotroot.com/mod_security+rules, but don't use all of them. I removed the blacklist ones and similar stuff, since they took too much memory for my taste. I also commented out one or two rules from the other files. I didn't change anything else or add my own rules.

> Rule IDs are applied either to rules (single line) or rule chains
> (multiple lines). Rule 300016 is a chained rule thus exclusion applies
> to the second line too.

That's what I thought, too. But since it didn't seem to do this in this case I wasn't sure and I'm very new to mod_security. Maybe it's just a different rule that gets triggered and I'm looking at the wrong one. (yes, see below)

> BTW, you should exclude all rules related to SQL Injection in order to
> get PHPMyAdmin to work properly.

Yes, I understand that. I had hoped that's already been done in the rules from gotroot. At least it's got started by excluding tbl_change.php.

> What is the error message that you get?

I can't reproduce the problem with "tbl_change.php" at the moment, but I get it with sql.php from PHPMyAdmin. I tried to add that page to the exclusions (exclude.conf), but this didn't work. So, here we go:

> mod_security-message: Access denied with code 406. Pattern match
> "select.+from" at REQUEST_URI [severity "EMERGENCY"]
> mod_security-action: 406

The match is correct, it contains a "select ... from" statement. (BTW, no other method to find the correct rule than searching for the pattern, right?)

The only match for this is in rules.conf:

> SecFilterSelective REQUEST_URI "!(/forum/posting\.php)"
> "chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection
> protection'"
> SecFilterSelective ARGS
> "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"

(I don't see that "msg" anywhere, though. It's not in the audit.log and not in the HTTP error page. Shouldn't it get logged instead of or in addition to the message quoted above, at least to the audit log?)

Ok, it's not this rule that hit. That also explains why the message wasn't noted above. I searched all the rules files but I didn't search the main mod_security.conf that (I think) came with mod_security. There are these rules:

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

and it's the last one that gets triggered. It seems all three rules are encompassed by the SQL Injection rules in rules.conf as quoted in my first posting. So, if I keep rules.conf I could probably delete those three, right?

I added an exclusion for sql.php now and that seems to work.

If I wanted to add an exclusion for the simple rule above I would do this like that:

SecFilter "select.+from" "id:uniqueid,rev:x,severity:x,msg:'message'"

is that correct?

BTW, while viewing over the documentation I found some links to your webkreator.com site and read some of the old PHP articles. However, the Techniques section doesn't show the single articles; there seems to be some error with the template.

I'm now trying to understand how the chaining works. Documentation doesn't say anything about finishing it, so I suppose the chaining works only for the next line after the chain action? Is it limited to one line or can I add more lines to a chain by adding the chain action to all of them except the last one? A brief look over the gotroot rules doesn't reveal any chains over more than two lines, so more lines are either not supported or not necessary in most cases.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
From: Ivan R. <iva...@gm...> - 2006-05-23 09:08:15
On 5/22/06, Kai Schaetzl <mai...@co...> wrote:
> The match is correct, it contains a "select ... from" statement. (BTW, no other
> method to find the correct rule than searching for the pattern, right?)

No, unless you have assigned unique IDs to each of your rules. (Which, for example, I did for the Certified ModSecurity Rules.)

> Ok, it's not this rule that hit. That also explains why the message wasn't
> noted above. I searched all the rules files but I didn't search the main
> mod_security.conf that (I think) came with mod_security.
> There are these rules:
> # Very crude filters to prevent SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"
> and it's the last one that gets triggered.
> It seems all three rules are encompassed by the SQL Injection rules in
> rules.conf as quoted in my first posting. So, if I keep rules.conf I
> could probably delete those three, right?

Yes, probably.

> If I wanted to add an exclusion for the simple rule above I would do this like that:
> SecFilter "select.+from" "id:uniqueid,rev:x,severity:x,msg:'message'"
> is that correct?

Exclusion? No, that is a way to add a new rule.

> BTW, while viewing over the documentation I found some links to your webkreator.com
> site and read some of the old PHP articles. However, the Techniques section doesn't show the single articles, there seems to be some error with the template.

Thanks, I'll look into that.

> I'm now trying to understand how the chaining works. Documentation doesn't say anything
> about finishing it so I suppose the chaining works only for the next line after the
> chain action?

Yes.

> Is it limited to one line or can I add more lines to a chain by
> adding the chain action to all of them except the last one?

There's no limit, you can chain any number of rules together.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Kai S. <mai...@co...> - 2006-05-23 11:29:53
Ivan Ristic wrote on Tue, 23 May 2006 10:08:08 +0100:

> > If I wanted to add an exclusion for the simple rule above I would do
> > this like that:
> > SecFilter "select.+from"
> > "id:uniqueid,rev:x,severity:x,msg:'message'"
> > is that correct?
>
> Exclusion? No, that is a way to add a new rule.

I mean I change the existing rule like the above (add a unique id (outside the reserved range)) and then I can exclude that id like it is done in exclude.conf. The other way would be to use the regexp pattern in the rule itself to exclude something, as it is done with many rules in the set from gotroot. But then I would have the disadvantage of managing the differences between my changes and any newer versions of these files.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
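The approach the thread arrives at (give the crude SecFilter rules their own IDs, then remove SQL rules per location) written out as an added example in ModSecurity 1.x syntax. This is not configuration from the thread, from Ivan's rule sets, or from the gotroot files; the IDs 900001 to 900010, the /phpmyadmin/ path prefix and the three-rule chain are assumptions chosen for illustration.

```apache
# Added example (ModSecurity 1.x syntax as used in this thread). Not taken
# from the thread or from the gotroot rule set. IDs 900001-900010 and the
# /phpmyadmin/ prefix are assumptions: pick IDs outside the range your rule
# set reserves and adjust the path to your own installation.

# --- mod_security.conf: give the crude filters IDs so they can be removed
# per location. Without an id there is nothing for SecFilterRemove to name.
SecFilter "delete[[:space:]]+from" "id:900001,rev:1,severity:2,msg:'Crude SQL filter: delete from'"
SecFilter "insert[[:space:]]+into" "id:900002,rev:1,severity:2,msg:'Crude SQL filter: insert into'"
SecFilter "select.+from"           "id:900003,rev:1,severity:2,msg:'Crude SQL filter: select from'"

# --- A chain of more than two rules: every rule except the last carries
# "chain"; the id and the other actions on the first rule cover the whole
# chain, which matches only when all three rules match in order. This
# constructed chain flags a SELECT ... FROM in the arguments of a GET request
# anywhere outside the PHPMyAdmin directory.
SecFilterSelective REQUEST_URI "!^/phpmyadmin/" "chain,id:900010,rev:1,severity:2,msg:'SELECT ... FROM in GET arguments outside PHPMyAdmin'"
SecFilterSelective REQUEST_METHOD "^GET$" "chain"
SecFilterSelective ARGS "select.+from"

# --- exclude.conf: remove the SQL rules only for the PHPMyAdmin scripts
# that legitimately carry whole queries in the request. Removing a chain's
# id removes every rule of that chain, so 300016 drops both of its lines.
# SecFilterInheritance (On by default) has to stay On so the rules from the
# main configuration reach this container and can be removed here.
<LocationMatch "^/phpmyadmin/(sql|tbl_change)\.php">
    SecFilterRemove 300014
    SecFilterRemove 300015
    SecFilterRemove 300016
    SecFilterRemove 900001
    SecFilterRemove 900002
    SecFilterRemove 900003
</LocationMatch>
```

The LocationMatch exclusion applies to every request for those two scripts, not only to the administrator's, so the PHPMyAdmin directory should be protected by its own authentication and access control; the rule removal only stops the SQL signatures from rejecting legitimate queries there. Anchoring the regex with ^ keeps a URL that merely contains "tbl_change.php" further along the path from picking up the exclusion.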