Thread: [mod-security-users] mod_security + webmail + body message
From: Tomas H. S. <thi...@te...> - 2005-10-28 10:06:02
Hi,

I'm tuning mod_security 1.8.7 on Red Hat 3.0 Upgrade 5 (2.4.21-32.ELsmp) + apache 2.0.54 + webmail (uebimiau).

From my own webmail, if, when sending a message, a string entered in the configuration file appears in the body of the message, the message is rejected. For example:

In file mod_security.conf:

SecFilterDefaultAction "deny,log,status:403"
. . . . .
. . . . .
Secfilter /bin/chmod

In the body of the mail message:

"this is an example for the string /bin/chmod"

This generates the following log.

========================================
UNIQUE_ID: jFn6LMCoyZgAABlCGDoAAAAr
Request: 192.168.207.1 - - [28/Oct/2005:10:48:06 +0200] "POST /webmail/newmsg.php HTTP/1.0" 403 220
Handler: php-script
----------------------------------------
POST /webmail/newmsg.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://correo.pruebas.es/webmail/newmsg.php?pag=1&folder=inbox&sid={4361E2260EA50-4361E2261386F-1130488358}&tid=0&lid=0
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: correo.cajamar.es
Content-Length: 363
Cache-Control: no-cache
Cookie: {4361E2260EA50-4361E2261386F-1130488358}=%7B4361E2260EA50-4361E2261386F-1130488358%7D
mod_security-message: Access denied with code 403. Pattern match "/bin/chmod" at POST_PAYLOAD
mod_security-action: 403

363
tipo=send&is_html=true&sid=%7B4361E2260EA50-4361E2261386F-1130488358%7D&lid=0&tid=0&folder=inbox&sig=Tomas+Hidalgo%3Cbr+%2F%3E%0D%0A%28c%29+2005&textmode=&to=...@te...&cc=&bcc=&subject=prueba3&body=%3CBR%3Een+el+cuerpo+del+mensaje+aparece+la+palabra+%2Fbin%2Fchmod%3CBR%3E--%3CBR%3ETomas+Hidalgo%3CBR%3E%28c%29+2005%3CBR%3E%3CBR%3E&priority=3

HTTP/1.0 403 Forbidden
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1

Questions:

1) Is it possible to avoid mod_security verifying the body of the message?
2) Is it coherent to use mod_security with a webmail? I have not found any positive or negative reference.

Many thanks for your help.

Tomás Hidalgo Salvador
thi...@te...
Dpto. Sistemas Unix
DSF Almariya
Almeria - Andalucia - Spain
From: Ryan B. <rcb...@gm...> - 2005-10-28 12:07:21
Tomas - Welcome to my world :) I have been using Apache/Mod_Security as a reverse proxy for Microsoft's Outlook Web Access and have run this same issue. When you are dealing with webmail apps, it gets infinitely more difficult to fine tune your filters. This is due in most part from the concept of mixing HTTP and SMTP. We just have no way to forecast "expected behavior" for what people will write in the body of their emails.

With that being said, you can try some of the following -

1) Turn off PostPayload scanning.
This would certainly stop these errors, but then you would also not be monitoring a key area where attackers target.

2) Use SecFilterSelective instead of SecFilter
SecFilter is too broad. SecFilterSelective will allow you to focus your search to specific request locations. The best locations to look for attacks (excluding the post payload) are THE_REQUEST, QUERY_STRING or choose some specific headers such as COOKIE_VALUES. So, an updated filter would look like this -

SecFilterSelective "THE_REQUEST|COOKIE_VALUES" "/bin/chmod"

Hope this helps.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
From: Ivan R. <iv...@we...> - 2005-10-29 19:05:58
Ryan Barnett wrote:
> Tomas - Welcome to my world :) I have been using Apache/Mod_Security as
> a reverse proxy for Microsoft's Outlook Web Access and have run this
> same issue. When you are dealing with webmail apps, it gets infinitely
> more difficult to fine tune your filters. This is due in most part from
> the concept of mixing HTTP and SMTP. We just have no way to forecast
> "expected behavior" for what people will write in the body of their
> emails.
>
> With that being said, you can try some of the following -
>
> 1) Turn off PostPayload scanning.
> This would certainly stop these errors, but then you would also not be
> monitoring a key area where attackers target.
>
> 2) Use SecFilterSelective instead of SecFilter
> SecFilter is too broad. SecFilterSelective will allow you to focus your
> search to specific request locations. The best locations to look for
> attacks (excluding the post payload) are THE_REQUEST, QUERY_STRING or
> choose some specific headers such as COOKIE_VALUES. So, an updated
> filter would look like this -
>
> SecFilterSelective "THE_REQUEST|COOKIE_VALUES" "/bin/chmod"

Just a small correction: here you really want to use COOKIES_VALUES, because COOKIE_VALUES would only look in a cookie named "values". COOKIES_VALUES (with an "S") examines all cookies present in a request.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
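The difference Ryan and Ivan are describing (SecFilter scanning the POST payload versus SecFilterSelective inspecting only named locations, and COOKIE_name versus COOKIES_VALUES) is easy to see with a small model. The Python below is an added example written for this thread; it is not code from the thread or from mod_security itself. It models the mod_security 1.x location semantics the thread discusses (SecFilter looks at the request line, query string and, with SecFilterScanPOST On, the POST payload; COOKIE_x is one named cookie, COOKIES_VALUES is every cookie value). The request is constructed for the example, loosely modelled on the audit-log entry in the first post, with a placeholder host and fabricated cookie values.

```python
import re
from urllib.parse import unquote_plus

# Constructed request for the example (placeholder host, fabricated cookies);
# the body carries the same kind of webmail text that tripped the filter.
CONSTRUCTED_REQUEST = (
    "POST /webmail/newmsg.php?pag=1&folder=inbox HTTP/1.0\r\n"
    "Host: webmail.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: sid=%7B4361E2260EA50%7D; track=abc123\r\n"
    "\r\n"
    "tipo=send&subject=prueba3&body=en+el+cuerpo+aparece+%2Fbin%2Fchmod&priority=3"
)

# Same request, but with the string in a cookie value instead of the body.
COOKIE_HIT_REQUEST = CONSTRUCTED_REQUEST.replace("track=abc123", "track=%2Fbin%2Fchmod")


def parse_request(raw):
    """Split a raw HTTP/1.0 request into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def locations(raw):
    """Build the named locations that SecFilterSelective can be pointed at.

    Modelled on mod_security 1.x: THE_REQUEST is the request line,
    COOKIE_<name> is one named cookie, COOKIES_VALUES is every cookie value.
    """
    request_line, headers, body = parse_request(raw)
    _, uri, _ = request_line.split(" ", 2)
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    locs = {
        "THE_REQUEST": request_line,
        "REQUEST_URI": uri,
        "QUERY_STRING": uri.partition("?")[2],
        "POST_PAYLOAD": body,
        "COOKIES_NAMES": list(cookies),
        "COOKIES_VALUES": list(cookies.values()),
    }
    for name, value in cookies.items():
        locs["COOKIE_" + name] = value  # one specific cookie, by name
    return locs


def normalise(value):
    """mod_security URL-decodes input before matching; mirror that here."""
    return unquote_plus(value)


def sec_filter(pattern, raw, scan_post=True):
    """Model of SecFilter: request line, query string and (when
    SecFilterScanPOST is On) the POST payload. Returns the matching
    location name, or None when nothing matches."""
    locs = locations(raw)
    candidates = ["THE_REQUEST", "QUERY_STRING"]
    if scan_post:
        candidates.append("POST_PAYLOAD")
    for name in candidates:
        if re.search(pattern, normalise(locs[name])):
            return name
    return None


def sec_filter_selective(location_spec, pattern, raw):
    """Model of SecFilterSelective: only the '|'-separated locations listed
    are inspected. Unknown locations (e.g. a cookie that is not present)
    simply contribute nothing."""
    locs = locations(raw)
    for name in location_spec.split("|"):
        values = locs.get(name, "")
        if not isinstance(values, list):
            values = [values]
        for v in values:
            if re.search(pattern, normalise(v)):
                return name
    return None


if __name__ == "__main__":
    print("SecFilter, POST scanned:   ", sec_filter("/bin/chmod", CONSTRUCTED_REQUEST))
    print("SecFilter, POST not scanned:", sec_filter("/bin/chmod", CONSTRUCTED_REQUEST, scan_post=False))
    print("Selective THE_REQUEST|COOKIES_VALUES on body hit:",
          sec_filter_selective("THE_REQUEST|COOKIES_VALUES", "/bin/chmod", CONSTRUCTED_REQUEST))
    print("Selective COOKIE_VALUES on cookie hit: ",
          sec_filter_selective("THE_REQUEST|COOKIE_VALUES", "/bin/chmod", COOKIE_HIT_REQUEST))
    print("Selective COOKIES_VALUES on cookie hit:",
          sec_filter_selective("THE_REQUEST|COOKIES_VALUES", "/bin/chmod", COOKIE_HIT_REQUEST))
```

Run stand-alone, the script shows the three outcomes the thread turns on: the broad SecFilter blocks the webmail body, the selective rule leaves the body alone while still catching the string in the request line or cookies, and COOKIE_VALUES silently inspects nothing because no cookie named "VALUES" exists, whereas COOKIES_VALUES finds it. The model deliberately leaves out the rest of the 1.x pipeline (encoding checks, argument-level ARG_name locations, actions), so it illustrates location selection only, not the full engine.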