17 Aug 23:34
Mod-Security and php forums
From: Matt Wrycraft <matt <at> wrycraft.net>
Subject: Mod-Security and php forums
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2006-08-17 21:34:56 GMT
Hi all, this is my first question, so please let me know if I've missed anything.

After a hacking attempt at another part of my site the sysadmins installed Mod Security and rules from
http://www.gotroot.com/tiki-index.php?page=mod_security+rules

I now get a number of false positives when posting on the forums (which are very active and people are getting annoyed at the number of 403s). I've run a Google search and checked out the gotroot forum to no avail.

Looking at the audit.log most of the denied posts relate to:

    mod_security-message: Access denied with code 403. Pattern match "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" at POST_PAYLOAD

I've tried loads of variations of posts on the forum and having multiple spaces or using "into" "select" and "from" in the right order is obviously what is causing me these problems.

I tried commenting out the rule but Apache failed to start, a quick look suggested that it was part of a chain of rules and I didn't want to dig too deeply in case I broke it further, so I uncommented the rule and successfully restarted the webserver.

I don't really know regex so am not in a position to completely re-write the rules, as I'm just as likely to make things worse, so I've reached the conclusion that I would just like to disable mod security for forum posts.

I've checked /etc/modsecurity/exclude.conf and there already seem to be relevant rules for other php-based forums, i.e.

    <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
    SecFilterRemove 300013
    </LocationMatch>

Now, I'm unsure what rule 300013 does. I've grepped for it and it seems to be commented out in the rules.conf.

Anyway, my forum uses the following POST URL, which I assume is the location match:

    /modules.php?name=Forums&file=posting&mode=newtopic&f=13

(with different information after 'posting')

So I tried putting that into exclude.conf - adding a number of rules that I thought could be problems (and taking them from other rules excluded in the exclude.conf) as follows:

    <Location "/modules.php?name=Forums&file=posting.*">
    SecFilterRemove 300013
    SecFilterRemove 300014
    SecFilterRemove 300016
    SecFilterRemove 380000
    SecFilterRemove 360001
    </Location>

This made no difference and I still suffer the false positives.

All I want to do is exclude mod security from checking forum posts (yes I know the risks of this, but I'm using recent code, with additional handling, and feel that mod security is causing more harm than good right now).

Can I for instance use a variation of:

    SecFilterSelective REQUEST_URI "/.*/Merchant2/merchant\.mv.*" allow,nolog

??

Any help would be graciously accepted! Many thanks in advance.

Matt
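
Added example, not part of the original post and not ModSecurity or gotroot code: a short Python check that reports which alternative of the pattern quoted from audit.log fires on a piece of text, which is the first step in triaging a false positive like the one described above. The sample posts are constructed, `[[:space:]]` is written as `\s` for Python, and case-insensitive matching is an assumption.

```python
import re

# The four alternatives of the pattern quoted in the audit.log message.
# POSIX [[:space:]] is rewritten as \s because Python's re lacks that class.
RULE_ALTERNATIVES = [
    r"insert\s+into.+values",
    r"select.+from",
    r"bulk\s+insert",
    r"union.+select",
]

# Assumption: the filter matches case-insensitively.
COMPILED = [(alt, re.compile(alt, re.IGNORECASE)) for alt in RULE_ALTERNATIVES]


def explain_match(payload):
    """Return (alternative, matched_text) for every alternative that fires."""
    hits = []
    for alt, rx in COMPILED:
        m = rx.search(payload)
        if m:
            hits.append((alt, m.group(0)))
    return hits


# Constructed sample posts (not taken from the poster's audit.log).
SAMPLE_POSTS = [
    "Please select your team from the list before Friday.",
    "Just insert into the form whatever values you like.",
    "The union meets Monday, then we select a new chair.",
    "Great match last night, see you all next week!",
    "1 union select login from members",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        hits = explain_match(post)
        verdict = "403" if hits else "ok "
        print(f"{verdict} {post!r}")
        for alt, text in hits:
            print(f"      fired: {alt!r} on {text!r}")
```

The first three posts are ordinary English and are still denied, because each alternative only requires two or three keywords to appear in order anywhere in the payload.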