Re: Mod-Security and php forums
From: Matt Wrycraft <matt <at> wrycraft.net>
Subject: Re: Mod-Security and php forums
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2006-08-18 19:14:13 GMT
Thanks Mike! I'll do that. You're a star.

Matt

Michael Shinn wrote:
> Matt,
>
> Send me your audit log entries (sanitize if you like, just leave me the
> context of the way phpbb is being used), and I'll tweak the rules to
> prevent these false positives.
>
> On Thu, 2006-08-17 at 23:02 +0100, Matt Wrycraft wrote:
>> Thanks Tom!
>>
>> I am running SQL and can certainly understand the need to keep the rules
>> dealing with injection attacks. SQL is used throughout my site and I
>> would like to keep the rules generally, just exclude them from forum
>> posts. I do have sanitation of forum posts anyway, which is why I'm
>> happy to avoid using modsec there.
>>
>> Unfortunately, changing the forum software isn't really an option for me
>> at the moment, and I really don't want to anyway as in all other
>> respects it's working fine. It's just the modsec false positives that are
>> giving me sleepless nights.
>>
>> I just need the code to exclude it I guess.
>>
>> Matt
>>
>> Tom Anderson wrote:
>>> If you're not running an SQL database, then you can comment out the
>>> chain of rules dealing with SQL injection attacks. Otherwise, only
>>> enable them on programs that deal directly with a database. If your
>>> forums use a database, the best thing is to ensure there is sanitation
>>> of input within your forum software. If so, you can disable the SQL
>>> injection filters in mod_security. Otherwise, it might be prudent to
>>> keep it or to change forum software.
>>>
>>> Tom
>>>
>>> Matt Wrycraft wrote:
>>>> Hi all, this is my first question, so please let me know if I've missed
>>>> anything.
>>>>
>>>> After a hacking attempt at another part of my site the sysadmins
>>>> installed Mod Security and rules from
>>>> http://www.gotroot.com/tiki-index.php?page=mod_security+rules
>>>> I now get a number of false positives when posting on the forums (which
>>>> are very active and people are getting annoyed at the number of 403s).
>>>> I've run a Google search and checked out the gotroot forum to no avail.
>>>> Looking at the audit.log most of the denied posts relate to:
>>>>
>>>> mod_security-message: Access denied with code 403. Pattern match
>>>> "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
>>>> at POST_PAYLOAD
>>>>
>>>> I've tried loads of variations of posts on the forum and having multiple
>>>> spaces or using "into" "select" and "from" in the right order is
>>>> obviously what is causing me these problems. I tried commenting out the
>>>> rule but Apache failed to start; a quick look suggested that it was part
>>>> of a chain of rules and I didn't want to dig too deeply in case I broke
>>>> it further, so I uncommented the rule and successfully restarted the
>>>> webserver.
>>>> I don't really know regex so am not in a position to completely
>>>> re-write the rules, as I'm just as likely to make things worse, so I've
>>>> reached the conclusion that I would just like to disable mod security
>>>> for forum posts.
>>>>
>>>> I've checked /etc/modsecurity/exclude.conf and there already seem to be
>>>> relevant rules for other php-based forums, i.e.
>>>>
>>>> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
>>>> SecFilterRemove 300013
>>>> </LocationMatch>
>>>>
>>>> Now, I'm unsure what rule 300013 does. I've grepped for it and it seems
>>>> to be commented out in the rules.conf.
>>>>
>>>> Anyway, my forum uses the following POST URL, which I assume is the
>>>> location match:
>>>> /modules.php?name=Forums&file=posting&mode=newtopic&f=13
>>>> (with different information after 'posting')
>>>>
>>>> So I tried putting that into exclude.conf, adding a number of rules
>>>> that I thought could be problems (and taking them from other rules
>>>> excluded in the exclude.conf) as follows:
>>>>
>>>> <Location "/modules.php?name=Forums&file=posting.*">
>>>> SecFilterRemove 300013
>>>> SecFilterRemove 300014
>>>> SecFilterRemove 300016
>>>> SecFilterRemove 380000
>>>> SecFilterRemove 360001
>>>> </Location>
>>>>
>>>> This made no difference and I still suffer the false positives.
>>>>
>>>> All I want to do is exclude mod security from checking forum posts (yes,
>>>> I know the risks of this, but I'm using recent code, with additional
>>>> handling, and feel that mod security is causing more harm than good
>>>> right now).
>>>>
>>>> Can I for instance use a variation of:
>>>> SecFilterSelective REQUEST_URI "/.*/Merchant2/merchant\.mv.*" allow,nolog
>>>>
>>>> ??
>>>>
>>>> Any help would be graciously accepted!
>>>>
>>>> Many thanks in advance.
>>>>
>>>> Matt

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
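Added example, not from the thread and not part of the gotroot rule set: an exclusion for the forum posting URL that can actually match. Apache's <Location> and <LocationMatch> containers compare against the URL path only and never see the query string (and <Location> is not a regular expression at all), which is why a container written around /modules.php?name=Forums&file=posting never fires. The mod_security 1.x REQUEST_URI location, by contrast, carries the path together with the query string, so the allow,nolog form quoted in the thread can be scoped to forum posts. Assumed here: mod_security 1.9.x, that this fragment is read by Apache before the gotroot rules.conf (allow only skips the filters evaluated after it), and NNNNNN as a placeholder for whatever rule id the audit log entry reports for the SQL-injection chain; the thread does not say which id that is.

```apache
# Added example (mod_security 1.9.x assumed). Not from the thread or from gotroot.
# Assumed placement: a file Apache reads BEFORE the gotroot rules.conf, because
# "allow" only skips filters that come after it in evaluation order.

# 1. Skip every filter for forum posting requests only.
#    REQUEST_URI is path plus query string, so the forum parameters can be
#    matched here; the pattern is anchored at the start of the path and requires
#    "posting" to be followed by "&" or the end of the URI, so
#    /modules.php?name=Forums&file=posting&mode=newtopic&f=13 matches and
#    /modules.php?name=Forums&file=postingXYZ does not.
SecFilterSelective REQUEST_URI "^/modules\.php\?name=Forums&file=posting(&|$)" allow,nolog

# 2. Narrower alternative: keep every other filter and drop only the
#    SQL-injection chain. NNNNNN is a placeholder for the id printed in the
#    audit log for the blocked post. The query string is out of reach inside
#    LocationMatch, so this applies to every request for /modules.php, not
#    only to forum posting.
<LocationMatch "^/modules\.php$">
    SecFilterRemove NNNNNN
</LocationMatch>
```

The first form is what the original question asks for: forum posts are checked only by the forum software's own input handling, and nothing that reaches that handler is inspected by mod_security. The second form keeps the rest of the rule set active on forum posts but widens the SQL-injection exemption to all of modules.php, since the path is the only thing a LocationMatch can test. Pick whichever of the two risks is the acceptable one, and check the audit log afterwards to confirm that the 403s for forum posts have stopped while other requests to the site are still being filtered.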