3 Jul 18:05
Re: ModSecurity 2.5.5 and Wordpress 2.5.1 issue
From: Ivan Ristic <ivan.ristic <at> gmail.com>
Subject: Re: ModSecurity 2.5.5 and Wordpress 2.5.1 issue
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-07-03 16:05:48 GMT
I think the first rule is a false positive. I am yet to see an installation of ModSecurity where output compression is a problem.

As for the second one, it looks like it's catching a HTML fragment in your request. I am planning to spend some time with WordPress in the near future - I might be able to tell you something useful in a week or so.

On Sun, Jun 22, 2008 at 10:30 PM, cassy seven <cassyseven <at> gmail.com> wrote:
> I'm getting these 2 errors with modsecurity 2.5.5 and Wordpress 2.5.1
>
> [Sun Jun 22 11:07:54 2008] [error] [client 192.168.1.1] ModSecurity:
> Warning. Operator EQ matched 0 at GLOBAL. [file
> "/etc/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id
> "960903"] [msg "ModSecurity does not support content encodings"] [severity
> "WARNING"] [hostname "www.bloglocal.com"] [uri
> "/wp-includes/js/tinymce/tiny_mce_config.php"] [unique_id
> "NLEVC38AAQEAABnaA2MAAAAF"]
>
> [Sun Jun 22 11:08:57 2008] [error] [client 192.168.1.1] ModSecurity:
> Warning. Pattern match
> "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d
> ..." at ARGS:content. [file
> "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id
> "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\\x22http:"]
> [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.bloglocal.com"]
> [uri "/wp-admin/admin-ajax.php"] [unique_id "OHc3nX8AAQEAABncBMkAAAAH"]
>
> --------------------------
> The first one corresponds to:
>
> SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
> "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support
> content encodings',id:'960903',severity:'4',chain,initcol:global=global"
> SecRule &GLOBAL:alerted_960903_compression "@eq 0"
> "setvar:global.alerted_960903_compression"
>
> aka: Outbound compressed content will be logged once, to alert the user
>
> Should I just ignore this?
> --------------------------
>
> The second one corresponds to:
>
> #
> # XSS
> #
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES
> "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b|
> ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)"
> \
>
> "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site
> Scripting (XSS)
> Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
>
> Can I put a line like this before it to prevent this error from coming up?
>
> SecRule REQUEST_URI "^/wp-admin/" nolog,pass,skip:1
> --------------
>
> Thanks in advance!
> Cassy

--
Ivan Ristic
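Added example, not part of the original messages: a small Python parser for the alert-line format quoted in the thread. It extracts the rule id, URI and matched variable so that repeated hits (such as 950004 on ARGS:content) can be grouped before deciding on an exception. The sample lines are constructed from the two alerts in the post with the pattern text shortened; the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the two alerts from the post, long pattern text shortened.
SAMPLE_LOG = r'''
[Sun Jun 22 11:07:54 2008] [error] [client 192.168.1.1] ModSecurity: Warning. Operator EQ matched 0 at GLOBAL. [file "/etc/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"] [hostname "www.bloglocal.com"] [uri "/wp-includes/js/tinymce/tiny_mce_config.php"] [unique_id "NLEVC38AAQEAABnaA2MAAAAF"]
[Sun Jun 22 11:08:57 2008] [error] [client 192.168.1.1] ModSecurity: Warning. Pattern match "(?:\\b(?:type ..." at ARGS:content. [file "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.bloglocal.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "OHc3nX8AAQEAABncBMkAAAAH"]
'''

# A metadata field looks like [key "value"]; values may contain backslash escapes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_alert(line):
    """Return the [key "value"] fields of one alert plus the matched variable."""
    if "ModSecurity:" not in line:
        return None
    # The free-text part ends where the first metadata field ([file "..."]) starts.
    head = line.split(' [file "', 1)[0]
    target = re.search(r" at (\S+)\.$", head)
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first value; [tag] may repeat
    fields["target"] = target.group(1) if target else None
    return fields


def summarize(log_text):
    """Count alerts per (rule id, URI, matched variable)."""
    counts = Counter()
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert and "id" in alert:
            counts[(alert["id"], alert.get("uri"), alert["target"])] += 1
    return counts


if __name__ == "__main__":
    for (rule_id, uri, target), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  id={rule_id}  uri={uri}  target={target}")
```
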