Re: ModSec in front of MOSS?
2009-01-16 10:03:23 GMT
I use ModSecurity 2.17 on a reverse proxy for MOSS with success. I have also enabled all the Core Rule Set XSS and SQL injection rules (modsecurity_crs_40_generic_attacks smb.conf) that were not enabled by default. The pen test confirms, if necessary, the goodness
The only custom rule in modsecurity_localrules.conf was the following:
##################################
# Rule 2
# Bad HTML SPECIFICATION
# http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4
# Notes :
# mod_security log contains x-vermeer-urlencoded
# but with OWA also x-www-UTF8-encoded so added for
# safety. No harm anyway
##################################
# Method alternatives are written in lower case because the rule applies
# t:lowercase to REQUEST_METHOD before matching (upper-case alternatives
# could never match); duplicate entries (PUT, OPTIONS, BDELETE, BPUT) dropped.
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options|proppatch|mkcol|lock|poll|search|unlock|move|put|delete|username|merge|checkout|mkactivity|subscribe|bdelete|bproppatch|bmove|bpool|bsearch|bput|bmerge|bmkcol|block)$" \
    "chain,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'4',severity:'4'"
    # Second link of the chain: only evaluated when the method was NOT in the list above.
    SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml|application\/x-www-UTF8-encoded|application\/x-vermeer-urlencoded)"
SecRuleRemoveById 960010
hth
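To make the chained rule's behaviour concrete, here is an added Python emulation of it. This is my own illustration, not the poster's configuration and not ModSecurity code; it uses the two regular expressions from the rule above (with the method alternatives lower-cased, as t:lowercase requires), applies ModSecurity's unanchored @rx semantics via re.search, and runs a few constructed sample requests through the same chain logic: a request is denied only when its method is outside the first allow-list and its Content-Type is outside the second.

```python
import re

# Allow-listed methods from the first SecRule in the thread. The alternatives
# are lower case because the rule applies t:lowercase to REQUEST_METHOD first.
ALLOWED_METHOD_RE = re.compile(
    r"^(?:get|head|propfind|options|proppatch|mkcol|lock|poll|search|unlock|"
    r"move|put|delete|username|merge|checkout|mkactivity|subscribe|bdelete|"
    r"bproppatch|bmove|bpool|bsearch|bput|bmerge|bmkcol|block)$"
)

# Allow-listed Content-Types from the chained second SecRule (no transformation),
# i.e. CRS 960010's list plus the two SharePoint/OWA types the poster added.
ALLOWED_CONTENT_TYPE_RE = re.compile(
    r"(?:^(?:application/x-www-form-urlencoded"
    r"(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$"
    r"|multipart/form-data;)|text/xml|application/x-www-UTF8-encoded"
    r"|application/x-vermeer-urlencoded)"
)


def evaluate_chain(method, headers):
    """Emulate the two-link chain. Returns (status, reason):
    501 when both links match (request denied), 200 otherwise."""
    # Link 1 fires when the lower-cased method is NOT in the allow-list.
    if ALLOWED_METHOD_RE.search(method.lower()):
        return 200, "method in allow-list; chain stops at first rule"
    # Link 2 is only evaluated when link 1 matched. Header names are
    # compared case-insensitively, as HTTP requires.
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), None
    )
    if content_type is None:
        # ModSecurity 2.x: a rule whose target variable is absent does not
        # match, so the chain never completes and the request is NOT denied.
        return 200, "no Content-Type header: second rule has nothing to evaluate"
    if ALLOWED_CONTENT_TYPE_RE.search(content_type):
        return 200, "Content-Type in allow-list"
    return 501, "Request content type is not allowed by policy"


# Constructed sample requests (not captured traffic) covering each branch.
SAMPLE_REQUESTS = [
    ("SharePoint post-back", "POST", {"Content-Type": "application/x-vermeer-urlencoded"}),
    ("Form post with charset", "post", {"content-type": "application/x-www-form-urlencoded; charset=utf-8"}),
    ("WebDAV PROPFIND, no body", "PROPFIND", {}),
    ("POST of text/plain", "POST", {"Content-Type": "text/plain"}),
    ("POST of JSON", "POST", {"Content-Type": "application/json"}),
    ("POST without Content-Type", "POST", {}),
]


def run_samples():
    """Return {label: status} for every constructed sample request."""
    return {label: evaluate_chain(m, h)[0] for label, m, h in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, method, headers in SAMPLE_REQUESTS:
        status, reason = evaluate_chain(method, headers)
        print(f"{status} {label:28s} {method:9s} -> {reason}")
```

The last sample is the caveat worth keeping in mind with this style of rule: a POST that omits Content-Type entirely sails through, because the second link has no variable to inspect and therefore cannot match. If that gap matters for the deployment, it needs a separate rule that counts the header (`&REQUEST_HEADERS:Content-Type`) rather than matching its value.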
Sharepoint generally encodes HTML entities, but after seeing how hit-
and-miss the .NET encoding is, I'd rather not rely on it. We are
testing with the latest URLScan as well, to see what that buys us. The
problem for us is some of the controls and post-backs (they may be
custom web-parts, not certain) actually pass values containing things
like "...onmouseup(..." which then gets flagged as XSS (and
understandably so).
David
On Jan 7, 2009, at 3:31 PM, Ryan Barnett wrote:
> -----Original Message-----
> From: David Felio [mailto:david <at> ark.org]
> Sent: Wednesday, January 07, 2009 11:06 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] ModSec in front of MOSS?
>
> Is anyone using ModSec in front of a MOSS (Microsoft Sharepoint)
> installation? We are just deploying our MOSS installation behind our
> ModSec proxies and I am finding there is so much garbage passed by
> MOSS that coding exceptions in the ModSec conf files for each instance
> probably won't be effective or efficient. I'm thinking I'm going to
> need to at least disable the XSS patterns for our MOSS instances.
>
> [Ryan Barnett] What version of MOSS are you using? Did you happen
> to see our recent Breach Security Labs Alert for the Access Control
> Vuln in SharePoint 2007 - http://www.breach.com/resources/breach-security-labs/alerts/Microsoft-Access-Control-Vulnerability-SharePoint-2007.html
> . It includes a virtual patch that you can install on your Mod proxy.
>
> The Core Rule Set is a good starting point, however it is "attack-
> centric" as it is mainly looking for different classes of attacks,
> without any knowledge of the back-end web application or if that
> underlying vulnerability even exists. So, going back to the Virtual
> Patching concept, if you have run any vulnerability scans or
> conducted any pentests, etc... then you can certainly use
> ModSecurity to implement virtual patches and block those specific
> known issues.
>
> XSS is the attack, however a lack of proper html output encoding of
> user-supplied data is the vulnerability. Before deciding to disable
> the XSS rules, do you have any idea how SharePoint is handling user-
> supplied meta-characters in output? I have access to a SharePoint
> server and just ran a few easy XSS tests (search function, Create an
> Event, etc...) and it seemed to handle the meta-characters
> appropriately.
>
>
------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html