  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    169

    mod_rewrite is cancelling out mod_security on cpanel servers.. why?!?

    Ok this has been an issue that has been bugging me for a LONG time now. It's discussed here atomicorp.com • View topic - mod_security + mod_rewrite with strange behavior

    Basically, if you're using modsec with a cpanel box and you have an account which has wordpress (with the default .htaccess incl. mod_rewrite rules in it) - mod_sec will not filter traffic for that account.

    Why ? Because it appears that due to some weird way that cpanel loads apache modules .. mod_rewrite appears to take precedence and so cancels out mod_sec in some circumstances eg. default wordpress .htaccess mod_rewrite rules..

    I've edited my httpd.conf and put the line Include "/usr/local/apache/conf/modsec2.conf" at the very top, hoping that this would fix it (by means of making modsec load FIRST before anything else) but it doesn't. So for some strange reason, if you have any accounts using mod_rewrite such as Wordpress, which is a FREQUENT hacking access point, you're in trouble even if you have modsec + good modsec rules installed.

    Any help would be appreciated. I am certain that this is a cpanel specific issue (to do with apache module ordering/loading/config) because vanilla centos + apache + modsec does not have this issue at all..

  2. #2
    Member
    Join Date
    Sep 2009
    Location
    Athens Greece
    Posts
    201

    You can also use your browser to test the rules by going to a URL similar to this:

    http://your_host/foo.php?foo=http://www.example.com
    cpanel now uses mod sec 2.6.2, try an easy apache update. you say on your link that you use mod_security 2.5.13
    most of the got rules don't work on mod_security 2.5.13
    are you using system priority?
    are you using (cmc) and have you disabled any specific rules for that domain?

  3. #3
    Member
    Join Date
    Jan 2003
    Posts
    169

    I'm on modsec 2.6 already, the issue is the same.

    I'm not using system priority. Why ? What does it do ?

    Yes I am using CMC but don't see the relevance. We have hundreds of customers who have Wordpress installations.

  4. #4
    Member
    Join Date
    Sep 2009
    Location
    Athens Greece
    Posts
    201

    System Priority | R-fx Networks
    this is system priority
    i am not sure if this project can help you to give priority to apache modules you can have a look

  5. #5
    Member
    Join Date
    Jan 2003
    Posts
    169

    oh that, yeah i seriously doubt it.

    Since mod_rewrite is compiled statically into apache I am assuming only Cpanel could change the module loading by making modifications to EasyApache.

    This is a serious issue with serious security implications that I believe very few people are aware of. For all intents and purposes, any account with Wordpress installed is automatically vulnerable and not protected by modsec at all due to the default rewrites in wordpress..

  6. #6
    Member
    Join Date
    Jan 2003
    Posts
    169

    And to complicate matters MUCH further ...

    I just tested this theory on 5 servers. All very similar cpanel/centos5 setups.

    4 out of 5 exhibited behaviour as described above ie. wordpress sites aren't protected due to the mod_rewrite rules.

    1 out of 5 servers, modsec is working as expected ie. it's blocking access even with wordpress rewrites .. BUT, and this is the confusing WTF part - modsec is only blocking if you're using Internet Explorer. If you use Chrome for example, it's still getting through without problems..

    What. The. ****************.

  7. #7
    Member
    Join Date
    Jan 2003
    Posts
    169

    One thing I wish to clarify .. when I am able to load a page such as http://wordpress-site-hosted-by-me.com/?=http://foo.bar modsec DOES still make an entry in the audit_log saying that it has 'intercepted it' and given a 501 error BUT it hasn't actually blocked it as the page loads normally.

    I think there's a serious bug in either easyapache or modsec. I believe it's EA ie. cpanel's apache compiles, as this issue does not occur on vanilla servers...

  8. #8
    Member
    Join Date
    Jan 2003
    Posts
    169

    Weird as it may sound, I think I've found a 'workaround' for whatever is causing this ...

    My modsec is configured to show error 501 when triggered.

    Now if I put a 501.shtml in the user account (with wordpress / rewrites) I get the error page instead of the url loading normally.

    Weird huh ? Can't believe I actually stumbled across this when it could've been a million other things.

    So to me it seems as if the error page configuration is messing with modsec and when there's no 501.shtml available the urls that SHOULD be blocked don't get blocked because the 501.shtml is missing.

  9. #9
    Member
    Join Date
    Sep 2009
    Location
    Athens Greece
    Posts
    201

    yes the webpage sometimes loads but on mod sec there is an entry 501.shtml as you say above.
    the link that i gave you results in:
    Not Found

    The requested URL /foo.php was not found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request
    if you try 4-5 times your ip should be blocked.
    it depends on the adjustment in csf.
    that's a test only
    try to fake attack on one of your wordpress accounts such as sql reject and see if the rules are working properly. i don't think this issue has anything to do with cpanel, that's a mod sec issue

  10. #10
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,300
    cPanel/Enkompass Access Level

    Root Administrator

    Hello,

    If you believe there might be an issue in our implementation of mod_rewrite in conjunction with mod_security, then please submit a bug report at http://go.cpanel.net/bugs to inquire about the issue with a link to this forum thread. If you would be able to post the ticket number here after submitting one so we can track the progress, that would be wonderful.

    Thanks!
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  11. #11
    Member
    Join Date
    Jan 2003
    Posts
    169

    I believe it's something to do with mod_rewrite and error documents which is causing modsec to not block the loading of pages when a modsec rule is triggered.

    As mentioned above, if I put a 501.shtml in the customer's account, 501 is displayed when modsec is triggered ie. it works correctly. Without 501.shtml, modsec logs the error in audit_log BUT you're still able to load the url that triggered the modsec rule.

    I've submitted a bug report ID 2031141

  12. #12
    Member
    Join Date
    Sep 2009
    Location
    Athens Greece
    Posts
    201

    check your configuration on mod sec, have you made any changes?
    i don't use asl lite but the free delayed rules of got root and some extra
    if i fake attack with this link, joomla sites return this on mozilla, explorer etc
    Forbidden

    You don't have permission to access /foo.php on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    after a while the server says goodbye to the attack... depends on csf, with 403 error

    if i try to fake attack wordpress sites, pages appear to load saying object not found
    BUT the entry is as follows in the audit log and the server again says goodbye to the attack
    [Mon Nov 28 10:40:23 2011] [error] [client my ip] ModSecurity: Access denied with code 403 (phase 2). Match of "beginsWith http:/%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "path to my rules/10_asl_rules.conf"] [line "481"] [id "340162"] [rev "249"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http:/"] [severity "CRITICAL"] [hostname "domain.gr"] [uri "/foo.php"] [unique_id "TtNI97AJJfsAABycHMsAAAAH"]
    all the servers are centos cpanel, mod sec works except if i have disabled the rule id for a specific domain
    Last edited by k-planethost; 11-28-2011 at 02:51 AM.
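
Added example, not part of any post in this thread: a check for the symptom described in posts #7 and #11, where ModSecurity logs "Access denied" but the page is still served. It pairs ModSecurity denials in the Apache error log (line format as in post #12) with access-log entries from the same client, path and time, and reports any whose served status differs from the deny code. The log lines, hostnames, client addresses and unique_id values are constructed, and both logs are assumed to be written in the server's local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread); 192.0.2.x is a documentation range.
ERROR_LOG = """\
[Mon Nov 28 10:40:23 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). [id "340162"] [hostname "wp.example"] [uri "/"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
[Mon Nov 28 10:41:02 2011] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). [id "340162"] [hostname "joomla.example"] [uri "/foo.php"] [unique_id "BBBBBBBBBBBBBBBBBBBBBBBB"]
"""
ACCESS_LOG = """\
192.0.2.10 - - [28/Nov/2011:10:40:23 +0200] "GET /?x=http://foo.bar HTTP/1.1" 200 18423
192.0.2.11 - - [28/Nov/2011:10:41:02 +0200] "GET /foo.php?foo=http://www.example.com HTTP/1.1" 403 312
"""

DENY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] ModSecurity: '
    r'Access denied with code (?P<code>\d{3}).*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_denials(text):
    """Yield (time, client, uri, deny code, rule id) for each ModSecurity denial."""
    for m in filter(None, map(DENY_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        yield ts, m["ip"], m["uri"], int(m["code"]), m["id"]

def parse_access(text):
    """Yield (time, client, path without query string, status) per access-log line."""
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        yield ts, m["ip"], m["target"].split("?", 1)[0], int(m["status"])

def unenforced_denials(error_log, access_log, window=timedelta(seconds=2)):
    """Return denials whose matching request was served with a different status."""
    served = list(parse_access(access_log))
    findings = []
    for ts, ip, uri, code, rule_id in parse_denials(error_log):
        for a_ts, a_ip, a_path, status in served:
            if a_ip == ip and a_path == uri and abs(a_ts - ts) <= window and status != code:
                findings.append({"client": ip, "uri": uri, "rule": rule_id,
                                 "denied_with": code, "served": status})
    return findings

if __name__ == "__main__":
    for finding in unenforced_denials(ERROR_LOG, ACCESS_LOG):
        print(finding)
```

On the constructed input, only the first request is reported: denied with 501 in the error log, served with 200 in the access log.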
