
Thread: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3)

  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    205

    mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3)

    I've just learnt that there is an exploit in the wild which makes it trivially easy to bypass mod_security in any version prior to 2.6.6.

    EasyApache is currently bundling 2.6.3, which is vulnerable.

    Can 2.6.6 be included in EasyApache ASAP? And if it's going to take weeks to implement, is there any way we can manually upgrade mod_security to 2.6.6 until EA has it?

  2. #2
    Member
    Join Date
    Jan 2003
    Posts
    205

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    I'd really like to not have to wait on cpanel to get around to fixing issues like this. So if anyone knows how to manually compile latest modsec from modsecurity.tar.gz on a centos5/cpanel system could you please post the steps?

    I'm assuming all we need to do is grab latest source from modsecurity.org and compile it and then copy the new mod_security2.so file to /usr/local/apache/modules/mod_security2.so overwriting the old one. Is that right?

    If so, could you please list steps to do this!

  3. #3
    Member
    Join Date
    Jan 2003
    Posts
    205

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    OK, just an update: I've worked out how to compile the latest modsec. Here are the steps I used (and a question):

    1) cd /usr/src
    2) wget http://www.modsecurity.org/download/...e_2.6.6.tar.gz
    3) tar xzf modsecurity-apache_2.6.6.tar.gz
    4) cd modsecurity-apache_2.6.6
    5) ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config
    6) make install

    The compile process takes a few seconds and dumps the new mod_security2.so in /usr/local/modsecurity/lib/mod_security2.so

    NOW MY QUESTION... is it perfectly SAFE to copy /usr/local/modsecurity/lib/mod_security2.so (the new file) over /usr/local/apache/modules/mod_security2.so (the old/existing one) and then restart Apache? Will this work? Could there be any issues?

  4. #4
    Member
    Join Date
    Jan 2003
    Posts
    205

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    OK, the above ./configure line isn't complete. I also need to specify --with-pcre, but I'm still trying to work out the path.

  5. #5
    Member
    Join Date
    Jan 2003
    Posts
    205

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    OK, worked it out. The full configure line should be: ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config --with-pcre=/opt/pcre

    So, to sum up step by step (this is a CentOS 5/cPanel box), run these steps to upgrade to the latest modsec:

    1) cd /usr/src
    2) wget http://www.modsecurity.org/download/...e_2.6.6.tar.gz
    3) tar xzf modsecurity-apache_2.6.6.tar.gz
    4) cd modsecurity-apache_2.6.6
    5) ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config --with-pcre=/opt/pcre
    6) service httpd stop
    7) make install
    8) service httpd start

    I hope that helps someone.

  6. #6
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    1,098
    cPanel/WHM Access Level

    Root Administrator

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    qwerty,

    That's kind of you to remind us all that a modsecurity update was needed. And of course thanks for posting the details on how to do it manually.

    Anybody who installs mod_security as a part of an EasyApache compile should be aware that if they follow the above steps and then run EasyApache [to recompile] in the future, the version of modsecurity that cPanel uses will overwrite any manual install that is done if they have mod_security selected in EasyApache. Thus they'd have to manually install the latest modsecurity again. Hopefully 2.6.6 will be updated shortly in EasyApache though.

    Mike

  7. #7
    cPanel Development
    Join Date
    Apr 2006
    Posts
    4,133
    cPanel/WHM Access Level

    Root Administrator

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    Thank you for bringing the security matter with mod_security to our attention. As we just learned of this problem we don't have enough of a grasp of the problem (updating to mod_security 2.6.6) to know how long it will take to do. We do intend to get it accomplished as soon as possible.
    Kenneth
    Development
    cPanel, Inc.

  8. #8
    cPanel Development
    Join Date
    Apr 2006
    Posts
    4,133
    cPanel/WHM Access Level

    Root Administrator

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    We should be able to publish EasyApache 3.13.5 today, which has mod_security 2.6.6.
    Kenneth
    Development
    cPanel, Inc.

  9. #9
    Registered User
    Join Date
    Jul 2012
    Posts
    1
    cPanel/WHM Access Level

    Reseller Owner

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    Thank you for your guide.

  10. #10
    Member
    Join Date
    Jul 2009
    Posts
    97

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    Hello, I have updated to the latest EasyApache and mod_security 2.6.5 is still there; no sign of 2.6.6?

  11. #11
    cPanel Product Evangelist
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    10,088
    cPanel/WHM Access Level

    Root Administrator

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    In WHM > Software > EasyApache, when you first open that page, what version does it show you?

    For example, mine says: Welcome to Easy::Apache v3.14.3

    According to the change log (always the best place to look for this sort of information):
    EasyApache < AllDocumentation/ChangeLog < TWiki

    3.13.5
    2012-06-28
    Implemented case 60072: Update mod_security to 2.6.6

  12. #12
    Member
    Join Date
    Jul 2009
    Posts
    97

    Re: URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.

    Welcome to Easy::Apache v3.14.3

    Mod Security
    v1.9.5 for Apache 1.3, v2.5.13 for Apache 2.0.x, v2.6.5 for Apache 2.2.x. This option will make the following changes to your profile prior to the build:

    Enables:
    UniqueId


    /home/cpeasyapache/src contains the following dirs:
    modsecurity-apache_1.9.5/
    modsecurity-apache_2.5.13/
    modsecurity-apache_2.6.5/

  13. #13
    Member
    Join Date
    Apr 2012
    Posts
    82
    cPanel/WHM Access Level

    Reseller Owner

    Re: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3)

    When we rebuild Apache using the latest EasyApache we get 2.6.5 on over 20 servers... So in the changelog there is something wrong, or someone forgot something...

  14. #14
    Member
    Join Date
    May 2011
    Posts
    34

    Re: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3)

    Hi,

    same here.

    /home/cpeasyapache/src/modsecurity-apache_2.6.5/ is entered when recompiling with the latest EasyApache.

    Then I deleted that directory, so:

    make[1]: Entering directory `/home/cpeasyapache/src/modsecurity-apache_2.6.5/tools'

    So no 2.6.6.
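An added example (editor's code, not something posted in this thread) that covers the two things people in it were unsure about: post #5's "is it safe to copy the new mod_security2.so over the old one?" and posts #12 to #14's "EasyApache says 2.6.5, so what is actually loaded?". It reads the version out of a built module file and refuses to install one that is still older than 2.6.6, keeping a backup of the existing module. It assumes ModSecurity 2.x embeds its usual signature string "ModSecurity for Apache/X.Y.Z (http://www.modsecurity.org/)" in the shared object; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/ModSecurity.
# Assumption: the module embeds "ModSecurity for Apache/X.Y.Z (...)",
# which is what modsec_version_of greps for.

MIN_VERSION="2.6.6"   # first release without the bypass discussed above

# Print the version embedded in a mod_security2.so (empty if none found).
modsec_version_of() {
    LC_ALL=C grep -a -o 'ModSecurity for Apache/[0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's#.*/##'
}

# Return 0 if $1 < $2 in dotted-numeric order (so 2.10.0 sorts after 2.6.6,
# which a plain string compare would get wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify a module file as "vulnerable (X)", "ok (X)" or "unknown".
modsec_status() {
    v=$(modsec_version_of "$1")
    [ -n "$v" ] || { echo "unknown"; return 0; }
    if version_lt "$v" "$MIN_VERSION"; then
        echo "vulnerable ($v)"
    else
        echo "ok ($v)"
    fi
}

# Copy NEW over OLD only if NEW really is >= MIN_VERSION, keeping OLD as a
# timestamped backup. Apache is deliberately not touched here: stop/start it
# (or configtest and graceful restart) around this call, as the thread does.
install_modsec_module() {
    new="$1"; old="$2"
    nv=$(modsec_version_of "$new")
    if [ -z "$nv" ] || version_lt "$nv" "$MIN_VERSION"; then
        echo "refusing: $new is '${nv:-unknown}', need >= $MIN_VERSION" >&2
        return 1
    fi
    if [ -f "$old" ]; then
        cp -p "$old" "$old.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp -p "$new" "$old"
}

# Typical use on the cPanel box described in the thread:
#   modsec_status /usr/local/apache/modules/mod_security2.so
#   install_modsec_module /usr/local/modsecurity/lib/mod_security2.so \
#                         /usr/local/apache/modules/mod_security2.so
```

Running modsec_status against /usr/local/apache/modules/mod_security2.so after an EasyApache rebuild answers the "2.6.5 or 2.6.6?" question directly from the binary Apache loads, rather than from the directory names under /home/cpeasyapache/src. The install function is what makes the "copy over the old .so" step safe to repeat: a stale build cannot silently replace a good module, and the previous file is there to copy back if Apache fails to start.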

  15. #15
    cPanel Product Evangelist
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    10,088
    cPanel/WHM Access Level

    Root Administrator

    Re: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3)

    There's an updated comment here by cPanelNick:

    PHP 5.4.5 and PHP 5.3.15 released!
