  1. #1
    Member
    Join Date
    May 2006
    Posts
    236

    a mod_security rule is breaking one script on one account

    One of my customers has a shopping cart script which has an element that calls to a "user_password.js" javascript file.

    mod_security is preventing that file from operating, giving it a 406 denial.

    I have discovered the mod_security rule that is causing this, the particular part highlighted in bold:

    Code:
    # Blind SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
           "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'" 
    Is there any proper way for me to modify this so that it does not affect the cart script on this one account? I don't want to disable mod_security completely, and I'm not sure how crucial that particular rule is so I'm afraid to remove it. Is there a better option for me?

    Thank you for any help, this problem is holding up an important job.

  2. #2
    Member
    Join Date
    May 2006
    Posts
    236


    The only thing I've been able to discover so far is that any time mod_security sees a call to user_password in a script, it denies access to it. Unfortunately the script my customer needs to use calls to a file named user_password.js, and mod_security is preventing it from being accessed.

    Does anyone know of anything I can do?

  3. #3
    Member darren.nolan's Avatar
    Join Date
    Oct 2007
    Posts
    259


    Quote Originally Posted by Metro2 View Post
    The only thing I've been able to discover so far is that any time mod_security sees a call to user_password in a script, it denies access to it. Unfortunately the script my customer needs to use calls to a file named user_password.js, and mod_security is preventing it from being accessed.

    Does anyone know of anything I can do?
    Remove the rule that causes the error. Of course by doing that you weaken your security setup by that little bit more.

    It's a Security vs Usability debate that has been going since the dawn of time. I believe I have disabled that rule in particular for the same reason. I'd have to check for the specifics.

  4. #4
    Member
    Join Date
    May 2006
    Posts
    236


    Thanks for the reply Darren.

    I tried removing little bits and pieces, rules here and there, only to find out that the only way to really get mod_security to grant access to files named user_password.js is to completely remove the entire blocks of SQL Injection protection.

    I'd have to remove all of this:

    Code:
    # Blind SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
           "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'"
    
    # SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+?(?:\d{1,10}|'[^=]{1,10}')\s*?[=<>]+|(?:print\]\b\W*?\@|root)\@|c(?:ast\b\W*?\(|oalesce\b))|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
            "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'"
    Which is a pretty major "weakening" of it. Like, to the point that there'd almost be no reason to keep running mod_security, since (if I understand correctly) those sections are what protect most database-driven PHP sites.

    ugh...

  5. #5
    Member darren.nolan's Avatar
    Join Date
    Oct 2007
    Posts
    259


    Yeap - it's how it happens.

    This is why most PHP programmers actually build protection into their own code to stop injection attacks, either through URL or form use.

    Having said that, Joomla, after many cries on their forums, is STILL wide open for such attacks.

    I use a combination of mod_security and suhosin to stop such things, without killing usability altogether.

    I found that mod_security with the default ruleset never stopped all attacks on Joomla sites; suhosin was the margin of protection needed to fix it up.

    Hurray for security.

  6. #6
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Feb 2004
    Posts
    87


    Hi,
    which ruleset of mod_security (for Apache 2.0) do you use, please? (Where can I download it?)


    I have some problems with this one for the administrator area (error 404) of Joomla 1.5.


    I use this one:

    <IfModule mod_security2.c>

    #
    # Mod Security2 Rules
    # Modified September 17, 2007
    # base on Kris S. - HostMerit.com's rules
    # by Tim Schoondergang - TimmiT.nl
    # mail: Tim.Schoondergang@TimmiT.nl
    # For use on CPanel servers with Mod_Security2

  7. #7
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,165
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by Metro2 View Post
    The only thing I've been able to discover so far is that any time mod_security sees a call to user_password in a script, it denies access to it. Unfortunately the script my customer needs to use calls to a file named user_password.js, and mod_security is preventing it from being accessed.

    Does anyone know of anything I can do?

    What script/cart is it? Can it be upgraded to solve this or this file be renamed and still work?

  8. #8
    Member
    Join Date
    May 2006
    Posts
    236


    Quote Originally Posted by Infopro View Post
    What script/cart is it? Can it be upgraded to solve this or this file be renamed and still work?

    It's a paid cart and I don't know if I should name it here, but I can answer your other two questions since I've sent a lot of related info to their support since I originally encountered this problem, and here is what I've found:

    - Renaming the file can't be done because the use of it is so heavily encoded into the script.

    - The developer says they will be providing a fix for this in a future upgrade, but there is no set date / ETA yet.

  9. #9
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,165
    cPanel/Enkompass Access Level

    Root Administrator


    How about setting those particular rules to log and pass then? It might be possible to at least keep an eye on it that way. Remarking them out would get you going till the devs work out a fix for the cart, of course. If it's a paid cart and not publicly accessible you might be ok short term, although I'm not sure I'd want to chance it myself, depending on the situation. (Backups might be a good thing to have if you disable them and get hit.)

    BTW, I did find a post on a forum for Avactis stating they too are having this problem and would fix it for the next release. Of course that was posted in March.

  10. #10
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator


    Mod Security rules can be disabled on a rule-by-rule basis for individual users. You can do it in .htaccess files.

    The other option might be to use mod_rewrite to work around the problem named script, although the mod_security solution is probably the correct one.

  11. #11
    Member sneader's Avatar
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    894
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by brianoz View Post
    Mod Security rules can be disabled on a rule-by-rule basis for individual users. You can do it in .htaccess files.
    I'm going to start searching for the answer... but if you could provide an example, I would sure appreciate it!!!

    - Scott

  12. #12
    Member
    Join Date
    Aug 2002
    Posts
    1,118


    Notice that the rules in question in the first post have an ID:

    msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007'
    msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904'
    For the first rule the ID is 950007 and the second rule's ID is 950904. In order for this to work each individual rule needs to have its own ID.

    Now when you find an ID is being hit by a particular account you can remove that ID for that account with:

    SecRuleRemoveById 950007 950904
    Normally what I would do is I would add this to a modsec.conf file in the userdata directory for that account:

    mkdir -p /usr/local/apache/conf/userdata/std/2/username/domain.com
    vi /usr/local/apache/conf/userdata/std/2/username/domain.com/modsec.conf
    (Use whatever text editor you prefer, I'm partial to vi)

    Then in the modsec.conf file add:

    <IfModule mod_security2.c>
    SecRuleRemoveById 950007 950904
    </IfModule>
    Or if you just want to isolate this to a specific directory or path you can use:

    <IfModule mod_security2.c>
    <Location /path>
    SecRuleRemoveById 950007 950904
    </Location>
    </IfModule>
    Excluding the <Location> container will disable these rules for the entire virtualhost.

    Now include that file:

    /scripts/ensure_vhost_includes --user=username
    Replace username with the owner of the account and replace domain.com with the virtualhost servername for that account.
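Before writing the SecRuleRemoveById line, it is worth confirming which of the four signatures from posts #1 and #4 actually fire on the cart's requests, and that the remaining rules still catch injection payloads. The script below is an added example (not sparek-3's or the cart's code): it runs those four regexes from the thread over constructed sample values and builds the exclusion line from the ids that fire. IGNORECASE is an assumption standing in for a t:lowercase transformation in SecDefaultAction; the sample paths and payloads are constructed.

```python
import re

# The four SQL-injection signatures quoted in posts #1 and #4, keyed by ModSecurity rule id.
# Python's re accepts this PCRE subset unchanged. IGNORECASE is an assumption that stands in
# for a t:lowercase transformation in SecDefaultAction; drop it if your default action has none.
RULES = {
    950007: r"(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)",
    950904: r"\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())",
    950001: r"(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+?(?:\d{1,10}|'[^=]{1,10}')\s*?[=<>]+|(?:print\]\b\W*?\@|root)\@|c(?:ast\b\W*?\(|oalesce\b))|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')",
    950906: r"\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b",
}
COMPILED = {rid: re.compile(pat, re.IGNORECASE) for rid, pat in RULES.items()}


def matching_rule_ids(value):
    """Rule ids whose signature fires on one inspected value (REQUEST_FILENAME, an ARGS value, ...)."""
    return sorted(rid for rid, rx in COMPILED.items() if rx.search(value))


def matched_signatures(value):
    """Rule id -> matched substring, i.e. what each rule's msg reports as <%{TX.0}>."""
    hits = {}
    for rid, rx in COMPILED.items():
        m = rx.search(value)
        if m:
            hits[rid] = m.group(0)
    return hits


def exclusion_directive(legitimate_values):
    """Smallest SecRuleRemoveById line that lets every listed legitimate value through."""
    ids = sorted({rid for v in legitimate_values for rid in matching_rule_ids(v)})
    return "SecRuleRemoveById " + " ".join(map(str, ids)) if ids else ""


if __name__ == "__main__":
    # Constructed samples: two of the cart's own requests, then two textbook injection payloads
    # that must still be caught after the cart-specific ids are excluded.
    samples = ["/cart/js/user_password.js", "/cart/js/cart.js",
               "1 union select password from user", "' or 1=1 --"]
    for s in samples:
        print(f"{s!r}: {matched_signatures(s) or 'no rule fires'}")
    print(exclusion_directive(samples[:2]))
```

The cart's request trips only 950904 and 950906 (both contain a `user_...password` branch), while the injection payloads still hit 950001 and 950007, so excluding those two ids for the one vhost keeps the rest of the block in force.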

  13. #13
    Member sneader's Avatar
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    894
    cPanel/Enkompass Access Level

    Root Administrator


    sparek-3, Thanks for the great info. I just shot you a PM also.

    - Scott
