Using curl ruleset on modsec give my client image trouble to load
Hi,
I use modsec and one of the ruleset is :
SecFilterSelective THE_REQUEST "curl "
This ruleset will deny all image using "curl" name to show.
Example :
/Others/Sendal%20Ripcurl%20Man%20woman.jpg HTTP/1.1 | Access denied with code 406. Pattern match "curl " at THE_REQUEST
My client have shopcart that sell ripcurl product and all image can not shows on browser because of this ruleset.
Is there any way to avoid this without changing images name ?
Thanks
It's me ...... It's me ......
Anyone have solution about this issue ?
It's me ...... It's me ......
just recompile php with full curl support
Please read my first post again.Originally Posted by imran_kh
just recompile php with full curl support
This problem about mod_sec blocking all file name that have "curl" as the filename because of SecFilterSelective THE_REQUEST "curl " at mod_sec rule.
I think this is not relevan with recompile php with full curl support. But just for your information, my php already have full curl support
It's me ...... It's me ......
Just using common english words like that will cause you problems.
Since (I believe) you can't run any effective curl commands without options (curl -O etc.) you can add the minus sign (-) to the rule.
You could try something like this:
Another option is to use the 'chain' feature in mod_security to combine rules.Code:SecFilterSelective THE_REQUEST "curl[[:space:]]+-"
Your logs will give you a good idea also as to what rule will be effective or not. Just scan your logs for curl exploits and apply that information to create an effective rule.
The best solution is to use ids for all of your mod security rules, something like:
SecFilterSelective THE_REQUEST "curl " id:1000,deny,log,status:406
This gives anything that matches this mod_security rule the ID 1000.
Now in your httpd.conf file, in the VirtualHost container for this specific account add:
<IfModule mod_security.c>
<Location /Others>
SecFilterRemove 1000
</Location>
<IfModule>
The <Location> container is not completely necessary, but it helps localize the issue. However, this also means that should an exploitable script exist in the /Others directory, then it can then be used to execute curl commands, because files in that directory are exempt from the mod_security rule id 1000 (curl). If you don't use the <Location> container, then this means that any script in the VirtualHost would be exempt from the curl mod_security rule.
How about if my user have 3 directory to place his file ? Ex. Others, Jacket, and Surfboard
What i must add on <Location> ? Is it <Location /Others; /Jacket; /Surfboard> ?
Last edited by isputra; 08-28-2006 at 10:24 AM.
It's me ...... It's me ......
You would do something like:
<IfModule mod_security.c>
<Location /Others>
SecFilterRemove 1000
</Location>
<Location /Jacket>
SecFilterRemove 1000
</Location>
<Location /Surfboard>
SecFilterRemove 1000
</Location>
<IfModule>
You would need a separate <Location> container for each directory. If you have a bunch of files that are affected by this rule, then you might consider leaving the <Location> containers out and just using something like:
<IfModule mod_security.c>
SecFilterRemove 1000
<IfModule>
That would exempt the entire VirtualHost from the curl rule, which could open it for exploiting if the account has any outdated or vulnerable scripts installed. Or you could do as other have suggested and be more descriptive in your mod_security rule.
There really just isn't a black and white way of doing this. This is all just a gray area. How much security do you want to provide? Where do you draw the line with security versus website usability? If an account is not able to use anything on the account because of your security measures, then your security measures are probably too strict.
LinkBack URL
About LinkBacks
Reply With Quote