cPanel's own mod_security rules, kills cPanel's own e-list feature.

[jols]

Here's what I am running:
WHM 11.11.0 cPanel 11.15.0-R18373
REDHAT 5.1 i686 on standard - WHM X v3.1.0

Also using Apache 2.2

ISSUE: If you switch on/install the cPanel mod_security ruleset, this particular rule will make it impossible for anyone to manage their e-lists (MailMan) as access to the e-list admin page incurrs the 406 error:

# Restrict file extension
# removed exe so that frontpage will work
SecRule REQUEST_BASENAME "\.(?:c(?(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|$
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
-----------

Here's the error that was being hit because of this (I changed listed IP and some other info):

[Tue Dec 11 11:16:32 2007] [error] [client 11.11.11.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\.(?:c(?(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?urces|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs ..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "domain.com"] [uri "/mailman/dirname/listname_domain.com"] [unique_id "39Mjw8-a8MIAADDjDfoAAAAE"]
-----------

Because there are several disallowed extensions in this particular rule, I have not been able to discover exactly which part of this rule that is in conflict, so I had to comment out the entire rule.

Questions:

-- How could cPanel have missed this conflict with their own cPanel e-list utility?

and

-- Is there anyway of discovering which part of this rule that is being violated?


Thanks.

 

[cPanelBilly]

Not sure how that made it to distro... That rule was marked to be removed previously.

I have contacted devel to have it removed again.

 

[cPDan]

try the default rule set for modsec 2 in test branch rev 3462, does that resolve it for you?

note to self: c 3543

 

[CoolMike]

I don't know which rule it is, but one of the rules also brakes the text editor in Joomla.

 

[jols]

I don't know which rule it is, but one of the rules also brakes the text editor in Joomla.

To find out:

1 -- Hit the error with a browser.

2 -- Grep the error log, e.g.:

grep yourdomain.com /usr/local/apache/logs/error_log

 

[jols]

try the default rule set for modsec 2 in test branch rev 3462, does that resolve it for you?

note to self: c 3543

Thanks cpDan, but would you mind putting that in English

Can I get at least some sketchy instructions about how to do this?

Thanks.

 

[cPanelKenneth]

Thanks cpDan, but would you mind putting that in English

Can I get at least some sketchy instructions about how to do this?

Thanks.

It means rebuild Apache, et al., doing this:

/scripts/easyapache --test-branch --build

Which will rebuild everything in your profile, using code from the EasyApache Test Branch.


BIG SCARY NOTE

Since this is the Test Branch, your EA3 build will have new features and functions that are less tested. Other problems may arise due to using the test branch. It's not recommended for prolonged production use.

 

[cPDan]

Thanks cpDan, but would you mind putting that in English

Can I get at least some sketchy instructions about how to do this?

Thanks.

Instead of rebuilding you could do this:

Assuming yout have Apache 2 + Mod Security setup still:

1) /usr/local/apache/conf/modsec2.user.conf still causes mailman URLs to 406, correct?

2) wget http://httpupdate.cpanel.net/cpanelsync/easy_test/targz/Cpanel/Easy/ModSec.pm.tar.gz

3) put modsec2.user.conf.default from the root of that tarball into /usr/local/apache/conf/modsec2.user.conf

4) restart Apache

5) mailman URL 406's or is good now?

 

[cPDan]

What mailman URL is specifically being caught by mod security?

I ask because I am unable to reproduce the problem.

 

[cPDan]

What mailman URL is specifically being caught by mod security?

I ask because I am unable to reproduce the problem.

I see it:

URL file extension is restricted by policy

so its the '.com' that rule doesn't like

 

[cPDan]

removed, meant for internal case so it wasn't very helpful here, sory

 

[cPDan]

fix is published, for now remove that rule via the mod sec rule editor if you wish

 

[rvskin]

Do you just remove it or modify it?
If you modify, please post the correct rule here.

 

[cPDan]

Do you just remove it or modify it?
If you modify, please post the correct rule here.

Just removed it, it also breaks .shtml and some other "extensions" (IE the trailing .com in the mailing list URL)

 

[kernow]

I could do with some help here please, which part of the rule is it thats causing the problem? Can you give me the lines that need deleiting so i can find it?

 

[jols]

I could do with some help here please, which part of the rule is it thats causing the problem? Can you give me the lines that need deleiting so i can find it?

Here's the entire rule that breaks things. I just commented it out.

# Restrict file extension
# removed exe so that frontpage will work
SecRule REQUEST_BASENAME "\.(?:c(?(?:nf(?:ig)?|m)|s(?roj|r)?|dx|er|fg|m d)|p(?:rinter|ass|db|ol|wd)|v(?:b(?roj|s)?|sdisc o)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf? |at|ll|os)|$
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"


On my server, it was found here:
/usr/local/apache/conf/modsec2.user.conf

 

[kernow]

Thanks jols
Merry Christmas to you

 

[cPDan]

I could do with some help here please, which part of the rule is it thats causing the problem? Can you give me the lines that need deleiting so i can find it?

The one in the first post and also in the error.