cPanel's own mod_security rules kill cPanel's own e-list feature.

jols

Well-Known Member
Here's what I am running:
WHM 11.11.0 cPanel 11.15.0-R18373
REDHAT 5.1 i686 on standard - WHM X v3.1.0

Also using Apache 2.2

ISSUE: If you switch on/install the cPanel mod_security ruleset, this particular rule makes it impossible for anyone to manage their e-lists (Mailman), because access to the e-list admin page incurs a 406 error:

# Restrict file extension
# removed exe so that frontpage will work
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|$
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
-----------

Here's the error that was being hit because of this (I changed listed IP and some other info):

[Tue Dec 11 11:16:32 2007] [error] [client 11.11.11.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs ..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "domain.com"] [uri "/mailman/dirname/listname_domain.com"] [unique_id "39Mjw8-a8MIAADDjDfoAAAAE"]
-----------

Because there are several disallowed extensions in this particular rule, I have not been able to discover exactly which part of this rule is in conflict, so I had to comment out the entire rule.

Questions:

-- How could cPanel have missed this conflict with their own cPanel e-list utility?

and

-- Is there any way of discovering which part of this rule is being violated?


Thanks.
 

cPanelBilly

Guest
Not sure how that made it to distro... That rule was marked to be removed previously.

I have contacted devel to have it removed again.
 

cPDan

cPanel Staff
Staff member
try the default rule set for modsec 2 in test branch rev 3462, does that resolve it for you?

note to self: c 3543
 

CoolMike

Well-Known Member
I don't know which rule it is, but one of the rules also breaks the text editor in Joomla.
 

jols

Well-Known Member
> I don't know which rule it is, but one of the rules also breaks the text editor in Joomla.

To find out:

1 -- Hit the error with a browser.

2 -- Grep the error log, e.g.:

grep yourdomain.com /usr/local/apache/logs/error_log
 

jols

Well-Known Member
> try the default rule set for modsec 2 in test branch rev 3462, does that resolve it for you?
>
> note to self: c 3543

Thanks cpDan, but would you mind putting that in English :)

Can I get at least some sketchy instructions about how to do this?

Thanks.
 

cPanelKenneth

cPanel Development
Staff member
> Thanks cpDan, but would you mind putting that in English :)
>
> Can I get at least some sketchy instructions about how to do this?
>
> Thanks.

It means rebuild Apache, et al., doing this:

Code:
/scripts/easyapache --test-branch --build
This will rebuild everything in your profile, using code from the EasyApache Test Branch.


BIG SCARY NOTE

Since this is the Test Branch, your EA3 build will have new features and functions that are less tested. Other problems may arise due to using the test branch. It's not recommended for prolonged production use.
 

cPDan

cPanel Staff
Staff member
> Thanks cpDan, but would you mind putting that in English :)
>
> Can I get at least some sketchy instructions about how to do this?
>
> Thanks.

Instead of rebuilding you could do this:

Assuming you still have Apache 2 + Mod Security set up:

1) /usr/local/apache/conf/modsec2.user.conf still causes mailman URLs to 406, correct?

2) wget http://httpupdate.cpanel.net/cpanelsync/easy_test/targz/Cpanel/Easy/ModSec.pm.tar.gz

3) put modsec2.user.conf.default from the root of that tarball into /usr/local/apache/conf/modsec2.user.conf

4) restart Apache

5) mailman URL 406's or is good now?
 

cPDan

cPanel Staff
Staff member
What mailman URL is specifically being caught by mod security?

I ask because I am unable to reproduce the problem.
 

cPDan

cPanel Staff
Staff member
> What mailman URL is specifically being caught by mod security?
>
> I ask because I am unable to reproduce the problem.

I see it:

URL file extension is restricted by policy

so it's the '.com' that the rule doesn't like
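The diagnosis above can be reproduced mechanically, which also answers the second question in the first post (which part of rule 960035 is being violated). This is an added example, not code from the thread or from cPanel: it tries each top-level alternative of the rule's extension pattern on its own against REQUEST_BASENAME after the rule's two transforms, and pulls the bracketed fields out of an error_log line of the kind the grep earlier in the thread turns up. The alternatives are the ones visible in the first post and in the log line, with the forum's smiley-mangled `(?:eek:` read back as `(?:o` and `{,5}` written `{0,5}`; the page cuts the pattern off after `xs`, so the tail is left out. The end anchor `$`, the use of `unquote()` to stand in for t:urlDecodeUni, and the function names are my assumptions.

```python
import re
from urllib.parse import unquote

# Top-level alternatives of rule 960035's extension pattern, as far as the thread shows it:
# the rule in the first post and the error_log line both stop after "xs", so the tail is
# missing here, and the forum's smiley-mangled "(?:eek:" is read back as "(?:o".
EXT_ALTERNATIVES = [
    r"c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)",   # .conf .config .com .cs .csproj ...
    r"p(?:rinter|ass|db|ol|wd)",
    r"v(?:b(?:proj|s)?|sdisco)",
    r"a(?:s(?:ax?|cx)|xd)",
    r"s(?:html?|ql|tm|ys)",
    r"d(?:bf?|at|ll|os)",
    r"i(?:d[acq]|n[ci])",
    r"ba(?:[kt]|ckup)",
    r"res(?:ources|x)",
    r"l(?:icx|nk|og)",
    r"\w{0,5}~",                                        # "{,5}" in the rule; same quantifier
    r"webinfo",
    r"ht[rw]",
]

def alternative_regex(alt):
    # Assumption: the pattern is anchored to the end of the basename, as a
    # file-extension rule normally is; the anchor is not visible on the page.
    return re.compile(r"\.(?:" + alt + r")$")

def request_basename(uri):
    """ModSecurity's REQUEST_BASENAME: the last path segment, query string excluded."""
    path = uri.split("?", 1)[0]
    return path.rsplit("/", 1)[-1]

def apply_transforms(value):
    """The rule's t:urlDecodeUni then t:lowercase (unquote() stands in for urlDecodeUni)."""
    return unquote(value).lower()

def offending_alternatives(uri):
    """[(alternative, matched text)] for every branch of the pattern the basename trips."""
    base = apply_transforms(request_basename(uri))
    hits = []
    for alt in EXT_ALTERNATIVES:
        m = alternative_regex(alt).search(base)
        if m:
            hits.append((alt, m.group(0)))
    return hits

# Bracketed key/value fields of a ModSecurity error_log entry: [id "960035"], [uri "..."], ...
MODSEC_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_error(line):
    return dict(MODSEC_FIELD.findall(line))

def diagnose(log_line):
    """(rule id, request URI, offending branches) for one error_log line."""
    fields = parse_modsec_error(log_line)
    uri = fields.get("uri", "")
    return fields.get("id"), uri, offending_alternatives(uri)

# Constructed sample: the thread's error_log line with the long pattern elided
SAMPLE_LOG = (
    '[Tue Dec 11 11:16:32 2007] [error] [client 11.11.11.11] ModSecurity: Access denied '
    'with code 406 (phase 2). Pattern match "..." at REQUEST_BASENAME. [id "960035"] '
    '[msg "URL file extension is restricted by policy"] [severity "CRITICAL"] '
    '[hostname "domain.com"] [uri "/mailman/dirname/listname_domain.com"] '
    '[unique_id "39Mjw8-a8MIAADDjDfoAAAAE"]'
)

if __name__ == "__main__":
    rule_id, uri, hits = diagnose(SAMPLE_LOG)
    print(f"rule {rule_id}: basename {request_basename(uri)!r} of {uri}")
    for alt, text in hits:
        print(f"  branch {alt} matches {text!r}")
```

Run as is, it reports that only the `c(?:o(?:nf(?:ig)?|m)|...)` branch fires, matching `.com` at the end of `listname_domain.com`, which is exactly the diagnosis above. The same branch covers `.conf` and `.config`, so a check that reads as protection against serving configuration files is what catches a hostname suffix in the list name. Any other error_log line can be handed to `diagnose()` to find its branch, and URL-encoded requests are handled the way the rule handles them, since the transforms run before the match.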
 

cPDan

cPanel Staff
Staff member
removed, meant for internal case so it wasn't very helpful here, sorry
 

cPDan

cPanel Staff
Staff member
fix is published, for now remove that rule via the mod sec rule editor if you wish
 

cPDan

cPanel Staff
Staff member
> Do you just remove it or modify it?
> If you modify, please post the correct rule here.

Just removed it; it also breaks .shtml and some other "extensions" (i.e. the trailing .com in the mailing list URL)
 

jols

Well-Known Member
> I could do with some help here please, which part of the rule is it that's causing the problem? Can you give me the lines that need deleting so I can find it? :eek:

Here's the entire rule that breaks things. I just commented it out.

# Restrict file extension
# removed exe so that frontpage will work
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|$
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"


On my server, it was found here:
/usr/local/apache/conf/modsec2.user.conf
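cPDan's advice earlier is to remove the rule through the mod_sec rule editor, and the post above does the same thing by commenting it out by hand. The script below, an added example and not anything from cPanel, does that hand edit mechanically and safely for a multi-line rule: it groups backslash-continued lines into one directive, so a two-line rule such as 960035 is commented out whole rather than leaving its second line as a stray quoted string that would break the Apache config. The sample conf is constructed in the style of modsec2.user.conf from the page's rule with the extension list shortened; the second rule (id 999001) is a made-up neighbour, and `split_directives` and `disable_rule` are my names.

```python
import re

CONTINUATION = "\\"
RULE_ID = re.compile(r"\bid:\s*'?(\d+)'?")      # id:'960035' or id:960035
SECRULE = re.compile(r"^\s*SecRule\s")          # SecRule itself, not SecRuleEngine etc.

def split_directives(text):
    """Group the file's lines into directives: a line ending in a backslash
    continues on the next line, so a multi-line SecRule comes back as one group."""
    groups, current = [], []
    for line in text.splitlines():
        current.append(line)
        if line.rstrip().endswith(CONTINUATION):
            continue
        groups.append(current)
        current = []
    if current:                      # file ended mid-continuation
        groups.append(current)
    return groups

def rule_ids(lines):
    """Every id:<n> action found in one directive (joined across continuation lines)."""
    return RULE_ID.findall(" ".join(lines))

def disable_rule(text, rule_id):
    """Comment out each SecRule directive whose actions carry id:<rule_id>.
    Returns (new_text, number_of_rules_disabled); already-commented rules are left alone."""
    out, disabled = [], 0
    for lines in split_directives(text):
        if SECRULE.match(lines[0]) and str(rule_id) in rule_ids(lines):
            out.extend("#" + line for line in lines)
            disabled += 1
        else:
            out.extend(lines)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, disabled

# Constructed sample in the style of /usr/local/apache/conf/modsec2.user.conf: rule 960035
# from the thread with its extension list shortened, plus a made-up neighbour (id 999001).
SAMPLE_CONF = """\
SecRuleEngine On
# Restrict file extension
# removed exe so that frontpage will work
SecRule REQUEST_BASENAME "\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:html?|ql|tm|ys))$" \\
    "t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
SecRule REQUEST_HEADERS:User-Agent "^$" "deny,log,msg:'empty User-Agent (constructed)',id:'999001'"
"""

if __name__ == "__main__":
    import sys
    # usage: python disable_rule.py 960035 < modsec2.user.conf > modsec2.user.conf.new
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 960035
    source = SAMPLE_CONF if sys.stdin.isatty() else sys.stdin.read()
    new_text, count = disable_rule(source, wanted)
    sys.stdout.write(new_text)
    print(f"# disabled {count} rule(s) with id {wanted}", file=sys.stderr)
```

Write the output to a new file, run the Apache config test before swapping it in, and then restart Apache, as in step 4 of cPDan's list. ModSecurity 2 also provides the `SecRuleRemoveById` directive, which disables a rule by id when placed after the file that defines it, so the shipped rule file can be left untouched and the exclusion kept in a local file that survives the next ruleset update.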
 

cPDan

cPanel Staff
Staff member
> I could do with some help here please, which part of the rule is it that's causing the problem? Can you give me the lines that need deleting so I can find it? :eek:

The one in the first post and also in the error.