The Community Forums


cPanel's own mod_security rules kill cPanel's own e-list feature.

Discussion in 'Security' started by jols, Dec 11, 2007.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Here's what I am running:
    WHM 11.11.0 cPanel 11.15.0-R18373
    REDHAT 5.1 i686 on standard - WHM X v3.1.0

    Also using Apache 2.2

    ISSUE: If you switch on/install the cPanel mod_security ruleset, this particular rule will make it impossible for anyone to manage their e-lists (MailMan), as access to the e-list admin page incurs the 406 error:

    # Restrict file extension
    # removed exe so that frontpage will work
    SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|$
    "t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
    -----------

    Here's the error that was being hit because of this (I changed listed IP and some other info):

    [Tue Dec 11 11:16:32 2007] [error] [client 11.11.11.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs ..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "domain.com"] [uri "/mailman/dirname/listname_domain.com"] [unique_id "39Mjw8-a8MIAADDjDfoAAAAE"]
    -----------

    Because there are several disallowed extensions in this particular rule, I have not been able to discover exactly which part of this rule is in conflict, so I had to comment out the entire rule.

    Questions:

    -- How could cPanel have missed this conflict with their own cPanel e-list utility?

    and

    -- Is there any way of discovering which part of this rule is being violated?


    Thanks.
     
  2. cPanelBilly

    cPanelBilly Guest

    Not sure how that made it to distro... That rule was marked to be removed previously.

    I have contacted devel to have it removed again.
     
  3. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    Try the default rule set for modsec 2 in test branch rev 3462; does that resolve it for you?

    note to self: c 3543
     
    #3 cPDan, Dec 11, 2007
    Last edited: Apr 9, 2008
  4. CoolMike

    CoolMike Well-Known Member

    Joined:
    Sep 6, 2001
    Messages:
    307
    Likes Received:
    0
    Trophy Points:
    16
    I don't know which rule it is, but one of the rules also breaks the text editor in Joomla.
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    To find out:

    1 -- Hit the error with a browser.

    2 -- Grep the error log, e.g.:

    grep yourdomain.com /usr/local/apache/logs/error_log
     
  6. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks cpDan, but would you mind putting that in English :)

    Can I get at least some sketchy instructions about how to do this?

    Thanks.
     
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    It means rebuild Apache, et al., doing this:

    Code:
    /scripts/easyapache --test-branch --build
    
    Which will rebuild everything in your profile, using code from the EasyApache Test Branch.


    BIG SCARY NOTE

    Since this is the Test Branch, your EA3 build will have new features and functions that are less tested. Other problems may arise due to using the test branch. It's not recommended for prolonged production use.
     
  8. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    Instead of rebuilding you could do this:

    Assuming you still have Apache 2 + Mod Security set up:

    1) /usr/local/apache/conf/modsec2.user.conf still causes mailman URLs to 406, correct?

    2) wget http://httpupdate.cpanel.net/cpanelsync/easy_test/targz/Cpanel/Easy/ModSec.pm.tar.gz

    3) put modsec2.user.conf.default from the root of that tarball into /usr/local/apache/conf/modsec2.user.conf

    4) restart Apache

    5) Does the mailman URL still 406, or is it good now?
     
    #8 cPDan, Dec 12, 2007
    Last edited: Dec 12, 2007
  9. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    What mailman URL is specifically being caught by mod security?

    I ask because I am unable to reproduce the problem.
     
  10. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    I see it:

    URL file extension is restricted by policy

    so it's the '.com' that the rule doesn't like
     
  11. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    Removed; it was meant for an internal case so it wasn't very helpful here, sorry.
     
    #11 cPDan, Dec 12, 2007
    Last edited: Dec 12, 2007
  12. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    Fix is published; for now, remove that rule via the mod sec rule editor if you wish.
     
  13. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
    Do you just remove it or modify it?
    If you modify, please post the correct rule here.
     
  14. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    Just removed it; it also breaks .shtml and some other "extensions" (i.e. the trailing .com in the mailing list URL).
     
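As an added example (not code from the thread, from cPanel, or from ModSecurity itself), the script below answers the question raised in the first post and confirmed in posts #10 and #14: given a ModSecurity error_log line, which part of rule 960035 fired? It pulls the `uri` and `id` fields out of the log entry, derives REQUEST_BASENAME the way the rule sees it (last path segment, query string dropped, then t:urlDecodeUni and t:lowercase applied) and reports the text the extension regex matched. The regex reproduces only the alternatives visible in the quoted rule, which is truncated after the `d(?:bf?|at|ll|os)` group, so extensions further along in the real rule are not covered; the closing `$` anchor, the `%uXXXX` handling omitted from the decoder, and the sample log line are assumptions/constructions for this example.

```python
import re
from urllib.parse import unquote

# Subset of cPanel's rule 960035 as quoted in the thread. The quoted rule is cut
# off after the "d(?:bf?|at|ll|os)" group, so only those alternatives are here;
# the trailing "$" anchor is assumed from the rule's "Restrict file extension"
# intent (it fires on whatever follows the LAST dot of the basename).
RESTRICTED_EXTENSION = re.compile(
    r"\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)"
    r"|p(?:rinter|ass|db|ol|wd)"
    r"|v(?:b(?:proj|s)?|sdisco)"
    r"|a(?:s(?:ax?|cx)|xd)"
    r"|s(?:html?|ql|tm|ys)"
    r"|d(?:bf?|at|ll|os))$"
)

# Bracketed fields of a ModSecurity 2 error_log entry, e.g. [uri "/x"] [id "960035"].
LOG_FIELD = re.compile(r'\[(uri|id|msg) "((?:[^"\\]|\\.)*)"\]')


def parse_error_line(line):
    """Return the uri, id and msg fields of one ModSecurity error_log line."""
    return {key: value for key, value in LOG_FIELD.findall(line)}


def request_basename(uri):
    """Approximate REQUEST_BASENAME as the rule evaluates it: the last path
    segment of the request path, minus any query string, then the rule's own
    t:urlDecodeUni and t:lowercase transformations. (unquote handles %xx only;
    the %uXXXX form that urlDecodeUni also accepts is not emulated here.)"""
    path = uri.split("?", 1)[0]
    basename = path.rsplit("/", 1)[-1]
    return unquote(basename).lower()


def matched_extension(uri):
    """The substring of the basename that rule 960035 matched (the offending
    'extension'), or None if the quoted part of the rule would not fire."""
    m = RESTRICTED_EXTENSION.search(request_basename(uri))
    return m.group(0) if m else None


def explain(line):
    """For a 960035 denial, return the extension that triggered it; otherwise None."""
    fields = parse_error_line(line)
    if fields.get("id") != "960035" or "uri" not in fields:
        return None
    return matched_extension(fields["uri"])


# Constructed log line modelled on the one quoted in the thread; the long
# "Pattern match" blob is replaced by "..." because it is not needed here.
SAMPLE_LINE = (
    '[Tue Dec 11 11:16:32 2007] [error] [client 11.11.11.11] ModSecurity: '
    'Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_BASENAME. '
    '[id "960035"] [msg "URL file extension is restricted by policy"] '
    '[severity "CRITICAL"] [hostname "domain.com"] '
    '[uri "/mailman/dirname/listname_domain.com"] [unique_id "39Mjw8-a8MIAADDjDfoAAAAE"]'
)

if __name__ == "__main__":
    print("log line triggered on:", explain(SAMPLE_LINE))
    # A few constructed URIs: the mailman case, the .shtml case from post #14,
    # an upper-case/encoded/query-string variant, and a URI the rule leaves alone.
    for uri in ("/mailman/admin/listname_domain.com",
                "/page.shtml",
                "/docs/Report%2ECONF?download=1",
                "/mailman/listinfo/listname"):
        print(uri, "->", matched_extension(uri))
```

Run against a real error_log with `grep 960035 /usr/local/apache/logs/error_log | python3 this_script.py`-style plumbing (add a `sys.stdin` loop around `explain`), and the output makes the thread's diagnosis concrete: the list name `listname_domain.com` has no file extension at all, but REQUEST_BASENAME takes everything after its last dot, so `.com` matches `c(?:o(?:...|m))` exactly as if a Windows executable had been requested. The same logic explains the `.shtml` breakage cPDan mentions.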
  15. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I could do with some help here please, which part of the rule is it that's causing the problem? Can you give me the lines that need deleting so I can find it? :eek:
     
    #15 kernow, Dec 21, 2007
    Last edited: Dec 21, 2007
  16. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Here's the entire rule that breaks things. I just commented it out.

    # Restrict file extension
    # removed exe so that frontpage will work
    SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|$
    "t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"


    On my server, it was found here:
    /usr/local/apache/conf/modsec2.user.conf
     
  17. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Thanks jols
    Merry Christmas to you :)
     
  18. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    The one in the first post and also in the error.
     