
mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3)

Discussion in 'Security' started by qwerty, Jun 25, 2012.

  1. qwerty (Well-Known Member)
    I've just learnt that there is an exploit in the wild which makes it trivially easy to bypass mod_security in any version prior to 2.6.6.

    EasyApache is currently bundling 2.6.3, which is vulnerable.

    Can 2.6.6 be included in EasyApache ASAP? And if it's going to take weeks to implement, is there any way we can manually upgrade mod_security to 2.6.6 until EA has it?
     
  2. qwerty (Well-Known Member)

    I'd really like to not have to wait on cpanel to get around to fixing issues like this. So if anyone knows how to manually compile latest modsec from modsecurity.tar.gz on a centos5/cpanel system could you please post the steps?

    I'm assuming all we need to do is grab latest source from modsecurity.org and compile it and then copy the new mod_security2.so file to /usr/local/apache/modules/mod_security2.so overwriting the old one. Is that right?

    If so, could you please list steps to do this!
     
  3. qwerty (Well-Known Member)

    OK, just an update: I've worked out how to compile the latest modsec. Here are the steps I used (and a question):

    1) cd /usr/src
    2) wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
    3) tar xzf modsecurity-apache_2.6.6.tar.gz
    4) cd modsecurity-apache_2.6.6
    5) ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config
    6) make install

    The compile process takes a few seconds and dumps the new mod_security2.so in /usr/local/modsecurity/lib/mod_security2.so

    NOW MY QUESTION: is it perfectly SAFE to copy /usr/local/modsecurity/lib/mod_security2.so (the new file) over /usr/local/apache/modules/mod_security2.so (the old/existing one) and then restart Apache? Will this work? Could there be any issues?
     
  4. qwerty (Well-Known Member)

    OK, the above ./configure line isn't complete: I need to also specify --with-pcre, but I'm still trying to work out the path.
     
  5. qwerty (Well-Known Member)

    OK, worked it out. The full configure line should be: ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config --with-pcre=/opt/pcre

    So to sum up, step by step (this is a CentOS 5/cPanel box), run these steps to upgrade to the latest modsec:

    1) cd /usr/src
    2) wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
    3) tar xzf modsecurity-apache_2.6.6.tar.gz
    4) cd modsecurity-apache_2.6.6
    5) ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config --with-pcre=/opt/pcre
    6) service httpd stop
    7) make install
    8) service httpd start

    I hope that helps someone.
     
  6. mtindor (Well-Known Member, Root Administrator)

    qwerty,

    That's kind of you to remind us all that a modsecurity update was needed. And of course thanks for posting the details on how to do it manually.

    Anybody who installs mod_security as a part of an EasyApache compile should be aware that if they follow the above steps and then run EasyApache [to recompile] in the future, the version of modsecurity that cPanel uses will overwrite any manual install that is done if they have mod_security selected in EasyApache. Thus they'd have to manually install the latest modsecurity again. Hopefully 2.6.6 will be updated shortly in EasyApache though.

    Mike
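    Added example, not posted by anyone in this thread: a POSIX shell script that checks the ModSecurity version EasyApache offers (and the source tree a rebuild would reinstall) against the 2.6.6 fix discussed above, and performs the final module swap from post 5 with a dated backup, so the situation mtindor describes (an EasyApache run silently putting the old version back) can be spotted. The paths /home/cpeasyapache/src, /usr/local/modsecurity/lib and /usr/local/apache/modules are the ones the posts name; the option text sample is a constructed copy of what post 12 quotes.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths are the ones the posts name;
# the EasyApache option text is a constructed copy of what post 12 quotes.
MIN_FIXED="2.6.6"   # first ModSecurity release without the bypass, per the thread

# True (exit 0) when dotted version $1 sorts below $2.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# Extract the Apache 2.2.x build version from the EasyApache "Mod Security" option text.
ea_modsec_version() {
    printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9.]*\) for Apache 2\.2\.x.*/\1/p'
}

# Highest modsecurity-apache_2.* source dir under $1 (normally /home/cpeasyapache/src),
# i.e. the version an EasyApache rebuild would put back in place of a manual install.
ea_src_version() {
    for d in "$1"/modsecurity-apache_2.*; do
        [ -d "$d" ] && printf '%s\n' "${d##*modsecurity-apache_}"
    done | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1
}

verdict() {
    if version_lt "$1" "$MIN_FIXED"; then echo "VULNERABLE"; else echo "OK"; fi
}

# Post 5's final step (copy the freshly built .so over the installed one), with a
# dated backup of the old module so a failed Apache restart can be rolled back.
replace_module() {   # $1 = new .so, $2 = installed .so
    [ -f "$1" ] || { echo "new module $1 not found" >&2; return 1; }
    [ -f "$2" ] && cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$2"
}

SAMPLE_OPTION="v1.9.5 for Apache 1.3, v2.5.13 for Apache 2.0.x, v2.6.5 for Apache 2.2.x This option will make the following changes to your profile prior to the build:"

main() {
    v=$(ea_modsec_version "$SAMPLE_OPTION")
    echo "EasyApache offers ModSecurity $v for Apache 2.2: $(verdict "$v")"
    if [ -d /home/cpeasyapache/src ]; then
        echo "an EasyApache rebuild would reinstall $(ea_src_version /home/cpeasyapache/src)"
    fi
    # Uncomment on a cPanel box after 'make install' and 'service httpd stop':
    # replace_module /usr/local/modsecurity/lib/mod_security2.so /usr/local/apache/modules/mod_security2.so
}
main
```

    Re-running the script after every EasyApache build is the cheapest way to notice the overwrite mtindor warns about.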
     
  7. cPanelKenneth (cPanel Development, Staff Member)

    Thank you for bringing the security matter with mod_security to our attention. As we just learned of this problem we don't have enough of a grasp of the problem (updating to mod_security 2.6.6) to know how long it will take to do. We do intend to get it accomplished as soon as possible.
     
  8. cPanelKenneth (cPanel Development, Staff Member)

    We should be able to publish EasyApache 3.13.5 today, which has mod_security 2.6.6
     
  9. vanheict (Registered, Reseller Owner)

    Thank you for your guide.
     
  10. radeonpower (Well-Known Member, Root Administrator)

    Hello, I have updated to the latest EasyApache and mod_security 2.6.5 is still there, no sign of 2.6.6?
     
  11. Infopro (cPanel Sr. Product Evangelist, Staff Member)

    In WHM > Software > EasyApache, when you first open that page, what version does it show you?

    For example, mine says: Welcome to Easy::Apache v3.14.3

    According to the change log (always the best place to look for this sort of information):
    EasyApache < AllDocumentation/ChangeLog < TWiki

     
  12. radeonpower (Well-Known Member, Root Administrator)

    Welcome to Easy::Apache v3.14.3

    Mod Security [More Info ↑]
    v1.9.5 for Apache 1.3, v2.5.13 for Apache 2.0.x, v2.6.5 for Apache 2.2.x This option will make the following changes to your profile prior to the build:

    Enables:
    UniqueId


    /home/cpeasyapache/src contains the following dirs:
    modsecurity-apache_1.9.5/
    modsecurity-apache_2.5.13/
    modsecurity-apache_2.6.5/
     
  13. nospa (Well-Known Member, Reseller Owner)
    When we rebuild Apache using the latest EasyApache we get 2.6.5 on over 20 servers... So either there is something wrong in the changelog or someone forgot something...
     
  14. chposter (Active Member)
    Hi,

    same here.

    /home/cpeasyapache/src/modsecurity-apache_2.6.5/ is entered when recompiling with the latest EasyApache.

    Then I deleted that directory, so:

    make[1]: Entering directory `/home/cpeasyapache/src/modsecurity-apache_2.6.5/tools'

    So no 2.6.6.
     