mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3)

qwerty

I've just learnt that there is an exploit in the wild which makes it trivially easy to bypass mod_security in any version prior to 2.6.6.

Easyapache is currently bundling 2.6.3 which is vulnerable.

Can 2.6.6 be included in easyapache ASAP? And if it's going to take weeks to implement, is there any way we can manually update mod_security to 2.6.6 until EA has it?
 

qwerty


I'd really like to not have to wait on cpanel to get around to fixing issues like this. So if anyone knows how to manually compile latest modsec from modsecurity.tar.gz on a centos5/cpanel system could you please post the steps?

I'm assuming all we need to do is grab latest source from modsecurity.org and compile it and then copy the new mod_security2.so file to /usr/local/apache/modules/mod_security2.so overwriting the old one. Is that right?

If so, could you please list steps to do this!
 

qwerty


OK, just an update. I've worked out how to compile the latest modsec. Here are the steps I used (and a question):

1) cd /usr/src
2) wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
3) tar xzf modsecurity-apache_2.6.6.tar.gz
4) cd modsecurity-apache_2.6.6
5) ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config
6) make install

The compile process takes a few seconds and dumps the new mod_security2.so in /usr/local/modsecurity/lib/mod_security2.so

NOW MY QUESTION ... is it perfectly SAFE to copy /usr/local/modsecurity/lib/mod_security2.so (the new file) over /usr/local/apache/modules/mod_security2.so (old/existing one) and then restart apache ...? Will this work ? Could there be any issues?
 

qwerty


OK, the above ./configure line isn't complete. I need to also specify --with-pcre but I'm still trying to work out the path.
 

qwerty


OK, worked it out. The full configure line should be: ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config --with-pcre=/opt/pcre

So to sum up step by step (this is a Centos5/Cpanel box) run these steps to upgrade to latest modsec:

1) cd /usr/src
2) wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
3) tar xzf modsecurity-apache_2.6.6.tar.gz
4) cd modsecurity-apache_2.6.6
5) ./configure --with-apr=/home/cpeasyapache/src/httpd-2.2.22/srclib/apr --with-apu=/usr/local/apache/bin/apu-1-config --with-pcre=/opt/pcre
6) service httpd stop
7) make install
8) service httpd start

I hope that helps someone.
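The following script is an added example; it is not part of qwerty's post and not a cPanel or ModSecurity tool. It wraps the one step the procedure above leaves manual (copying the freshly built module over the one Apache loads) with a backup and a config test, and adds the check this thread keeps coming back to: which ModSecurity version a given mod_security2.so actually is, and whether it is still below 2.6.6. The default paths are the ones given above (/usr/local/modsecurity/lib/mod_security2.so and /usr/local/apache/modules/mod_security2.so). The version is read from the "ModSecurity for Apache/x.y.z" banner that the 2.x module embeds (the same string it appends to the Server header); that banner, and apachectl being on PATH, are assumptions of mine rather than facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report the ModSecurity version inside a
# compiled mod_security2.so, decide whether it predates the fixed release, and
# swap in a freshly built module with a backup. Paths follow the cPanel layout
# quoted in the thread.

FIXED_VERSION="2.6.6"   # first release without the bypass, per the thread

# version_lt A B: succeed (0) when dotted version A sorts before B numerically,
# so 2.6.3 < 2.6.6 and 2.5.13 < 2.6.6, but 2.10.0 is not < 2.6.6.
# A non-numeric tail such as "-rc1" is ignored. Variables are global (POSIX sh).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        if [ "$ap" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bp" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ap="${ap%%[!0-9]*}"; bp="${bp%%[!0-9]*}"   # drop non-numeric tails
        ap="${ap:-0}"; bp="${bp:-0}"                 # missing component == 0
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
    done
    return 1
}

# modsec_version_from_module FILE: print the x.y.z from the embedded
# "ModSecurity for Apache/x.y.z" banner (assumption: present in 2.x builds),
# or nothing if no banner is found. grep -a reads the binary as text.
modsec_version_from_module() {
    grep -ao 'ModSecurity for Apache/[0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's#.*/##'
}

# modsec_is_vulnerable FILE [FIXED]: 0 when the module is older than FIXED
# (default 2.6.6), 1 when it is at or above it, 2 when no banner was found.
modsec_is_vulnerable() {
    v=$(modsec_version_from_module "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "${2:-$FIXED_VERSION}"
}

# modsec_install_built_module [SRC] [DST]: refuse a build that is itself still
# old, keep a timestamped backup of the module Apache currently loads, copy the
# new build over it, then run the Apache config test. Meant to be run as root
# between "make install" and "service httpd start".
modsec_install_built_module() {
    src="${1:-/usr/local/modsecurity/lib/mod_security2.so}"
    dst="${2:-/usr/local/apache/modules/mod_security2.so}"
    [ -f "$src" ] || { echo "missing build output $src" >&2; return 1; }
    if modsec_is_vulnerable "$src"; then
        echo "refusing: $src is $(modsec_version_from_module "$src"), still < $FIXED_VERSION" >&2
        return 1
    fi
    cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)" && cp -p "$src" "$dst" || return 1
    apachectl -t   # assumption: apachectl on PATH (cPanel keeps it in /usr/local/apache/bin)
}

case "${1:-}" in
    check)
        mod="${2:-/usr/local/apache/modules/mod_security2.so}"
        v=$(modsec_version_from_module "$mod")
        if modsec_is_vulnerable "$mod"; then
            echo "$mod: ModSecurity $v is older than $FIXED_VERSION, rebuild needed"; exit 1
        elif [ -z "$v" ]; then
            echo "$mod: no ModSecurity version banner found"; exit 2
        else
            echo "$mod: ModSecurity $v is at or above $FIXED_VERSION"
        fi
        ;;
    install)
        modsec_install_built_module "${2:-}" "${3:-}"
        ;;
esac
```

Usage: `sh modsec-check.sh check` reports the version of the module Apache loads and exits non-zero while it is below 2.6.6; `sh modsec-check.sh install` does the copy with a backup after `make install`. Running the check after every EasyApache build is the point, since a recompile with mod_security selected puts cPanel's own build back in place.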
 

mtindor


qwerty,

That's kind of you to remind us all that a modsecurity update was needed. And of course thanks for posting the details on how to do it manually.

Anybody who installs mod_security as a part of an EasyApache compile should be aware that if they follow the above steps and then run EasyApache [to recompile] in the future, the version of modsecurity that cPanel uses will overwrite any manual install that is done if they have mod_security selected in EasyApache. Thus they'd have to manually install the latest modsecurity again. Hopefully 2.6.6 will be updated shortly in EasyApache though.

Mike
 

cPanelKenneth

cPanel Development
Staff member

Thank you for bringing the security matter with mod_security to our attention. As we just learned of this problem we don't have enough of a grasp of the problem (updating to mod_security 2.6.6) to know how long it will take to do. We do intend to get it accomplished as soon as possible.
 

cPanelKenneth

cPanel Development
Staff member

We should be able to publish EasyApache 3.13.5 today, which has mod_security 2.6.6.
 

radeonpower


Hello, I have updated to the latest Easyapache and mod_security 2.6.5 is still there, no sign of 2.6.6?
 

Infopro


In WHM > Software > EasyApache, when you first open that page, what version does it show you?

For example, mine says: Welcome to Easy::Apache v3.14.3

According to the change log (always the best place to look for this sort of information):
EasyApache < AllDocumentation/ChangeLog < TWiki

3.13.5
2012-06-28
Implemented case 60072: Update mod_security to 2.6.6
 

radeonpower


Welcome to Easy::Apache v3.14.3

Mod Security
v1.9.5 for Apache 1.3, v2.5.13 for Apache 2.0.x, v2.6.5 for Apache 2.2.x This option will make the following changes to your profile prior to the build:

Enables:
UniqueId


/home/cpeasyapache/src contains the following dirs:
modsecurity-apache_1.9.5/
modsecurity-apache_2.5.13/
modsecurity-apache_2.6.5/
 

nospa

When we rebuild Apache using the latest EasyApache we get 2.6.5 on over 20 servers... So in the changelog there is something wrong or someone forgot something...
 

chposter

Hi,

same here.

/home/cpeasyapache/src/modsecurity-apache_2.6.5/ is entered when recompiling with last easyapache

Then I deleted that directory, so:

make[1]: Entering directory `/home/cpeasyapache/src/modsecurity-apache_2.6.5/tools'

So no 2.6.6.