The Community Forums


modsec problem

Discussion in 'Security' started by Zion Ahead, Dec 20, 2006.

  1. Zion Ahead

    Zion Ahead Well-Known Member

    My support desk is occasionally acting strange due to the modsec.conf but I'm not sure which rule is causing the error:

    2006-12-20 09:21:33 1Gx3G9-0001pF-FK Expansion of ${if !eq {$header_From:}{}{$header_sender:$header_From:}fai l} failed while rewriting: syntax error in "if" item - "fail" expec$

    [Wed Dec 20 09:13:22 2006] [error] [client xx.xxx.148.18] mod_security: Access denied with code 403. Pattern match "rm\\\\x20" at POST_PAYLOAD [hostname "domain.com$


    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature "Apache"


    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"

    ## ## ## ## ## ## ## ## ## ##
    ## ## ## ## ## ## ## ## ## ##

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
    SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
    SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
    SecFilterSelective THE_REQUEST "arta\.zip "
    SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
    SecFilterSelective THE_REQUEST "HCL_path=http "
    SecFilterSelective THE_REQUEST "clamav-partial "
    SecFilterSelective THE_REQUEST "vi\.recover "
    SecFilterSelective THE_REQUEST "netenberg "
    SecFilterSelective THE_REQUEST "psybnc "
    SecFilterSelective THE_REQUEST "fantastico_de_luxe "

    SecFilter "bcc:"
    SecFilter "bcc\x3a"
    SecFilter "bcc:|Bcc:|BCC:" chain
    SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
    SecFilterSelective POST_PAYLOAD "Bcc:"
    SecFilterSelective POST_PAYLOAD "Bcc:\x20"
    SecFilterSelective POST_PAYLOAD "bcc:"
    SecFilterSelective POST_PAYLOAD "bcc:\x20"
    SecFilterSelective POST_PAYLOAD "bcc: "
    SecFilterSelective THE_REQUEST "Bcc:"
    SecFilterSelective THE_REQUEST "Bcc:\x20"
    SecFilterSelective THE_REQUEST "cc:"
    SecFilterSelective THE_REQUEST "cc:\x20"
    SecFilterSelective THE_REQUEST "bcc:"
    SecFilterSelective THE_REQUEST "bcc:\x20"
    SecFilterSelective THE_REQUEST "bcc: "
    # WEB-PHP phpbb quick-reply.php arbitrary command attempt
    SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
    SecFilter "phpbb_root_path="

    SecFilterInheritance Off
     
  2. jshanley

    jshanley Member

    Hi,

    It looks like this rule is triggering for you.

    SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"

    Because you didn't include the URL being accessed from the log, I can't give you an example of how to exclude it. But basically you'd

    a) assign the problem rule (above) an ID.
    b) exclude that rule (whitelist) for that specific URL.
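The two steps above written out in ModSecurity 1.x syntax, as an added example rather than anything from the thread: the rule ID 900001 and the path /supportdesk/ are assumed placeholders, to be replaced with an unused ID and the URL taken from the mod_security error line. The ID goes on the second (chained) rule jshanley quoted, since that is the rule whose action list is applied when the chain matches.

```apache
# Step a) in modsec.conf: give the problem rule a unique ID so it can be
# referenced elsewhere. 900001 is an assumed placeholder; any unused ID works.
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}" "id:900001,deny,log,status:403"

# Step b) in the virtual host or a <Location> block in httpd.conf:
# inherit every server-level filter for this path, then drop only rule
# 900001 so the support desk can still post comma-separated addresses
# while the rest of the ruleset stays active.
# /supportdesk/ is an assumed path; use the URL from the 403 log entry.
<Location /supportdesk/>
    SecFilterInheritance On
    SecFilterRemove 900001
</Location>
```

After the change, the audit_log named by SecAuditLog should stop recording 403s for that path with this pattern while other rules keep logging there; if it does not, check that the <Location> path matches the URL in the error line exactly.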
     