
ModSecurity blocking Firefox Indonesian version

Discussion in 'Security' started by markhard, Jan 12, 2009.

  1. markhard

    markhard Well-Known Member

    Recently I noticed that the default rule from cPanel's ModSecurity rules is blocking Firefox, and probably other browsers that use the Indonesian language. Here is the rule that gives the false alarm:

    Code:
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
            "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
    The rule blocks because the regex "telnet|uname|echo|id" matches the Firefox browser's user agent header:

    Code:
    Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
    Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
    Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
    I wanted to create a ModSecurity rule to allow browsers with the Indonesian language but got confused by the ModSecurity rule. Can someone help me modify the rule to accept browsers that have the Indonesian language?

    Thank you
     
    #1 markhard, Jan 12, 2009
    Last edited: Jan 12, 2009
  2. harrysudana

    harrysudana Registered

    Renaming telnet|uname|echo|id to telnet|uname|echo,
    is that working?

    -------------------------
    Best Regards

    http://webwoke.com
     
    #2 harrysudana, Sep 10, 2009
    Last edited: Sep 11, 2009
  3. tajid

    tajid Registered

    Simply delete "id" ... it is decreasing the security .. :(
    But I haven't found any other way since the "id" is in the Indonesian Firefox user agent header.

    btw it has been discussed before .. http://www.diskusiwebhosting.com/showthread.php?t=628&highlight=rule+galak
     
  4. alphaservers

    alphaservers Member

    ModSecurity problem at Indonesian ISPs

    Since it was issued by the Indonesian government to protect legal content for multimedia content, this problem has begun to cause difficulty for offshore data centers that allowed adult content :D

    My idea is to just try opendns.com and make your DNS server open and an unforbidden listing at Indonesian ISPs. Hope you can resolve your problem as soon as possible. If you still have problems with your mod_security, use an anonymous proxy, try an Indonesian proxy, and check whether your website runs better on an Indonesian ISP provider :)
     
  5. harrysudana

    harrysudana Registered

    @tajid
    Yes, the rule will decrease the security.

    @alphaservers
    Probably OpenDNS is good. I think it needs an extra campaign to inform all internet users in Indonesia about using OpenDNS.

    Or maybe we should try to contact the Mozilla developers to change the identity for Indonesian to use "IDN" or something else instead of using "ID"?

    Or maybe try to inform the developers to stay away from using "id"?

    regards

    Harry S
    _________
    webwoke.com | SEO | Plugins | Wordpress
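
Added example, not part of the thread or of cPanel's ruleset: a Python reproduction of the branch of rule 950006 that fires on the Indonesian User-Agent, comparing the original rule, the thread's suggestion of deleting `id`, and excluding the User-Agent header from the rule's targets. The sample requests, the `evaluate` helper and the policy names are constructed for illustration, and Python's `re` stands in for ModSecurity's regex engine.

```python
import re

# Second alternation of rule 950006 as posted above (shell separator, optional
# non-word characters, command name); the trailing "id" is added in branch().
CMDS = (r"c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)"
        r"|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo")

def branch(with_id=True):
    """Compile the branch, with or without the "id" alternative."""
    cmds = CMDS + ("|id" if with_id else "")
    return re.compile(r"[;|`]\W*?\b(?:(?:" + cmds + r")\b|g(?:\+\+|cc\b))")

def evaluate(request, rx, skip_headers=()):
    """Return (target, matched_text) pairs over ARGS|ARGS_NAMES|REQUEST_HEADERS.

    skip_headers models a target exclusion such as !REQUEST_HEADERS:User-Agent.
    """
    targets = []
    for name, value in request["args"].items():
        targets += [("ARGS:" + name, value), ("ARGS_NAMES:" + name, name)]
    for name, value in request["headers"].items():
        if name.lower() not in skip_headers:
            targets.append(("REQUEST_HEADERS:" + name, value))
    return [(t, m.group(0)) for t, v in targets if (m := rx.search(v))]

# Constructed requests: the Indonesian Firefox User-Agent quoted in the thread,
# and an argument carrying the separator-plus-command shape the rule targets.
UA_ID = "Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
UA_EN = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
BROWSER = {"args": {"page": "home"}, "headers": {"User-Agent": UA_ID}}
INJECT = {"args": {"host": "127.0.0.1; id"}, "headers": {"User-Agent": UA_EN}}

def compare():
    """Map each policy to (browser_blocked, injection_blocked)."""
    policies = {
        "original": (branch(True), ()),
        "drop_id": (branch(False), ()),
        "skip_user_agent": (branch(True), ("user-agent",)),
    }
    return {name: (bool(evaluate(BROWSER, rx, skip)), bool(evaluate(INJECT, rx, skip)))
            for name, (rx, skip) in policies.items()}

if __name__ == "__main__":
    for name, (browser, inject) in compare().items():
        print(f"{name:16} browser blocked={browser}  injection blocked={inject}")
```

In ModSecurity the third policy corresponds to appending `|!REQUEST_HEADERS:User-Agent` to the rule's variable list; the cost is that this rule no longer inspects the User-Agent header at all.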
     