ModSecurity blocking Firefox Indonesian version

markhard

Recently I noticed that the default rule from cPanel's ModSecurity rules is blocking Firefox, and probably other browsers, that use the Indonesian language. Here is the rule that gives the false alarm:

Code:
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
        "capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
The rule blocks because the regex "telnet|uname|echo|id" matches the Firefox browser's user agent header:

Code:
Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
I wanted to create a ModSecurity rule to allow browsers with the Indonesian language but got confused by the ModSecurity rule. Can someone help me modify the rule to accept browsers that have the Indonesian language?

Thank you

tajid

I wanted to create a ModSecurity rule to allow browsers with the Indonesian language but got confused by the ModSecurity rule. Can someone help me modify the rule to accept browsers that have the Indonesian language?

Thank you
Simply delete "id" ... it is decreasing the security .. :(
But I haven't found any other way, since the "id" is in the Indonesian Firefox user agent header.

Btw, it has been discussed before .. http://www.diskusiwebhosting.com/showthread.php?t=628&highlight=rule+galak
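The trade-off described above, as an added example that is not part of the original thread: it compares deleting "id" from the pattern with leaving the pattern intact and excluding only the User-Agent header from the rule's targets (modelled on ModSecurity's `!REQUEST_HEADERS:User-Agent` variable exclusion). Only the post-metacharacter branch of the quoted regex is reproduced; the function names and the request argument are constructed for illustration.

```python
import re

# Branch of rule 950006 (as quoted in the first post) that fires after a
# shell metacharacter ; | or `. The other branches are left out here.
PATTERN = (
    r"[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)"
    r"|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?"
    r"|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))"
)
RULE = re.compile(PATTERN)
# The workaround from the thread: drop "id" from the command list.
RULE_NO_ID = re.compile(PATTERN.replace("|echo|id)", "|echo)"))

def collect_targets(args, headers, excluded=()):
    """Build the ARGS|ARGS_NAMES|REQUEST_HEADERS target list minus exclusions."""
    skip = {e.lower() for e in excluded}
    targets = []
    for name, value in args.items():
        targets.append((f"ARGS:{name}", value))
        targets.append((f"ARGS_NAMES:{name}", name))
    for name, value in headers.items():
        targets.append((f"REQUEST_HEADERS:{name}", value))
    return [(n, v) for n, v in targets if n.lower() not in skip]

def evaluate(rule, args, headers, excluded=()):
    """Return (target, matched_text) for every target the pattern hits."""
    hits = []
    for name, value in collect_targets(args, headers, excluded):
        m = rule.search(value)
        if m:
            hits.append((name, m.group(0)))
    return hits

# User agent copied from the first post; Host and the arguments are constructed.
UA = (
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; id; rv:1.9.0.5) "
    "Gecko/2008120122 Firefox/3.0.5"
)
HEADERS = {"Host": "example.com", "User-Agent": UA}
NO_UA = ("REQUEST_HEADERS:User-Agent",)

if __name__ == "__main__":
    print(evaluate(RULE, {"q": "hello"}, HEADERS))         # false positive on the UA
    print(evaluate(RULE_NO_ID, {"q": "x; id"}, HEADERS))   # "id" deleted: missed
    print(evaluate(RULE, {"q": "hello"}, HEADERS, NO_UA))  # clean request passes
    print(evaluate(RULE, {"q": "x; id"}, HEADERS, NO_UA))  # argument still caught
```

With the exclusion, this rule no longer inspects the User-Agent header at all, so the coverage given up is limited to that one header rather than every argument and header.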
 

alphaservers

ModSecurity problem with Indonesian ISPs

Since it was issued by the Indonesian government to protect legal content for multimedia content, this problem has begun to make difficulty for offshore data centers that were allowed adult content :D

My idea is to just try using opendns.com and make sure your DNS server is open and not on a forbidden listing at Indonesian ISPs. Hope you can resolve your problems as soon as possible. If you still have problems with your mod_security, use an anonymous proxy and try an Indonesian proxy, and check whether your website runs better on an Indonesian ISP provider :)
 

harrysudana

@tajid
Yes, the rule will decrease the security.

@alphaservers
Probably OpenDNS is good. I think it needs an extra campaign to inform all internet users in Indonesia to use OpenDNS.

Or maybe we should try to contact the Mozilla developers to change the identity for Indonesian to use "IDN" or something else instead of using "ID"?

Or maybe try to inform the developers to stay away from using "id"?

Regards

Harry S