[Modsecurity] Horde login issue

Faris Raouf faris at cymru1.net
Mon Nov 6 12:48:53 EST 2006


I'm having a very strange issue at the moment.

Basically logging in under Horde/imp (plesk 7.5.4, Redhat 9) was fine until
I updated my rules to the 20061310 set.

After that, rule 300018 triggers on logging in (and if I remove that rule
from the rules file, others trigger, basically 300013/15/16).

Adding this sort of thing (with variations of the location) to the exclude
file does not help (yes, I am restarting the httpd process):

<LocationMatch "/horde/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
SecFilterRemove 300016
</LocationMatch>


Using SecFilterEngine Off and SecFilterScanPOST Off in the above does not
help.

I've also tried creating an .htaccess file in /usr/share/psa-horde/imp with
the following (or the SecFilterRemove directives) in it. It doesn't help.

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>


A typical audit log entry is as follows:

==9a51b60b==============================
Request: webmail.domain.com xx.xx.xx.xx - - [04/Nov/2006:07:34:51 +0000]
"GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2F HTTP/1.1" 500 1083
"http://webmail.domain.com/imp/login.php" "Mozilla/5.0 (Macintosh; U; Intel
Mac OS X; en) AppleWebKit/418 (KHTML, like Gecko) Safari/417.9.2"
41Uitz5FPeMAAF at WTSoAAAAM "-"
Handler: type-map
----------------------------------------
GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2F HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: Horde3=xxxxxxxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxxxx;
imp_key=xxxxxxxxxxxxxxxxxxxxxxx
Referer: http://webmail.domain.com/imp/login.php
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/418
(KHTML, like Gecko) Safari/417.9.2
Connection: keep-alive
Host: webmail.domain.com
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match
"(ht|f)tps?:/" at QUERY_STRING [id "300018"] [rev "3"] [msg "Generic PHP
code injection protection via ARGS"] [severity "CRITICAL"]

HTTP/1.1 500 Internal Server Error
Vary: accept-language
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
--9a51b60b--

What I don't understand is why I'm unable to turn mod_sec off or limit the
rules for this. It is driving me nuts. What am I doing wrong? I must be
doing something really daft.

Thanks,

Faris.
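The audit log entry above carries the two facts needed to work out why the exclusion never applies: the blocked request line (which path was actually hit) and the `mod_security-message` header (which rule matched, on which pattern, in which variable). The following is an added example, not code from the original post or from ModSecurity, that parses a serial-format audit log entry of the kind shown and then emulates the one check that decides whether a `<LocationMatch>` block covers the request: Apache matches the regex against the request path only, never the query string. The sample entry is constructed from the post (trimmed, with placeholder host/IP values); the pattern check against the URL-decoded query string assumes the ModSecurity 1.x behaviour of normalizing arguments before matching, as the `[id "300018"]` hit on `QUERY_STRING` indicates.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the serial-format audit log entry from the post,
# trimmed to the parts the parser uses. Host, IP and unique-id are placeholders.
SAMPLE_ENTRY = """==9a51b60b==============================
Request: webmail.domain.com xx.xx.xx.xx - - [04/Nov/2006:07:34:51 +0000] "GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2F HTTP/1.1" 500 1083 "http://webmail.domain.com/imp/login.php" "Mozilla/5.0" UNIQUE-ID-PLACEHOLDER "-"
Handler: type-map
----------------------------------------
GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2F HTTP/1.1
Accept: */*
Host: webmail.domain.com
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "(ht|f)tps?:/" at QUERY_STRING [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]

HTTP/1.1 500 Internal Server Error
--9a51b60b--
"""

# The request line proper (not the "Request:" summary line, which starts with a hostname).
REQUEST_LINE = re.compile(r'^(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP/\d\.\d$', re.M)
MESSAGE = re.compile(r'^mod_security-message:\s*(.*)$', re.M)
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')                       # [id "300018"], [msg "..."], ...
PATTERN = re.compile(r'Pattern match "((?:[^"\\]|\\.)*)" at (\w+)')  # the regex and the variable it hit


def parse_entry(entry):
    """Extract method, path, query (raw and decoded) and the rule metadata from one audit entry."""
    m = REQUEST_LINE.search(entry)
    if not m:
        raise ValueError("no request line found in audit entry")
    method, target = m.group(1), m.group(2)
    parts = urlsplit(target)
    info = {
        "method": method,
        "path": parts.path,
        "query": parts.query,
        "query_decoded": unquote(parts.query),  # ModSecurity matches on the normalized (decoded) value
    }
    msg = MESSAGE.search(entry)
    if msg:
        text = msg.group(1)
        info.update(dict(TAG.findall(text)))     # id, rev, msg, severity
        pm = PATTERN.search(text)
        if pm:
            info["pattern"], info["variable"] = pm.group(1), pm.group(2)
    return info


def location_matches(location_regex, path):
    """Emulate <LocationMatch>: the regex is searched against the URL path, not the query string."""
    return re.search(location_regex, path) is not None


def explain(entry, location_regex):
    """Return the parsed entry plus whether the given LocationMatch would cover it
    and whether the logged pattern really fires on the decoded query string."""
    info = parse_entry(entry)
    info["exclusion_applies"] = location_matches(location_regex, info["path"])
    if "pattern" in info:
        # Only QUERY_STRING is reconstructed here; other variables would need the body/headers.
        haystack = info["query_decoded"] if info["variable"] == "QUERY_STRING" else ""
        info["pattern_hits"] = re.search(info["pattern"], haystack) is not None
    return info


if __name__ == "__main__":
    for loc in ("/horde/imp/compose.php", r"^/index\.php$"):
        result = explain(SAMPLE_ENTRY, loc)
        print(f'rule {result.get("id")} on {result["method"]} {result["path"]} '
              f'(decoded query: {result["query_decoded"]!r}); '
              f'LocationMatch {loc!r} applies: {result["exclusion_applies"]}')
```

Run against the entry from the post, the parser reports rule 300018 firing on `GET /index.php` because the decoded query string `url=http://webmail.domain.com/` contains `http:/`, and it reports that a `<LocationMatch "/horde/imp/compose.php">` block does not cover that request: the denied URI is `/index.php`, and the Horde paths in the log (`/index.php`, `/imp/login.php`) sit at the document root rather than under `/horde/`. The same reasoning applies to an `.htaccess` in the `imp` directory, which only governs requests mapped to that directory. A `SecFilterRemove` for 300018 placed in a context that actually matches `/index.php` (or in the server/vhost scope) is the change this check points to; `explain` lets you confirm a candidate `LocationMatch` regex against the logged path before restarting httpd.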