From dahl at unr.edu Tue Apr 17 19:46:33 2007
From: dahl at unr.edu (Michael P Dahl)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Disable mod_security in .htaccess
Message-ID: <8FB49BBFFBF42D43BEA4DB36F735CDA92C5735@UNRX.unr.edu>

I'm trying to disable mod_security 2.0 for a particular user in their
.htaccess:

I tried using:

SecFilterEngine Off
SecFilterScanPOST Off

But they do not work in 2.0.

Then I tried using:

SecRuleEngine off

and got this error:

[Tue Apr 17 16:42:04 2007] [alert] [client 192.168.1.1] /web/htdocs/license/.htaccess: SecRuleEngine not allowed here, referer: http://www.site.com/license/index.html

Is it possible to do this? If so, what am I doing wrong?

From holm at x-provi.de Wed Apr 18 04:38:17 2007
From: holm at x-provi.de (Holm Kapschitzki)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] LocationMatch question
Message-ID: <4625D8F9.6080300@x-provi.de>

Hello,

sorry, I'm new to mod_sec. I have some problems with some rules and
solve this with the location match. But I wonder, because I make an
exclude rule and this doesn't help. If there is any sign after my
string I have to use ".*", right? But what's up with folders and signs
before "/"? For example this is the string:

SecFilterRemove 300018

But the root directory is "/forum/newreply.php?do=postreply&t=13 ......"
with the folder "forum" before. I have to use a wildcard before the
string "/newreply.php?do=postreply&t=.*"?
greets
Holm

From michal at sabren.com Thu Apr 19 06:21:01 2007
From: michal at sabren.com (Michal Wallace)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Disable mod_security in .htaccess
In-Reply-To: <8FB49BBFFBF42D43BEA4DB36F735CDA92C5735@UNRX.unr.edu>
References: <8FB49BBFFBF42D43BEA4DB36F735CDA92C5735@UNRX.unr.edu>
Message-ID:

On Tue, 17 Apr 2007, Michael P Dahl wrote:

> I'm trying to disable mod_security 2.0 for a particular user in their
> .htaccess:
>
> I tried using:
>
> SecFilterEngine Off
> SecFilterScanPOST Off
>
> But they do not work in 2.0.

Is it possible your AllowOverride settings don't allow you to use
.htaccess for this? That's just a wild guess.

Sincerely,

Michal J Wallace
Sabren Enterprises, Inc.
-------------------------------------
contact: michal@sabren.com
hosting: http://www.cornerhost.com/
my site: http://www.withoutane.com/
-------------------------------------

From drear at iki.fi Sat Apr 21 10:02:35 2007
From: drear at iki.fi (drear)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] mod_magnet revisited
Message-ID: <200704211702.35252.drear@iki.fi>

Hi,

I just joined to this list and therefore started a new thread, although there
was a similar one already. But surely mod_magnet deserves another thread,
likewise Lighttpd generally.

I concur with the earlier comment in that the only thing holding me back is
the lack of equivalent rules to use and compare. In every other field
Lighttpd fits my needs much better than the predominant server. And
presumably I am not alone.

Thus, has anyone looked into porting some of the generic rules? If nothing
else, few examples would make me much more confident in writing my own rules
with mod_magnet and lua.

Thanks, and with a reference to the earlier discussion,

Jukka Ruohonen.
From holm at x-provi.de Sat Apr 21 15:25:08 2007
From: holm at x-provi.de (Holm Kapschitzki)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] parameters in LocationMatch
Message-ID: <462A6514.3060809@x-provi.de>

Hello,

I don't understand if it's possible to use something like the following
in a LocationMatch directive. I had to make some excludes. For example,
you say in exclude.conf:

#PhpBB posting
SecFilterRemove 300013

OK, there is the query string "?name=PNphpBB2&file=posting&mode=reply.*"
It seems to work. At the other side this is not working for me:
"/admin/content_manager.php?action=edit&coID=10"

Why? Is it possible to use any query string in a LocationMatch
directive? For example this isn't working, too:

SecFilterRemove 300018

That's the mod_sec log:

==dd35fa36==============================
Request: example.com 91.0.88.xxx - - [18/Apr/2007:10:20:21 +0200] "POST /newreply.php?do=postreply&t=13 HTTP/1.1" 200 0 "http://example.com/newreply.php?do=postreply&t=13" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)" wd9NElUKxY8AACawUlMAAAAR "-"
Handler: fcgid-script
----------------------------------------
POST /newreply.php?do=postreply&t=13 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://example.com/newreply.php?do=postreply&t=13
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: example.com
Content-Length: 562
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: vblastvisit=1160640450; vblastactivity=0; vb3_lastvisit=1160767645; vb3_lastactivity=0; vb3_userid=6; vb3_password=cc30d26714e50394e85d332c20886f74;
vb3_forumpwd=a554eff09b878fba91ab6e280c636d88a-4-%7Bi-164_s-32-.fc7d6804b3f6619af0cff8fa3ff8434e._i-78_s-32-.4f26f1ec7006aa0efdb59b319e41d761._i-39_s-32-.22a465c7c6146799a24324d4e28634e4._i-57_s-32-.f0026f0c01de9be64933ec949ccb1702._%7D; vb3_styleid=7; vb3_sessionhash=41d67a1ea19f183040ea8b1c1e1c3a6e
mod_security-message: Warning. Pattern match "!/imp/login\\.php" at HEADER("Referer") [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]

562
title=&message=something...

HTTP/1.0 301
Cache-Control: private
Pragma: private
Location: http://example.com/showthread.php?p=55266#post55266
Connection: close
Content-Type: text/html; charset=ISO-8859-1
--dd35fa36--

Only this is working:

SecFilterRemove 300018

greets
Holm

From mike at gotroot.com Sat Apr 21 16:29:58 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] mod_magnet revisited
In-Reply-To: <200704211702.35252.drear@iki.fi>
References: <200704211702.35252.drear@iki.fi>
Message-ID: <1177187398.3421.2.camel@localhost.localdomain>

Funny you should mention it, I'm experimenting with this now. It shows
promise. I'll post some experimental generic rules soon, just need to
nail some annoying bugs.

On Sat, 2007-04-21 at 17:02 +0300, drear wrote:
> Hi,
>
> I just joined to this list and therefore started a new thread, although there
> was a similar one already. But surely mod_magnet deserves another thread,
> likewise Lighttpd generally.
>
> I concur with the earlier comment in that the only thing holding me back is
> the lack of equivalent rules to use and compare. In every other field
> Lighttpd fits my needs much better than the predominant server. And
> presumably I am not alone.
>
> Thus, has anyone looked into porting some of the generic rules? If nothing
> else, few examples would make me much more confident in writing my own rules
> with mod_magnet and lua.
>
> Thanks, and with a reference to the earlier discussion,
>
> Jukka Ruohonen.
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity

From Crazy_Canucks at rogers.com Tue Apr 24 13:25:31 2007
From: Crazy_Canucks at rogers.com (Crazy Canucks)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Rule 340000
Message-ID: <462E3D8B.7010902@rogers.com>

Just thought you should know that rule 340000 in the modsec 2 rules
completely blocked me from accessing my websites.

The entry from my error log:

[Tue Apr 24 14:16:58 2007] [error] [client 65.55.212.236] ModSecurity: Access denied with code 500 (phase 2). Match of "rx ^HTTP/(0\\\\.9|1\\\\.0|1\\\\.1)$" against "REQUEST_PROTOCOL" required. [id "340000"] [msg "Bad HTTP Protocol"] [severity "ALERT"] [hostname "www.crazy-canucks.com"] [uri "/robots.txt"] [unique_id "9AkWh8CoAGUAAG3fEDgAAAAE"]

Owen Stairs