On Sat, 2012-09-01 at 10:41 +0100, Arthur Dent wrote:
> Hello all,
> 
> I am part-way through a bare metal rebuild of my small home server on a
> Fedora 17 platform. I have always had a problem with ModSec and
> Squirrelmail. Most of Squirrelmail's functions seem to hit ModSec rules.
> In the past I have dealt with this by means of a custom rule which I put
> in modsecurity_localrules.conf which read:
> SecRule REQUEST_URI "@rx (compose|delete_message|options|move_messages|gpg_pop_init)\.php" "pass,ctl:ruleEngine=DetectionOnly"
> (The URI is usually something like /webmail/src/compose.php)
> 
> Now that I am on the latest everything (ModSec 2.2.6, CRS 2.2.5) I
> wonder if there was a better way of doing this?
> 
> I am surely not the only person who uses ModSec and Squirrelmail.
> 
> What is the best way to deal with this?
> 
> Thanks in advance for any help / suggestions.
> 
> Mark

OK. No-one offered any suggestions so I have been trying to do this
myself without any success. I guess things have changed since I last had
this working.

I have created a modsecurity_crs_15_customrules.conf file and tried both
this:
SecRule REQUEST_URI "@rx (compose|delete_message|options|move_messages|gpg_pop_init)\.php" "pass,ctl:ruleEngine=DetectionOnly"

and this:
SecRule REQUEST_URI "@rx \/webmail\/src\/" "pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"

but neither seems to work. Here are the relevant sections from the logs:
==========================8<===========================================
--53208e27-A--
[06/Sep/2012:08:28:57 +0100] UEhQuV5@KJoAAA-gZOEAAAAA 82.43.145.228 50213 192.168.2.2 443
--53208e27-B--
POST /mywm/src/compose.php HTTP/1.1
Host: www.mydomain.org
Connection: keep-alive
Content-Length: 2032
Cache-Control: max-age=0
Origin: https://www.mydomain.org
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryApZrcLUMZNcW08Hw
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.mydomain.org/mywm/src/compose.php?mailbox=IN-School&startMessage=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,en-GB;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: key=OYX4xy5pBYc%3D; squirrelmail_language=deleted; SQMSESSID=vdpj7jlonemo25np8cqaac5q84

--53208e27-I--
smtoken=2Mjp0tu7F9D1&startMessage=1&session=1&passed%5fid=&identity=0&send%5fto=mark%40mydomain%2eorg&send%5fto%5fcc=&send%5fto%5fbcc=&subject=Test+Message&mailprio=3&body=Test+Message&send=Send&MAX%5fFILE%5fSIZE=2097152&username=mark&smaction=&mailbox=IN%2dSchool&composesession=1&querystring=mailbox%3dIN%2dSchool%26amp%3bstartMessage%3d1
--53208e27-F--
HTTP/1.1 403 Forbidden
Content-Length: 304
Connection: close
Content-Type: text/html; charset=iso-8859-1

--53208e27-H--
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){4,}" at ARGS:querystring. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "=1"]
Message: Failed to access DBM file "/var/log/httpd//global": Permission denied
Message: Failed to access DBM file "/var/log/httpd//ip": Permission denied
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1346916537512630 18158 (- - -)
Stopwatch2: 1346916537512630 18158; combined=17993, p1=421, p2=12973, p3=0, p4=0, p5=2378, sr=53, sw=1, l=0, gc=2220
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache/2.2.22 (Fedora)

--53208e27-Z--
==========================8<===========================================

I am particularly mystified by the "Failed to access DBM file" message.
Can anyone assist me in getting this through?

Thanks

Mark
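Editor's note, added example (not part of the original post): the exception rule below is what a CRS 2.2.x exception for the Squirrelmail path in the audit log above looks like. Two details in the log are worth checking against the rules posted: the request path is /mywm/src/compose.php, not /webmail/src/, so the second posted rule never matches; and rule 981173 fires in phase 2, so the exception is placed in phase 1 so that its ctl action is already in force regardless of file load order. The rule ids, the /mywm/src/ prefix and the SecDataDir path are assumptions.

```apache
# Added example: Squirrelmail exception for ModSecurity 2.6 with CRS 2.2.x.
# Goes in the file the post already uses,
# /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_15_customrules.conf

# Phase 1 (request headers) runs before every phase-2 rule, so the ctl
# action is in effect when 981173 inspects ARGS. The /mywm/src/ prefix is
# taken from the audit log above (assumption: Squirrelmail stays there).
# id:1000 is an arbitrary local id (assumption); ModSecurity 2.6 does not
# require ids, but 2.7 and later refuse rules without one.
SecRule REQUEST_URI "@beginsWith /mywm/src/" "phase:1,id:1000,t:none,pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"

# Narrower alternative: keep the engine blocking on the webmail path and
# switch off only the CRS rule that fired in the log (981173). Add one
# ctl:ruleRemoveById per further id that shows up in the audit log.
# SecRule REQUEST_URI "@beginsWith /mywm/src/" "phase:1,id:1001,t:none,pass,nolog,ctl:ruleRemoveById=981173"

# The "Failed to access DBM file /var/log/httpd//global: Permission denied"
# messages mean SecDataDir currently points at /var/log/httpd/, which the
# httpd worker user cannot write. Set it once, in the main ModSecurity
# config rather than here, to a directory owned by that user (apache on
# Fedora; on SELinux hosts it also needs a writable httpd file context).
# The path below is an assumption.
# SecDataDir /var/lib/mod_security
```

The DetectionOnly variant still writes the CRS alerts to the error and audit logs, so the ids still being hit on the webmail path can be read off later and turned into ruleRemoveById exceptions if a tighter policy is wanted.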


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set