On Thu, 2012-09-06 at 08:41 +0100, Arthur Dent wrote:
> On Sat, 2012-09-01 at 10:41 +0100, Arthur Dent wrote:
> > Hello all,
> >
> > I am part-way through a bare metal rebuild of my small home server on a
> > Fedora 17 platform. I have always had a problem with ModSec and
> > Squirrelmail. Most of Squirrelmail's functions seem to hit ModSec rules.
> > In the past I have dealt with this by means of a custom rule which I put
> > in modsecurity_localrules.conf which read:
> > SecRule REQUEST_URI "@rx(compose|delete_message|options|move_messages|
> > gpg_pop_init.php)\.php" "pass,ctl:ruleEngine=DetectionOnly"
> > (The URI is usually something like /webmail/src/compose.php)
> >
> > Now that I am on the latest everything (ModSec 2.2.6, CRS 2.2.5) I
> > wonder if there was a better way of doing this?
> >
> > I am surely not the only person who uses ModSec and Squirrelmail.
> >
> > What is the best way to deal with this?
> >
> > Thanks in advance for any help / suggestions.
> >
> > Mark
>
> OK. No-one offered any suggestions so I have been trying to do this
> myself without any success. I guess things have changed since I last had
> this working.
>
> I have created a modsecurity_crs_15_customrules.conf file and tried both
> this:
> SecRule REQUEST_URI "@rx(compose|delete_message|options|move_messages|
> gpg_pop_init.php)\.php" "pass,ctl:ruleEngine=DetectionOnly"
>
> and this:
> SecRule REQUEST_URI "@rx \/webmail\/src\/"
> "pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"
>
> but neither seem to work.
> Here are the relevant sections from the logs:
> ==========================8<===========================================
> --53208e27-A--
> [06/Sep/2012:08:28:57 +0100] UEhQuV5@KJoAAA-gZOEAAAAA 82.43.145.228 50213
> 192.168.2.2 443
> --53208e27-B--
> POST /mywm/src/compose.php HTTP/1.1
> Host: www.mydomain.org
> Connection: keep-alive
> Content-Length: 2032
> Cache-Control: max-age=0
> Origin: https://www.mydomain.org
> User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like
> Gecko) Chrome/21.0.1180.89 Safari/537.1
> Content-Type: multipart/form-data;
> boundary=----WebKitFormBoundaryApZrcLUMZNcW08Hw
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Referer:
> https://www.mydomain.org/mywm/src/compose.php?mailbox=IN-School&startMessage=1
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8,en-GB;q=0.6
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
> Cookie: key=OYX4xy5pBYc%3D; squirrelmail_language=deleted;
> SQMSESSID=vdpj7jlonemo25np8cqaac5q84
>
> --53208e27-I--
> smtoken=2Mjp0tu7F9D1&startMessage=1&session=1&passed%5fid=&identity=0&send%5fto=mark%40mydomain%2eorg&send%5fto%5fcc=&send%5fto%5fbcc=&subject=Test+Message&mailprio=3&body=Test+Message&send=Send&MAX%5fFILE%5fSIZE=2097152&username=mark&smaction=&mailbox=IN%2dSchool&composesession=1&querystring=mailbox%3dIN%2dSchool%26amp%3bstartMessage%3d1
> --53208e27-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 304
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --53208e27-H--
> Message: Access denied with code 403 (phase 2). Pattern match
> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){4,}"
> at ARGS:querystring.
> [file
> "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character
> Anomaly Detection Alert - Total # of special characters exceeded"] [data "=1"]
> Message: Failed to access DBM file "/var/log/httpd//global": Permission denied
> Message: Failed to access DBM file "/var/log/httpd//ip": Permission denied
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1346916537512630 18158 (- - -)
> Stopwatch2: 1346916537512630 18158; combined=17993, p1=421, p2=12973, p3=0,
> p4=0, p5=2378, sr=53, sw=1, l=0, gc=2220
> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.5.
> Server: Apache/2.2.22 (Fedora)
>
> --53208e27-Z--
> ==========================8<===========================================
>
> I am particularly mystified by the "Failed to access DBM file" message.
> Can anyone assist me in getting this through?
OK - With thanks to Josh - who put me on the right track - I have now
solved the DBM file error (it *was* a selinux problem), but I am still
struggling to get squirrelmail to work with ModSec.

This is an example of what happens when I try to create and send a message:

==========================8<===========================================
--be01bf35-A--
[12/Sep/2012:19:26:29 +0100] UFDT1V5@KJoAACBKdaUAAAAA 82.43.145.228 34343 192.168.2.2 443
--be01bf35-B--
POST /mywm/src/compose.php HTTP/1.1
Host: www.mydomain.org
Connection: keep-alive
Content-Length: 2041
Cache-Control: max-age=0
Origin: https://www.mydomain.org
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqAsmrZ53bK174WYX
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.mydomain.org/webmail/src/compose.php?mailbox=INBOX&startMessage=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,en-GB;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: key=Nta%2BtVqpYnE%3D; squirrelmail_language=deleted; SQMSESSID=3lf5on9kt9tmsv8jhppi7r8895; PHPSESSID=kvimuo0q0nsfeh0u4ap90sv777
--be01bf35-I--
smtoken=r2hbuOJf0MiC&startMessage=1&session=1&passed%5fid=&identity=0&send%5fto=mark%40mydomain%2eorg&send%5fto%5fcc=&send%5fto%5fbcc=&subject=Test+Message&mailprio=3&send=Send&body=Another+Test+Message%2e%0d%0a%0d%0aM%2e%0d%0a&MAX%5fFILE%5fSIZE=2097152&username=mark&smaction=&mailbox=INBOX&composesession=1&querystring=mailbox%3dINBOX%26amp%3bstartMessage%3d1
--be01bf35-F--
HTTP/1.1 403 Forbidden
Content-Length: 304
Connection: close
Content-Type: text/html; charset=iso-8859-1
--be01bf35-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:body.
[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ".\x0d\x0a\x0d\x0a"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1347474389086911 22910 (- - -)
Stopwatch2: 1347474389086911 22910; combined=14623, p1=397, p2=14178, p3=0, p4=0, p5=47, sr=96, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache/2.2.22 (Fedora)
--be01bf35-Z--
==========================8<===========================================

How do I allow these through without compromising the security of the rest of the site?

Thanks again...

Mark
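Added example (not from Mark's messages or from the CRS project): two ways to carve out the two false positives shown in the audit logs above without switching the whole request to DetectionOnly, so every other CRS rule keeps protecting compose.php. It assumes the request path from the log (/mywm/src/compose.php), the rule ids the log reports (960024 and 981173), the rule id 999010 chosen here, and the CRS file-naming convention of modsecurity_crs_15_customrules.conf loading before the 41 rules and a file such as modsecurity_crs_60_customrules.conf (assumed name) loading after them.

```apache
# --- Option A: modsecurity_crs_15_customrules.conf (loads BEFORE the CRS
#     41 rules). A phase:1 rule runs before any phase 2 rule, so it can turn
#     the two noisy rules off for this one script only; the remaining CRS
#     rules still inspect the request.
#     Note the space after "@rx" (without it ModSecurity reads
#     "rx(compose..." as the operator name) and the ^ anchor, so the
#     exception cannot be triggered from any other path. No $ anchor because
#     REQUEST_URI still carries the query string on GET requests.
#     An id is accepted by 2.6 and mandatory from ModSecurity 2.7 onwards.
SecRule REQUEST_URI "@rx ^/mywm/src/compose\.php" "phase:1,id:'999010',t:none,nolog,pass,ctl:ruleRemoveById=960024,ctl:ruleRemoveById=981173"

# If another SquirrelMail script starts tripping rules, add one more rule of
# the same shape for that script rather than widening the pattern to the
# whole /mywm/src/ directory.

# --- Option B: modsecurity_crs_60_customrules.conf (loads AFTER the CRS
#     41 rules, which SecRuleUpdateTargetById requires). This is the
#     narrower exception: both rules stay active on every request and on
#     every other argument of compose.php; only the two fields that
#     legitimately carry free text (the mail body) and a URL-encoded query
#     string (the hidden querystring field) are excluded from them.
#     SecRuleUpdateTargetById needs ModSecurity 2.6 or later (assumed
#     present in the 2.6.6 build the Producer line shows).
SecRuleUpdateTargetById 960024 !ARGS:body
SecRuleUpdateTargetById 981173 !ARGS:querystring
```

After adding either option, run `apachectl configtest` before restarting and re-send a test message; the -H section of the audit log should no longer show 960024 or 981173 firing, while a deliberately odd value in any other compose.php field should still be blocked.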
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set