Hi I have recently installed mod-security2 (v 2.6.3-1ubuntu0.2) on Ubuntu 12.04 LTS and the OWASP core rule set (v 2.2.5) as part of securing a web server running Joomla 2.5.6. I am using a Joomla template from Yootheme based on their Warp Theme framework v6.2 and their Widgetkit toolset v1.2.
Mod-security2 is generating a false positive for the Widgetkit map component and I was wondering how to go about creating a custom local rule exception for this. I have searched and come across some examples of custom rules but must admit I am a bit unsure about how to create the rule in this case. The information from the modsec_audit.log is as follows:

--4a562b4c-B--
GET /component/widgetkit/?tmpl=raw&id=5 HTTP/1.1
Host: sur-static-31.xxxx.yyyy
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://sur-static-31.xxxx.yyyy/about-us/contact-us/general-contact-information
Cookie: 8d46d49916e124b333b939f5c4e13acd=pdem1o994m5e29vlsc1dhqhv35; 03698be3bfdfc6348389481d8d00062c=r1tmq1i1pkgboh6fhmr3tl7oo6; jpanesliders_panel-sliders=0; jpanesliders_position-icon=0; jpanesliders_content-sliders-26=0; jpanesliders_permissions-sliders-26=0; jpanesliders_permissions-sliderscom_content=0

--4a562b4c-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 192
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--4a562b4c-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /component/widgetkit/ on this server.</p>
</body></html>

--4a562b4c-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\ ..." at ARGS_NAMES:amp;id. [file "/etc/modsecurity/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "197"] [id "950006"] [rev "2.2.5"] [msg "System Command Injection"] [data ";id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Stopwatch: 1348215302952777 4630 (- - -)
Stopwatch2: 1348215302952777 4630; combined=2688, p1=346, p2=2283, p3=0, p4=0, p5=59, sr=100, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

--4a562b4c-Z--

As I understand the log data, rule 950006 is activated by the "id" variable in the URL of the GET request GET /component/widgetkit/?tmpl=raw&id=5 HTTP/1.1. The "id" variable is the unique identity of the particular map created in the Widgetkit Map component.

I tried to create a rule in modsecurity_crs_48_local_exceptions.conf based on the information in the triggered rule, using ARGS_NAMES and trying to match the suffix of the URL as follows:

SecRule ARGS_NAMES:amp;id "@streq raw&id=5" \
    "phase:2,t:none,nolog,pass,setvar:tx.anomaly_score=-20"

This does not work and I am confident I am not getting the semantics correct. Also, I notice the URL is being displayed in the error as ARGS_NAMES:amp;id whereas I thought it should be &id.

Could anyone provide some pointers or refer me to documentation for how to create the rule correctly (excluding the actual value 5 so as to make it more general) so accessing this component will not trigger this rule without completely disabling the rule?

Thanks in advance.

Regards
Paul Freeman

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
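As an added example, not part of Paul's post and not shipped with the CRS, the following is one way to write this exclusion in modsecurity_crs_48_local_exceptions.conf for the versions named in the post (ModSecurity 2.6.3, CRS 2.2.5). It keys on what the audit log actually reports, the argument name amp;id: ARGS_NAMES holds parameter names, not the URL, so a @streq against raw&id=5 can never match, and the -H section shows rule 950006 intercepting on its own, so adjusting tx.anomaly_score afterwards cannot prevent the block. Nothing in it depends on the map id, so it covers every map. The local rule id 10001 and the assumption that the map endpoint is only reached under /component/widgetkit/ are mine, not from the post.

```apache
# Added example (not from the original post or the CRS): local exclusion for
# CRS rule 950006, written for ModSecurity 2.6.x / CRS 2.2.x and intended for
# modsecurity_crs_48_local_exceptions.conf, which is loaded after the
# crs_40 file that defines the rule (SecRuleUpdateTargetById must follow
# the rule it modifies).
#
# Assumptions (mine, not the post's): the Widgetkit map endpoint lives only
# under /component/widgetkit/, and rule id 10001 is unused on this server
# (ModSecurity reserves ids 1-99,999 for local rules).

# Option 1 (preferred, narrowest): keep rule 950006 active everywhere, but
# stop it inspecting the single parameter name the audit log reports,
# ARGS_NAMES:amp;id. Every other parameter on the site is still checked.
SecRuleUpdateTargetById 950006 "!ARGS_NAMES:amp;id"

# Option 2 (alternative, wider): skip rule 950006 entirely, but only for
# requests to the Widgetkit component. Phase 1 runs before the phase 2
# rule, so the ctl action removes it for this transaction only. Use this
# instead of option 1 if the parameter name turns out to vary.
#SecRule REQUEST_FILENAME "@beginsWith /component/widgetkit/" \
#    "phase:1,t:none,nolog,pass,id:'10001',ctl:ruleRemoveById=950006"
```

After `apache2ctl configtest` and a reload, request the map again and confirm that modsec_audit.log no longer shows a -H section with id "950006" for that URL. An argument name of amp;id typically means the link was emitted with the HTML entity `&amp;` and fetched unencoded, so ModSecurity split the query string into `tmpl=raw` and `amp;id=5`; correcting that in the template's output would remove the need for the exclusion altogether. Either option above is preferable to disabling 950006 outright, which would drop command-injection checks for every parameter on the site.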