[Owasp-modsecurity-core-rule-set] cpanel modsecurity add-rule difficulty

2016-12-01 Thread Russell Clemings
I'm having some trouble dealing with two false positives. This is cPanel's
implementation of OWASP ver.3.0.0, as nearly as I can tell (from
/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf).
I've masked some possibly sensitive data.

523939:[Thu Dec 01 10:25:39.244073 2016] [:error] [pid 24880] [client
xx.xx.xxx.xxx] ModSecurity: Access denied with redirection to
http://www.example.com/ using status 302 (phase 2). Pattern match
"%((?!$|W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:returnUrl.
[file
"/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"]
[line "219"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"]
[severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "6"] [accuracy "8"]
[tag "Host: www.example.com"] [tag "application-multi"] [tag
"language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
"OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [hostname "www.example.com"] [uri
"/xxx.php"] [unique_id "WEBA83cQjKbwhNpTYWkudQQ"]

526747:[Thu Dec 01 10:41:28.958952 2016] [:error] [pid 26285] [client
xx.xx.xxx.xxx] ModSecurity: Access denied with redirection to
http://www.example.com/ using status 302 (phase 2). Match of "beginsWith
%{request_headers.host}" against "TX:1" required. [file
"/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-31-APPLICATION-ATTACK-RFI.conf"]
[line "30"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion
(RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data:
https://another.example.com/a/account/validatethirdpartycorporateauthresult?redirectUrl=http:%2F%2Fanother.example.com%2Fa
found within TX:1:
another.example.com/a/account/validatethirdpartycorporateauthresult?redirectUrl=http:%2F%2Fanother.example.com%2Fa"]
[severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"]
[tag "Host: www.example.com"] [tag "application-multi"] [tag
"language-multi"] [tag "platform-multi"] [tag "attack-remote file
inclusion"] [tag "OWASP_CRS/WEB_ATTACK/RFI"] [hostname "www.example.com"]
[uri "/xxx.php"] [unique_id "WEBEqF9us8Ws-b6n3kgKmAI"]

I've confirmed that those rules are the problem by temporarily disabling
them, but I would like to create an exception instead. I am trying to use
the "add rule" function in cPanel's WHM/Security
Center/ModSecurity/Tools/Rules List. Here is what I'm trying to add (singly
and both at once):

SecRuleUpdateTargetById 950109 !ARGS:'another.example.com'
SecRuleUpdateTargetByID 950120 !ARGS_NAMES:'another.example.com'

When I try to save and deploy, here is what I get in the cPanel error log:

[2016-12-01 16:09:21 -0500] warn [xml-api] The system failed to deploy the
changes for “modsec/modsec2.user.conf”: The system could not validate the
new Apache configuration because httpd exited with a nonzero value. Apache
produced the following error: AH00526: Syntax error on line 1 of
/etc/apache2/conf.d/modsec/modsec2.user.conf:
Updating target by ID with no ruleset in this context

I've tried various combinations of single quotes, double quotes, no quotes,
but to no avail. It's up to the server vendor to file a ticket with cPanel
and they say it's not appropriate to do that for a syntax error.

Suggestions?

I did file reports via cPanel earlier today and got auto-replies from
secur...@modsecurity.org assigning ticket nos. 1332 and 1333, but nothing
further.
___
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
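An added example, not from Russell's post, cPanel or the CRS project: the same two exclusions expressed as a runtime ctl: action, which is evaluated per request after every rule file has been loaded and so does not depend on where modsec2.user.conf sits in the include order. It assumes the script is /xxx.php from the log, that the parameter tripping both rules is returnUrl (the log names ARGS:returnUrl for 950109; for 950120 this is an assumption), and that id 1000001 is unused locally.

```apache
# The error "Updating target by ID with no ruleset in this context" means
# that when Apache parses modsec2.user.conf, no CRS rules have been loaded
# yet, so SecRuleUpdateTargetById has nothing to modify. A ctl: action in a
# phase 1 rule is applied at request time instead, when rules 950109 and
# 950120 already exist, so it can live in modsec2.user.conf.
#
# Assumptions (not from the original post): script is /xxx.php, the noisy
# argument is returnUrl for both rules, id 1000001 is free in the
# 1,000,000-1,999,999 range reserved for local rules.

# Narrow exclusion: both rules stay active everywhere, but stop inspecting
# ARGS:returnUrl when the request is for /xxx.php. Using the filename as
# the condition keeps the exception from leaking to other scripts.
SecRule REQUEST_FILENAME "@endsWith /xxx.php" \
    "id:1000001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=950109;ARGS:returnUrl,\
    ctl:ruleRemoveTargetById=950120;ARGS:returnUrl"

# If SecRuleUpdateTargetById is preferred, it only parses in a file that is
# included AFTER the CRS rule files; in modsec2.user.conf it will keep
# failing with the error above. Note the target is the argument name, not
# the value that matched:
#
# SecRuleUpdateTargetById 950109 "!ARGS:returnUrl"
# SecRuleUpdateTargetById 950120 "!ARGS:returnUrl"
```

Check the audit log after deploying: the two rule ids should no longer fire for /xxx.php while still appearing for any other script that carries a double-encoded or off-domain URL.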


Re: [Owasp-modsecurity-core-rule-set] Drupal 7, nginx with ModSecurity - How to resolve that 404 error page please?

2016-12-01 Thread Matej Zuzčák
Hello Ehsan, Christian and Michael

thank you for your replies. So I will try use of nginx connector module.

Best Regards
Matej Zuzcak

On 1.12.2016 at 10:53 Ehsan Mahdavi wrote:



Re: [Owasp-modsecurity-core-rule-set] Drupal 7, nginx with ModSecurity - How to resolve that 404 error page please?

2016-12-01 Thread Ehsan Mahdavi
Dear Christian
It isn't very odd to me if Matej uses Nginx with Modsec V2.x.

As an experienced Nginx + Modsec V2.x(nginx_refactoring) user, it looks
like a known bug. While using nginx+modsecV2.x in reverse proxy mode
(which is not the case for Matej) we have the very same issue for some post
requests.
I can refer you to these links:

http://permalink.gmane.org/gmane.comp.apache.mod-security.user/12502
https://github.com/SpiderLabs/ModSecurity/issues/115
https://github.com/SpiderLabs/ModSecurity/issues/582
https://github.com/SpiderLabs/ModSecurity/issues/664
https://github.com/SpiderLabs/ModSecurity/issues/748


All complaining about this problem and no one takes the responsibility.
The only way is to disable modsec for the requested uri and wait for the
community to release modsec V3.0 or higher and hope that this bug will be
fixed.

Meantime he/she might find ctl:ruleEngine=off useful.

Br. Ehsan

On Thu, Dec 1, 2016 at 11:56 AM, Christian Folini <christian.fol...@netnea.com> wrote:


Re: [Owasp-modsecurity-core-rule-set] Drupal 7, nginx with ModSecurity - How to resolve that 404 error page please?

2016-12-01 Thread Christian Folini
Hello Matej,

I had hoped somebody with an NginX could shed some light on this. But
apparently not.

It is very odd. Your server says it cannot open a certain file
(does it exist? permissions ok?) but then it seems that ModSec
influences the behaviour of the server down to opening files.
And that sounds quite crazy.

On Mon, Nov 28, 2016 at 11:59:56AM +0100, Matej Zuzčák wrote:
> OWASP rule set. But when I active ModSecurity in my virtual host config
> file for my Drupal 7 web I do not login, register or reset password with
> this error in log:

Your English is a bit hard to understand here. Could you rephrase,
please?

> I found some solutions for Apache web server (these solutions use
> modifications of htaccess file), but not for Nginx.

What was the problem with Apache exactly and what did you modify in
the .htaccess file to make it go away?

Cheers,

Christian


-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini