
modifying mod_security

shoggy24

Regular Pleskian
I recently implemented mod_security on my server and ever since I have been having problems with the Horde mail calendar.
Whenever a user tries to make an entry in the calendar the page generates an error message. I was able to trace the error to the audit_log file, and this line is always generated:
mod_security-message: Access denied with code 500. Pattern match "!/imp/login\\.php" at HEADER("Referer") [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]

I am guessing I have to define some exclusions in the mod_security conf files, but I don't know which.

I also noticed this entry in my audit_log; it seems like an attempt to use my server as an open proxy:
Request: umsky.com 58.62.26.19 - - [19/Apr/2007:18:00:44 --0700] "GET http://umsky.com/sproxy.php HTTP/1.0" 500 603 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" - "-"
Handler: php5-script
----------------------------------------
GET http://umsky.com/sproxy.php HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: umsky.com
Connection: Keep-Alive
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "^GET (http|https|ftp)\\:/" at THE_REQUEST [severity "EMERGENCY"]

I saw that access was denied, but is there something I need to do?

Hope someone can help me out.
 
Originally posted by DerFalk
What rules do you use?

Thanks, DerFalk, for taking the time. Pasted below is my mod_security rule set. I sometimes wonder if I really need all those rules.

<IfModule mod_security.c>

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly

SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

SecServerResponseToken Off

#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"

SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsecurity/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/modsecurity/modsec_debug_log


#And now, the rules
#Remove any of these Include lines you do not use or have rules for.

#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf

#Application protection rules
Include /etc/modsecurity/rules.conf

#Comment spam rules
Include /etc/modsecurity/blacklist.conf

#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf

#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf

#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf

#Signatures to prevent proxying through your server
#only use these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf

#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
 
Are these rulesets the latest from gotroot.com?
The exclude.conf must be from N-20060928-01.

If there are older versions you must update them first!
 
OK, add this to your exclude.conf:

#Squirrel mail and Horde postings
<LocationMatch "/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
</LocationMatch>
<LocationMatch "/index.php?url=http://webmail.*">
SecFilterRemove 300018
</LocationMatch>
<LocationMatch "/index.php?url=http%3A%2F%2Fwebmail.*">
SecFilterRemove 300018
</LocationMatch>

and restart your Apache.
 
Originally posted by DerFalk
#Squirrel mail and Horde postings
<LocationMatch "/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
</LocationMatch>
<LocationMatch "/index.php?url=http://webmail.*">
SecFilterRemove 300018
</LocationMatch>
<LocationMatch "/index.php?url=http%3A%2F%2Fwebmail.*">
SecFilterRemove 300018
</LocationMatch>

This will fail; watch the double </LocationMatch> and remove one!

so:

#Squirrel mail and Horde postings
<LocationMatch "/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
<LocationMatch "/index.php?url=http://webmail.*">
SecFilterRemove 300018
</LocationMatch>
<LocationMatch "/index.php?url=http%3A%2F%2Fwebmail.*">
SecFilterRemove 300018
</LocationMatch>
 
This is what I had in my exclude.conf:

#Squirrel mail and Horde postings
<LocationMatch "/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
SecFilterRemove 300018
</LocationMatch>

I went ahead and added the last two of your exclusions:
<LocationMatch "/index.php?url=http://webmail.*">
SecFilterRemove 300018
</LocationMatch>
<LocationMatch "/index.php?url=http%3A%2F%2Fwebmail.*">
SecFilterRemove 300018
</LocationMatch>

and restarted Apache, but I still get the same error when I click an entry in the calendar. I did notice that I can create a new calendar entry from the menu, but cannot create one by clicking on the date in a calendar, and I still cannot read entries in the calendar by clicking on them.
 
Check your error_log and make the corresponding entry in the exclude.conf or post the log here, so we can help!
 
[Sun Apr 22 14:44:05 2007] [error] [client 10.*.*.*] mod_security: Access denied with code 500. Pattern match "!/imp/login\\\\.php" at HEADER("Referer") [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"] [hostname "webmail.domain.com"] [uri "/kronolith/addevent.php?timestamp=1176033600&url=http%3A%2F%2Fwebmail.domain.com%2Fkronolith%2Findex.php"]

That is the error_log for Apache. Hope this gives you an idea of what I need to exclude.

Thanks
 
Try to add this:

<LocationMatch "/kronolith/addevent.php?timestamp=*">
SecFilterRemove 300018
</LocationMatch>

Into your exclude.conf

Please restart Apache after adding it!
 
I added it, but it didn't fix it. I'm tempted, but I don't want to comment out my rules.conf, as I would rather live with a buggy Horde calendar than an exploitable server.
 
I think there is something seriously wrong with your mod_sec install. This should work, as should all the above rules work.

Please make sure that the exclude config is in the modsecurity config (included from httpd.conf) and that the exclude.conf is loaded first in the modsec hierarchy. (This is important!)
 
Yep, order matters! I'd also avoid the generic rules distributed by Breach. AFAIK, those are not Horde or SquirrelMail friendly.

Once we finish up some interface work on ASL 2.0 we'll probably stick out a new batch of rules in line with mod_sec 2.1.0.
 
I posted my mod_security config earlier in this thread, and as you can see exclude.conf precedes all other rules. I know that when I remove the filter rules below from my rules.conf it works just fine:

#really broad furl_fopen attack sig
#tune this for your system
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecFilterSelective ARGS "(ht|f)tps?:/" chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"



but I don't want to remove them because I am too paranoid that it will open my server to exploits.
I am also using mod_sec 1.9 from gotroot.com; do you think I should use mod_sec 2?

Thank you guys for your help.
 
Not yet, there's nothing in 2.1.0 that you'd really use right now anyway. The rule format changed, so it doesn't perform anything like 1.9 or 1.8.
 
Just in case anyone has this problem, I was able to resolve it by adding these lines to my exclude.conf:

<Directory /usr/share/psa-horde>
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
SecFilterRemove 300018
SecFilterRemove 300040
</Directory>
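Added example, not code from the thread or from the gotroot rule set: a small Python simulator of how the chained 1.9 rules 300018 and 300040 quoted above (and the proxy.conf rule seen in the audit_log) evaluate the two logged requests, and of why the `<LocationMatch "...?timestamp=*">` exclusion never reaches the kronolith request while the `<Directory /usr/share/psa-horde>` one does. It assumes mod_security 1.x chain semantics (every link must match, a leading `!` negates a link, REQUEST_URI and ARGS are URL-decoded before matching), that Apache tests `<LocationMatch>` against the URL path without the query string and `<Directory>` against the filesystem path, that webmail.domain.com's document root is /usr/share/psa-horde, and that the failing request's Referer was a kronolith page (the log only shows that it was not /imp/login.php). The request dicts are constructed from the log lines in the thread.

```python
"""Simulate mod_security 1.9 chained rules and Apache exclusion scoping.

Assumptions (not stated in the thread):
  - a chain fires only when every link matches; a leading "!" negates a link;
  - REQUEST_URI and ARGS are URL-decoded before the regex is applied;
  - <LocationMatch> sees only the URL path, never the query string;
    <Directory> sees the filesystem path the request maps to (no Alias handling);
  - webmail.domain.com's document root is /usr/share/psa-horde;
  - the failing request's Referer was a kronolith page.
"""
import re
from urllib.parse import unquote, urlsplit

# Links copied from the rules.conf excerpt posted above.
NOT_WHITELISTED = (r"!(/tiki-objectpermissions|aardvarkts/install/index|/do_command"
                   r"|banner_click|wp-login|tiki-view_cache|/horde/index"
                   r"|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)")
CHAIN_300018 = [
    ("REQUEST_URI", NOT_WHITELISTED),
    ("REQUEST_URI", r"\.php(3|4|5)?(\?|&)"),
    ("ARGS", r"(ht|f)tps?:/"),
    ("HTTP_Referer", r"!/imp/login\.php"),
]
CHAIN_300040 = [
    ("REQUEST_URI", NOT_WHITELISTED),
    ("REQUEST_URI", r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"),
    ("HTTP_Referer", r"!/imp/login\.php"),
]
# The proxy.conf rule reported in the audit_log excerpt; THE_REQUEST is the request line.
PROXY_RULE = r"^GET (http|https|ftp)\:/"


def link_matches(pattern, value):
    """One SecFilterSelective link: regex search, inverted when the pattern starts with '!'."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate


def variables(req):
    """The 1.x variables read by the chains above, after URL-decoding (assumed normalisation)."""
    return {
        "REQUEST_URI": unquote(req["uri"]),
        "ARGS": unquote(urlsplit(req["uri"]).query),
        "HTTP_Referer": req.get("referer", ""),
    }


def chain_fires(chain, req):
    v = variables(req)
    return all(link_matches(pattern, v[var]) for var, pattern in chain)


def proxy_rule_fires(req):
    the_request = f"{req['method']} {req['uri']} HTTP/1.0"
    return re.search(PROXY_RULE, the_request) is not None


def locationmatch_applies(regex, req):
    """<LocationMatch regex>: Apache tests the URL path only; the query string is dropped."""
    return re.search(regex, urlsplit(req["uri"]).path) is not None


def directory_applies(directory, req, docroots):
    """<Directory path>: applies to files at or below that directory on disk."""
    fs_path = docroots[req["host"]] + urlsplit(req["uri"]).path
    return fs_path.startswith(directory.rstrip("/") + "/")


# Constructed from the two log lines quoted in the thread.
KRONOLITH = {
    "method": "GET", "host": "webmail.domain.com",
    "uri": "/kronolith/addevent.php?timestamp=1176033600"
           "&url=http%3A%2F%2Fwebmail.domain.com%2Fkronolith%2Findex.php",
    "referer": "http://webmail.domain.com/kronolith/index.php",  # assumed value
}
PROXY_PROBE = {"method": "GET", "host": "umsky.com",
               "uri": "http://umsky.com/sproxy.php", "referer": ""}
DOCROOTS = {"webmail.domain.com": "/usr/share/psa-horde"}  # assumed mapping


def report(req):
    """Which rules fire, and which of the thread's exclusion scopes reach the request."""
    return {
        "300018": chain_fires(CHAIN_300018, req),
        "300040": chain_fires(CHAIN_300040, req),
        "proxy": proxy_rule_fires(req),
        # DerFalk's scope: '?' and '*' are regex quantifiers here (p? and =*), and the
        # path Apache compares against never contains the query string, so no match.
        "locationmatch_addevent": locationmatch_applies(
            r"/kronolith/addevent.php?timestamp=*", req),
        "directory_psa_horde": req["host"] in DOCROOTS
        and directory_applies("/usr/share/psa-horde", req, DOCROOTS),
    }


if __name__ == "__main__":
    for name, req in (("kronolith", KRONOLITH), ("proxy probe", PROXY_PROBE)):
        print(name, report(req))
```

Running it shows the behaviour the thread converged on: both 300018 and 300040 fire on the kronolith request (the `url=http%3A%2F%2F...` argument decodes to `http://` and the Referer is not `/imp/login.php`), the `sproxy.php` probe is caught by the proxy rule and not by 300018, the `<LocationMatch>` with a query string in it matches nothing, and a `<Directory>` scope on the Horde document root is what actually carries the `SecFilterRemove` lines to the request. A narrower fix than removing the rules for the whole directory would be adding the kronolith path to the rule's own REQUEST_URI whitelist, at the cost of editing rules.conf.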
 