LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 04-30-2008, 01:43 PM   #1
fryzer
LQ Newbie
 
Registered: Apr 2008
Posts: 14

Rep: Reputation: 0
apache / mod_security: fixing false positive 950013


Hello this is my first post and I know that I can't ask for anything urgently hehe, but any help is really really appreciated.

I got a client with the following error:

Code:
[Wed Apr 30 12:30:30 2008] [error] [client 189.177.38.64] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:(?:\\\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\\\$_(?:(?:pos|ge)t|session))\\\\b|<\\\\?(?!xml))" at ARGS:edit[introduction]. [id "950013"] [msg "PHP Injection Attack. Matched signature <<?>"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/node/131/edit"] [unique_id "gVR4Qn8AAAEAABqgancAAABd"]
I've already created a modsecurity_crs_60_custom_rules.conf with

Code:
<LocationMatch "/node/131/edit">
 SecRuleRemoveById 950013
</LocationMatch>

I've restarted the application server and nothing, I keep getting the same error... Please any help is appreciated here

I forgot to mention that the "Introduction" field has this info at the moment of editing

Code:
      <img class="article-left" src="<?php print url_resource("someimage.jpg"); ?>" />
Thanks!
Fryzer

Last edited by fryzer; 04-30-2008 at 02:39 PM. Reason: Forgot a line of code!
 
Old 04-30-2008, 07:29 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,999
Blog Entries: 54

Rep: Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745
Welcome to LQ. hope you like it here. I haven't flexed my Mod_security rule-foo for a long time nor have I kept up with the docs. I think this should be a good start: http://www.modsecurity.org/blog/arch...ng_false.html: with respect to ttroubleshooting FPs and using a "modsecurity_crs_60_custom_rules.conf" properly. For altering the new version of the rule I think you should look at variable exclusion using ARGS (as in "!ARGS:somecontentfieldname"): http://www.modsecurity.org/documenta...es.html#N10BBB). HTH
 
Old 05-01-2008, 09:24 AM   #3
fryzer
LQ Newbie
 
Registered: Apr 2008
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks for the reply and the links, I've tried altering the vhost rule instead of the global original rule sets and I've tried the variable exclusion solution too, I didn't post them since I thought that a good start to try to solve the problem would be the first approach and I am stuck there, I know the problem (the 950013 rule is begin triggered by the line of PHP code on the "Introduction" field at the moment of editing and posting), I know that is always a bad practice to do that in a Data base driven application environment and I don't actually know if is like recommended to fix the problem since the user can get used to that and continue making pages with that behavior.

But at the time being I am trying to find a solution just in case and later I'll see if I implement it or suggest the client to change that bad coding habit.

Anyway... any other tip is greatly appreciated!
Fryzer
 
Old 05-04-2008, 11:09 AM   #4
JerryM
LQ Newbie
 
Registered: May 2008
Posts: 2

Rep: Reputation: 0
Thumbs up ModSecurity -> dotDefender

Hi Fryzer,

We've got the same problem with modsecurity as you described.
I would suggest you will download the dotDefender from www.applicure.com
We installed the dotDefender on 8 of our servers and its working smoothly.
They have great support for the product as well.

Good Luck,
Jerry.

Last edited by JerryM; 05-04-2008 at 11:13 AM.
 
Old 05-04-2008, 08:02 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,999
Blog Entries: 54

Rep: Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745Reputation: 2745
Quote:
Originally Posted by JerryM View Post
I would suggest you will download the dotDefender from www.applicure.com
The product you suggested is commercial and proprietary, not OSS. While that may not be prohibitive, it can only be tested for 30 days and then costs USD 4K for the first two licenses. While I can't assess his situation (and this shouldn't be construed as me speaking for him) I can't see why his problem with just one rule would warrant moving over to the commercial product you suggested, unless (with all due respect) you have an interest in the product. Else maybe you could provide an objective qualitative (non-marketoid) comparison this product is undisputably superior compared to any other in the field? Just interested, OK?
 
Old 05-06-2008, 10:30 AM   #6
fryzer
LQ Newbie
 
Registered: Apr 2008
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by JerryM View Post
Hi Fryzer,

We've got the same problem with modsecurity as you described.
I would suggest you will download the dotDefender from www.applicure.com
We installed the dotDefender on 8 of our servers and its working smoothly.
They have great support for the product as well.

Good Luck,
Jerry.
Thanks for the suggestion, I'm going to look into it but to be honest we probably won't be going that way since this is something we are trying to fix for one of our customers, and based on the fact that passing code through a database filed in a dynamic form is already a bad habit we wouldn't like to encourage the user to keep doing it.

Let's see but for the time being as I said thanks for the suggestion but I'd be a little bit more interested in an Open Source solution or simply a way to work this thing around!

Thanks!
Fryzer
 
  


Reply

Tags
application, firewall, pci, web


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
apache / mod_security: fixing false positives jrtayloriv Linux - Server 3 03-01-2008 04:03 PM
Is this a false positive....A/V question cbjhawks Linux - Security 4 02-21-2006 06:50 AM
Snort: Block False Positive from Dlink Wireless Router omICron Linux - Security 1 01-01-2005 01:41 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 2 03-09-2004 09:16 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 0 03-08-2004 08:06 AM


All times are GMT -5. The time now is 02:20 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration