Having problems with mod_security?

Started by [Unknown], April 26, 2005, 12:07:59 AM


青山 素子

Either disable mod_security or find a better host. That's an awful filter to put in production.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Forum Guy

Wow, this problem is known since 2005 and never got fixed - impressive!

I don't think the host is bad coz he got security in place SMF apparently can't handle....2010 now... SMF2 RC3 still can't handle. Maybe time for a better forum software!?

青山 素子

If you actually bother to read about the issue, you would know it is about certain non-standard rules that trip up many products as well as SMF. If a host tosses up rules without understanding the impact they can have, they are a bad host to stay with as they are incompetent.

mod_security, if used intelligently, will work fine with SMF. In general, Suhosin would probably be a better choice, but many hosts won't recompile PHP for it. Unfortunately, many hosts don't use mod_security in an intelligent way - they just know that "more rules are better" and break things. If you're on shared hosting, you won't have the ability to choose the right filter rules and thus will have to try and disable the module entirely.


Forum Guy

Okay, and since most hosts are just too dumb to apply mod_security properly, especially to work with SMF, those seem to have no other issues as they have used this mod for years with everything else on their servers.

I really wonder what is the problem here..




青山 素子

Quote from: Forum Guy on September 25, 2010, 04:47:48 AM
I really wonder what is the problem here..

Silly rules being implemented with restrictions like "can't have the word 'post' in a GET string". Yeah... Heck, I recall one poster earlier in either this topic or another where this module was being a problem. They couldn't write certain words in their forum posts. That's not an SMF issue, and I think it was proven to be a bad mod_security rule by some simple tests that showed it affected any application.

I wouldn't say "most" hosts, anyway. If this was a huge issue, the topic would be much longer. Heck, you're the first new poster to this topic since April.

May I note that even the creator of mod_security, Trustwave, has noted that false positives are common because some of the rules are so generic? They even made a whole post about whitelisting false positives some years ago.

The real problem is not SMF, it's small-time webhosts using a product they aren't familiar with and which has been acknowledged by the author as needing to be tailored to the content running on the server (in other words, it's not suitable for mass shared hosting) being used for shared hosting. Then they compound it by grabbing "restrictive" rule sets above the core and using those.


Forum Guy

Okay, thanks. What makes me wonder is that in my particular case I can (click to) view any image attached to a forum post just fine, BUT in Admin/forum/attachments you click on the SAME image name and it throws that error?

how can that be?

In other words, in the Admin panel all/every attachment image you try to view shows error while same images in their forum posts show up fine!?

something does not fit here..

青山 素子

Possibly it doesn't like the referrer header line with the hex values in the URL. Possibly, it's some other hidden thing. Do you have access to the error log to see what the error is?


Forum Guy

Error log is clean - no related entry!

青山 素子

There is a specific mod_security audit log. If you don't see it, ask your host to forward the appropriate log lines to you.


Forum Guy


Forum Guy

Support looked into it and confirmed - however, I wonder whether the SMF2 code in admin/browse attachments could be altered to pass this rule? This is the only incident I have seen with mod_security enabled - all else seems to work fine.


I have confirmed that the issue is indeed mod_security, as the below excerpt from the error_log confirms.

@biz93 [~]# tail -f /usr/local/apache/logs/error_log | grep enchanting
[Sun Sep 26 06:50:26 2010] [error] [client xx.xxx.154.170] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at ARGS:action. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "139"] [id "950006"] [msg "System Command Injection"] [data ";id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "$$$$$$.biz"] [uri "/SMF2/index.php"] [unique_id "TJ9Pos2G@VUAAF2QVCoAAAEP"]


青山 素子

What's the URL it's flagging? Feel free to obscure the domain, the URI is really the important part.


Forum Guy


青山 素子

The actual link to the file as well, please.


Forum Guy

okay, this is the complete thing - nothing more on offer

@biz93 [~]# tail -f /usr/local/apache/logs/error_log | grep enchanting
[Sun Sep 26 06:50:26 2010] [error] [client xx.xxx.xxx.170] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at ARGS:action. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "139"] [id "950006"] [msg "System Command Injection"] [data ";id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "deleted.biz"] [uri "/SMF2/index.php"] [unique_id "TJ9Pos2G@VUAAF2QVCoAAAEP"]
[Sun Sep 26 06:50:26 2010] [error] [client xx.xxx.xxx.170] File does not exist: /home/deleted/public_html/501.shtml, referer: http://deleted.biz/SMF2/index.php?action=admin;area=manageattachments;sa=browse;c1a9277=1b2045b57f74e6a132b71b66f315a6e2

青山 素子

But what is the URL that is being requested that trips that?


Forum Guy

I am no regex expert but I am under the impression that this part of the url string is throwing the command injection?!

....c1a9277=1b2045b57f74e6a132b71b66f315a6e2

The fix seems simple to me since we're basically talking about "viewing images" - the way it happens in the forum message with attachment works fine. Browsing/viewing an attachment from within the admin panel triggers an error vomit. Consequently, adjust the admin panel code (browsing attachments) the way image viewing is done from within the forum message and all should be well, no?

SimpleJoe

Just my two-cents, mod_security now comes built-in with cPanel hosting, and I've seen a way to edit mod_security so that it doesn't trip up Wordpress sites. If some guru were able to have an edit that would work for SMF, that could be a big leap. 

Also, the .htaccess fix doesn't work on the new version of mod_security (2); the only way I know to disable it for a domain is to add an entry for the domain to:
/usr/local/apache/conf/modsec2/whitelist.conf

then restart http

of course one should be careful when doing such things and check with their provider first as mod_security does actually prevent a lot of bad stuff. If only it didn't mess with good software like SMF and Wordpress...
Hosting Simple Machines since YaBB -- One of the first SMF Forum Hosting providers with Chat and FTP for the inner developer in us all.

青山 素子

Quote from: Forum Guy on September 27, 2010, 05:39:34 PM
I am no regex expert but I am under the impression that this part of the url string is throwing the command injection?!

....c1a9277=1b2045b57f74e6a132b71b66f315a6e2

Based on the regex you provided for the rule, it doesn't seem to be so. This is why I keep asking for the exact URL that is causing the issue. The regex appears to be looking for things like "telnet.exe" anywhere in the URL path.

If I get the full URL that is causing problems, I can run it through my tools and see what is matching to determine why it is being detected as a problem.
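The log line quoted above carries enough detail to reproduce the kind of check Motoko-chan describes: the rule id (950006), the variable it matched (ARGS:action), the matched data (";id") and the first part of the pattern. The script below is an added example, not code from this thread, from SMF or from the ModSecurity project. It re-creates how ModSecurity 2 sees an SMF query string (one argument, because ModSecurity splits only on its single argument separator, "&" by default, while SMF joins parameters with ";") and runs the rule's pattern over each argument value. The pattern prefix is taken verbatim from the log; the log truncates the pattern after the shell-separator alternative, so the command-name list that follows it here is an assumed, abbreviated reconstruction and not the full rule. The referer URL from the log is the one real URL on the page and does not match, which is consistent with Motoko-chan's reading. Because the thread never shows the URL that was actually requested, the second sample is a constructed one with a parameter named "id" after a ";" separator, included only to show how match data of ";id" can arise.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Rule 950006 as printed in the thread's log line, de-escaped for Python. The log cuts the
# pattern off after "[\;\|\`]\W*?"; the command-name alternation after that point is an
# ASSUMED, abbreviated reconstruction of the real CRS list, not the complete rule.
RULE_950006 = re.compile(
    r"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)"
    r"|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)"
    r"|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b"
    r"|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))"
    # --- everything from here on is the reconstructed tail ---
    r"|[\;\|\`]\W*?\b(?:chmod|chown|cmd|echo|id|ls|nc|nmap|passwd|perl|ping|ps|python|rm|telnet|uname)\b)",
    re.IGNORECASE,  # stands in for the rule's t:lowercase transformation
)


def parse_args(query, separators="&"):
    """Split a query string into (name, value) pairs.

    With separators="&" this mimics ModSecurity, which splits on one argument separator,
    so all of SMF's ";"-joined parameters land inside a single ARGS:action value.
    With separators="&;" it mimics how SMF itself reads the same query string.
    """
    chunks = [query]
    for sep in separators:
        chunks = [piece for chunk in chunks for piece in chunk.split(sep)]
    pairs = []
    for chunk in chunks:
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def inspect_url(url, separators="&"):
    """Return [(arg_name, matched_text), ...] for every argument value the rule would flag."""
    hits = []
    for name, value in parse_args(urlsplit(url).query, separators):
        match = RULE_950006.search(value)
        if match:
            hits.append((name, match.group(0)))
    return hits


# The referer URL quoted in the thread's log (domain already obscured by the poster).
REFERER_URL = ("http://deleted.biz/SMF2/index.php?action=admin;area=manageattachments;"
               "sa=browse;c1a9277=1b2045b57f74e6a132b71b66f315a6e2")

# CONSTRUCTED sample: an SMF-style query string with a parameter named "id" after a ";".
# The thread never shows the URL that actually tripped the rule; this only illustrates
# how the logged match data ";id" can come about.
CONSTRUCTED_URL = ("http://deleted.biz/SMF2/index.php?action=admin;area=manageattachments;"
                   "sa=browse;id=42")

if __name__ == "__main__":
    print("referer, WAF view     :", inspect_url(REFERER_URL))                    # []
    print("constructed, WAF view :", inspect_url(CONSTRUCTED_URL))                # [('action', ';id')]
    print("constructed, SMF view :", inspect_url(CONSTRUCTED_URL, separators="&;"))  # []
```

The third line of output is the point of the exercise: the same request is harmless once parameters are split the way the application splits them, and only looks like a shell command (";" followed by the command name "id") when the WAF treats SMF's whole ";"-joined query as one value. That mismatch, not anything SMF sends, is the false positive, and the narrow remedy is the one SimpleJoe's post points at: a targeted exception for rule 950006 on the forum's path in the host's ModSecurity whitelist configuration (ModSecurity's `SecRuleRemoveById` directive does this), with the audit log as the way to confirm which rule fired, rather than switching the module off for the whole site.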


omagiko

Quote from: [Unknown] on August 07, 2005, 06:22:59 PM
Create a phpinfo.php file.  What is phpinfo.php?  If it contains "mod_security" anywhere in it, you have it.

Contact your host, then, and tell them of your problems.  Point them to this topic.  Perhaps they can create the file for you.

-[Unknown]

Warning: phpinfo() has been disabled for security reasons in /home/foromag/public_html/phpinfo.php on line 1   :(
