mod_security question
ffeingol
07-31-2007, 11:04 AM
OK, we're running an Enterprise version of LSWS on a VPS with cPanel. We have mod_security set up. For now we have just 1 rule for testing:
SecFilter "testit"
.shtml pages are being proxied to Apache.
If we browse http://www.mydomain.com/blah.shtml?testit then Apache blocks the request with a 406 (our error code set in the conf) and mod_security works properly. If we browse to http://www.mydomain.com/blah.php?testit LSWS serves up the page. I thought LSWS should be reading the mod_security rules and applying them?
TIA,
Frank
mistwang
07-31-2007, 11:50 AM
How was this rule configured? In httpd.conf? Which section of httpd.conf? Or in the LiteSpeed web console?
Can you please try the rule in another format?
SecFilterSelective "ARGS" "testit"
It should have the same effect as yours; I just want to make sure it is not a bug with the "SecFilter" directive.
ffeingol
07-31-2007, 11:59 AM
Hello,
Yes, it's in httpd.conf. It's configured in the "default" cPanel config (if you use mod_security installed via cPanel).
AddModule mod_security.c
Include "/usr/local/apache/conf/modsec.conf"
and then /usr/local/apache/conf/modsec.conf has:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec.user.conf"
</IfModule>
and then finally modsec.user.conf
#SecFilter "testit"
SecFilterSelective "ARGS" "testit"
The results are the same for either form of the rule. The Apache proxy works, LSWS does not.
Frank
mistwang
07-31-2007, 01:00 PM
It turns out to be a bug parsing a query string with only one variable name; if there are other request variables or it has a value, it will be caught.
The fix is in our 3.2.1 build. Can you download it and give it a try?
ffeingol
07-31-2007, 01:08 PM
Where/how do I download 3.2.1? The download page looks like it only has 3.2.
TIA,
Frank
mistwang
07-31-2007, 01:13 PM
Just change the version number to 3.2.1 in the download link
ffeingol
07-31-2007, 09:03 PM
Thanks much. That fixed the issue.
Frank
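
Added example, not part of the original thread and not LiteSpeed or mod_security code: a simplified Python model of an ARGS-style rule check. It shows how a query-string parser that drops value-less parameters lets a bare `?testit` slip past a rule that a tolerant parser catches. The function names, the sample query strings and the use of `urllib.parse` are assumptions chosen for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed query strings (not taken from real traffic).
SAMPLES = ["testit", "testit=", "testit=1", "a=testit", "a=1&b=2"]


def parse_naive(qs):
    """parse_qsl default: parameters without a value are silently dropped."""
    return parse_qsl(qs)


def parse_tolerant(qs):
    """Keep bare names such as '?testit' as ('testit', '')."""
    return parse_qsl(qs, keep_blank_values=True)


def rule_matches(pattern, qs, parser):
    """Simplified ARGS-style check: test the pattern against every
    parsed parameter name and value (a model, not mod_security itself)."""
    rx = re.compile(pattern)
    return any(bool(rx.search(name)) or bool(rx.search(value))
               for name, value in parser(qs))


def coverage(pattern, parser):
    """Map each sample query string to whether the rule fires on it."""
    return {qs: rule_matches(pattern, qs, parser) for qs in SAMPLES}


def gaps(pattern):
    """Query strings the tolerant parser catches but the naive one misses."""
    naive = coverage(pattern, parse_naive)
    tolerant = coverage(pattern, parse_tolerant)
    return [qs for qs in SAMPLES if tolerant[qs] and not naive[qs]]


if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"?{qs:<10} naive={rule_matches('testit', qs, parse_naive)!s:<5} "
              f"tolerant={rule_matches('testit', qs, parse_tolerant)}")
    print("missed by naive parser:", gaps("testit"))
```

When validating a rule set on a new server or after an upgrade, include value-less and empty-value parameters in the test requests, not only `name=value` pairs.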