Support

DraCoola · #11 12-07-2010, 02:12 PM

Any help? George? NiteWave? webizen?

mistwang · #12 12-07-2010, 09:21 PM

Looks like a bug with handling rule actions.
you add actions to those rules, without "deny" action, lsws default to allow, while apache may use SecDefaultAction.
You can explicitly add "deny" to the rule action for now.

DraCoola · #13 12-08-2010, 02:37 AM

Quote:

Originally Posted by mistwang

Looks like a bug with handling rule actions.
you add actions to those rules, without "deny" action, lsws default to allow, while apache may use SecDefaultAction.
You can explicitly add "deny" to the rule action for now.

Yes all rules that I've wrote and even from gotroot.com are mostly without "deny" at rule line as you told.
I am now add that "deny" action to all rules.
But while litespeed included "Deny" as "SecDefaultAction", I believe that would be more nice

So the issue has SOLVED! George is the master

DraCoola · #14 12-08-2010, 06:36 AM

Added "deny" just like rules below but still lsws bypassing the rules

-------------------------------------------------------------
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)\?" "id:123456,rev:1,severity:2,msg:'PERL-CGI-1',deny"
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)" "id:234567,rev:1,severity:2,msg:'PERL-CGI-2,deny'"
-------------------------------------------------------------

Switch to apache make domain.com/asdf.pl have forbidden access as it should be.
Not yet resolved

DraCoola · #15 12-08-2010, 09:52 AM

Another update :
**************

Include "/usr/local/apache/conf/modsec2.whitelist.conf" is ignored too.
The file is used to white list allowed path for an example :
-----------------------------------------------------------
<LocationMatch "/cgi-sys/suspendedpage.cgi">
SecRuleRemoveById 123456 234567
</LocationMatch>
-----------------------------------------------------------

While with the modsec2 rule :
----------------------------------------------------------
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)" "id:234567,rev:1,severity:2,msg:'PERL-CGI-2',deny'"
----------------------------------------------------------

Lsws still deny/forbidden the white list path for /cgi-sys/suspendedpage.cgi
And apache did allow accessing white list the path as it should be.

The conclusion is : this is the real lsws bug that should get fix a.s.a.p.
Modsec2 is very important thing that must be instaled on all of shared hosting server.

mistwang · #16 12-08-2010, 12:43 PM

SecRuleRemoveById is not support in 4.0.x, will be supported in 4.1

mistwang · #17 12-08-2010, 12:44 PM

solution now, is to use a "chain" secrule to exclude URL "/cgi-sys/suspendedpage.cgi"

DraCoola · #18 12-10-2010, 12:58 PM

I will try to put "chain" to the rules with "!ARGS" to get an exclusion path.
But the newest 4.0.18 sounds very tasty on the change log

I hope "Improved mod_security compatibility" on that 4.0.18 were also "SecRuleRemoveById" recognition and "SecDefaultAction deny" included