12-05-2010, 07:27 AM
Senior Member
Join Date: Mar 2009
Posts: 149
[BUG?] Litespeed + ModSec2
I am using LiteSpeed Web Server Enterprise v4.0.17 on CentOS 5.5 x86_64 standard with WHM 11.28.52 + ModSec2x.
On my other non-LiteSpeed server with WHM 11.28.52 + Apache 2.2.17 + ModSec2x, I wrote these ModSec rules and they worked:
---------------------------------------------------------------
# Deny (via SecDefaultAction) any URI with an alphanumeric char, a dot and a
# CGI/Perl extension, then '?'. Original class [A-Z|a-z|0-9] had literal pipes.
SecRule REQUEST_URI "[A-Za-z0-9]\.(cgi|pl|plx|ppl|perl)\?"
# Same, with or without a query string.
SecRule REQUEST_URI "[A-Za-z0-9]\.(cgi|pl|plx|ppl|perl)"
---------------------------------------------------------------
But LiteSpeed completely bypassed those rules above.
As we know, Perl and CGI are free to do cross-site scripting / XSS,
reading all config files and then hacking all sites on the server easily.
How can I make LiteSpeed read the ModSec rules correctly?
Last edited by NiteWave; 12-08-2010 at 07:39 AM..
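Added example (not code from this thread, nor from LiteSpeed or ModSecurity): a small Python script that replays the two REQUEST_URI rules from the first post against constructed request URIs, the way ModSecurity's default @rx operator evaluates a pattern (an unanchored PCRE search). It also runs a tightened variant on REQUEST_FILENAME; that variant, its "phase:1" action string and the sample URIs are assumptions made for this example, not anything the thread states, and the script says nothing about why LiteSpeed skipped the rules, which the thread leaves open.

```python
"""Replay the thread's two REQUEST_URI rules against constructed request URIs.

Added example, not code from this thread or from LiteSpeed/ModSecurity. It
models ModSecurity's default @rx operator (an unanchored PCRE search) on the
patterns exactly as first posted, and contrasts them with a tightened rule on
REQUEST_FILENAME. All sample URIs below are constructed for this example.
"""
import re
from typing import Dict

# The two patterns as first posted. Inside [...] the '|' characters are
# literal pipes, not alternation: the class matches '|' as well as
# alphanumerics, and excludes characters such as '-' and '_'.
POSTED_RULES = {
    "posted_query": r"[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)\?",
    "posted_any": r"[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)",
}

# Assumed tightened variant: match the path only, any character before the
# dot, any letter case, and require the extension to end the path or be
# followed by PATH_INFO. As a ModSecurity rule (assumption, not from the thread):
#   SecRule REQUEST_FILENAME "(?i)\.(?:cgi|pl|plx|ppl|perl)(?:/|$)" "phase:1,deny,log,status:406"
TIGHTENED_RULE = r"(?i)\.(?:cgi|pl|plx|ppl|perl)(?:/|$)"


def request_filename(uri: str) -> str:
    """REQUEST_FILENAME carries only the path; REQUEST_URI keeps the query string too."""
    return uri.split("?", 1)[0]


def rule_matches(pattern: str, subject: str) -> bool:
    """@rx semantics: the pattern may match anywhere in the variable."""
    return re.search(pattern, subject) is not None


def evaluate(uri: str) -> Dict[str, bool]:
    """Run the posted rules on REQUEST_URI and the tightened rule on REQUEST_FILENAME."""
    verdicts = {name: rule_matches(pat, uri) for name, pat in POSTED_RULES.items()}
    verdicts["tightened"] = rule_matches(TIGHTENED_RULE, request_filename(uri))
    return verdicts


# Constructed requests; the comment gives the outcome each one illustrates.
SAMPLE_URIS = [
    "/cgi-bin/telnet.cgi?cmd=id",  # all three rules block it
    "/cgi-bin/shell.pl",           # posted_query misses (no '?'); the other two block
    "/cgi-bin/sh_.pl",             # '_' before the dot: both posted rules miss (bypass)
    "/cgi-bin/SHELL.PL",           # upper case: both posted rules miss (bypass)
    "/download/notes.pl.txt",      # posted_any false positive; tightened passes it
    "/index.php?page=x.pl",        # posted_any fires on the query string; tightened does not
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        flags = ", ".join(
            f"{name}={'BLOCK' if hit else 'pass'}" for name, hit in evaluate(uri).items()
        )
        print(f"{uri:28s} {flags}")
```

Run it and read the table: the `_` and upper-case rows show that a leading character class plus a case-sensitive extension list lets a script named to avoid them straight through, while the `.pl.txt` and query-string rows show REQUEST_URI matching more than the path. Whether an upper-case `.PL` is actually executed depends on the server's handler mapping, so treat that row as a check to run against your own configuration rather than a given.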

12-05-2010, 12:26 PM
Senior Member
Join Date: Mar 2009
Posts: 149
Any help? George? NiteWave?
This LiteSpeed bug (?) could be very dangerous,
because with LiteSpeed ModSec2 rules can no longer prevent CGI and Perl scripts from accessing the whole system.
Turkish and Algerian hackers have used a cgi-telnet script to mass-deface thousands of websites in just a couple of hours.
The only thing that can stop them is ModSec rules in front of the web server,
because PHP open_basedir is totally useless if CGI and Perl are still permitted to walk around from public_html.

12-05-2010, 12:51 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
You can enable the ModSec debug log (in error_log), then try the rule. If a 404 is returned, it won't trigger the rule, so make sure the file is there. If the security rule is not triggered and the file is there, please send us the ModSec log entries.

12-05-2010, 01:15 PM
Senior Member
Join Date: Mar 2009
Posts: 149
Thank you, George. But after switching from Apache to LiteSpeed twice, suddenly .pl is forbidden now.
Last edited by DraCoola; 12-05-2010 at 01:18 PM..

12-05-2010, 04:44 PM
LiteSpeed Staff
Join Date: Oct 2010
Posts: 2,338
Any indication in error.log regarding the .pl?

12-05-2010, 07:04 PM
LiteSpeed Staff
Join Date: Sep 2009
Posts: 2,226
Tested on our cPanel box.
In case it is not working, you may need to explicitly set
SecFilterEngine On

12-07-2010, 01:30 PM
Senior Member
Join Date: Mar 2009
Posts: 149
Quote:
Originally Posted by NiteWave
Tested on our cPanel box.
In case it is not working, you may need to explicitly set
SecFilterEngine On
"SecFilterEngine On" only worked with ModSec1 / Apache 1.x.
ModSec2 together with Apache 2.x uses "SecRuleEngine On".
If "SecFilterEngine On" is put in the ModSec2 conf, it will definitely make the web server refuse to start.

12-07-2010, 01:42 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
LiteSpeed can take both; Apache cannot.

12-07-2010, 01:47 PM
Senior Member
Join Date: Mar 2009
Posts: 149
Quote:
Originally Posted by webizen
Any indication in error.log regarding the .pl?
Quote:
Originally Posted by mistwang
You can enable the ModSec debug log (in error_log), then try the rule. If a 404 is returned, it won't trigger the rule, so make sure the file is there. If the security rule is not triggered and the file is there, please send us the ModSec log entries.
After two days of lsws running fine with those "anti-Perl" rules, now it is showing the "bug" again.
It suddenly won't work with the rules after restarting the web server.
Honestly, I don't know where to find the error_log for ModSec.
The conf says just this:
-----------------------------------------------
# Load libxml2 and Lua, which mod_security2 depends on, then the module itself.
LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
# Turn the rule engine on and buffer request bodies so rules can inspect them.
SecRuleEngine On
SecRequestBodyAccess On
# See http://www.modsecurity.org/documenta...ion-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
# Audit only transactions that triggered a rule. Under Apache, relative log
# paths are resolved against ServerRoot.
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
# Level 1 records only errors; raise it (4, or 9 for everything) to see rule evaluation.
SecDebugLogLevel 1
# Rules that carry no actions of their own inherit this: phase 2, deny with 406, log.
SecDefaultAction "phase:2,deny,log,status:406"
# Whitelist localhost. The dots must be escaped; "^127.0.0.1$" lets '.' match any character.
SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
-----------------------------------------------
I have set DebugLog to 1 and created logs/modsec_debug_log (dir/file) in the same directory as the conf, but nothing happens to the debug log file.
Any help from LiteSpeed staff will be very useful to prevent huge numbers of website defacements by Perl XSS.

12-07-2010, 01:51 PM
Senior Member
Join Date: Mar 2009
Posts: 149
Quote:
Originally Posted by mistwang
Litespeed can take both, apache cannot.
I did put "SecFilterEngine On" in modsec2.conf with LiteSpeed, and it resulted in error lines; then LiteSpeed wouldn't start.
I mean ModSec2 simply dropped the old "SecFilterEngine On" and replaced the tag with "SecRuleEngine On" to make it work with any web server behind it (**)
(**):
ModSec2 + any version of LiteSpeed = SecRuleEngine On
ModSec2 + Apache 2 only            = SecRuleEngine On
ModSec  + any version of LiteSpeed = SecFilterEngine On
ModSec  + Apache 1 only            = SecFilterEngine On
Last edited by DraCoola; 12-08-2010 at 03:03 AM..
Reason: added (**)
All times are GMT -7.