[BUG?] Litespeed + ModSec2

Discussion in 'Bug Reports' started by DraCoola, Dec 5, 2010.

  1. DraCoola

    DraCoola Well-Known Member

    I am using Litespeed Web Server Enterprise v4.0.17 on CENTOS 5.5 x86_64 standard with WHM 11.28.52 + ModSec2x

    On my other non-LiteSpeed server with WHM 11.28.52 + Apache 2.2.17 + ModSec2x, I wrote these ModSec rules and they worked:

    SecRule REQUEST_URI "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)\?"
    SecRule REQUEST_URI "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)"

    But LiteSpeed completely bypassed those rules above :confused: :(

    As we know, Perl and CGI are free to do cross-site scripting / XSS,
    reading all config files and then hacking all sites on the server easily.

    How can I make LiteSpeed read ModSec rules correctly?
    Last edited by a moderator: Dec 8, 2010
  2. DraCoola

    DraCoola Well-Known Member

    Any help? George? NiteWave?
    This LiteSpeed bug (?) could be very dangerous,
    because ModSec2 rules cannot prevent CGI and Perl scripts from accessing the whole system anymore with LiteSpeed.
    Turkish and Algerian hackers have used the cgi-telnet script to mass-deface thousands of websites in just a couple of hours.
    The only thing that can stop them is ModSec rules in front of the web server,
    because PHP open_basedir is totally useless if CGI and Perl are still permitted to walk around from public_html.
  3. mistwang

    mistwang LiteSpeed Staff

    You can enable the ModSec debug log (in error_log), then try the rule. If a 404 is returned, it won't trigger the rule; make sure the file is there. If the security rule is not triggered and the file is there, please send us the ModSec log entries.
  4. DraCoola

    DraCoola Well-Known Member

    Thank you, George. But after switching from Apache to LiteSpeed twice, .pl is suddenly forbidden now :confused:
    Last edited: Dec 5, 2010
  5. webizen

    webizen Well-Known Member

    Any indication in error.log regarding the .pl?
  6. NiteWave

    NiteWave Administrator

    Tested on our cPanel box.

    In case it is not working, you may need to explicitly set

    SecFilterEngine On
  7. DraCoola

    DraCoola Well-Known Member

    "SecFilterEngine On" only worked with ModSec1 / Apache 1.x.
    ModSec2 together with Apache 2.x uses "SecRuleEngine On".

    Putting "SecFilterEngine On" in the ModSec2 conf will definitely make the web server refuse to start.
  8. mistwang

    mistwang LiteSpeed Staff

    LiteSpeed can take both; Apache cannot.
  9. DraCoola

    DraCoola Well-Known Member

    After two days of lsws running fine with those "anti-Perl" rules, it is now showing the "bug" again.
    It suddenly won't work with the rules after restarting the web server.
    Honestly, I don't know where to find the error_log for ModSec.

    The conf says just this:

    LoadFile /opt/xml2/lib/libxml2.so
    LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so
    <IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 1
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"

    I have set DebugLog to 1 and created logs/modsec_debug_log (dir/file) in the same directory (with the conf), but nothing happens to the debug log file :confused:
    Any help from LiteSpeed staff will be very useful to prevent a huge amount of website defacements by Perl XSS.
  10. DraCoola

    DraCoola Well-Known Member

    I did put "SecFilterEngine On" in modsec2.conf with LiteSpeed, and it resulted in error lines; then LiteSpeed won't start.
    I mean ModSec2 just leaves the old "SecFilterEngine On" behind and replaces the tag with "SecRuleEngine On" to make it work with any web server behind it (**)

    (**):
    modsec2 + any version of litespeed = SecRuleEngine On
    modsec2 + apache2 only = SecRuleEngine On

    modsec + any version of litespeed = SecFilterEngine On
    modsec + apache1 only = SecFilterEngine On
    Last edited: Dec 8, 2010
  11. DraCoola

    DraCoola Well-Known Member

    Any help? George? NiteWave? webizen?
  12. mistwang

    mistwang LiteSpeed Staff

    Looks like a bug with handling rule actions.
    You add actions to those rules without a "deny" action; lsws defaults to allow, while Apache may use SecDefaultAction.
    You can explicitly add "deny" to the rule action for now.
  13. DraCoola

    DraCoola Well-Known Member

    Yes, all rules that I've written, and even those from gotroot.com, are mostly without "deny" on the rule line, as you said.
    I am now adding that "deny" action to all rules.
    But if LiteSpeed included "deny" from "SecDefaultAction", I believe that would be nicer :)
    So the issue is SOLVED! George is the master
  14. DraCoola

    DraCoola Well-Known Member

    Added "deny" just like the rules below, but lsws is still bypassing the rules :(

    SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)\?" "id:123456,rev:1,severity:2,msg:'PERL-CGI-1',deny"
    SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)" "id:234567,rev:1,severity:2,msg:'PERL-CGI-2',deny"

    Switching to Apache makes domain.com/asdf.pl have forbidden access, as it should.
    Not yet resolved :(
  15. DraCoola

    DraCoola Well-Known Member

    Another update:

    Include "/usr/local/apache/conf/modsec2.whitelist.conf" is ignored too.
    The file is used to whitelist allowed paths, for example:
    <LocationMatch "/cgi-sys/suspendedpage.cgi">
    SecRuleRemoveById 123456 234567
    </LocationMatch>

    While with the ModSec2 rule:
    SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)" "id:234567,rev:1,severity:2,msg:'PERL-CGI-2',deny"

    lsws still denies/forbids the whitelisted path /cgi-sys/suspendedpage.cgi,
    and Apache does allow access to the whitelisted path, as it should.

    The conclusion is: this is a real lsws bug that should get fixed a.s.a.p.
    ModSec2 is a very important thing that must be installed on all shared hosting servers.
  16. mistwang

    mistwang LiteSpeed Staff

    SecRuleRemoveById is not supported in 4.0.x; it will be supported in 4.1.
  17. mistwang

    mistwang LiteSpeed Staff

    The solution for now is to use a "chain" SecRule to exclude the URL "/cgi-sys/suspendedpage.cgi".
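    The two points raised in posts 12 and 17, a rule that relies on SecDefaultAction versus one with an explicit deny, and a chain-based exclusion standing in for SecRuleRemoveById, written out as an added example that is not from the thread or from LiteSpeed. Assumptions: ModSecurity 2.x syntax, a constructed id 900001 for the weak-form rule so that ids stay unique, and the character class written as [A-Za-z0-9] (the thread's [A-Z|a-z|0-9] also matches a literal "|").

```apache
# Added example (not from the thread): the two rule forms discussed above.
# Rule ids 123456/234567 and "status:406" come from the thread's own config;
# id 900001 is a constructed value so that every id in this file is unique.
# Character class is [A-Za-z0-9]; the thread's [A-Z|a-z|0-9] also matches "|".

# --- Weak form: no disruptive action on the rule itself ---
# Apache fills in "deny" from SecDefaultAction; lsws 4.0.x (post 12)
# defaults to allow, so on LiteSpeed this rule only logs.
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Za-z0-9]\.(cgi|pl|plx|ppl|perl)" "id:900001,rev:1,severity:2,msg:'PERL-CGI-weak'"

# --- Hardened form: the disruptive action is spelled out on the rule ---
# Works the same under Apache and LiteSpeed because nothing is inherited.
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Za-z0-9]\.(cgi|pl|plx|ppl|perl)\?" "id:123456,rev:1,phase:2,severity:2,msg:'PERL-CGI-1',deny,log,status:406"

# --- Exclusion, Apache-only form: not honoured by lsws 4.0.x (post 16) ---
<LocationMatch "/cgi-sys/suspendedpage.cgi">
    SecRuleRemoveById 123456 234567
</LocationMatch>

# --- Exclusion, portable form: a chain (post 17) ---
# The chain fires only when BOTH rules match: the URI is not cPanel's
# suspended page AND it looks like a Perl/CGI script. The disruptive
# action and metadata belong on the first rule; the chained rule carries
# only the second test. Rule 123456 above would need the same treatment
# if it is kept alongside this one.
SecRule REQUEST_URI "!^/cgi-sys/suspendedpage\.cgi" "id:234567,rev:1,phase:2,severity:2,msg:'PERL-CGI-2',deny,log,status:406,chain"
    SecRule REQUEST_URI|REQUEST_FILENAME "[A-Za-z0-9]\.(cgi|pl|plx|ppl|perl)"
```

    A request for /cgi-sys/suspendedpage.cgi fails the first test of the chain, so the chain never reaches its deny, while /somesite/asdf.pl passes both tests and is blocked with 406.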
  18. DraCoola

    DraCoola Well-Known Member

    I will try to put "chain" in the rules with "!ARGS" to get an exclusion path.
    But the newest 4.0.18 sounds very tasty in the changelog

    I hope "Improved mod_security compatibility" in that 4.0.18 also means "SecRuleRemoveById" recognition and "SecDefaultAction deny" are included :)