mod_security RESPONSE_BODY

Discussion in 'Bug Reports' started by yolte, Feb 26, 2009.

  1. IrPr

    IrPr Well-Known Member

    suPHP has a lot of advantages in security but performances
    suPHP breaks EA/xCache/MMCache/etc opcode cache support, then will reduces io for PHP sources in huge traffics which leads to load increase and page generate latency

    the same trade off betnween security and performances! if you worry about mod_security RESPONSE_BODY disadvantages the same issue is here for suPHP, to me

    CGI attacks could be patched by chroot either ;)

    As i said, i disable malicious functions not all

    PHP shells are using a lot of functions, is_array for example
    i never disable is_array function, i just disable common exploit functions such as exec/system/shell

    Here is c99 exec function, take a look:
    function myshellexec($cmd)
    $result "";
     if (!empty(
      if (
    is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result join("\n",$result);}
      elseif ((
    $result = `$cmd`) !== FALSE) {}
      elseif (
    is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
      elseif (
    is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
      elseif (
    is_resource($fp popen($cmd,"r")))
    $result "";
    feof($fp)) {$result .= fread($fp,1024);}
    If you know PHP language, you will find that c99 myshellexec function requires at least one of exec, system or passthru
    so patching c99 execute function can be done by disabling these 3 functions, same for all attack methods implemented in all common php shells

    So, why Joomla or Wordpress or vBulletin or PHPBB should use execute functions? there is no need for execute functions in most of common PHP scripts
    Indeed just in some special cases such as FFMPEG convert exec functions are needed, believe me

    The exploit that i posted doesnt have any args and could be renamed easily, then how could mod_security detect and defect it?

    In fact mod_security just sniffs request header, and a good hacker can easily change args and filename then bypass mod_security rules ;)

    If you would like i can modify c99 php shell and send it to you, then you check your security rules against modified c99 version, however securing php will break all phpshell functionality like a charm
    Last edited: Mar 31, 2009
  2. anewday

    anewday Moderator

    Is the function, shell is the same as shell_exec ?
  3. Tony

    Tony Well-Known Member

    imagemagick is another that requires access to these commands.

    So really you're out of luck about supporting applications when a lot of them use these functions. You're damned if you do damned if you don't type of situation.

    As for suPHP my point was it has no openbase_dir protection at all. The LSWS implementation does have this while also running PHP as the user. There should be no 777 folders and so doing things outside of your folder is going to be very difficult. It would be quite difficult to do much past the users account unless they're aware of a privilege escalation exploit the system is vulnerable to. If this is the case there are numerous entry points besides PHP or Perl. You have SSH of the user if enabled. You have cron jobs if users can set those. There are several which could be the entry point. I've never seen it attempted via cron but I'm pretty sure it could be done.

    I believe cron could be the next way to do this because I've noticed viruses targeting FTP accounts and actually being used to replace index files or mass produce spam systems. It would not surprise me to see it used as an exploit mechanism. If it's not viruses there have also been exploits on popular web hosting billing systems that if the system was storing FTP passwords of users they've probably been compromised. Most of them do store the users original FTP password and most do not change it so probably lots of hosts with users ftp and control panel accounts compromised.

    A little off topic from the web server side but there are heck of a lot of potential places to run shells. The response body scanning is just something I'm weary of and I'd rather wait for a really solid solution for handling it rather than a quick one that could be improved with refinement.
  4. yolte

    yolte Member

    For example from this shell;

    Mod security response body rules checking "@ob_get_contents();@ob_clean()" this part of code. And blocking this shell.

    All gotroot staff working on shells body.

    We have disabled this functions. But it is very good to see 404 page when hacker runs a php exploit :) And mod_security response body rules makes this
  5. muiruri

    muiruri Well-Known Member

    For some reason customers with joomla sites when they try to log on to their joomla administrator section/control panel...

    get following error;


    406 Not Acceptable
    This request is not acceptable


    Found this is related to mod_security therefore when I add following lines in .htaccess for this specific domain.

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off

    All works fine.

    My questions are;

    (a) Is there a place in LSWS 4.0.2 menu options to turn mod_sec off for specific host or domain? Or any better ideas to deal with this one pl'se ?

    (b) On this server last thing we did was to upgrading openSSL to latest verion 0.9.8k, and starting getting this problem.

Share This Page