How to disable a specific mod_security rule in a specific directory? - mod-security2

I want to disable this rule:
[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:customize_changeset_uuid: a507417f-75f3-434e-ac8c-90b21b3b164d"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
For the directory
/var/www/romanpastu/wp-admin
Where should the exception go? In my .htaccess? or the vhost file?
Because nothing seems to be working.
I'm using apache2.
I've tried adding the following in my virtualhost file. However, it's still not working:
<LocationMatch "/wp-admin/update.php">
<IfModule security2_module>
SecRuleRemoveById 981173
</IfModule>
</LocationMatch>
<LocationMatch "/wp-admin/customize.php">
<IfModule security2_module>
SecRuleRemoveById 981173
</IfModule>
</LocationMatch>

It should be added after the rule is defined in your config. So if you are defining your vhost (including removing above rule) and then load your ModSecurity rules later on in your config then that will not work - it needs to be the other way around.
Also, unless ModSecurity was compiled with the --enable-htaccess-config setting (which it is not by default), you cannot alter ModSecurity rules in htaccess files.
Additionally, putting rules within LocationMatch can cause issues. And also wp-admin is exactly the sort of page you want to use ModSecurity to protect, so carefully consider if you really want to turn off these rules. Please see also my answer to this question for some more information: Apache LocationMatch wildcard for ModSecurity on wordpress site.
So I would suggest using the following instead to only turn this rule off for this argument that's causing you issues:
SecRuleUpdateTargetById 981173 !ARGS:'customize_changeset_uuid'
Note you may need to add similar exceptions if any other arguments cause problems.

OWASP coreruleset warning "invalid http request line" triggered by CONNECT method

Summary:
I have set up a basic WAF with mod-security and the OWASP coreruleset 3.3.2. When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger CRS rule 920100:
Message: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]
Details regarding setup:
I set up the WAF with mod_security 2.9.2 and httpd. I used the crs-setup.conf.example provided by CRS and only modified these two settings regarding the threshold and allowing the CONNECT HTTP method. (The CONNECT method is used in our setup for proxy purposes.)
SecAction \
"id:900110,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS CONNECT'"
What I have tried so far:
Googled a lot about CRS and mod-security rules. As per my current, admittedly limited mod-security/CRS understanding, basically the regex of rule 920100 does not match the request line CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1.
Tried to find more details on how the regex for 920100 is constructed.
Looked up how the request line for a CONNECT string is defined in the RFC. To me, the request line looks fine as per the RFC.
Tried to debug the regexp with a site like regex101 and my request line. I did not succeed in debugging it.
Looking at the part of the regular expression for rule 920100 that deals with the CONNECT method:
connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
we can see that it's looking for an IPv4 address. For example, it would match on (and hence not raise an alert for) a request line like the following:
CONNECT 1.2.3.4:80 HTTP/1.1
As you say, the RFC seems to allow for domain names to be used with the CONNECT method, however, rule 920100 is not currently written to allow for this. This seems to be the cause of your issue.
With further investigation and testing, the rule can probably be expanded in a future CRS release to allow for domain names in CONNECT requests.
What can you do here and now?
To address this issue right now, you can add a rule exclusion to your Apache configuration. There are two ways you can do this:
Remove the offending rule completely by excluding it at configure time, like so:
#
# -- CRS Rule Exclusion: 920100 - Invalid HTTP Request Line
#
# Turn off rule due to issues with CONNECT requests
#
SecRuleRemoveById 920100
As a configure time rule exclusion, this should be placed after the inclusion of the Core Rule Set in your Apache configuration (because the rule that's being removed must be added/included in the first place before it can then be removed!).
Remove the offending rule conditionally, only for CONNECT requests, by excluding it at runtime, like so:
#
# -- CRS Rule Exclusion: 920100 - Invalid HTTP Request Line
#
# Turn off rule for CONNECT requests, which cause issues
#
SecRule REQUEST_METHOD "@streq CONNECT" \
"id:1000,\
phase:1,\
pass,\
nolog,\
ctl:ruleRemoveById=920100"
As a runtime rule exclusion, this should be placed before the inclusion of the CRS in your Apache configuration (because the rule that's being modified must be modified before it fires off during execution).
A small word of warning
I can't find any mention of anyone else using ModSecurity with the CRS in this way, i.e. fielding CONNECT requests. The CRS rules aren't written to accommodate having a domain name in the request line, so you may find that you run into further false positives as a result. You would need to deal with those in a similar way to that described above.
(You can find an excellent tutorial on the subject of writing rule exclusions here: https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/).
Hopefully this helps.
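To make the explanation above concrete, here is an added Python check (not part of the original answer or of the CRS project) that runs the pattern of rule 920100, copied from the CRS 3.3.2 rule file with its `*` quantifiers intact, against a few constructed request lines. It also models the effect of the runtime exclusion (`@streq CONNECT` followed by `ctl:ruleRemoveById=920100`), so you can see that it silences the rule only for CONNECT requests while a genuinely malformed GET line still alerts. The function names, the sample lines and the `explain` wording are my own.

```python
import re

# Pattern of CRS 3.3.2 rule 920100 as shipped in
# rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf. The rule is a negated match
# (!@rx): it alerts whenever REQUEST_LINE does NOT match this pattern.
RULE_920100_RX = re.compile(
    r"^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*"
    r"(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?"   # CONNECT: IPv4 literal only
    r"|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)


def rule_920100_fires(request_line: str) -> bool:
    """True when rule 920100 would raise its warning for this request line."""
    return RULE_920100_RX.match(request_line) is None


def rule_920100_fires_with_exclusion(request_line: str) -> bool:
    """Same check with the runtime exclusion from the answer in place:

        SecRule REQUEST_METHOD "@streq CONNECT" \\
            "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=920100"

    @streq is a case-sensitive string comparison, so only a literal CONNECT
    method removes the rule; every other method is still checked.
    """
    method = request_line.split(" ", 1)[0]
    if method == "CONNECT":
        return False
    return rule_920100_fires(request_line)


def explain(request_line: str) -> str:
    """Short verdict for one request line (wording is mine, not CRS output)."""
    if not rule_920100_fires(request_line):
        return "pass: matches the 920100 pattern"
    if request_line.upper().startswith("CONNECT "):
        return "alert: CONNECT target is not an IPv4 literal (920100 does not allow hostnames)"
    return "alert: request line is malformed"


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUEST_LINES = [
    "GET /index.php?id=1 HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "CONNECT 1.2.3.4:80 HTTP/1.1",
    "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1",
    "GET index.php HTTP/1.1",  # missing leading slash: malformed
]


def evaluate(lines=SAMPLE_REQUEST_LINES):
    """Return (line, fires without exclusion, fires with exclusion) per line."""
    return [(ln, rule_920100_fires(ln), rule_920100_fires_with_exclusion(ln)) for ln in lines]


if __name__ == "__main__":
    for line, before, after in evaluate():
        print(f"{line!r}")
        print(f"   without exclusion: {'ALERT' if before else 'pass '}"
              f"   with exclusion: {'ALERT' if after else 'pass '}   ({explain(line)})")
```

Running the script shows the hostname form of CONNECT alerting only while the exclusion is absent, and the malformed GET alerting in both columns, which is the behaviour you want from a method-scoped exclusion.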

weblogic & OHS: How to forward one URL to a different server

I have an environment with Oracle WebLogic and OHS running.
In the mod_wl_ohs.conf I have the following (besides config for other applications):
<Location /application1>
SetHandler weblogic-handler
WLLogFile /opt/logs/application1.log
Debug OFF
WebLogicHost 127.0.0.1
WebLogicPort 23666
</Location>
This works fine, and the server listening on 23666 with the actual application1 application handles requests like “http://example.com/application1/*”.
Now I would like to redirect all requests for a specific URL pattern to a different domain (not necessarily on the same server), but continue handling all other requests.
Redirect: http://example.com/application1/MagicKeyword/*
continue on: http://example.com/application1/NotTheKeyword* or http://example.com/application1/AlsoNotKeyword/*
What is the right approach for that?
I played around with some mod_rewrite rules, but it seems they don't take effect or break everything (in httpd.conf). I was also reading that we should not use mod_rewrite rules inside a Location tag (can't find the reference now).
What else can I do?
Edit: So finally I found my error (somehow wrong syntax, which, as usual, did not prevent the server from starting).
So I could:
in httpd.conf
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule "(.*)/application1/MagicKeyword/(.*)$" "https://www.example.org" [NC,L,R=301]
</IfModule>
or in the Location tag add:
RewriteEngine On
RewriteRule "(.*)/MagicKeyword/(.*)$" "https://www.example.org" [NC,L,R=301]
Why should I prefer one over the other?
Is there anything to concern about?
Two other options you can consider. You can use the order of location tags:
<Location /application1/MagicKeyword>
WebLogicHost otherhost
</Location>
<Location /application1>
WebLogicHost 127.0.0.1
</Location>
You can tell WebLogic to exclude a path (see https://docs.oracle.com/middleware/1212/webtier/PLGWL/plugin_params.htm#PLGWL473):
<Location /application1>
WebLogicHost 127.0.0.1
WLExcludePathOrMimeType /application1/MagicKeyword
</Location>
<Location /application1>
WebLogicHost otherhost
</Location>

Apache - Mod Perl - Unknown Authz provider 'access'

I am trying to set up and run an old web application (written in 2010) in a new Linux environment. The Apache server is not starting because of the error Unknown Authz provider access, caused by the configuration given below.
<Directory /srv/webapp>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
SetOutputFilter DEFLATE
ExpiresActive On
ExpiresDefault "3 Months"
AuthType security::AuthCookieHandler
AuthName Maxio
PerlAuthenHandler security::AuthCookieHandler->authenticate
PerlAuthzHandler security::AuthCookieHandler->authorize
require access
</Directory>
I couldn't find any documentation for this, or any Apache module that defines access, but security::AuthCookieHandler has
sub access
{
...
...
}
I understand that this is mod_perl based authentication, but haven't worked on this before. Apache starts if this authentication is disabled, and the application loads in the browser.
So the questions are
Is require access supposed to get the return value from sub access?
If so, why is sub access not visible to the configuration?
If not, what is access here?
After researching for a few hours I found out that this is because of changes in the latest versions of Apache and mod_perl.
From the Apache-AuthCookie documentation and Apache 2.4 porting notes, I learned that Apache 2.4 needs mod_perl version 2.0.9 or higher.
Also, a custom Authz Provider has to be added using PerlAddAuthzProvider. I was able to solve my issue by doing
PerlAddAuthzProvider access security::AuthCookieHandler->access
...
...
<Directory /srv/webapp>
...
...
require access
</Directory>

Language (saved in cookie) specific navigation

I am not a master of Apache/.htaccess.
For a URL base-url/destination/, I need to show the page in the language saved in the cookie. If no language is saved in the cookie, or if the cookie is not present, I need to show the page in the browser's language.
Now, in order to achieve this, I wrote rules in .htaccess file as:
RewriteCond %{REQUEST_URI} /destination/$
RewriteCond %{HTTP_COOKIE} language_uiAAA(\w{3}).*?BBB
RewriteRule ^(.*)\$ $httpbase/%1/destination.html
This properly shows the page in the language saved in the cookie.
But, I've been asked to write rules using SetEnvIf, SetEnvIfNoCase or prefer-language.
Hence, I googled and wrote these rules:
SetEnvIf ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
SetEnvIf HTTP_MY_COOKIE ".+language_uiAAA(.+?)BBB.+" saved_language=$1
SetEnvIf saved_language "^(.+)$" prefer-language=$1
But these rules aren't working. Please help.
OR
Please suggest a better way.
Voila!
Done!!
Here is the code:
SetEnvIf ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
SetEnvIf HTTP_MY_COOKIE ".+language_uiAAA(.+?)BBB.+" saved_language=$1
SetEnvIf saved_language "^(\w{2}).+$" prefer-language=$1
SetEnvIf REDIRECT_prefer-language (.+) prefer-language=$1
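As an added illustration (my own code, not part of the question or the answer), the following Python script replays the regex chain of the answer above over a few constructed Cookie headers: the whole header is captured, the language cookie is cut out with `.+language_uiAAA(.+?)BBB.+`, and its first two word characters become `prefer-language`. The fallback to the first `Accept-Language` tag is a deliberately simplified stand-in for what mod_negotiation does when `prefer-language` is unset; the function names and sample headers are assumptions of this example.

```python
import re
from typing import Optional

# Regexes taken from the SetEnvIf chain in the answer above. SetEnvIf uses
# PCRE-style patterns, which these two share with Python's re module.
COOKIE_LANG_RX = re.compile(r".+language_uiAAA(.+?)BBB.+")  # -> saved_language
LANG_PREFIX_RX = re.compile(r"^(\w{2}).+$")                  # -> prefer-language


def prefer_language(cookie_header: Optional[str]) -> Optional[str]:
    """Value the SetEnvIf chain would leave in prefer-language, or None.

    Step 1 (copying the Cookie header into HTTP_MY_COOKIE) is just the
    header string itself here. Note the leading and trailing `.+` in the
    second pattern: the language cookie must have other text on both sides,
    and the third pattern needs at least three characters in the value.
    """
    if not cookie_header:
        return None
    m = COOKIE_LANG_RX.search(cookie_header)
    if m is None:
        return None
    m = LANG_PREFIX_RX.match(m.group(1))
    return m.group(1) if m else None


def first_accept_language(accept_language: Optional[str]) -> Optional[str]:
    """First tag of an Accept-Language header ('fr-CH,fr;q=0.9' -> 'fr-CH').

    Simplified stand-in for mod_negotiation's normal Accept-Language handling
    when prefer-language is not set (assumption of this example).
    """
    if not accept_language:
        return None
    first = accept_language.split(",", 1)[0].split(";", 1)[0].strip()
    return first or None


def negotiated_language(cookie_header: Optional[str],
                        accept_language: Optional[str]) -> Optional[str]:
    """Language the page would be served in: cookie first, browser second."""
    return prefer_language(cookie_header) or first_accept_language(accept_language)


# Constructed sample requests (cookie header, Accept-Language header).
SAMPLES = [
    ("sessionid=abc; language_uiAAAen-USBBB; theme=dark", "fr-CH,fr;q=0.9"),
    ("x=1; language_uiAAAde-DEBBB; y=2", "en"),
    ("language_uiAAAfr-FRBBB", "en-GB,en;q=0.8"),   # nothing around the cookie: no match
    ("a=b; language_uiAAAdeBBB; c=d", "nl"),         # two-character value: no match
    (None, "es-ES,es;q=0.9"),                        # no cookie at all
]


if __name__ == "__main__":
    for cookie, accept in SAMPLES:
        print(f"cookie={cookie!r:<52} prefer-language={prefer_language(cookie)!r:<6}"
              f" served={negotiated_language(cookie, accept)!r}")
```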

Why is my catalyst application running Apache+FastCGI not serving dynamic content?

I am trying to run my first Perl Catalyst application using Apache and fastcgi.
Starting the server is fine, I can see the application's main page. All images/javascripts are loaded correctly (so, I assume the static content is served correctly).
For reasons I don't understand the dynamic content gives me a 404: e.g. when trying to go to www.webapp.org/search, I get "The requested URL /search was not found on this server."
Ok, here is how I set the aliases for the static content and
Alias /static /webapp/root/static/
Alias / /webapp/script/webapp_fastcgi.pl
I set the documentroot with
DocumentRoot /webapp/
Furthermore, I have a
<Location />
Options +ExecCGI
Order allow,deny
Allow from all
AddHandler fcgid-script .pl
</Location>
and a directive
<Files /webapp/script/webapp_fastcgi.pl>
PassEnv PERL5LIB
SetHandler fastcgi-script
</Files>
There is nothing else in the config file.
How can I add a directive to allow serving dynamic content (www.webapp.com/search)?
Thanks a lot in advance!
I see a space in the AddHandler section. Please check your config file for typos.
AddHandler fcgid-script .pl
Also please read this if you have not done it already:
http://wiki.catalystframework.org/wiki/deployment/apache_fastcgi
For development work you could use catalyst without apache hassle: http://search.cpan.org/~mramberg/Catalyst-Runtime-5.80012/lib/Catalyst/Engine/FastCGI.pm#Standalone_FastCGI_Server
Assuming apxs installed mod_fastcgi.so into /usr/local/apache/libexec, add the following to an Apache .conf file:
LoadModule fastcgi_module libexec/mod_fastcgi.so
<IfModule mod_fastcgi.c>
FastCgiExternalServer /tmp/myapp.fcgi -host myhost:8081
Alias /myapp/ /tmp/myapp.fcgi/
</IfModule>