conflict with mod_security

Imperial · 2009-03-29 20:15

Imperial
Member
Offline

Registered: 2009-03-22
Posts: 19

Topic: conflict with mod_security

The fancy url feature seems to have a conflict with the apache mod_security module. When viewing some URLs, on the folder-based fancy system, it will cause mod_security to throw up an error and ban the user.

Here is a URL that caused the ban with folder-based (fancy) system on, don't know if that helps analyze the problem:
forums.fsmod.com/topic/8460/echo-base-assets/page/2/

It is to a private forum, so you wont actually be able to reach the page.

Here is a log from mod_security of the ban, from viewing said topic through folder-based (fancy). This does not occur using default URL style.

Time: Sat Mar 28 11:01:22 2009 -0500
IP: xx.xx.xx.xx
Failures: 15 (mod_security)
Interval: 300 seconds
Blocked: Yes

Log entries:

[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/style/FirstStrike/FirstStrike_cs.css"] [unique_id "Sc5JzkKHIHsAAHPj2HEAAAAR"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/style/FirstStrike/FirstStrike.css"] [unique_id "Sc5JzkKHIHsAAHex5UUAAAAH"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/include/js/common.js"] [unique_id "Sc5JzkKHIHsAAHey5b0AAAAJ"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_bbcode/styles.css"] [unique_id "Sc5JzkKHIHsAAHXz35kAAAAO"]
[Sat Mar 28 11:01:18 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_bbcode/scripts.js"] [unique_id "Sc5JzkKHIHsAAHMp1V8AAAAL"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_quote/scripts.js"] [unique_id "Sc5Jz0KHIHsAAHYM5AkAAAAX"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/left.png"] [unique_id "Sc5Jz0KHIHsAAG15r80AAAAC"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/r2.jpg"] [unique_id "Sc5Jz0KHIHsAAHe55k0AAAAK"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/rot/img1.png"] [unique_id "Sc5Jz0KHIHsAAHey5b4AAAAJ"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/bg.gif"] [unique_id "Sc5Jz0KHIHsAAHPj2HIAAAAR"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/latestnewsbg.png"] [unique_id "Sc5Jz0KHIHsAAHex5UYAAAAH"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "www.fsmod.com"] [uri "/images/holo.png"] [unique_id "Sc5Jz0KHIHsAAHMp1WAAAAAL"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/img/avatars/536.jpg"] [unique_id "Sc5Jz0KHIHsAAHXz35oAAAAO"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/extensions/pun_bbcode/buttons/Oxygen/b.png"] [unique_id "Sc5Jz0KHIHsAAHYM5AoAAAAX"]
[Sat Mar 28 11:01:19 2009] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"] [hostname "forums.fsmod.com"] [uri "/img/avatars/587.jpg"] [unique_id "Sc5Jz0KHIHsAAHXs3rIAAAAM"]

Slavok · 2009-03-30 07:35

Slavok
PunBB Developer
Offline

From: Russia
Registered: 2008-06-11
Posts: 1,238

Re: conflict with mod_security

It seems like mod_security doesn't like "echo" in URL

Imperial · 2009-03-30 17:45

Imperial
Member
Offline

Registered: 2009-03-22
Posts: 19

Re: conflict with mod_security

Is there any real method to avoid echoing data pulled from the database to the url? Even so, though, I can't imagine that's the root of the problem here, or the default URL schema would be equally as problematic as it's still echoing the topic id, post id, etc.

conflict with mod_security

Posts: 3

1 Topic by Imperial 2009-03-29 20:15

Topic: conflict with mod_security

2 Reply by Slavok 2009-03-30 07:35

Re: conflict with mod_security

3 Reply by Imperial 2009-03-30 17:45

Re: conflict with mod_security

Posts: 3