cassy seven | 22 Jun 23:28

ModSecurity 2.5.5 and Wordpress 2.5.1 issue

I'm getting these 2 errors with modsecurity 2.5.5 and Wordpress 2.5.1

[Sun Jun 22 11:07:54 2008] [error] [client 192.168.1.1] ModSecurity: Warning. Operator EQ matched 0 at GLOBAL. [file "/etc/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"] [hostname "www.bloglocal.com"] [uri "/wp-includes/js/tinymce/tiny_mce_config.php"] [unique_id "NLEVC38AAQEAABnaA2MAAAAF"]

[Sun Jun 22 11:08:57 2008] [error] [client 192.168.1.1] ModSecurity: Warning. Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at ARGS:content. [file "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.bloglocal.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "OHc3nX8AAQEAABncBMkAAAAH"]

--------------------------
The first one corresponds to:

SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"

aka: Outbound compressed content will be logged once, to alert the user

Should I just ignore this?
--------------------------

The second one corresponds to:

#
# XSS
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

Can I put a line like this before it to prevent this error from coming up?

SecRule REQUEST_URI "^/wp-admin/" nolog,pass,skip:1
--------------
 
Thanks in advance!
Cassy
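A scoped way to handle the two alerts above, shown here as an added example that is not from the thread and not from the Core Rule Set; it assumes ModSecurity 2.5 directive names, that WordPress lives under /wp-admin/ as in the log lines, and that the CRS files are included before these lines so the rule ids already exist:

```apache
# Added example (not from the original thread or the CRS).
#
# The "skip:1" idea from the question, with its phase made explicit. It
# only works while rule 950004 is the very next rule in the file, so a
# CRS update that reorders the file silently breaks it.
#SecRule REQUEST_URI "^/wp-admin/" "phase:2,nolog,pass,skip:1"

# Preferred: disable only rule 950004, only for admin URLs. The CRS file
# stays untouched, every other rule still runs on /wp-admin/, and the
# public surfaces (comments, search, front-end forms) keep full XSS
# coverage. Must appear after the Include of the CRS files.
<LocationMatch "^/wp-admin/">
    SecRuleRemoveById 950004
</LocationMatch>

# Equivalent per-request form for setups that cannot use Location blocks.
# phase:1 runs before the phase:2 CRS rules, so the ctl action removes
# 950004 for this request only.
SecRule REQUEST_URI "^/wp-admin/" "phase:1,nolog,pass,ctl:ruleRemoveById=950004"

# Rule 960903 (a chained, phase:4 rule) only reports that a response used
# a Content-Encoding other than identity. If outbound compression is an
# accepted part of this host's configuration, remove that one rule rather
# than disabling the whole http_policy file.
SecRuleRemoveById 960903
```

After adding the exclusion, check that the error log still shows 950004 firing for non-admin URIs; the alert disappearing everywhere means the exclusion is broader than intended.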
Ivan Ristic | 3 Jul 18:05

Re: ModSecurity 2.5.5 and Wordpress 2.5.1 issue

I think the first rule is a false positive. I am yet to see an
installation of ModSecurity where output compression is a problem.

As for the second one, it looks like it's catching an HTML fragment in
your request. I am planning to spend some time with WordPress in the
near future - I might be able to tell you something useful in a week
or so.

On Sun, Jun 22, 2008 at 10:30 PM, cassy seven <cassyseven <at> gmail.com> wrote:
-- 
Ivan Ristic
