Topic: mod_sec stopping picasa plugin for wordpress
ibeau
Joined: 14 Feb 2009 Posts: 4 Location: Australia
Posted: Sat 14 Feb '09 10:48 Post subject: mod_sec stopping picasa plugin for wordpress
Ever since enabling mod_security2 I have had forbidden errors when trying to use the Picasa image express plugin for WordPress. When I turn mod_sec off the Picasa plugin works.
I am using the following mod_sec rules. What do I need to change in order for the Picasa plugin to work? Any help would be greatly appreciated. Thanks.
Code:
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
SecRule REQUEST_URI "\.htgroup"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "cd\.\."
SecRule REQUEST_URI "///cgi-bin"
SecRule REQUEST_URI "/cgi-bin///"
SecRule REQUEST_URI "/~root"
SecRule REQUEST_URI "/~ftp"
SecRule REQUEST_URI "/htgrep" chain
SecRule REQUEST_URI "/htgrep"
SecRule REQUEST_URI "/\.history"
SecRule REQUEST_URI "/\.bash_history"
SecRule REQUEST_URI "/~nobody"
SecRule REQUEST_URI "<script"
SecRule REQUEST_URI "psybnc"
SecRule REQUEST_URI "cmd=cd\x20/var"
SecRule REQUEST_URI "dir=http"
SecRule REQUEST_URI "\?STRENGUR"
SecRule REQUEST_URI "/etc/motd"
SecRule REQUEST_URI "/etc/passwd"
SecRule REQUEST_URI "conf/httpd\.conf"
SecRule REQUEST_URI "/bin/ps"
SecRule REQUEST_URI "bin/tclsh"
SecRule REQUEST_URI "tclsh8\x20"
SecRule REQUEST_URI "udp\.pl"
SecRule REQUEST_URI "linuxdaybot\.txt"
SecRule REQUEST_URI "wget\x20"
SecRule REQUEST_URI "bin/nasm"
SecRule REQUEST_URI "nasm\x20"
SecRule REQUEST_URI "/usr/bin/perl"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecRule REQUEST_URI "cd\.\."
SecRule REQUEST_URI "///cgi-bin"
SecRule REQUEST_URI "/cgi-bin///"
SecRule REQUEST_URI "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/\.history HTTP\/(0\.9|1\.0|1\.1)$"
SecRule REQUEST_URI "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$"
SecRule REQUEST_URI "lynx "
SecRule REQUEST_URI "Fhome"
SecRule REQUEST_URI "cvs"
SecRule REQUEST_URI "\.php\?phpinfo"
SecRule REQUEST_URI "\.php\?phpini"
SecRule REQUEST_URI "\.php\?mem"
SecRule REQUEST_URI "\.php\?cpu"
SecRule REQUEST_URI "\.php\?users"
SecRule REQUEST_URI "\.php\?tmp"
SecRule REQUEST_URI "\.php\?delete"
SecRule REQUEST_URI "curl "
SecRule REQUEST_URI "echo "
SecRule REQUEST_URI "links -dump-width "
SecRule REQUEST_URI "links http:// "
SecRule REQUEST_URI "links ftp:// "
SecRule REQUEST_URI "links -source "
SecRule REQUEST_URI "cd /tmp "
SecRule REQUEST_URI "cd /var/tmp "
SecRule REQUEST_URI "cd /etc/httpd/proxy "
SecRule REQUEST_URI "&highlight=%2527%252E "
SecRule REQUEST_URI "changedir=%2Ftmp%2F.php "
SecRule REQUEST_URI "arta\.zip "
SecRule REQUEST_URI "cmd=cd\x20/var "
SecRule REQUEST_URI "HCL_path=http "
SecRule REQUEST_URI "clamav-partial "
SecRule REQUEST_URI "vi\.recover "
SecRule REQUEST_URI "netenberg "
SecRule REQUEST_URI "psybnc "
SecRule REQUEST_URI "fantastico_de_luxe "
SecRule REQUEST_URI "2Fpublic_html&"
SecRule REQUEST_URI ".htaccess"
SecRule REQUEST_URI "c99sh_datapipe.pl"
SecRule REQUEST_URI "listDBs"
SecRule REQUEST_URI "%2home%2"
SecRule REQUEST_URI "%2home%"
SecRule REQUEST_URI "%home%"
SecRule REQUEST_URI "%home"
SecRule REQUEST_URI "home%"
SecRule REQUEST_URI "%2Fhome%2"
SecRule REQUEST_URI "%2Fhome%"
SecRule REQUEST_URI "%Fhome%"
SecRule REQUEST_URI "%Fhome"
SecRule REQUEST_URI "Fhome%"
SecRule REQUEST_URI "2Fpublic_html&"
SecRule REQUEST_URI "/etc/"
SecRule REQUEST_URI "sqlman"
SecRule REQUEST_URI "act=security"
SecRule REQUEST_URI "act=cmd"
SecRule REQUEST_URI "act=chmod"
SecRule REQUEST_URI "act=ls&d="
SecRule REQUEST_URI "act=f&f="
SecRule REQUEST_URI "act=sql"
SecRule REQUEST_URI "Bcc:"
SecRule REQUEST_URI "Bcc:\x20"
SecRule REQUEST_URI "cc:"
SecRule REQUEST_URI "cc:\x20"
SecRule REQUEST_URI "bcc:"
SecRule REQUEST_URI "bcc:\x20"
SecRule REQUEST_URI "bcc: "
SecRule REQUEST_URI "cd "
SecRule REQUEST_URI "mtwerco_"
# PHP-style /.../i delimiters are not ModSecurity syntax: a trailing "/i" is matched
# literally, and with t:lowercase in SecDefaultAction the upper-case literals could
# never match. An inline (?i) flag gives the intended case-insensitive match.
SecRule REQUEST_URI "(?i)<IMG.*\bonerror\b[\s]*="
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/javascript"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]application\/x-javascript"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/jscript"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/vbscript"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]application\/x-vbscript"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/ecmascript"
SecRule REQUEST_URI "(?i)STYLE[\s]*=[\s]*[^>]*expression[\s]*\("
SecRule REQUEST_URI "(?i)[\s]*expression[\s]*\([^}]*}[\s]*<\/STYLE>"
SecRule REQUEST_URI "(?i)<!\[CDATA\[<\]\]>SCRIPT"
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
# For deny Shells opening
SecRule REQUEST_FILENAME "/(r0nin|TrYaG|TrYg|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php"
SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
# Mixed-case literals never match once t:lowercase has run; (?i) keeps these alive.
SecRule RESPONSE_BODY "(?i)TrYaG"
SecRule RESPONSE_BODY "(?i)SnIpEr_SA"
SecRule RESPONSE_BODY "(?i)Sniper"
# NB: a bare "shell" in RESPONSE_BODY blocks any page that merely mentions the word.
SecRule RESPONSE_BODY "shell"
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "(?i)^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "config"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "public_html"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/etc"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/usr"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/var"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/bin"
SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"
#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Prevent SQL injection in cookies ([[:space:]] is the POSIX class; [[pace:]] was a copy error)
SecRule REQUEST_COOKIES "(?i)((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
#Generic PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "(?i)^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#script, perl, etc. code in the Referer header (HTTP_Referer is mod_security 1.x syntax; 2.x uses REQUEST_HEADERS:Referer)
SecRule REQUEST_HEADERS:Referer "\#\!.*/"
#wormsign
SecRule REQUEST_URI "(?i)Hacked.*by.*member.*of.*SCC"
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 14 Feb '09 20:28 Post subject:
I see it is set to log, so check Apache's error log; it should tell you what line of this file is stopping the app from working properly.
ibeau
Joined: 14 Feb 2009 Posts: 4 Location: Australia
Posted: Sun 15 Feb '09 5:15 Post subject:
Thanks, I found the rule that was stopping it:
Message: Access denied with code 403 (phase 2). Pattern match "config" at REQUEST_LINE. [file "C:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf"] [line "645"]
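Added example, not from the thread or from ModSecurity itself: a small Python model of how a few of the posted string rules evaluate a request line after the SecDefaultAction transformations (t:replaceNulls, t:compressWhitespace, t:lowercase). It shows why a bare "config" pattern denies an ordinary plugin request, and why the mixed-case patterns in the rule set can never fire once the inspected value has been lowercased. The plugin path is a constructed sample, not the real plugin's URL.

```python
import re
from typing import Dict, List

# Transformations from the thread's SecDefaultAction. They are applied to
# the inspected variable (here the request line), never to the rule pattern.
def transform(value: str) -> str:
    value = value.replace("\x00", "")      # t:replaceNulls
    value = re.sub(r"\s+", " ", value)    # t:compressWhitespace
    return value.lower()                   # t:lowercase

# A handful of the posted REQUEST_LINE / REQUEST_URI patterns, verbatim.
RULES = [
    ("config", r"config"),
    ("public_html", r"public_html"),
    ("/etc", r"/etc"),
    ("wormsign", r"Hacked.*by.*member.*of.*SCC"),
]

def matching_rules(request_line: str) -> List[str]:
    """Labels of rules whose pattern matches the transformed request line."""
    value = transform(request_line)
    return [label for label, pattern in RULES if re.search(pattern, value)]

# Constructed sample request lines (assumed, not taken from the thread).
SAMPLES = {
    "plugin": "GET /wp-content/plugins/picasa-express/config.php?v=1 HTTP/1.1",
    "post": "GET /2009/02/hello-world/ HTTP/1.1",
    "worm": "GET /index.php?msg=Hacked+by+member+of+SCC HTTP/1.1",
}

def report() -> Dict[str, List[str]]:
    """Which rules fire for each sample; an empty list means the request passes."""
    return {name: matching_rules(line) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:6s} -> {'deny ' + str(hits) if hits else 'allow'}")
```

The "worm" sample passes untouched because the value is lowercased before the mixed-case pattern is tried; an inline (?i) or a lowercase pattern is needed for that rule to do anything.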