Apache Lounge, Forum Index -> Third-party Modules
Topic: mod_sec stopping picasa plugin for wordpress
ibeau (Joined: 14 Feb 2009, Posts: 4, Location: Australia)
Posted: Sat 14 Feb '09 10:48    Post subject: mod_sec stopping picasa plugin for wordpress

Ever since enabling mod_security2 I have had forbidden errors when trying to use the Picasa Image Express plugin for WordPress. When I turn mod_sec off, the Picasa plugin works.

I am using the following mod_sec rules. What do I need to change in order for the Picasa plugin to work? Any help would be greatly appreciated. Thanks.

Code:

SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log

## -- General rules --------------------

SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin

## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

SecRule REQUEST_URI "\.htgroup"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "cd\.\."
SecRule REQUEST_URI "///cgi-bin"
SecRule REQUEST_URI "/cgi-bin///"
SecRule REQUEST_URI "/~root"
SecRule REQUEST_URI "/~ftp"
SecRule REQUEST_URI "/htgrep" chain
SecRule REQUEST_URI "/htgrep"
SecRule REQUEST_URI "/\.history"
SecRule REQUEST_URI "/\.bash_history"
SecRule REQUEST_URI "/~nobody"
SecRule REQUEST_URI "<script"
SecRule REQUEST_URI "psybnc"
SecRule REQUEST_URI "cmd=cd\x20/var"
SecRule REQUEST_URI "dir=http"
SecRule REQUEST_URI "\?STRENGUR"
SecRule REQUEST_URI "/etc/motd"
SecRule REQUEST_URI "/etc/passwd"
SecRule REQUEST_URI "conf/httpd\.conf"
SecRule REQUEST_URI "/bin/ps"
SecRule REQUEST_URI "bin/tclsh"
SecRule REQUEST_URI "tclsh8\x20"
SecRule REQUEST_URI "udp\.pl"
SecRule REQUEST_URI "linuxdaybot\.txt"
SecRule REQUEST_URI "wget\x20"
SecRule REQUEST_URI "bin/nasm"
SecRule REQUEST_URI "nasm\x20"
SecRule REQUEST_URI "/usr/bin/perl"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecRule REQUEST_URI "cd\.\."
SecRule REQUEST_URI "///cgi-bin"
SecRule REQUEST_URI "/cgi-bin///"
SecRule REQUEST_URI "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/\.history HTTP\/(0\.9|1\.0|1\.1)$"
SecRule REQUEST_URI "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$"
SecRule REQUEST_URI "lynx "
SecRule REQUEST_URI "Fhome"
SecRule REQUEST_URI "cvs"
SecRule REQUEST_URI "\.php\?phpinfo"
SecRule REQUEST_URI "\.php\?phpini"
SecRule REQUEST_URI "\.php\?mem"
SecRule REQUEST_URI "\.php\?cpu"
SecRule REQUEST_URI "\.php\?users"
SecRule REQUEST_URI "\.php\?tmp"
SecRule REQUEST_URI "\.php\?delete"
SecRule REQUEST_URI "curl "
SecRule REQUEST_URI "echo "
SecRule REQUEST_URI "links -dump-width "
SecRule REQUEST_URI "links http:// "
SecRule REQUEST_URI "links ftp:// "
SecRule REQUEST_URI "links -source "
SecRule REQUEST_URI "cd /tmp "
SecRule REQUEST_URI "cd /var/tmp "
SecRule REQUEST_URI "cd /etc/httpd/proxy "
SecRule REQUEST_URI "&highlight=%2527%252E "
SecRule REQUEST_URI "changedir=%2Ftmp%2F.php "
SecRule REQUEST_URI "arta\.zip "
SecRule REQUEST_URI "cmd=cd\x20/var "
SecRule REQUEST_URI "HCL_path=http "
SecRule REQUEST_URI "clamav-partial "
SecRule REQUEST_URI "vi\.recover "
SecRule REQUEST_URI "netenberg "
SecRule REQUEST_URI "psybnc "
SecRule REQUEST_URI "fantastico_de_luxe "
SecRule REQUEST_URI "2Fpublic_html&"
SecRule REQUEST_URI ".htaccess"
SecRule REQUEST_URI "c99sh_datapipe.pl"
SecRule REQUEST_URI "listDBs"
SecRule REQUEST_URI "%2home%2"
SecRule REQUEST_URI "%2home%"
SecRule REQUEST_URI "%home%"
SecRule REQUEST_URI "%home"
SecRule REQUEST_URI "home%"
SecRule REQUEST_URI "%2Fhome%2"
SecRule REQUEST_URI "%2Fhome%"
SecRule REQUEST_URI "%Fhome%"
SecRule REQUEST_URI "%Fhome"
SecRule REQUEST_URI "Fhome%"
SecRule REQUEST_URI "2Fpublic_html&"
SecRule REQUEST_URI "/etc/"
SecRule REQUEST_URI "sqlman"
SecRule REQUEST_URI "act=security"
SecRule REQUEST_URI "act=cmd"
SecRule REQUEST_URI "act=chmod"
SecRule REQUEST_URI "act=ls&d="
SecRule REQUEST_URI "act=f&f="
SecRule REQUEST_URI "act=sql"
SecRule REQUEST_URI "Bcc:"
SecRule REQUEST_URI "Bcc:\x20"
SecRule REQUEST_URI "cc:"
SecRule REQUEST_URI "cc:\x20"
SecRule REQUEST_URI "bcc:"
SecRule REQUEST_URI "bcc:\x20"
SecRule REQUEST_URI "bcc: "
SecRule REQUEST_URI "cd "
SecRule REQUEST_URI "mtwerco_"
SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*=/Ri"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript/i"
SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i"
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i"
SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"

# For deny Shells opening
SecRule REQUEST_FILENAME "/(r0nin|TrYaG|TrYg|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php"
SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
SecRule RESPONSE_BODY "TrYaG"
SecRule RESPONSE_BODY "SnIpEr_SA"
SecRule RESPONSE_BODY "Sniper"
SecRule RESPONSE_BODY "shell"
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "config"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "public_html"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/etc"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/usr"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/var"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/bin"

SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"


#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Prevent SQL injection in cookies
SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

#Generic PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script, perl, etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"

#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Sat 14 Feb '09 20:28

I see it is set to log, so check Apache's error log; it should tell you which line of this file is stopping the app from working properly.
ibeau (Joined: 14 Feb 2009, Posts: 4, Location: Australia)
Posted: Sun 15 Feb '09 5:15

Thanks :) I found the rule that was stopping it:

Message: Access denied with code 403 (phase 2). Pattern match "config" at REQUEST_LINE. [file "C:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf"] [line "645"]
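To see why the bare "config" pattern (and its neighbours such as "/var" and "/bin") trips on ordinary WordPress requests, here is an added Python example, not code from the thread, that replays the REQUEST_LINE block of the posted ruleset over constructed request lines under the transformations the posted SecDefaultAction applies, beside hypothetical narrowed patterns. The plugin URL and the narrowed patterns are assumptions, not something the thread supplied.

```python
import re

# Transformations named in the posted SecDefaultAction (t:lowercase, t:replaceNulls,
# t:compressWhitespace), applied to the variable before each pattern is tested.
def transform(value):
    value = value.replace("\x00", " ")
    value = re.sub(r"\s+", " ", value)
    return value.lower()

# Patterns from the REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI block of the
# posted ruleset; "config" is the one the audit log in the thread reported.
POSTED = [".htaccess", "sql_passwd", "config", "public_html",
          "/etc", "/root", "/usr", "/boot", "/var", "/bin"]

# Hypothetical narrower replacements (not from the thread): escape the literal dot,
# only flag "config" when it follows traversal or an absolute /etc/ path, and only
# flag system directories when they form a whole path component.
NARROWED = [r"\.htaccess", "sql_passwd", r"(?:\.\./|/etc/)[^ ]*config", "public_html",
            r"/(?:etc|root|usr|boot|var|bin)(?:/|%2f|\s|$)"]

# Constructed request lines; the real Picasa plugin URL was not posted in the thread.
SAMPLES = [
    "GET /wp-content/plugins/picasa-express/config.php?action=upload HTTP/1.1",
    "GET /wp-content/themes/site/variables.css HTTP/1.1",
    "GET /index.php?page=../../../../etc/passwd HTTP/1.1",
]

def first_match(request_line, patterns):
    """Return the first pattern that matches the transformed request line, or None.
    With the posted SecDefaultAction (deny,status:403), the first hit is the 403."""
    value = transform(request_line)
    for pat in patterns:
        if re.search(pat, value):
            return pat
    return None

def evaluate(patterns):
    """Map each sample request line to the pattern that would deny it."""
    return {line: first_match(line, patterns) for line in SAMPLES}

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("narrowed", NARROWED)):
        print(f"--- {name} ---")
        for line, hit in evaluate(rules).items():
            print(f"{hit or 'allowed':<45} {line}")
```

The matching rule carries no id, so it cannot be excluded with SecRuleRemoveById; narrowing or deleting the pattern at the reported httpd.conf line is the practical fix. The same patterns are also listed against RESPONSE_BODY, so with response body access enabled any page whose HTML contains the word "config" would be denied as well.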