ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports Apache (both branches) today, with support for Java-based servers coming soon.

Reproducible: Always
Created attachment 19891: Ebuild for mod_security 1.7.1
I suggest net-www/mod_security as portage subsection.
Be forewarned: this module has a really bad security track record.

---------------------------------------------
Program: mod_security (www.modsecurity.org)
Versions: 1.7RC1 to 1.7.1 (Apache 2 version)
Synopsis: malloc based buffer overflow
Author: Adam Dyga (adeon(at)o2.pl, ad(at)adsystems.com.pl)
URL: http://adsystems.com.pl/adg-mod_security171.txt
Discovered: October 24, 2003
Published: October 28, 2003

Issue:
There is an exploitable malloc based buffer overflow in mod_security (apache 2 version). When appropriately exploited this can lead to (under some circumstances - remote) code execution on a vulnerable system with apache server user privileges.

Details:
The bug exists in the sec_filter_out() function in apache2/mod_security.c:

<snip>
    if (ctx->bufused + len > ctx->buflen) {
        char *newbuffer;
        // todo: implement a smarter extension policy
        unsigned long int newsize = ctx->buflen * 2;
        sec_debug_log(r, 3, "sec_filter_out: expanding buffer to %i", newsize);
        // allocate a larger buffer
        newbuffer = apr_palloc(f->r->pool, newsize + 1);
        memcpy(newbuffer, ctx->buffer, ctx->bufused);
        // free(ctx->buffer);
        ctx->buffer = newbuffer;
        ctx->buflen = newsize;
        ctx->input_ptr = ctx->buffer + ctx->bufused;
    }
    memcpy(ctx->input_ptr, data, len);
    ctx->input_ptr += len;
    ctx->bufused += len;
</snip>

As we can see, if ctx->buffer is too small, its size is doubled, regardless of the size of the incoming data. If the incoming data size is larger than (ctx->buflen*2 - ctx->bufused), then the second memcpy may overwrite further header(s) of the next chunks on the heap. The author assumed that the incoming data size is not larger than 8kB, because Apache internally transports data in chunks that are 4kB/8kB long. However, this is not true when data is sent by a server side script.

This is a piece of the mod_security debug log:

    sec_filter_out: got 198301 bytes, bufused=0, buflen=16384
    sec_filter_out: expanding buffer to 32768

The buffer is overflowed when a server side script generates large output, for example when writing a large file to the output:

    <?php
    Header('Content-Type: image/jpeg');
    readfile('some_large_image.jpeg');
    ?>

When getting 'some_large_image.jpeg' directly from the server (not through the above script, but by using the GET method instead), the buffer overflow doesn't occur. So, to perform an attack, the attacker has to have the possibility to upload his/her own script to the server (very common on web hosting servers) or to use some XSS bug found on the site. The sec_filter_out() function is called as soon as the mod_security.so module is loaded; no other directives in httpd.conf (from mod_security) are needed.

Remedies:
Upgrade to 1.7.2, which fixes the vulnerability. If that is not possible, turn output filtering off with "SecFilterScanOutput Off".

Vendor status:
October 24, 2003 - ivanr@webkreator.com notified, no response
October 25, 2003 - ivanr@webkreator.com notified, got response
October 28, 2003 - patched version of mod_security 1.7.2 released
October 28, 2003 - public disclosure
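The growth policy the advisory describes, modelled as an added example (not code from the advisory, from mod_security, or from this bug's attachments): the vulnerable policy doubles the buffer regardless of how much data is arriving, and the hardened policy doubles but never below the size the append actually needs. The struct, the function names (grow_vulnerable, grow_fixed, filter_append, simulate_chunks) and the sizes fed in are assumptions for illustration; malloc/free stand in for apr_palloc on the request pool, and buffer + bufused stands in for ctx->input_ptr. Where the original code would memcpy past the allocation, this model refuses the write and reports it instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the filter context in sec_filter_out(). */
typedef struct {
    char *buffer;
    unsigned long buflen;   /* bytes allocated */
    unsigned long bufused;  /* bytes already written */
} out_ctx;

typedef unsigned long (*grow_fn)(unsigned long buflen,
                                 unsigned long bufused,
                                 unsigned long len);

/* Policy from the vulnerable 1.7.1 code: double, ignore the incoming length. */
static unsigned long grow_vulnerable(unsigned long buflen,
                                     unsigned long bufused,
                                     unsigned long len)
{
    (void)bufused;
    (void)len;
    return buflen * 2;
}

/* Hardened policy: double, but never less than bufused + len. */
static unsigned long grow_fixed(unsigned long buflen,
                                unsigned long bufused,
                                unsigned long len)
{
    unsigned long need = bufused + len;
    unsigned long newsize = buflen * 2;
    return newsize < need ? need : newsize;
}

/* Append len bytes using the given growth policy.
   Returns 0 on success, -1 if the policy left the buffer too small
   (the point where the original memcpy would overflow the heap). */
static int filter_append(out_ctx *ctx, const char *data,
                         unsigned long len, grow_fn grow)
{
    if (ctx->bufused + len > ctx->buflen) {
        unsigned long newsize = grow(ctx->buflen, ctx->bufused, len);
        char *newbuffer = malloc(newsize + 1);
        if (newbuffer == NULL)
            return -1;
        memcpy(newbuffer, ctx->buffer, ctx->bufused);
        free(ctx->buffer);
        ctx->buffer = newbuffer;
        ctx->buflen = newsize;
    }
    /* Bounds check the original code lacked: refuse instead of overflowing. */
    if (ctx->bufused + len > ctx->buflen)
        return -1;
    memcpy(ctx->buffer + ctx->bufused, data, len);
    ctx->bufused += len;
    return 0;
}

/* Feed `chunks` writes of `chunk_len` bytes through a fresh context.
   Returns the final buflen on success, or -1 if a write would have overflowed. */
long simulate_chunks(unsigned long initial_buflen, unsigned long chunk_len,
                     unsigned int chunks, grow_fn grow)
{
    out_ctx ctx;
    char *chunk = malloc(chunk_len ? chunk_len : 1);
    long result;
    unsigned int i;

    ctx.buffer = malloc(initial_buflen + 1);
    ctx.buflen = initial_buflen;
    ctx.bufused = 0;
    if (chunk == NULL || ctx.buffer == NULL) {
        free(chunk);
        free(ctx.buffer);
        return -1;
    }
    memset(chunk, 'A', chunk_len);  /* constructed payload bytes */

    result = (long)initial_buflen;
    for (i = 0; i < chunks; i++) {
        if (filter_append(&ctx, chunk, chunk_len, grow) != 0) {
            result = -1;
            break;
        }
        result = (long)ctx.buflen;
    }
    free(chunk);
    free(ctx.buffer);
    return result;
}

int main(void)
{
    /* Apache-style 8kB chunks: doubling keeps up, as the author assumed. */
    printf("8kB chunks, vulnerable policy: %ld\n",
           simulate_chunks(16384, 8192, 10, grow_vulnerable));
    /* The 198301-byte script output from the advisory's debug log. */
    printf("198301-byte write, vulnerable policy: %ld\n",
           simulate_chunks(16384, 198301, 1, grow_vulnerable));
    printf("198301-byte write, fixed policy: %ld\n",
           simulate_chunks(16384, 198301, 1, grow_fixed));
    return 0;
}
```

With the advisory's numbers (buflen 16384, a single 198301-byte write) the doubling policy expands to 32768 and the write is refused, which is exactly where the real code's memcpy ran past the allocation; the hardened policy grows to 198301 and the write succeeds. Ten 8192-byte chunks succeed under either policy, which is why the bug only surfaced once a script emitted one large brigade.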
Created attachment 19926: Ebuild for mod_security 1.7.2

Thanks for the info, solar; it's very fresh news! (1.7.2 wasn't out yesterday.) Here is the 1.7.2 ebuild.
Would be nice if this ebuild worked against Apache 1.x too... (I don't use Apache2.)
This ebuild should work with Apache 1.x. Do you have any trouble with it?
Created attachment 26532: Patch to upgrade to mod_security-1.7.5

Version bump. The dependencies have been updated, so now if you use -apache2 in USE, this adds apache 1.3.28 (the version I used) to the dependencies. Also, the manual has been added.
Remove hardened@ from CC: Add us back if we are needed for anything else. (other than a commit)
Maybe it would be a great enhancement if a basic configuration file (in the /etc/apache2/conf/ directory, such as xx_mod_security.conf) were added to the ebuild?
Created attachment 27550: an example of 99_mod_security.conf

Here is a configuration file corresponding to the examples from the official site. You just have to put it in /etc/apache2/conf/ and add -D SECURITY to the /etc/conf.d/apache2 file. Feel free to adjust it to your needs.
I don't know if we should spend much time on this ebuild, since it's not going to be in portage.
Why won't this module be included in portage?
Created attachment 27924: net-www/mod_security/mod_security-1.7.6.ebuild

mod_security 1.7.6 is out. Here is a new ebuild for it, which corrects the installation of the PDF manual and adds a configuration file for Apache.
Created attachment 27925: net-www/mod_security/mod_security-1.7.6.ebuild

mod_security 1.7.6 is out. Here is a new ebuild for it, which corrects the installation of the PDF manual and adds a configuration file for Apache.
Created attachment 27926: net-www/mod_security/files/99_mod_security.conf

The configuration file for Apache 2.
Created attachment 27927: net-www/mod_security/files/mod_security.conf

The configuration file for Apache 1.
We won't be adding 1.7.1 to CVS since it has security problems. I don't have a problem adding 1.7.6 to CVS though. Will try to get to it tonight.
Added last night. chuck
I just compiled it on a ppc machine and it worked fine, if you would like to add 'ppc' to the keywords.