Hi! I'm running a Gentoo 2007.0/hardened box with apache and mod_security, and I just came across a surprise: a Norwegian word caused an HTTP 501 response. The word is "stålsøyler"; with this encoding it works fine. But the word was URL encoded, and was written as "stålsøyler" ... which then triggered mod_security. I found the reason in the file /etc/apache2/modules.d/mod_security/40_generic_attacks.conf in line 133:

SecRule ARGS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
    "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"

I'm guessing it is this part of the regexp which fails: |ls(?:of)?| Could we find a workaround here ... to allow 'åls' but not ';ls'? ... This could also be a problem with other words too ... kind regards, David Sommerseth PS! If you wonder what "stålsøyler" means, it is something like "steel pillars" ... I do not have a good dictionary available right now.
Maintainers, please advise.
this is not a security issue
Actually! I see I can deepen this one a little bit more. The specific scenario this one hits is when you have two HTML-escaped letters (e.g. å and ø) and some data which hits this rule. The pattern which should be *allowed* (pseudo regexp, since I'm not a regexp guru):

&(aring|oslash|aelig|u-umlaut|...etc...);(<reg_exp rule above>)&(aring|oslash|aelig.....)

I hope this helps you narrow it down somewhat ... for more HTML entities, have a look here: http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
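The following is an added example, not code from the bug report or from the mod_security rule set. It runs the rule 950006 regex quoted in the report over constructed inputs to show which branch fires. It assumes the value the browser actually submitted was st&aring;ls&oslash;yler (the copy of the word in this thread has had its entities rendered back to å and ø, so that form is an assumption). The decode helper is a simplified stand-in for ModSecurity's t:htmlEntityDecode, which only handles numeric entities and the named entities &quot;, &nbsp;, &lt; and &gt;: &aring; and &oslash; are left untouched, so the ; that terminates &aring; followed by ls and the non-word & matches the [\;\|\`]\W*?\b(?:...|ls(?:of)?|...)\b branch exactly as the first post guesses. Swapping in a full entity decoder (Python's html.unescape) makes the false positive disappear, which is the shape of the allow-pattern sketched in the comment above.

```python
import html
import re

# Regex of rule 950006 exactly as quoted in the report (40_generic_attacks.conf,
# "System Command Injection"), split across adjacent literals only for readability.
RULE_950006 = re.compile(
    r"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)"
    r"|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)"
    r"|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))"
    r"|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)"
    r"|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))"
    r"|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)"
    r"|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))"
)

# Simplified stand-in (assumption, not ModSecurity's code) for t:htmlEntityDecode:
# numeric entities plus the four named ones the transformation documents.
_MODSEC_NAMED = {"quot": '"', "nbsp": "\xa0", "lt": "<", "gt": ">"}
_MODSEC_ENTITY = re.compile(
    r"&(?:#x(?P<hex>[0-9A-Fa-f]+)|#(?P<dec>[0-9]+)|(?P<name>quot|nbsp|lt|gt));?"
)


def modsec_html_entity_decode(s: str) -> str:
    """Decode only what ModSecurity's htmlEntityDecode decodes; &aring; etc. survive."""
    def repl(m: re.Match) -> str:
        if m.group("hex"):
            return chr(int(m.group("hex"), 16))
        if m.group("dec"):
            return chr(int(m.group("dec"), 10))
        return _MODSEC_NAMED[m.group("name")]
    return _MODSEC_ENTITY.sub(repl, s)


def full_entity_decode(s: str) -> str:
    """Alternative transform: decode every named and numeric HTML entity."""
    return html.unescape(s)


def rule_950006_match(arg: str, decode=modsec_html_entity_decode):
    """Apply the rule's transformation chain (entity decode, lowercase) and return
    the fragment rule 950006 would log in TX.0, or None if the rule stays quiet."""
    transformed = decode(arg).lower()
    m = RULE_950006.search(transformed)
    return m.group(0) if m else None


# Constructed sample argument values (not taken from the reporter's logs).
SAMPLES = [
    "st&aring;ls&oslash;yler",  # assumed submitted form: named entities, false positive
    "stålsøyler",               # the same word already decoded: clean
    "&#229;ls&#248;yler",       # numeric entities are decoded, so also clean
    "foo;ls -la",               # a genuine command-injection attempt
]

if __name__ == "__main__":
    for arg in SAMPLES:
        print(f"{arg!r:32} modsec-decode -> {rule_950006_match(arg)!r:10} "
              f"full-decode -> {rule_950006_match(arg, decode=full_entity_decode)!r}")
```

Under the ModSecurity-style decode the first sample reports ";ls" while the decoded and numeric-entity forms report nothing, so the trigger is the entity terminator, not the word itself; any named entity followed by one of the listed command names (ls, id, ps, rm, ...) and another entity will hit the same branch. Note that fully decoding entities before matching is shown here only to isolate the cause; it changes what the rule inspects for every request, so the proper fix is a change to the rule (or to the transformation chain chosen upstream), not a local patch to the decoder.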
Is anyone looking into this? ... I would like to do it, but I'm not strong enough with regexp, unfortunately ...
The core rule set is _quite_ messy; I'm sincerely tempted to just make it optional, even though enabled by default. For any problem with it I think you'd be better off reporting it upstream. To be honest, I disabled quite a few of them because they stopped me from blogging about Unix standard file paths =_=
I've added a postinst message in 2.5.9-r1.
I must say, I'm rather disappointed by this solution. This is not FIXED ... the right status for this should rather be WONTFIX, because it is not fixed. A lame message saying "disable this check" in the ebuild does not solve this issue. But I see I need to go to more competent places to get this fixed.