[BUG?] Litespeed + ModSec2

[DraCoola]

I am using Litespeed Web Server Enterprise v4.0.17 on CENTOS 5.5 x86_64 standard with WHM 11.28.52 + ModSec2x

On my other non litespeed server with WHM 11.28.52 + Apache 2.2.17 + ModSec2x, I wrote these ModSec rules and worked :

---------------------------------------------------------------
SecRule REQUEST_URI "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)\?"
SecRule REQUEST_URI "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)"
---------------------------------------------------------------

But litespeed did completely bypass those rules above

As we know perl and cgi are free to do Cross site scripting / XSS.
Reading all config files and then hack all sites on the server easily.

How to make litespeed read ModSec rules correctly?

 

[DraCoola]

Any help? George? NiteWave?
This litespeed bug (?) could be very dangerous.
Because modsec2 rules can not prevent cgi and perl scripts accessing the whole system anymore with litespeed.
Turkey and Algerie hacker has used cgi-telnet script to do mass deface for thousands of websites in just couple hours.
The only thing can stop them is modsec rules in front of the webserver.
Because php open_basedir is totaly useless if cgi and perl are still permitted to walking arround from public_html

 

[mistwang]

You can enable modsec debug log (in error_log), then try the rule, if 404 is return, it wont trigger the rule, make sure the file is there. if security rule is not triggered and the file is there, please send us the modsec log entires.

 

[DraCoola]

Thank you, George. But after switching from Apache to LiteSpeed twice, then suddenly .pl is forbidden now

 

[webizen]

any indication in error.log regarding the .pl?

 

[NiteWave]

tested on our cPanel box,

in case not working, may need explicitly set

SecFilterEngine On

 

[DraCoola]

tested on our cPanel box,

in case not working, may need explicitly set

SecFilterEngine On

"SecFilterEngine On" was only work with modsec1 / apache 1.x
Modsec2 together with apache 2.x using "SecRuleEngine On"

If "SecFilterEngine On" put in modsec2 conf will definitely make the webserver refuse to start.

 

[mistwang]

Litespeed can take both, apache cannot.

 

[DraCoola]

any indication in error.log regarding the .pl?

You can enable modsec debug log (in error_log), then try the rule, if 404 is return, it wont trigger the rule, make sure the file is there. if security rule is not triggered and the file is there, please send us the modsec log entires.

After two days lsws running fine with those "anti perl" rules, now it showing the "bug" again.
It suddenly wont work with the rules after restarting the webserver.
Honestly I don't know where to find the error_log for modsec.

The conf has said just like this :

-----------------------------------------------
LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 1
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
-----------------------------------------------

I have set DebugLog to 1 and creating logs/modsec_debug_log (dir/file) on the same directory (with the conf) but nothing happen to the debug log file
Any helps from litespeed staff will be very useful to prevent huge amount of websites defaces by perl XSS.

 

[DraCoola]

Litespeed can take both, apache cannot.

I did put "SecFilterEngine On" on modsec2.conf with litespeed and resulting an error lines, then litespeed wont start.
I mean modsec2 just leave the old "SecFilterEngine On" and replace the tag with "SecRuleEngine On" to make it work with any webserver behind it (**)

(**) :
modsec2 + any version of litespeed = SecRuleEngine On
modsec2 + apache2 only = SecRuleEngine On

modsec + any version of litespeed = SecFilterEngine On
modsec + apache1 only = SecFilterEngine On

 

[DraCoola]

Any help? George? NiteWave? webizen?

 

[mistwang]

Looks like a bug with handling rule actions.
you add actions to those rules, without "deny" action, lsws default to allow, while apache may use SecDefaultAction.
You can explicitly add "deny" to the rule action for now.

 

[DraCoola]

Looks like a bug with handling rule actions.
you add actions to those rules, without "deny" action, lsws default to allow, while apache may use SecDefaultAction.
You can explicitly add "deny" to the rule action for now.

Yes all rules that I've wrote and even from gotroot.com are mostly without "deny" at rule line as you told.
I am now add that "deny" action to all rules.
But while litespeed included "Deny" as "SecDefaultAction", I believe that would be more nice
So the issue has SOLVED! George is the master

 

[DraCoola]

Added "deny" just like rules below but still lsws bypassing the rules

-------------------------------------------------------------
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)\?" "id:123456,rev:1,severity:2,msg:'PERL-CGI-1',deny"
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)" "id:234567,rev:1,severity:2,msg:'PERL-CGI-2,deny'"
-------------------------------------------------------------

Switch to apache make domain.com/asdf.pl have forbidden access as it should be.
Not yet resolved

 

[DraCoola]

Another update :
**************

Include "/usr/local/apache/conf/modsec2.whitelist.conf" is ignored too.
The file is used to white list allowed path for an example :
-----------------------------------------------------------
<LocationMatch "/cgi-sys/suspendedpage.cgi">
SecRuleRemoveById 123456 234567
</LocationMatch>
-----------------------------------------------------------


While with the modsec2 rule :
----------------------------------------------------------
SecRule REQUEST_URI|REQUEST_FILENAME "[A-Z|a-z|0-9]\.(cgi|pl|plx|ppl|perl)" "id:234567,rev:1,severity:2,msg:'PERL-CGI-2',deny'"
----------------------------------------------------------

Lsws still deny/forbidden the white list path for /cgi-sys/suspendedpage.cgi
And apache did allow accessing white list the path as it should be.


The conclusion is : this is the real lsws bug that should get fix a.s.a.p.
Modsec2 is very important thing that must be instaled on all of shared hosting server.

 

[mistwang]

SecRuleRemoveById is not support in 4.0.x, will be supported in 4.1

 

[mistwang]

solution now, is to use a "chain" secrule to exclude URL "/cgi-sys/suspendedpage.cgi"

 

[DraCoola]

I will try to put "chain" to the rules with "!ARGS" to get an exclusion path.
But the newest 4.0.18 sounds very tasty on the change log

I hope "Improved mod_security compatibility" on that 4.0.18 were also "SecRuleRemoveById" recognition and "SecDefaultAction deny" included