Mod Sec Rule Not Working

NC-Designs

Well-Known Member
#1
Hi, I run CXS on our server and I have noticed that the mod_security rule below is not working -

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,id:'1010101'"

I also found the following error in the Server Log Viewer, any ideas? Thanks.

 

Statskij

Active Member
#2
Hello.
I use cxs on my servers too, but it doesn't work via mod_security rules; I use it via suhosin. For now it works just like that.
I think that the developers of Litespeed should look closely at the question of interoperation with mod_security, because mod_security rules protect well from hacker attacks.
 

NC-Designs

Well-Known Member
#3
> Hello.
> I use cxs on my servers too, but it doesn't work via mod_security rules; I use it via suhosin. For now it works just like that.
> I think that the developers of Litespeed should look closely at the question of interoperation with mod_security, because mod_security rules protect well from hacker attacks.

Yeah, the problem I am facing is that a script uploaded via PHP only shows minimal information compared to Apache. For example, it fails to display the uploading script location?
 

NC-Designs

Well-Known Member
#5
> The uploading progress bar feature is addressed in LiteSpeed 4.1RC2 and above.
> See the wiki:
> http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:php:uploadprogress_bar

I mean like data that is sent to the CXS script through suhosin. For example -
(With LiteSpeed)
Scanning web upload script file...
Web upload script user: filetest (532)
Web upload script owner: ()
Web upload script:
Remote IP:
Deleted: No
Quarantined: No
(With Apache)
Scanning web upload script file...
Web upload script user: nobody (99)
Web upload script owner: filetest (532)
Web upload script: /home/filetest/public_html/upload.php
Remote IP: XX.XX.XX.XX
Deleted: No
Quarantined: No
With LiteSpeed I do not even know which script is uploading the malicious data, what IP is sending the malicious data and who even owns the script. The only way I can tell what user the script is under is because suExec within LiteSpeed seems not to work as it should and declares the visitor as the owner of the file. LiteSpeed is not parsing the data that Apache otherwise would.

Also, thank you for your assistance, Statskij. Do you have the same problem as I do above?
 
Last edited:
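Added example, not part of any post in this thread and not code from CXS or LiteSpeed: a small triage script that parses upload-scan reports in the "label: value" layout quoted in post #5 and flags any report that lacks the script path, script owner, or remote IP. The function names are hypothetical, and the sample input is constructed from the two reports quoted above.

```python
# Constructed sample: the two reports quoted in post #5 of the thread.
SAMPLE = """\
(With LiteSpeed)
Scanning web upload script file...
Web upload script user: filetest (532)
Web upload script owner: ()
Web upload script:
Remote IP:
Deleted: No
Quarantined: No
(With Apache)
Scanning web upload script file...
Web upload script user: nobody (99)
Web upload script owner: filetest (532)
Web upload script: /home/filetest/public_html/upload.php
Remote IP: XX.XX.XX.XX
Deleted: No
Quarantined: No
"""

# Fields needed to attribute an upload; labels taken from the quoted reports.
ATTRIBUTION_FIELDS = ("Web upload script owner", "Web upload script", "Remote IP")
REPORT_START = "Scanning web upload script file..."

def parse_reports(text):
    """Split scanner output into one dict of label -> value per report."""
    reports, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(REPORT_START):
            current = {}
            reports.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only, so values may contain colons.
            label, _, value = line.partition(":")
            current[label.strip()] = value.strip()
    return reports

def missing_attribution(report):
    """Return the attribution fields that are absent, empty, or just '()'."""
    return [f for f in ATTRIBUTION_FIELDS if report.get(f, "").strip("() ") == ""]

if __name__ == "__main__":
    for i, report in enumerate(parse_reports(SAMPLE), 1):
        gaps = missing_attribution(report)
        print(f"report {i}:", "incomplete, missing " + ", ".join(gaps) if gaps else "complete")
```
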

Statskij

Active Member
#6
Yes, cxs doesn't work too.
I asked a question at this forum and developers answered me that files check doesn't work via mod_security.

I also use GotRoot rules for mod_security and not all of them work correctly.

So I think that Litespeed doesn't have full interoperation with mod_security.
 

masood_y

Well-Known Member
#7
How can I do that with "suhosin" in "/usr/local/lib/php.ini"?
I can't find "suhosin.upload.verification_script" in "/usr/local/lib/php.ini".
I'm using cPanel/WHM.
 