mod_security question

ffeingol

Well-Known Member
#1
OK, we're running an Enterprise version of LSWS on a VPS with cPanel. We have mod_security set up. For now we have just 1 rule for testing:

SecFilter "testit"

.shtml pages are being proxied to Apache.

If we browse http://www.mydomain.com/blah.shtml?testit then Apache blocks the request with a 406 (our error code set in the conf) and mod_security works properly. If we browse to http://www.mydomain.com/blah.php?testit LSWS serves up the page. I thought LSWS should be reading the mod_security rules and applying them?

TIA,

Frank
 

mistwang

LiteSpeed Staff
#2
How was this rule configured? In httpd.conf? Which section of httpd.conf? Or in the LiteSpeed web console?
Can you please try the rule in another format?

SecFilterSelective "ARGS" "testit"

It should have the same effect as yours; I just want to make sure it is not a bug with the "SecFilter" directive.
 

ffeingol

Well-Known Member
#3
Hello,

Yes, it's in httpd.conf. It's configured in the "default" cPanel config (if you use mod_security installed via cPanel).

Code:
AddModule mod_security.c
Include "/usr/local/apache/conf/modsec.conf"
and then /usr/local/apache/conf/modsec.conf has:

Code:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec.user.conf"
</IfModule>
and then finally modsec.user.conf

Code:
#SecFilter "testit"
SecFilterSelective "ARGS" "testit"
The results are the same for either form of the rule. The Apache proxy works; LSWS does not.

Frank
 

mistwang

LiteSpeed Staff
#4
It turns out to be a bug in parsing a query string with only one variable name; if there are other request variables, or if it has a value, it will be caught.

The fix is in our 3.2.1 build; can you download it and give it a try?
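
Added example, not part of the original thread and not LiteSpeed's or mod_security's code: a small regression matrix for the request shapes discussed above, showing how an argument parser that drops value-less parameters lets `?testit` slip past an argument filter. It uses Python's `urllib.parse.parse_qsl` (whose default discards bare names) only to illustrate this class of parsing gap; the function names are hypothetical, and the rule is approximated as a regex search over argument names and values.

```python
import re
from urllib.parse import parse_qsl, urlsplit


def request_args(url, keep_bare_names=True):
    """Return (name, value) pairs from the URL's query string.

    keep_bare_names=False reproduces parse_qsl's default behaviour,
    which silently drops parameters that have no value.
    """
    query = urlsplit(url).query
    return parse_qsl(query, keep_blank_values=keep_bare_names)


def rule_matches(pattern, url, keep_bare_names=True):
    """Approximate an argument filter: search names and values for pattern."""
    rx = re.compile(pattern)
    return any(rx.search(name) or rx.search(value)
               for name, value in request_args(url, keep_bare_names))


# Constructed test URLs covering the request shapes from the thread.
CASES = [
    "http://www.mydomain.com/blah.php?testit",      # bare name only
    "http://www.mydomain.com/blah.php?testit=1",    # name with a value
    "http://www.mydomain.com/blah.php?a=1&testit",  # bare name plus another variable
    "http://www.mydomain.com/blah.php?a=testit",    # keyword inside a value
]


def coverage(pattern="testit"):
    """Map each URL to (caught when bare names kept, caught when dropped)."""
    return {url: (rule_matches(pattern, url, True),
                  rule_matches(pattern, url, False))
            for url in CASES}


if __name__ == "__main__":
    for url, (kept, dropped) in coverage().items():
        print(f"{url:48} kept={kept!s:5} dropped={dropped}")
```

Replaying the same four URL shapes against a live rule set after changing web servers or upgrading is a quick way to confirm that a filter still sees value-less parameters.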
 