Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Possible Mod_Security Related Bug
Posted: Wed Jun 08, 2011 1:37 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
We recently ran into an issue after the release of the mod_security 2.6.x rpm.

After the upgrade, Apache was refusing to start and giving an error similar to:

Syntax error on line 44 of 11_asl_adv_rules.conf:
Error parsing actions: Invalid transformation function: decodeBase64Ext

After researching the error, we ran across:

https://www.modsecurity.org/tracker/browse/MODSEC-233

After updating the two occurrences of decodeBase64Ext to base64DecodeExt in the 11 file, Apache started fine.

Just a heads-up in case that is a reproducible error and not a one-off issue with our test build (since we'll lose the change on a rule update).

Thanks.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Wed Jun 08, 2011 1:40 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3673
Location: Chantilly, VA
Your rules are considerably out of date. That was changed many weeks ago when 2.6 came out and when the name for that transform changed from what it was in 2.5.13 (base64DecodeExt) to what it is now in 2.6 (decodeBase64Ext). The rules have always been aligned with whatever version of modsec is out. If your rules are out of date, then you should never upgrade modsecurity.

So make sure you upgrade your rules, they must be really out of date for you to see this. We didn't push 2.6 until we modified the rules.

The real bug is that the modsecurity developers did not provide backwards compatibility for their own change (which is common anytime a transform name has changed).

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Wed Jun 08, 2011 2:28 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
Our rules are set (and have been set) to auto update. Likely all related in that there may have been an issue with the auto update after the problem first surfaced (but wasn't because the rules were out of date when the upgrade first happened).


Post subject: Re: Possible Mod_Security Related Bug
Posted: Wed Jun 08, 2011 2:30 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3673
Location: Chantilly, VA
Are you running the 3.0 beta, and have you updated it to the latest version?

What is the output of these commands:

asl -v

asl -u

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Wed Jun 08, 2011 5:08 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
Yes, as best I know we are running the latest test build. Output:

asl -v
ASL Version 2.9.3: UNSUPPORTED: Development Build

asl -u
Checking for updates..
ASL version is current: 2.9.3 [OK]
Kernel version is current: 2.6.32.41-3 [OK]
APPINV rules are current: 201008021738 [OK]
CLAMAV rules are current: 201106061125 [OK]
GEOMAP rules are current: 201106080938 [OK]
MODSEC rules are current: 201106081315 [OK]
OSSEC rules are current: 201105100943 [OK]


Post subject: Re: Possible Mod_Security Related Bug
Posted: Wed Jun 08, 2011 5:35 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3673
Location: Chantilly, VA
Yeah you have something out of date. What happens when you run:

yum --enablerepo=asl-2.0-testing upgrade

and what's the output from asl -s -f

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Thu Jun 09, 2011 11:19 am
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
From the yum output, the only thing that we haven't updated is the last kernel -4 versus -3. Other than that no other packages listed for the yum command.

Likely that something got borked on one of the updates so was just curious to see if I could trace it.

Only thing of note from asl -s -f that seems to be an error is:

Checking for disabled rules

Error: /var/asl/rules/modsec/spam.data not detected, skipping rule.
Error: There is a problem with the apache config
Rolling back to the previous update

Suggestions?

Thanks.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Thu Jun 09, 2011 2:22 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3673
Location: Chantilly, VA
Quote:
Error: There is a problem with the apache config
Rolling back to the previous update


Yep, that's the problem, something is wrong with the apache config, so ASL won't touch or update it (which also means it won't really update your rules...)

Can you run /etc/init.d/httpd configtest

And send the output?

Also, have you made any changes to the modsecurity rules on your system?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Thu Jun 09, 2011 3:36 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
No apparent issues based on the output:

/etc/init.d/httpd configtest
Syntax OK

No changes to the rules other than the change mentioned in the first post.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Fri Jun 10, 2011 5:45 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
Mike:

I think I may have found out what the issue is for the rules not being updated.

We have the rules set to auto-update so typically when I check with:

asl -u

I get all rules being up-to-date.

As I started poking around into the rules themselves, noticed that the file sizes weren't changing.

So based on when I knew a rule update was out (after the last auto run but before the next auto run), I ran it manually and got an error from wget.

Looks like it is our password that is the issue. The update script doesn't seem to be escaping passwords so some special characters are causing the actual rules download to fail. If I run the same wget string from the command line with \ in front of the special character, the rules are downloaded fine.

Even though the download fails from asl -u, the script is still updating the rule version to the latest version such that on subsequent runs, it will report all as being up-to-date even though the rules weren't actually updated. That seems to explain why the rules were not getting updated while asl -u was also reporting all was up to date.

Can you see if you can reproduce on your end?

This seems to happen on our ASL Lite box as well so don't think the issue is specific to the test build. Would also explain why this might be rare if most folks don't have special characters in their passwords.

Thanks.
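
The failure described in the post above, reduced to a runnable shell example; it is added here and is not part of the original post or ASL's update script. `fetch_rules` is a hypothetical stand-in for the wget call, and the user name, credential, directory layout and old version number are constructed.

```shell
#!/bin/sh
# Added example: every name below is hypothetical, not taken from ASL.
EXPECTED_PASSWORD='Exam$$ple-9'   # constructed credential with shell metacharacters

# Stand-in for the download step (wget in the thread): it succeeds only if the
# password arrives byte-for-byte intact, then writes a constructed rules file.
fetch_rules() {   # fetch_rules USER PASSWORD OUTFILE
    [ "$2" = "$EXPECTED_PASSWORD" ] || return 1
    printf '# constructed rule set (new)\n' > "$3"
}

# Failure mode from the thread: the password is pasted into a command string
# that the shell parses a second time, the exit status is never checked, and
# the version stamp is written regardless.
update_broken() {   # update_broken USER PASSWORD DIR NEW_VERSION
    eval "fetch_rules $1 $2 $3/rules.new" 2>/dev/null
    echo "$4" > "$3/version"
}

# Hardened form: quoted arguments, and the stamp moves only after a non-empty
# download has replaced the live rules file.
update_safe() {   # update_safe USER PASSWORD DIR NEW_VERSION
    if fetch_rules "$1" "$2" "$3/rules.new" && [ -s "$3/rules.new" ]; then
        mv "$3/rules.new" "$3/rules.conf" && echo "$4" > "$3/version"
    else
        rm -f "$3/rules.new"
        echo "rule download failed, still on $(cat "$3/version")" >&2
        return 1
    fi
}

# Helper: a scratch rules directory holding an old rule set and its stamp.
new_rules_dir() {
    d=$(mktemp -d) || return 1
    printf '# constructed rule set (old)\n' > "$d/rules.conf"
    echo 201106010000 > "$d/version"
    echo "$d"
}

# Demo: the same credential through both paths.
demo_dir=$(new_rules_dir)
update_broken alice "$EXPECTED_PASSWORD" "$demo_dir" 201106081315
echo "broken: stamp=$(cat "$demo_dir/version") rules=$(cat "$demo_dir/rules.conf")"
update_safe alice "$EXPECTED_PASSWORD" "$demo_dir" 201106081315
echo "safe:   stamp=$(cat "$demo_dir/version") rules=$(cat "$demo_dir/rules.conf")"
rm -rf "$demo_dir"
```

With a real downloader the same rule applies: pass the credential as a quoted argument or through a protected configuration file rather than splicing it into a command string, and treat a failed or empty download as "not updated".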


Post subject: Re: Possible Mod_Security Related Bug
Posted: Tue Jun 14, 2011 2:19 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
Mike:

Any update regarding the characters in a password?

Thanks.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Tue Jun 14, 2011 3:32 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7959
Location: earth
Yeah, it's not going to be something we can investigate supporting until after 3.0 is out (yum for example does not like metacharacters). For now limit your passwords to alpha-numeric passwords.


Post subject: Re: Possible Mod_Security Related Bug
Posted: Wed Jun 15, 2011 3:42 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 164
Scott:

Thanks.

I'd suggest making a note when folks sign up for ASL about only alphanumeric characters to avoid anyone else being in a similar situation (only reason our other box on 2.x doesn't display the same behavior is that its password happened to not have any special characters in it).


Post subject: Re: Possible Mod_Security Related Bug
Posted: Mon Jul 23, 2012 6:57 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7959
Location: earth
Yup, 3.0 was released last year.

