Pattern Match
Jun 20, 2007
mod_security: Access denied with code 406. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" at POST_PAYLOAD [hostname "domain.us"] [uri "/_vti_bin/_vti_aut/author.exe"]
This is my mod security rules.conf file
Code:
#Enforce proper HTTP requests
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
#Generic rule for allowed characters, very broken at the moment, don't use it unless you can fix it
#Then post your fix eh!
#SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9.+_/-?=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" "chain,id:340003,rev:1,severity:2,msg:'Content Length not provided with POST'"
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
#HTTP response splitting generic sigs
SecFilter "Content-Length:.*Content-Type:.*Content-Type:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"
#HTTP response splitting generic sigs
SecFilter "Content-Length:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type:" chain
SecFilter "Content-Type:"
#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
#Code injection via content length
SecFilterSelective HTTP_Content-Length ";(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST "<(.|\n)+>"
#generic recursion signatures
SecFilterSelective REQUEST_URI "!(alt_mod_frameset.php)" "chain,id:300004,rev:1,severity:2,msg:'Generic Path Recursion denied'"
SecFilterSelective THE_REQUEST "\.\./\.\./"
#generic path recursion sig
#generic recursion signatures
SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"
#generic bogus path sigs
SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
SecFilterSelective POST_PAYLOAD "[[:space:]]+\.\.\.+;" "id:300007,rev:1,severity:2,msg:'Bogus Path denied'"
#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\);" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Generic PHP exploit signatures
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\);" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
Feb 22, 2008
Taken from apache error logs, are these below legit or false alarms per se? This same customer is having issues with php sendmail (server uses php 5 w/ phpsuexec enabled)
[Thu Feb 21 17:02:02 2008] [error] [client 216.9.250.112] mod_security: Access denied with code 406. Pattern match "!^[0-9a-z]*$" at COOKIE("PHPSESSID") [hostname "www.clientdomain.com"] [uri "/%23URL.ImagURL%23"]
[Fri Feb 22 10:13:18 2008] [error] [client 189.24.155.203] mod_security: Access denied with code 406. Pattern match "',''));" at POST_PAYLOAD [hostname "clientdomain.com"] [uri "/xmlrpc.php"] ....
Jan 12, 2006
We need a MANAGED dedicated server for a client we are developing a website for. They will do most of their sales online.
Here is what we have found: As far as a managed dedicated server, the BEST company we have found that offers 24/7/365 phone support and has their own in-house hardware tech staff is RackSpace.
However, RackSpace is a little pricey (starts at around $400/month).
Is there any other REPUTABLE company available that offers MANAGED DEDICATED SERVERS WITH 24/7/365 phone support and in-house hardware tech support at a better price? Every time I call RackSpace, I get a human being on the phone...NEVER an answering machine.
We want to put our client's website in the best hands possible.
With that said, are there any suggestions at a better price that match the support of RackSpace?
Thank you VERY MUCH for your helpful insight. We need to launch the site in a couple of weeks.
Jul 10, 2008
There is a new page on Rackspace's website where they are offering to match the price of any hosting company that sells the same package of specifications. It sounds like there will be no compromise on the standards of service included in the deal.
Dec 30, 2014
I want to match a query string with mod_rewrite. The problem is that my query_string has a URL as its value:
%{QUERY_STRING} next=https://play.google.com/store/apps/details?pepe=1
and it doesn't work for me.
input='next=https://play.google.com/store/apps/details?pepe=1'
pattern='next=https://play.google.com/store/apps/details?pepe=1' => not-matched
But if I have to match only the URI, it works. The problem is when I try to add parameters to the query_string URL:
http://someurl.com?next=https://play.google.com/store/apps/details?pepe=1
Is there any way to match that kind of query_string?
Jun 6, 2007
Hello,
I have two similar VPS plans with identical software setups.
I installed APF Firewall on VPS A, modified the conf.apf file to
change the interfaces to venet0 and set monokern to 1 and
then opened all the ingress ports required. Started the firewall
with 'service apf start' and everything went fine, and everything
is working fine with no errors.
I did the same on VPS B but when I start apf I get the following
error that reoccurs during the startup sequence:
iptables: No chain/target/match by that name
While the firewall does seem to be running (by checking iptables -L)
I am unable to download files on the VPS, via wget or yum ...
Oct 28, 2014
After downloading httpd-2.2.29-win32.zip and generating SHA1 and SHA256 checksums from the file, they do not match the checksums posted on the download page.
May 3, 2008
I'm having a bit of a problem with my SSL certificate and can't seem to work out how to get around it.
Trying to install a RapidSSL certificate to one of my websites, but for some reason when I enter the certificate into cPanel it says:
modulus mismatch, key file does not match certificate. Please use the correct key file ..
Jul 17, 2014
OS = CentOS 6.5 (Final)
Plesk version = 12.0.18 Update #7, last updated at July 11, 2014 12:46 PM
I have been trying to make my sites better suited to anti spam measures. The only warning I have left to work out is:
Warning - Reverse DNS does not match SMTP Banner
In the Plesk settings I do have the outgoing mail setting set to "Send from domain IP addresses and use domain names in SMTP greeting"; still I get the warning.
I am using Postfix. This is a 1and1 dedicated server and I am using custom name servers for this domain. I believe the SMTP banner is matching the main IP and not the domain.
Jan 30, 2013
I am using the following mod_rewrite rule for shortened SEO friendly links: RewriteRule ^blog/([^/]*).html$ /blog/blog.php?pid=$1 [R=301,L]
For Google SEO reasons, will the shortened rewritten link created from above be the permanent link, from the R=301? Even though the longer link is still functional? Or, do I need to create a rewrite match 301 rule to push the long URL to the shortened URL permanently?
Mar 26, 2014
I am running Apache on a Windows server and it is up and running. I downloaded and installed:
Apache 2.4.9 Win32 [Apache VC11 Binary] httpd-2.4.9-win32-VC11.zip
And included ModSecurity from download: modules-2.4-win32-VC11.zip..
The version of ModSecurity is mod_security-2.7.7 . It is up and running, but I get a warning:
ModSecurity: Loaded PCRE do not match with compiled!
Here's the difference in the PCRE from the logs:
PCRE compiled version="8.33 "; loaded version="8.34 2013-12-15".
The compiled version does not match the loaded version. Is this something I should be concerned about and try to find compiled versions that match?
Jun 1, 2007
Loading a phpinfo() shows that the mysql variable "Client API version" on my server doesn't match the version of mysql installed (4.0.20 when mysql version is 4.1.21).
Can this cause trouble and php or mysql errors on scripts I'm running?