Hi,
I started playing with the modsecurity rules today.
I noticed that CRS modsecurity rule modsecurity_crs_16_session_hijacking.conf will hit on Roundcube 0.6 on my test server. I have not used modsec on any other version of RC.
Enabling the CRS 2.2.2 options rules breaks this RC set-up. I'm not an expert on these rules, so it is quite likely that I misinterpreted the results.
[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."]
[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."]
Some rules in these hit as well: Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
Message: Warning. Match of "rx (?i:\;? ?httponly;?)" against "TX:sessionid" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] [line "71"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag."]
The other CRS and ASR rules seem fine so far...
It's possible that this is an Apache misconfiguration by me.
Has anyone else used the modsecurity optional rule sets on Roundcube?
Best regards, S
On 24/10/11 12:53, Simon Loewenthal wrote:
I stripped out these rule IDs and RC pretty much works...
SecRuleRemoveById 981054 981056 981057 981058 981059 981060 981061 981062 981063 981064 981219 981220 981221 981222 981223 981224 981179 981181 981182 981183 981184 981185 981186
When saving a new Contact, the message "An error occurred while saving" is displayed. It trips up on this rule, 981143:
--e38a3129-A--
[24/Oct/2011:13:16:51 +0200] TqVJI1jGXw0AABqACNgAAAAD 62.58.11.11 26940 88.198.95.13 443
--e38a3129-B--
POST /?_orig_source=0 HTTP/1.1
Host: webmail.example.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://webmail.example.com/?_orig_source=0
Cookie: spamprefsviewsplitter=195; prefsviewsplitter=195; addressviewsplitterd=200; addressviewsplitter=250; composesplitterv=175; mailviewsplitter=205; mailviewsplitterv=165; roundcube_sessid=ceh30pteuab8mslu3c2gjqmqv4; roundcube_sessauth=S381183011cb58a226ef9722d551e85bc6027be41
Content-Type: application/x-www-form-urlencoded
Content-Length: 451
--e38a3129-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
--e38a3129-H--
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
Apache-Handler: application/x-httpd-php
Stopwatch: 1319455011801599 117636 (- - -)
Stopwatch2: 1319455011801599 117636; combined=6353, p1=485, p2=5723, p3=24, p4=112, p5=9, sr=40, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.2 (http://www.modsecurity.org/); core ruleset/2.2.2.
Server: Apache/2.2.16 (Debian)
--e38a3129-Z--
[Mon Oct 24 13:19:22 2011] [error] [client 62.58.11.11] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "webmail.example.com"] [uri "/"] [unique_id "TqVJuVjGXw0AABp2BDIAAAAB"]
For some reason modsecurity won't disable this 981143 rule with the SecRuleRemoveById. Odd.
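An added example, not code from the thread or from Roundcube or ModSecurity: a small Python triage pass over alert lines in the shape quoted above, separating rules that actually returned a 403 from rules that only logged a warning, so that an exclusion list only names genuine blockers. The three sample lines are constructed copies of the entries quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: three ModSecurity 2.x alerts in the shape quoted in the thread
# (two phase-1 denials from the session-hijacking rules, one CSRF warning that did not block).
SAMPLE_LOG = """\
[24/Oct/2011:11:17:39 +0200] [webmail.example.com/sid#7f9bb5d47e08][rid#7f9bc55babd0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."]
[24/Oct/2011:11:23:16 +0200] [webmail.example.com/sid#7f06a783b698][rid#7f06b58a10e0][/][1] Access denied with code 403 (phase 1). Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "38"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."]
[Mon Oct 24 13:19:22 2011] [error] [client 62.58.11.11] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsec-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "webmail.example.com"] [uri "/"] [unique_id "TqVJuVjGXw0AABp2BDIAAAAB"]
"""

# ModSecurity emits its details as [key "value"] pairs; the denial itself is free-form text.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'Access denied with code (\d+) \(phase (\d)\)')


def parse_alert(line):
    """Return the [key "value"] fields of one alert plus whether it actually blocked."""
    fields = dict(FIELD_RE.findall(line))
    denied = DENIED_RE.search(line)
    fields["blocked"] = denied is not None
    fields["status"] = int(denied.group(1)) if denied else None
    fields["phase"] = int(denied.group(2)) if denied else None
    return fields


def triage(log_text):
    """Group alerts by rule id, counting hits and how many of them denied the request.
    A rule that only ever logs 'Warning.' (981143 here) cannot be what broke a page,
    so it does not belong on an exclusion list."""
    by_id = defaultdict(lambda: {"hits": 0, "blocked": 0, "msg": "", "file": ""})
    for line in log_text.splitlines():
        if "Match of" not in line:  # skip anything that is not a rule alert
            continue
        alert = parse_alert(line)
        entry = by_id[alert.get("id", "?")]
        entry["hits"] += 1
        entry["blocked"] += int(alert["blocked"])
        entry["msg"] = alert.get("msg", "")
        entry["file"] = alert.get("file", "").rsplit("/", 1)[-1]  # basename only
    return dict(by_id)


def blocking_rule_ids(log_text):
    """Sorted ids of rules that denied at least one request: the only candidates for a
    narrowly scoped SecRuleRemoveById / SecRuleUpdateTargetById exclusion."""
    return sorted(rid for rid, e in triage(log_text).items() if e["blocked"])
```

Run against the real error log, `blocking_rule_ids` gives the short list worth excluding, while the `triage` table shows which warnings merely fired.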
On 24/10/11 13:25, Simon Loewenthal wrote:
Apologies, but this was my mistake. The last error was not caused by modsecurity, but by a missing entry in the RC database:
roundcube: MDB2 Error: no such field (-19): _doQuery: [Error message: Could not execute statement]
[Last executed query: INSERT INTO contacts (user_id, changed, del, vcard, name, email, firstname, surname, words) VALUES (5, now(), 0, 'BEGIN:VCARD\r\nVERSION:3.0\r\nN:dd;sss;;;\r\nFN:sss dd\r\nEMAIL;type=INTERNET;type=HOME:simon@mailcatch.com\r\nEND:VCARD', 'sss dd', 'simon@mailcatch.com', 'sss', 'dd', ' sss dd simon@mailcatch.com')]
[Native code: 1054]
[Native message: Unknown column 'words' in 'field list'