From e4e1b1143c8842452fd097c94a5e1593dd54988d Mon Sep 17 00:00:00 2001
From: Michael Fleming
Date: Sat, 9 Jul 2005 00:41:23 +0000
Subject: [PATCH] - Spec cleanup (from Oliver Falk) - Updated config with some safe-but-useful rulesets
---
 mod_security.conf | 39 +++++++++++++++++++++++++++++++++++++--
 mod_security.spec | 20 ++++++++++++--------
 2 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/mod_security.conf b/mod_security.conf
index 40c07da..67b360e 100644
--- a/mod_security.conf
+++ b/mod_security.conf
@@ -1,5 +1,4 @@
 # Example configuration file for the mod_security Apache module
-# This is a minimal setup. You should add some extra entries here.
 LoadModule security_module modules/mod_security.so
@@ -69,4 +68,40 @@ LoadModule security_module modules/mod_security.so
 # (and you don't need it anyway)
 SecFilterSelective HTTP_Transfer-Encoding "!^$"
-
+ # Some common application-related rules from
+ # http://modsecrules.monkeydev.org/rules.php?safety=safe
+
+ #Nuke Bookmarks XSS
+ SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
+
+ #Nuke Bookmarks Marks.php SQL Injection Vulnerability
+ SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
+
+ #PHPNuke general XSS attempt
+ #/modules.php?name=News&file=article&sid=1&optionbox=
+ SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
+
+ # PHPNuke SQL injection attempt
+ SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
+
+ #phpnuke sql insertion
+ SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
+
+ # WEB-PHP phpbb quick-reply.php arbitrary command attempt
+
+ SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
+ SecFilter "phpbb_root_path="
+
+ #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
+ SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
+
+ # phpMyAdmin: Safe
+
+ #phpMyAdmin Export.PHP File Disclosure Vulnerability
+ SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
+ SecFilterSelective ARG_what "\.\."
+
+ #phpMyAdmin path vln
+ SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
+
+
diff --git a/mod_security.spec b/mod_security.spec
index 5e0f8f6..5749a2d 100644
--- a/mod_security.spec
+++ b/mod_security.spec
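Review bot: Three of the added PHPNuke patterns use `*` as if it were a shell wildcard, so as regular expressions they do not cover the requests their comments describe. In `"/modules\.php\?*name=Search*instory="` the `\?*` means "zero or more `?`" and `h*` means "zero or more `h`", so `instory=` must follow `Search` immediately. In `"/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"` the literal `?` of a real query string can never sit between `php` and `name=`. The general XSS rule `"/modules\.php\?*name=<[[:space:]]*script"` matches only when `name` is the first parameter. Writing the gaps as `.*`, for example `"/modules\.php\?.*name=Search.*instory="`, would give the intended coverage; as shipped these rules suggest protection they do not provide. What a match does depends on the default action set earlier in the file, outside this hunk, so each rule is worth exercising in log-only mode before it is relied on.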
@@ -1,20 +1,20 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security
 Version: 1.8.7
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
-Source: http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
+Source: http://www.modsecurity.org/download/modsecurity-%{version}.tar.gz
 Source1: mod_security.conf
-BuildRoot: %{_tmppath}/%{name}-root/
-Requires: httpd >= 2.0.38
-BuildRequires: httpd-devel >= 2.0.38
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires: httpd
+BuildRequires: httpd-devel
 %description
-ModSecurity is an open source intrusion detection and prevention engine for web
-applications. It operates embedded into the web server, acting as a powerful
-umbrella - shielding web applications from attacks.
+ModSecurity is an open source intrusion detection and prevention engine
+for web applications. It operates embedded into the web server, acting
+as a powerful umbrella - shielding web applications from attacks.
 %prep
@@ -40,6 +40,10 @@ rm -rf %{buildroot}
 %config(noreplace) /etc/httpd/conf.d/mod_security.conf
 %changelog
+* Sat Jul 9 2005 Michael Fleming 1.8.7-3
+- Correct Buildroot
+- Some sensible and safe rules for common apps in mod_security.conf
+
 * Thu May 19 2005 Michael Fleming 1.8.7-2
 - Don't strip the module (so we can get a useful debuginfo package)
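Review bot: The new `Requires: httpd` and `BuildRequires: httpd-devel` lines drop the `>= 2.0.38` floor, which leaves nothing tying the compiled module to the httpd it was built against, and the 1.8.7-3 changelog entry does not record the change. If the target release's httpd exposes a module-ABI provide (other Fedora httpd modules require `httpd-mmn` for this; confirm it is available here), requiring that would be tighter than either the old or the new form. Otherwise a changelog line such as `- Drop versioned httpd requirements` would at least make the relaxation visible to whoever audits the package later.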