How to remove a single mod_security rule from a specific vhost

On one of my sites I post various PHP code snippets and examples, and mod_security's 50_outbound.conf would always warn about PHP source code leakage. The rule was correct: it was catching PHP code being sent in the response body. But for this site that is exactly what the pages are supposed to contain. I did not want to disable the rule globally, since it is an incredibly useful warning for every other site on the server, so the goal was to switch it off for this one vhost only.

With mod_security 2.1.2, rules that do not specify a phase moved from phase:1 to phase:2. This matters because phase:1 runs too early for rule exclusions placed in a narrower configuration context to take effect; phase:2 and later rules can be managed per vhost. The rule I cared about inspects RESPONSE_BODY and therefore runs in phase:4 (response), so it is not affected either way.

The rule I wanted to exclude is the first SecRule below, id 970015. The rules that follow it in the same file are shown for context; note that 970902 is chained to the negated check on the last line:


SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
"ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970015',severity:'4'"
SecRule RESPONSE_BODY "<\?(?!xml)" \
"chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970902',severity:'4'"
#SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"

To exclude this rule for just this site, I added the following inside its VirtualHost block:


<IfModule mod_security2.c>
SecRuleRemoveById 970015
</IfModule>

You can list further rule ids to exclude in the same place. If 970902 (which fires on `<?` not followed by `xml`) also triggers on your snippets, add a `SecRuleRemoveById 970902` line next to it. After reloading Apache, check that the audit log no longer records 970015 for this vhost while it still fires for the others; the point of scoping the exclusion this way is that a real source-code leak on any other site is still caught.
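As an added example (not configuration from the original post), here is a complete vhost for the snippets site that excludes both outbound PHP-leak rules, with a Location-scoped variant for the case where only one directory of the site publishes code. The hostname, DocumentRoot and /snippets/ path are assumptions; use one of the two exclusion placements, not both:

```apache
<VirtualHost *:80>
    # Hostname and document root are placeholders for this example.
    ServerName snippets.example.com
    DocumentRoot /var/www/snippets

    <IfModule mod_security2.c>
        # Both rules inspect RESPONSE_BODY in phase:4, so a per-vhost
        # exclusion takes effect. 970015 matches PHP function names and
        # superglobals; 970902 matches "<?" not followed by "xml".
        # Every other vhost keeps both checks.
        SecRuleRemoveById 970015
        SecRuleRemoveById 970902
    </IfModule>

    # Narrower alternative: only pages under /snippets/ lose the check,
    # while the rest of this vhost is still inspected for leaked PHP.
    # If you use this, drop the vhost-level SecRuleRemoveById lines above.
    <Location /snippets/>
        <IfModule mod_security2.c>
            SecRuleRemoveById 970015
            SecRuleRemoveById 970902
        </IfModule>
    </Location>
</VirtualHost>
```

The IfModule wrapper keeps the vhost loadable on a host where mod_security is not compiled in; the rule ids are the ones from 50_outbound.conf shown above, so verify them against your installed rule set before copying.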