Stupid mod_security

Mod_Security, I don’t know why I keep you. Every time something breaks, it’s your fault. I guess I feel you have some vague sort of prophylactic value for my server – especially since it’s hard for me to keep on top of all of the virtual hosts and domains I’m running… but damn, you’re always so aggressive.

For instance, I’ve been wondering for the last month why my webalizer reports were broken. It was the weirdest thing, I kept getting a 404 when trying to bring up the page. And even stranger, I could read all the image files in the directory but all the .html files were 404’d. I tried to sneak up on it, renaming the html files to .txt or .old, but no dice. I then tried creating new .html files with nothing but “hello world” and a few profanities (did I say I’d been trying to half-heartedly figure this out for a month?).

Finally I went down the path I had hoped it wouldn’t be. I guess I need to go back to my “as soon as it breaks, try uninstalling mod_security and see what happens” tactics. And sure enough:

sudo yum remove mod_security

and everything was fine.

So I go and start running through the audit logs and error and other logs, and of course there’s nothing there. And finally I find you, hidden in the debug file.

Access denied with code 404 (phase 4). Pattern match "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by. ..." at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "19"] [id "970002"] [msg "Statistics Information Leakage"] [severity "WARNING"]

Yea, this isn’t some innocent misunderstanding – you deliberately target webalizer along with all these other webstat programs. I’m all for proactive security, but maybe you shouldn’t intentionally just break normal shit out of the box, hmmm kay?

Mod_Security, you’re kind of a douche and I’m tossing you out.
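
An added example, not part of the original post: a Python sketch that pulls the rule id, phase and message out of a denial line like the one quoted above and builds an Apache block that switches off only that rule under one path, as an alternative to removing mod_security. The sample line is a shortened copy of the quoted one, and the `/usage` path and the function names are assumptions.

```python
import re

# Constructed sample: the debug-log line quoted in the post, pattern shortened.
SAMPLE = (
    'Access denied with code 404 (phase 4). Pattern match "\\b(?:Th(?:is ..." '
    'at RESPONSE_BODY. '
    '[file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] '
    '[line "19"] [id "970002"] [msg "Statistics Information Leakage"] '
    '[severity "WARNING"]'
)

DENIED = re.compile(r'Access denied with code (\d{3}) \(phase (\d)\)')
TARGET = re.compile(r'" at (\S+?)\. \[')
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_denial(line):
    """Return the fields of a ModSecurity denial line, or None if it is not one."""
    hit = DENIED.search(line)
    if not hit:
        return None
    info = {"status": int(hit.group(1)), "phase": int(hit.group(2))}
    target = TARGET.search(line)
    info["target"] = target.group(1) if target else None
    for key, value in TAG.findall(line):
        info.setdefault(key, value)  # keep the first value of each [key "value"] tag
    return info


def scoped_exclusion(info, location):
    """Build an Apache block that disables only this rule under `location`."""
    # Refuse values that could smuggle extra directives into the generated config.
    if not re.fullmatch(r'/[\w./-]*', location):
        raise ValueError("location must be a plain URL path")
    if not info.get("id", "").isdigit():
        raise ValueError("no numeric rule id in log line")
    msg = re.sub(r'[^\x20-\x7e]', ' ', info.get("msg", ""))
    return (
        f'<Location "{location}">\n'
        f'    # {info["id"]}: {msg} (phase {info["phase"]}, {info["target"]})\n'
        f'    SecRuleRemoveById {info["id"]}\n'
        f'</Location>\n'
    )


if __name__ == "__main__":
    # "/usage" is an assumed path for the webalizer reports, not taken from the post.
    print(scoped_exclusion(parse_denial(SAMPLE), "/usage"))
```

The generated block leaves the rest of the outbound rule set active everywhere else on the server.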
