The Joomla! Forum ™
Posted: Sun Feb 28, 2010 10:57 am
Joomla! Apprentice

Joined: Tue Oct 20, 2009 7:14 am
Posts: 16
Location: GMT +1
I get the 403 error: You don't have permission for /administrator/index.php on this server

Log tells me that the error is caused by certain rule in mod_security:
Code:
Message: Access denied with code 403 (phase 2). Found 1513 byte(s) in ARGS:text outside range: 0 255. [file "/etc/apache2/conf.d/mod-security.conf"] [line "31"]
Action: Intercepted (phase 2)
Stopwatch: 1267352675593674 1937 (865* 1315 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9

Here is the rule:
Code:
# Only allow bytes from this range
SecRule ARGS:text "@validateByteRange 0 255"


Can somebody tell me how to fix this rule? I can turn it off (or disable 403 messages), but that is not the proper solution.

Thanks

_________________
Badgers? Badgers!....we don't need no stinkin' badgers !


Posted: Sun Feb 28, 2010 10:49 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
I would take a close look at the /administrator/index.php and the site in general for being hacked.

I think that is a standard mod_security rule. It prevents what it is telling you: bytes outside the range being submitted by URL.

[ ] Run the forum post assistant and security tool (instructions available here). Force a full install, not an update. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files.

[ ] Ensure you have the latest version of Joomla. We recommend update manager

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Sun Feb 28, 2010 11:19 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12423
Location: The Girly Side of Joomla in Sussex
Hands up - I have never come across that before. Will watch with interest.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Mon Mar 01, 2010 10:55 am
Joomla! Apprentice

Joined: Tue Oct 20, 2009 7:14 am
Posts: 16
Location: GMT +1
@PhilD

Quote:
[ ] Ensure you have the latest version of Joomla. We recommend update manager

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.


Considering the previous bad experience I've had, I did all the above security settings (all the security checklists + official Debian PHP and Apache hardening instructions) thoroughly this time.

I started the forum post assistant and it showed that everything is secured (except sudo). Will post it here for you to double check.

So if I got that correctly, if I just install a fresh Joomla instance it should work with that rule enabled?

_________________
Badgers? Badgers!....we don't need no stinkin' badgers !


Posted: Mon Mar 01, 2010 4:14 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
I'm not a mod_security rule expert, but the rule shows up in the standard set of recommended rules I find and helps prevent stack overflow attacks. The mod_security documentation explains the rule function better than I can.

Following From: http://www.modsecurity.org/documentatio ... ators.html
Quote:
validateByteRange

Description: Validates the byte range used in the variable falls into the specified range.

Example:

SecRule ARG:text "@validateByteRange 10, 13, 32-126"

Note

You can force requests to consist only of bytes from a certain byte range. This can be useful to avoid stack overflow attacks (since they usually contain "random" binary content). Default range values are 0 and 255, i.e. all byte values are allowed. This directive does not check byte range in a POST payload when multipart/form-data encoding (file upload) is used. Doing so would prevent binary files from being uploaded. However, after the parameters are extracted from such request they are checked for a valid range.

validateByteRange is similar to the ModSecurity 1.X SecFilterForceByteRange Directive however since it works in a rule context, it has the following differences:

* You can specify a different range for different variables.
* It has an "event" context (id, msg....)
* It is executed in the flow of rules rather than being a built in pre-check.



My thought is that you were hacked and random byte data outside of the default 0-255 byte range is attempting to be submitted in a stack overflow type attack.

If you did your own server setup there could also be a misconfiguration or conflict somewhere in the setup. I would try making sure everything on the domain is clean and secure first, and that the computer used for access is free of malware before getting deeper into the server configuration. I would not disable the rule.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
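Added example (not ModSecurity's own code, and not posted by anyone in this thread): a small Python re-implementation of the validateByteRange check as the quoted documentation describes it. It parses the comma-separated range syntax from the docs example ("10, 13, 32-126") into a set of allowed byte values and counts, per argument, the bytes that fall outside it, the same figure the "Found N byte(s) ... outside range" message reports. The form arguments are constructed, and the parser deliberately rejects any token it cannot read as a single value or a dash range, so a rule spec can be tested against sample input before it goes live.

```python
"""validateByteRange-style checker (added example, not ModSecurity code)."""
import re

# One token: a single byte value, or an inclusive "lo-hi" range.
_TOKEN = re.compile(r"^\s*(\d{1,3})\s*(?:-\s*(\d{1,3}))?\s*$")


def parse_byte_range(spec: str) -> frozenset:
    """Turn "10, 13, 32-126" into the set of allowed byte values.

    Tokens are comma-separated. Anything that is not a single value or a
    dash range (for example two numbers separated only by a space) raises
    ValueError, so a mistyped spec fails loudly instead of silently
    allowing or denying the wrong bytes.
    """
    allowed = set()
    for token in spec.split(","):
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed range token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"range outside 0-255: {token!r}")
        allowed.update(range(lo, hi + 1))
    return frozenset(allowed)


def spec_is_valid(spec: str) -> bool:
    """True if the spec parses under the documented syntax."""
    try:
        parse_byte_range(spec)
        return True
    except ValueError:
        return False


def check_args(args: dict, spec: str) -> dict:
    """Apply the range to every argument value (bytes); return {name: count}
    for the arguments that would be flagged, mirroring a rule on ARGS."""
    allowed = parse_byte_range(spec)
    flagged = {}
    for name, value in args.items():
        outside = sum(1 for b in value if b not in allowed)
        if outside:
            flagged[name] = outside
    return flagged


# Constructed sample resembling an article save; UTF-8 text has bytes >= 128.
SAMPLE_ARGS = {
    "title": b"Hello world",
    "text": "<p>Caf\u00e9 \u2013 na\u00efve</p>\r\n".encode("utf-8"),
}

if __name__ == "__main__":
    print(check_args(SAMPLE_ARGS, "0-255"))           # nothing flagged
    print(check_args(SAMPLE_ARGS, "10, 13, 32-126"))  # UTF-8 bytes in 'text' flagged
```

Run against a captured request's decoded arguments, the second call shows which fields a printable-ASCII-only rule would block, which is the question to answer before tightening a range on a site that stores non-ASCII content.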


Posted: Thu Mar 04, 2010 9:53 am
Joomla! Apprentice

Joined: Tue Oct 20, 2009 7:14 am
Posts: 16
Location: GMT +1
@PhilD

I am sorry it took a while. I installed a fresh Joomla instance downloaded from the official site and I get exactly the same errors as with the live site. So my assumption is that we can rule the hack out. I checked the logs more thoroughly and the "access denied" I posted is accompanied by two other versions. I sent a question to the mod_sec mailing list but there was no answer, so I really don't know what to do anymore (review Apache settings, PHP settings? I already ruled out .htdocs and folder permissions).

With this rule on I can't save any article as backend or frontend admin (or editor):

Code:
--47c73d34-H--
Message: Access denied with code 403 (phase 2). Found 13 byte(s) in ARGS:text outside range: 0 255. [file "/etc/apache2/conf.d/mod-security.conf"] [line "31"]
Action: Intercepted (phase 2)
Stopwatch: 1267650139142347 42225 (40668* 41207 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9
--47c73d34-Z--


With this rule on I can't save two specific articles (I noticed 2, maybe there are more) that are currently unpublished:

Code:
--b572952b-H--
Message: Access denied with code 403 (phase 2). Invalid URL Encoding: Non-hexadecimal digits used at ARGS:text. [file "/etc/apache2/conf.d/mod-security.conf"] [line "27"]
Action: Intercepted (phase 2)
Stopwatch: 1267649993708438 20598 (19009* 19412 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9
--b572952b-Z--


This is an "access denied" from site log (the other two were from mod_sec audit log), which is happening quite often:

Code:
[Mon Mar 01 18:29:30 2010] [error] [client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^application/x-www-form-urlencoded$|^multipart/form-data;)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/mod-security.conf"] [line "39"] [hostname "myhost"] [uri "/index.php"] [unique_id "S4v5en8AAAEAAA3zCDwAAAAJ"]


If I turn these three rules off (I know it's a sec issue) everything works normally. Do you have any other ideas on how to solve this annoyance? Thx

_________________
Badgers? Badgers!....we don't need no stinkin' badgers !


Posted: Thu Mar 04, 2010 9:09 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
No, I'm sorry, I don't have any other ideas. Have you tried posting these questions (maybe combine the issue you're having with the three rules) in the forums at Web Hosting Talk?
http://www.webhostingtalk.com/

I would use the Hosting Security and Technology forum. http://www.webhostingtalk.com/forumdisplay.php?f=5

Someone there is likely to know the answer or be able to assist. If you do get an answer there, would you please post the answer or solution back here. I (and probably others) would like to know the solution.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

