403 forbidden caused by mod_security rule

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

whyzerman
Joomla! Apprentice
Posts: 16
Joined: Tue Oct 20, 2009 7:14 am
Location: GMT +1

403 forbidden caused by mod_security rule

Post by whyzerman » Sun Feb 28, 2010 10:57 am

I get the 403 error: You don't have permission for /administrator/index.php on this server

The log tells me that the error is caused by a certain rule in mod_security:

```text
Message: Access denied with code 403 (phase 2). Found 1513 byte(s) in ARGS:text outside range: 0 255. [file "/etc/apache2/conf.d/mod-security.conf"] [line "31"]
Action: Intercepted (phase 2)
Stopwatch: 1267352675593674 1937 (865* 1315 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9
```
Here is the rule:

```apache
# Only allow bytes from this range
SecRule ARGS:text "@validateByteRange 0 255"
```
Can somebody tell me how to fix this rule? I can turn it off (or disable 403 messages), but that is not the proper solution.

Thanks
Badgers? Badgers!....we don't need no stinkin' badgers !

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: 403 forbidden caused by mod_security rule

Post by PhilD » Sun Feb 28, 2010 10:49 pm

I would take a close look at the /administrator/index.php and the site in general for being hacked.

I think that is a standard mod_security rule. It prevents what it is telling you: bytes outside the range being submitted by URL.

[ ] Run the forum post assistant and security tool. Instructions available here. Force a full install, not an update. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files.

[ ] Ensure you have the latest version of Joomla. We recommend update manager

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.
PhilD

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: 403 forbidden caused by mod_security rule

Post by mandville » Sun Feb 28, 2010 11:19 pm

Hands up, I have never come across that before. Will watch with interest.
HU2HY - Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

whyzerman
Joomla! Apprentice
Posts: 16
Joined: Tue Oct 20, 2009 7:14 am
Location: GMT +1

Re: 403 forbidden caused by mod_security rule

Post by whyzerman » Mon Mar 01, 2010 10:55 am

@PhilD
[ ] Ensure you have the latest version of Joomla. We recommend update manager

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.
Considering the previous bad experience I've had, I did all the above security settings (all the security checklists + official Debian PHP and Apache hardening instructions) thoroughly this time.

I started the forum post assistant and it showed that everything is secured (except sudo). I will post it here for you to double check.

So if I got that correctly, if I just install a fresh Joomla instance, it should work with that rule enabled?
Badgers? Badgers!....we don't need no stinkin' badgers !

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: 403 forbidden caused by mod_security rule

Post by PhilD » Mon Mar 01, 2010 4:14 pm

I'm not a mod_security rule expert, but the rule shows up in the standard set of recommended rules I find and helps prevent stack overflow attacks. The mod_security documentation explains the rule function better than I can.

Following From: http://www.modsecurity.org/documentatio ... ators.html
validateByteRange

Description: Validates the byte range used in the variable falls into the specified range.

Example:

```apache
SecRule ARGS:text "@validateByteRange 10, 13, 32-126"
```

Note

You can force requests to consist only of bytes from a certain byte range. This can be useful to avoid stack overflow attacks (since they usually contain "random" binary content). Default range values are 0 and 255, i.e. all byte values are allowed. This directive does not check byte range in a POST payload when multipart/form-data encoding (file upload) is used. Doing so would prevent binary files from being uploaded. However, after the parameters are extracted from such request they are checked for a valid range.

validateByteRange is similar to the ModSecurity 1.X SecFilterForceByteRange Directive however since it works in a rule context, it has the following differences:

* You can specify a different range for different variables.
* It has an "event" context (id, msg....)
* It is executed in the flow of rules rather than being a built-in pre-check.

My thought is that you were hacked and random byte data outside of the default 0-255 byte range is attempting to be submitted in a stack overflow type attack.

If you did your own server setup there could also be a misconfiguration or conflict somewhere in the setup. I would try making sure everything on the domain is clean and secure first, and that the computer used for access is free of malware before getting deeper into the server configuration. I would not disable the rule.
PhilD
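The quoted documentation gives the operator's grammar (comma-separated values, hyphenated ranges) and the meaning of the reported count. The script below is an added example, not ModSecurity's code and not something from this thread, that models @validateByteRange in Python so the effect of a given spec on a given argument can be reasoned about offline. It goes beyond the thread's single rule by accepting any documented spec, and it deliberately refuses specs that are not in the documented N or N-M form (such as the space-separated "0 255" in the original rule) rather than guessing what the real parser would do with them; how the installed build tokenises that spelling is an assumption to be verified against that build. The article text and the `check_args` helper are constructed for the example.

```python
# Added example, not ModSecurity's own code: a Python model of the
# @validateByteRange operator as the quoted documentation describes it,
# used to reason about which bytes in a request argument a rule rejects.
from typing import Dict, Set


def parse_byte_range(spec: str) -> Set[int]:
    """Turn a spec in the documented form, e.g. "10, 13, 32-126", into the set
    of allowed byte values.  Elements are comma separated and each one is a
    single value N or a range N-M.  Any other shape, such as "0 255" with a
    space and no hyphen, is rejected here so that an ambiguous rule fails at
    load time instead of silently allowing an unintended set of bytes.
    Assumption: this follows the documented grammar only; it is not a reading
    of the real parser, whose handling of "0 255" must be checked separately."""
    allowed: Set[int] = set()
    for element in spec.split(","):
        token = element.strip()
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            if not (lo_s.strip().isdigit() and hi_s.strip().isdigit()):
                raise ValueError(f"element {token!r} is not of the form N-M")
            lo, hi = int(lo_s), int(hi_s)
        elif token.isdigit():
            lo = hi = int(token)
        else:
            raise ValueError(f"element {token!r} is neither N nor N-M")
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"element {token!r} is outside 0-255")
        allowed.update(range(lo, hi + 1))
    return allowed


def bytes_outside_range(value: bytes, spec: str) -> int:
    """Count the bytes of value that spec does not allow.  The audit-log
    message reports exactly this count; 0 means the rule does not match."""
    allowed = parse_byte_range(spec)
    return sum(1 for b in value if b not in allowed)


def check_args(args: Dict[str, bytes], target: str, spec: str) -> str:
    """Emulate SecRule ARGS:<target> "@validateByteRange <spec>" against raw,
    already URL-decoded argument bytes.  Returns "" when the request would
    pass, otherwise the denial reason in the wording of the audit log."""
    bad = bytes_outside_range(args.get(target, b""), spec)
    if bad == 0:
        return ""
    return f"Found {bad} byte(s) in ARGS:{target} outside range: {spec}."


# Constructed sample: a short article body as a browser POSTs it in UTF-8.
# The two accented letters each encode to two bytes above 0x7f.
ARTICLE = "Naïve café".encode("utf-8")


if __name__ == "__main__":
    for spec in ("0-255", "1-255", "10, 13, 32-126"):
        verdict = check_args({"text": ARTICLE}, "text", spec) or "pass"
        print(f"{spec!r:18} -> {verdict}")
```

Running it shows the two things worth knowing before touching the rule: a range that really covers 0 to 255 can never report a byte outside it (the documentation says exactly that), so a log line claiming bytes "outside range: 0 255" cannot be explained by the request content alone; and a printable-only range such as 32-126 rejects every accented letter in a UTF-8 article body, which is what a CMS editor submits all day. The spec is the variable to test, one request at a time, not the rule as a whole.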

whyzerman
Joomla! Apprentice
Posts: 16
Joined: Tue Oct 20, 2009 7:14 am
Location: GMT +1

Re: 403 forbidden caused by mod_security rule

Post by whyzerman » Thu Mar 04, 2010 9:53 am

@PhilD

I am sorry it took a while. I installed a fresh Joomla instance downloaded from the official site and I get exactly the same errors as with the live site. So my assumption is that we can rule the hack out. I checked the logs more thoroughly and the "access denied" I posted is accompanied by two other versions. I sent a question to the mod_sec mailing list but there was no answer, so I really don't know what to do anymore (review Apache settings, PHP settings? I already ruled out .htdocs and folder permissions).

With this rule on I can't save any article as backend or frontend admin (or editor):

```text
--47c73d34-H--
Message: Access denied with code 403 (phase 2). Found 13 byte(s) in ARGS:text outside range: 0 255. [file "/etc/apache2/conf.d/mod-security.conf"] [line "31"]
Action: Intercepted (phase 2)
Stopwatch: 1267650139142347 42225 (40668* 41207 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9
--47c73d34-Z--
```
With this rule on I can't save two specific articles (I noticed 2, maybe there are more) that are currently unpublished:

```text
--b572952b-H--
Message: Access denied with code 403 (phase 2). Invalid URL Encoding: Non-hexadecimal digits used at ARGS:text. [file "/etc/apache2/conf.d/mod-security.conf"] [line "27"]
Action: Intercepted (phase 2)
Stopwatch: 1267649993708438 20598 (19009* 19412 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9
--b572952b-Z--
```
This is an "access denied" from site log (the other two were from mod_sec audit log), which is happening quite often:

```text
[Mon Mar 01 18:29:30 2010] [error] [client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^application/x-www-form-urlencoded$|^multipart/form-data;)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/mod-security.conf"] [line "39"] [hostname "myhost"] [uri "/index.php"] [unique_id "S4v5en8AAAEAAA3zCDwAAAAJ"]
```
If I turn these three rules off (I know it's a sec issue) everything works normally. Do you have any other ideas how to solve this annoyance? Thx
Badgers? Badgers!....we don't need no stinkin' badgers !
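Three denials from three different rule lines in the same file are three separate problems, and the first triage step is to key each denial on the rule that fired rather than on the 403 itself. The script below is an added example (not part of this thread, and not ModSecurity's or Joomla's code) that parses the 2.5-era message layout shown in the excerpts above, from both the audit log's H sections and the Apache error log, into records grouped by rule file and line. The sample text is assembled from the three messages quoted in the post; the regular expressions assume that message layout, and the "family" labels are inferred from the wording of the messages, not from ModSecurity internals.

```python
# Added example, not ModSecurity's or Joomla's code: turn ModSecurity 2.5
# denial messages (audit-log H sections and Apache error-log lines) into
# records keyed by the rule that fired, so each rule is examined on its own.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample built from the three denials quoted in the post above.
SAMPLE_LOG = """\
--47c73d34-H--
Message: Access denied with code 403 (phase 2). Found 13 byte(s) in ARGS:text outside range: 0 255. [file "/etc/apache2/conf.d/mod-security.conf"] [line "31"]
Action: Intercepted (phase 2)
--47c73d34-Z--
--b572952b-H--
Message: Access denied with code 403 (phase 2). Invalid URL Encoding: Non-hexadecimal digits used at ARGS:text. [file "/etc/apache2/conf.d/mod-security.conf"] [line "27"]
Action: Intercepted (phase 2)
--b572952b-Z--
[Mon Mar 01 18:29:30 2010] [error] [client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^application/x-www-form-urlencoded$|^multipart/form-data;)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/mod-security.conf"] [line "39"] [hostname "myhost"] [uri "/index.php"] [unique_id "S4v5en8AAAEAAA3zCDwAAAAJ"]
"""

# Layout of the denial message as it appears in the quoted excerpts.
DENIAL_RE = re.compile(
    r'Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)\. '
    r'(?P<reason>.*?)\. \[file "(?P<file>[^"]+)"\] \[line "(?P<line>\d+)"\]'
)
CLIENT_RE = re.compile(r'\[client (?P<client>[^\]]+)\]')
TAG_RE = re.compile(r'\[(?P<key>hostname|uri|unique_id) "(?P<val>[^"]*)"\]')


@dataclass
class Denial:
    code: int
    phase: int
    reason: str
    rule_file: str
    rule_line: int
    client: str = ""                      # only the error log carries this
    extra: Dict[str, str] = field(default_factory=dict)  # hostname, uri, unique_id

    @property
    def family(self) -> str:
        """Coarse check type inferred from the message wording (an assumption
        based on the quoted messages, not on how ModSecurity names operators)."""
        if "outside range" in self.reason:
            return "byte-range check"
        if "Invalid URL Encoding" in self.reason:
            return "URL-encoding check"
        if self.reason.startswith('Match of "rx '):
            return "regex match"
        return "other"


def parse_denials(text: str) -> List[Denial]:
    """Extract one Denial per line that carries an 'Access denied' message;
    Action/Stopwatch/Producer lines and section markers are skipped."""
    found: List[Denial] = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        client = CLIENT_RE.search(line)
        extra = {t.group("key"): t.group("val") for t in TAG_RE.finditer(line)}
        found.append(Denial(
            code=int(m.group("code")), phase=int(m.group("phase")),
            reason=m.group("reason"), rule_file=m.group("file"),
            rule_line=int(m.group("line")),
            client=client.group("client") if client else "", extra=extra))
    return found


def count_by_rule(denials: List[Denial]) -> Counter:
    """Tally denials per (file, line); each distinct key is a separate rule
    that needs its own look before anything is switched off."""
    return Counter((d.rule_file, d.rule_line) for d in denials)


if __name__ == "__main__":
    records = parse_denials(SAMPLE_LOG)
    for (path, line), n in count_by_rule(records).most_common():
        fam = next(d.family for d in records if d.rule_line == line)
        print(f"{n:3d}  {path}:{line}  ({fam})")
```

Pointed at a real audit log the tally shows at a glance whether one rule is responsible for most of the noise, and the `extra` fields from the error log (URI, unique_id) tie a denial back to a specific request in the audit log for a closer look at what was actually submitted.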

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: 403 forbidden caused by mod_security rule

Post by PhilD » Thu Mar 04, 2010 9:09 pm

No, I'm sorry, I don't have any other ideas. Have you tried posting these questions (maybe combine the issue you're having with the three rules) in the forums at Web Hosting Talk?
http://www.webhostingtalk.com/

I would use the Hosting Security and Technology forum. http://www.webhostingtalk.com/forumdisplay.php?f=5

Someone there is likely to know the answer or be able to assist. If you do get an answer there, would you please post the answer or solution back here. I (and probably others) would like to know the solution.
PhilD

