1.23.0 on X86_64 -- New Monitor Source Problem

Post by wildpossum »

Hi All.

I am getting this error whenever I try to change the monitor function of ZM 1.23.0

(from /var/log/httpd/errors log file)
[Sat Jan 12 14:56:32 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:new_monitor[LabelFormat]. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "localhost"] [uri "/zm.php"] [unique_id "bbth6cCoAWQAAAsRJ@kAAAAE"]

Note my ZM config is default settings from make install. I haven't knowingly changed any setting(s).

I was simply trying to ADD a new monitor (I get the Monitor New pop-up OK). When I then proceed to the next screen (Source), a general screen pop-up says:
Bad Request
Your browser sent a request that this server could not understand.
Apache/2.2.0 (Fedora) Server at localhost Port 80
and the above error message appears in the http/error logfile.


Any suggestions on why this is happening and what to try to resolve it?
I have rechecked that config has ZM_OPT_USE_AUTH not set.
Grahame

Post by cordel »

What Distro/Revision?
What version of Apache?
What version of PHP?

Post by wildpossum »

Hi Cordel.

64bit Distro ID - Fedora Core '8',
ZM 1.23.0 compiled from Source Code.
PHP 5.2.4-3
PHPMysql 5.2.4-3
httpd (apache) 2.2.6-3
mysql 5.0.45-6.fc8
glibc 3.7.2

Thanks
Grahame

Post by cordel »

Remove package modsecurity or configure Apache module modsecurity so that it will work.

Post by wildpossum »

Thanks - Accurate and timely support 8)
Grahame

Post by lazyleopard »

There's a problem with one of the default mod_security rules which is trying to trap bad % encodings. It sees the encoded date-and-time format and gets confused.

The offending mod_security SecRule line looks like this:

    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

The encoded date-and-time format probably looks something like this:

    LabelFormat%5D=%25y%2F%25m%2F%25d+%25H%3A%25M%3A%25S

and things like "%25d" seem to trip the pattern up.
Rick Hewett
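
The false positive discussed above can be reproduced offline. This is an added example, not part of the original posts and not ZoneMinder or ModSecurity code: it runs the quoted pattern over a constructed form body, assuming the rule inspects the URL-decoded argument value (as the `ARGS:new_monitor[LabelFormat]` target in the log suggests). The `Name` pair and the function name are made up for the illustration.

```python
import re
from urllib.parse import parse_qsl

# Pattern copied from the SecRule quoted in the thread (rule id 950107):
# a '%' that is not at end of input, not followed by a non-word character,
# and not the start of a %XX or %uXXXX escape.
RULE_950107 = re.compile(r"\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Constructed request body. Only the LabelFormat value comes from the thread;
# the Name pair is invented so there is a clean argument to compare against.
SAMPLE_BODY = (
    "new_monitor%5BName%5D=Front+Door"
    "&new_monitor%5BLabelFormat%5D=%25y%2F%25m%2F%25d+%25H%3A%25M%3A%25S"
)


def flagged_args(body):
    """Return {decoded_arg_name: ['%x', ...]} for every argument the pattern hits."""
    hits = {}
    # parse_qsl URL-decodes names and values, as a WAF's ARGS collection would.
    for name, value in parse_qsl(body, keep_blank_values=True):
        tokens = [value[m.start():m.start() + 2]
                  for m in RULE_950107.finditer(value)]
        if tokens:
            hits[name] = tokens
    return hits


if __name__ == "__main__":
    for arg, tokens in flagged_args(SAMPLE_BODY).items():
        print(f"{arg}: rule would fire on {tokens}")
    # Decoded values the pattern accepts: trailing '%', '%' before a
    # non-word character, and a well-formed escape left after decoding.
    for benign in ("100%", "50% off", "%41"):
        print(f"{benign!r}: match={bool(RULE_950107.search(benign))}")
```

Every strftime token in the decoded label looks like a malformed escape to this pattern, so the content alone cannot be told apart from what the rule is meant to catch. An exception therefore has to be scoped by rule id and location, for example with ModSecurity 2.x's `SecRuleRemoveById` directive for id 950107 inside an Apache `<Location>` block covering the ZoneMinder script.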

Post by wildpossum »

Thanks everyone that responded.

Corrected as you pointed out and all is OK now. :D
Grahame

Can you tell me how?

Post by melcahoon »

Sorry to be dense, but I have the same issue and I am not sure how to make the Mod_Security work with Apache. Can you give me some step by step instructions? I am also using Fedora 8.

My error:

[Tue Apr 15 21:19:50 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code leakage"] [severity "WARNING"] [hostname "localhost"] [uri "/zm/index.php?view=monitor"] [unique_id "-VwdlqZGUYIAAC7eCYQAAAAH"]
[Tue Apr 15 21:35:27 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 2). Patte
~



Thanks!

not 64 bit

Post by melcahoon »

I should note that I am not running the 64 bit version of Fedora. I am hoping for some help as until I can add a monitor, I am dead in the water!

Post by melcahoon »

I set the mod_security to DetectionOnly, but I am not sure how to configure it so that it will actually work when it is set to on. I guess I should clarify my question to indicate that I am looking for _that_ info.
Thanks in advance!