1.23.0 on X86_64 -- New Monitor Source Problem
- wildpossum
- Posts: 38
- Joined: Wed Jul 04, 2007 5:40 am
- Location: Sydney - AUSTRALIA
Hi All.
I am getting this error whenever I try to change the monitor function of ZM 1.23.0
(from /var/log/httpd/errors log file)
[Sat Jan 12 14:56:32 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:new_monitor[LabelFormat]. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "localhost"] [uri "/zm.php"] [unique_id "bbth6cCoAWQAAAsRJ@kAAAAE"]
Note my ZM config is default settings from make install. I haven't knowingly changed any setting(s).
I was simply trying to ADD a new monitor (I get the Monitor New pop-up OK) when I then proceed to the next screen (Source) a general screen pop-up, says:
Bad Request
Your browser sent a request that this server could not understand.
Apache/2.2.0 (Fedora) Server at localhost Port 80
and the above error message appears in the http/error logfile.
Any suggestions on why this is happening and what to try to resolve it?
I have rechecked that config has ZM_OPT_USE_AUTH not set.
Grahame
- lazyleopard
- Posts: 403
- Joined: Tue Mar 02, 2004 6:12 pm
- Location: Gloucestershire, UK
There's a problem with one of the default mod_security rules which is trying to trap bad % encodings. It sees the encoded date-and-time format and gets confused.
The offending mod_security SecRule line looks like this:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
The encoded date-and-time format probably looks something like this:
LabelFormat%5D=%25y%2F%25m%2F%25d+%25H%3A%25M%3A%25S
and things like "%25d" seem to trip the pattern up.
Rick Hewett
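Added example, not part of the original thread or of ModSecurity or ZoneMinder: a short Python check that applies the pattern from the quoted SecRule to the quoted LabelFormat field after one round of URL decoding, showing which `%` sequences the rule rejects. The function names and the extra sample arguments are constructed for illustration, and Python's `re` with `re.ASCII` is assumed to be a close enough stand-in for the regex engine ModSecurity uses.

```python
"""Reproduce why rule 950107 rejects ZoneMinder's LabelFormat (added example)."""
import re
from urllib.parse import unquote_plus

# Pattern copied from the SecRule line quoted in the thread. re.ASCII keeps \W
# limited to ASCII word characters (assumption about the engine's behaviour).
RULE_950107 = re.compile(r"\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})", re.ASCII)

# Form field exactly as quoted in the thread (the name is cut off there too).
PAGE_SAMPLE = "LabelFormat%5D=%25y%2F%25m%2F%25d+%25H%3A%25M%3A%25S"


def decode_arg(pair):
    """Split name=value and URL-decode once, as is done before ARGS is inspected."""
    name, _, value = pair.partition("=")
    return unquote_plus(name), unquote_plus(value)


def flagged_tokens(value):
    """Return (offset, '%x') for every '%' the rule treats as a bad encoding."""
    return [(m.start(), value[m.start():m.start() + 2])
            for m in RULE_950107.finditer(value)]


def triage(pair):
    """Summarise one argument: decoded value, rule hits, and the deny decision."""
    name, value = decode_arg(pair)
    hits = flagged_tokens(value)
    return {"arg": name, "decoded": value, "hits": hits, "denied": bool(hits)}


if __name__ == "__main__":
    # The last three inputs are constructed samples that the rule accepts:
    # a literal percent sign, a leftover hex pair, and a %uXXXX sequence.
    for sample in (PAGE_SAMPLE, "q=100%25+sure", "q=a%2520b", "q=%25u0041"):
        print(triage(sample))
```

Every hit on the LabelFormat value is a `%` followed by a single letter, which is a strftime-style format rather than a malformed encoding, so an exception can be limited to rule id 950107 on the ZoneMinder path (for example with `SecRuleRemoveById` in a `Location` block) instead of turning the engine off.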
- wildpossum
- Posts: 38
- Joined: Wed Jul 04, 2007 5:40 am
- Location: Sydney - AUSTRALIA
Can you tell me how?
Sorry to be dense, but I have the same issue and I am not sure how to make the Mod_Security work with Apache. Can you give me some step by step instructions? I am also using Fedora 8.
My error:
[Tue Apr 15 21:19:50 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code leakage"] [severity "WARNING"] [hostname "localhost"] [uri "/zm/index.php?view=monitor"] [unique_id "-VwdlqZGUYIAAC7eCYQAAAAH"]
[Tue Apr 15 21:35:27 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 2). Patte
~
Thanks!
not 64 bit
I should note that I am not running the 64 bit version of Fedora. I am hoping for some help as until I can add a monitor, I am dead in the water!