mod_security 260 rc1

Started by Gregg, April 21, 2011, 10:20:27 PM


Gregg


mario

Why not? What has changed between 2.5.x and 2.6.x ?


DnvrSysEngr

I noticed that you compiled this for 2.2.x versions of Apache.  Any plans on compiling it for 2.3.x versions of Apache?

-S

Gregg

Maybe ... have to look it over and see what needs to be modified to make it work in both, as it is I do not believe it will. I see a hook function that is no longer in Apache 2.3, but that was same for mod_security 2.5.x.

Edit:

As it turns out, it was nothing more than what was done for 2.5.x to make it work, one less modification actually.  I have it x86, will not be able to get to x64 till probably Monday, when that is done, I'll put them all up here on the d/l page.

Gregg

A little concerned now with the follow up on apachelounge's forum. Personally, if the only reason for wanting THIS RC is to get away from THAT problem, it's not going to happen.

Bottom line is the SecPcreMatchLimit & SecPcreMatchLimitRecursion will crash this module I think.
These are to keep at bay a possible DOS scenario, but I had seen it in theory but never saw a POC to prove theory could be used. That doesn't mean it can't, since I do not know for sure.

I have other concerns regarding things I am seeing. For instance, ap_get_scoreboard_worker() has changed to a wrapper function in Apache 2.3/2.4 and the call to this new wrapper, as well as the old for 2.2 are now in this RC. The problem I have is what they are looking for to know which it should be using.

#if APR_MAJOR_VERSION > 1
    sbh = conn->sbh;
    if (sbh == NULL) {
        return DECLINED;
    }

    ws_record = ap_get_scoreboard_worker(sbh);
#else
    ws_record = ap_get_scoreboard_worker(i, j);
#endif


everything I have ever read on list or been told is that ap_* is the Apache API, apr_* is APR. That said, why are they looking for APR 2 to decide which Apache API they are looking for? Maybe I am not seeing things further into the works, but at best this seems IMO an oversight, at worst, well I won't go there since they are still much better than I. But this should be obvious, maybe I'm wrong.

As far as mod_security, maybe 8.x of PCRE is too new and what these rules are doing requires an older version. Maybe there is no API in PCRE for adjusting these limits post PCRE 6 or 7.

So, that said, I do not think we should release these in any normal fashion. I still have not built an x64 version for 2.3. But, on the horizon is 2.3.12. We are waiting, I think, for APR & APR-Util releases before the next versions of Apache, both 2.2.18 & 2.3.12, are released. I do not want to build today and then do it again in a week. But alas, I must go to store later, will stop by the house and just do it then.
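
Added example (not code from this thread or from mod_security itself) contrasting the RC's APR_MAJOR_VERSION test with a check on httpd's own release macros from ap_release.h. The stand-in values used when the httpd headers are absent are constructed to match the Apache 2.3.11 / APR 1.4.2 build quoted later in this thread, and HAVE_HTTPD_HEADERS is a hypothetical switch for compiling against the real headers instead.

```c
#include <stdio.h>

/* Use the real Apache/APR version macros when building against httpd-dev;
 * otherwise fall back to constructed stand-ins matching the 2.3.11 build
 * quoted in this thread (Apache 2.3.11, APR 1.4.2) so the file compiles alone. */
#ifdef HAVE_HTTPD_HEADERS
#include "ap_release.h"
#include "apr_version.h"
#else
#define AP_SERVER_MAJORVERSION_NUMBER 2   /* constructed: Apache 2.3.x */
#define AP_SERVER_MINORVERSION_NUMBER 3
#define APR_MAJOR_VERSION             1   /* constructed: APR 1.4.2 */
#endif

/* Which ap_get_scoreboard_worker() signature a given build would call. */
#define SCOREBOARD_BY_INDEX 0   /* 2.2 API:     ap_get_scoreboard_worker(i, j) */
#define SCOREBOARD_BY_SBH   1   /* 2.3/2.4 API: ap_get_scoreboard_worker(sbh)  */

/* The selection logic as it appears in the RC: keyed off the APR major
 * version, which says nothing about which httpd API is present. */
int scoreboard_api_by_apr_check(void)
{
#if APR_MAJOR_VERSION > 1
    return SCOREBOARD_BY_SBH;
#else
    return SCOREBOARD_BY_INDEX;
#endif
}

/* The same decision keyed off httpd's release numbers (ap_release.h), which
 * is what the API break between 2.2 and 2.3 actually tracks. A check on the
 * module magic number via AP_MODULE_MAGIC_AT_LEAST() from ap_mmn.h would work
 * the same way. */
int scoreboard_api_by_httpd_check(void)
{
#if AP_SERVER_MAJORVERSION_NUMBER > 2 || \
    (AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER >= 3)
    return SCOREBOARD_BY_SBH;
#else
    return SCOREBOARD_BY_INDEX;
#endif
}

int main(void)
{
    /* On an Apache 2.3.11 + APR 1.4.2 build the two checks disagree. */
    printf("APR-based check selects:   %s\n",
           scoreboard_api_by_apr_check() == SCOREBOARD_BY_SBH ? "sbh" : "(i, j)");
    printf("httpd-based check selects: %s\n",
           scoreboard_api_by_httpd_check() == SCOREBOARD_BY_SBH ? "sbh" : "(i, j)");
    return 0;
}
```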

DnvrSysEngr

Here is the error message I got after installing Mod_Security 2.6.0 RC1 (32-bit).

The Apache service named  reported the following error:
>>> httpd.exe: Syntax error on line 163 of C:/Program Files/Apache/conf/httpd.conf: Cannot load C:/Program Files/Apache/modules/mod_security2.so into server: The specified procedure could not be found.     .


If I revert back to Mod_Security 2.5.13, all works well.

DnvrSysEngr

I forgot to mention that I am running Apache 2.3.11 32-bit on Windows 2008 Server 32-bit.

Gregg

Well yes, that one that was in my apachehaus.net site is for 2.2 only ... as the readme said same ;).
I just built the x64 version 30 minutes ago and just now put them up on my server.
http://www.apachehaus.net:81/modules/

Apache's API between 2.2 & 2.3 are not binary compatible. Every time the MMN (module magic number) changes modules must be rebuilt. That number has bumped quite a few times since 2.3.11.

Anyhow, I have made sure I built these with 2.3.11, the x86 one on this laptop with
Server version: Apache/2.3.11 (Win32)
Server built:   Apr  7 2011 17:57:06
Server's Module Magic Number: 20110203:2
Server loaded:  APR 1.4.2, APR-UTIL 1.3.10
Compiled using: APR 1.4.2, APR-UTIL 1.3.10
Architecture:   32-bit
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no

so it will match what you have, it should anyway since all those version numbers match our released 2.3.11.

DnvrSysEngr

I have tried the 2.6.0 RC1 for 2.3.11 and it is a "no go" for Apache 2.3.11 servers. Tried on 2 different servers as well - one running on Windows 2008 and the other running Windows 7.

Additionally, the .ZIP files for 2.2.17 and 2.3.11 are 100% identical (files/contents, folder names, file sizes, etc.).

Just for kicks, I downloaded the 2.6.0 RC1 .ZIP file for 2.3.11 and installed on a new server running 2.2.17 and it worked perfectly.

PS.  Darn these Trolls spamming the site.

Gregg

I guess stuff happens when rushed, dang it! Will let you know when I replace them.

As far as the spammers, I cleaned a ton of stuff out yesterday. They're worse than cockroaches in your omelet from that greasy spoon down the street!

DnvrSysEngr

No worries on the mistake.

Does the config for Mod_security have to be placed in httpd.conf?  If I am correct, for 2.5.13.1 it is in its own separate .conf file.

Thanks

  ~S

Gregg

No, do same with 2.6, I changed nothing but the module on my server.

DnvrSysEngr

OK. Thank you for the info. I will look for the 2.6.0 RC1 when it is on the site and I will test it.

-S

Gregg

It's there, -r2. The file sizes are the same between the two but I took this one from my running Apache 2.3.11, so it works for me.