Gossamer Forum

mod_security and Gossamer Mail

Apache with mod_security causes a 403 error when the following rule is also activated in the config section:

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<.+>"

Does it mean that, for Gossamer Mail to operate without any errors, the server is open to HTTP XSS attacks? The rules which have Gossamer Mail operating without any errors are enumerated below:

<IfModule mod_security.c>
# Only inspect dynamic requests
SecFilterEngine DynamicOnly

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"

SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

#Additional Rules

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Prevent XSS attacks (HTML/Javascript injection)
# SecFilter "<.+>"


It's when the last line is uncommented that Gossamer Mail fails with a 403 error...
Additionally, how compatible would other GT products be with the rule sets noted above if HTTP is operating with mod_security activated?


Last edited by: HyperTherm, Sep 1, 2004, 5:27 AM
Re: [HyperTherm] mod_security and Gossamer Mail
More On This:

Even the SQL injection attack protection had to be disabled, otherwise sending a newly composed mail gives the following error:

mod_security-message: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD.

mod_security-action: 403
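To see why both the `<.+>` rule from the first post and the `select.+from` rule from the second trip on a mail composer, here is an added Python check that replays the SecFilter patterns quoted in the thread against constructed compose-form POST bodies. It is example code written for this page, not code from the thread, from mod_security or from Gossamer Mail. It assumes the 1.x engine applied the patterns case-insensitively to both the raw POST body and the URL-decoded form fields, and the field names `to`, `subject` and `body` are invented for the example.

```python
"""Replay the thread's SecFilter patterns against constructed mail-compose
POST bodies to see which rule fires and where (constructed example)."""
import re
from urllib.parse import parse_qsl, urlencode

# The SecFilter patterns from the thread, with POSIX [[:space:]] rewritten
# as \s for Python's re module. The names are labels for this example only.
RULES = [
    ("path traversal", r"\.\./"),
    ("script tag",     r"<\s*script"),
    ("sql delete",     r"delete\s+from"),
    ("sql insert",     r"insert\s+into"),
    ("sql select",     r"select.+from"),
    ("any html tag",   r"<.+>"),
]

# Assumption: the 1.x engine matched case-insensitively after normalising
# the request, so the patterns are compiled with IGNORECASE here.
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# The rule set the thread ends up running with: no "<.+>" and no SQL rules.
WORKING = [(n, rx) for n, rx in COMPILED if n in ("path traversal", "script tag")]


def first_match(payload, rules=COMPILED):
    """Return (rule name, location, matched text) for the first rule that
    fires, or None if the body would pass. Checks the raw body first
    (reported as POST_PAYLOAD, like the log line in the thread) and then
    each URL-decoded form field (reported as ARG_<field>)."""
    for name, rx in rules:
        m = rx.search(payload)
        if m:
            return (name, "POST_PAYLOAD", m.group(0))
    for field, value in parse_qsl(payload):
        for name, rx in rules:
            m = rx.search(value)
            if m:
                return (name, "ARG_" + field, m.group(0))
    return None


def compose(to, subject, body):
    """Build a form-encoded compose request. The field names are invented
    for this example and are not Gossamer Mail's real parameter names."""
    return urlencode({"to": to, "subject": subject, "body": body})


# Constructed sample requests: ordinary English, an HTML mail, a real
# script injection attempt, and a harmless one-liner.
PLAIN = compose("bob@example.com", "Meeting",
                "Please select a date from the list and reply.")
HTML = compose("bob@example.com", "Newsletter",
               "<p>Hello <b>Bob</b>, see you Friday.</p>")
SCRIPT = compose("bob@example.com", "Hi", "<script>alert(1)</script>")
BENIGN = compose("bob@example.com", "Hi", "Lunch tomorrow?")

if __name__ == "__main__":
    for label, req in [("plain", PLAIN), ("html", HTML),
                       ("script", SCRIPT), ("benign", BENIGN)]:
        print(f"{label:7} full set: {first_match(req)}")
        print(f"{label:7} working : {first_match(req, WORKING)}")
```

With the full set, the plain-English mail is denied on `select.+from` at POST_PAYLOAD (the greedy `.+` lets "select a date from" satisfy it, which is exactly the log line in the second post) and any HTML mail is denied on `<.+>`; the script injection is caught by `<[[:space:]]*script` in both rule sets. The trade-off is therefore as the first post suspects: `<.+>` blocks every message containing markup, not just attacks, so keeping it means blocking HTML mail outright. A narrower option than disabling the rules is to apply them with SecFilterSelective to specific request arguments where neither markup nor free text is expected, leaving the message-body parameter out of those checks.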