blogs

mod_security-2.1.2 and sub requests and segmentation faults

When I moved from 1.8.7 to 2.1.1 I ran into a weird issue where sub requests were not being processed and blocks were not being performed if you were using mod_limitipconn. You can read about it here. During those days, I was running into intermittent segmentation faults with one vhost. I discovered that if I commented out the ErrorDocument for that particular vhost, the segfaults went away. I didn't give it much more thought, but when we just rolled out 2.1.2, we received more of these... enough for me to start digging.

What I discovered was that if a location was behind a proxy (squid / dansguardian, etc.) and a form using the multipart/form-data enctype was posted without supplying an upload file, the segfaults would occur. I immediately contacted the mod_sec mailing list (I'm tellin' ya, they have the best mailing list and responses to bugs!!!). I started working with one of the developers, trying to understand the cause.

passwd is messed up?!?!

So tonight I had to add a local user account on one of my development servers... and here is what happened:

comp ~ # passwd newuser
passwd: Critical error - immediate abort

Hmm. I've never seen this before. Of course, my immediate reflex was to zip to the Gentoo forums. Found out there is apparently a bug related to cracklib (which was a recent upgrade: Thu Oct 11 18:05:48 2007 >>> sys-libs/cracklib-2.8.10).

Simple fix is to do the following:

emerge -1 cracklib shadow

Another Windows Issue - howto disconnect mapped drives via command

When I put this together, I thought it was going to be all about Gentoo Linux, but I ran into another Windows issue today, so I thought I'd share.

Out of the blue today, when opening Windows Explorer, it would hang. Checking the Event Viewer, I found the following:

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 10/5/2007
Time: 6:12:42 PM
User: N/A
Computer: MYCOMP
Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 65 78 70 6c 6f 72     explor
0018: 65 72 2e 65 78 65 20 36   er.exe 6
0020: 2e 30 2e 32 39 30 30 2e   .0.2900.
0028: 33 31 35 36 20 69 6e 20   3156 in
0030: 68 75 6e 67 61 70 70 20   hungapp
0038: 30 2e 30 2e 30 2e 30 20   0.0.0.0
0040: 61 74 20 6f 66 66 73 65   at offse
0048: 74 20 30 30 30 30 30 30   t 000000
0050: 30 30                     00     

New Monitors!

So I finally got out of the dark age and bought some flatscreen LCD monitors and got rid of my old CRTs. I figured it was time since I grew a third nipple and I glow in the dark now.

I found a great deal at Buy.com for ViewSonic VA2026w 20" Widescreen monitors with $30 mail in rebate AND free shipping. So I ordered myself two of those bad boys. I received them today, and for some reason, thought I should read the instructions. It pointed out that the resolution should be set at 1680x1050. Hmmm. I have a pretty crappy, but reliable video card, and my gut said this ain't going to happen by default. Sure enough, checking the resolution settings, my card doesn't support it. Maybe a driver update will help.

Apache Segfault.. Ugh

So, I updated one of my servers to Apache-2.2 and Mod_security-2.1.2, and now I'm getting intermittent segfaults, which I think might be related to uploads and mod_security. I've been posting a few symptoms to the mod_sec mailing list, which has to be one of the best mailing lists on the planet. And now, I'm corresponding with one of the devs.

They asked for a backtrace from a core dump... and, you know, I've never done that. So I'll provide a small how-to for that.

Configure httpd.conf with the directory where the dump should be written (I added this value in 00_default_settings.conf):

CoreDumpDirectory /apache/writable/path

I didn't want to put it into /tmp for obvious reasons. Just make sure you chown the directory apache:apache and you should be good to go.

Next, we need to lift the size limit on core files, so we can be sure we get everything:

ulimit -c unlimited
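The two steps above are easy to get half right: the directory has to be writable by the user httpd actually runs as, and the ulimit only applies to the shell that launches httpd, not to a separate login shell. The script below is an added example, not part of the original post: it checks both conditions and, once a core exists, pulls the full backtrace the developers asked for. The `CoreDumpDirectory` path and the `apache:apache` owner are the post's; the httpd binary path is an assumption for your build.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an Apache core dump
# setup will actually produce a usable dump, then pull a backtrace from it.
# Defaults mirror the post: CoreDumpDirectory /apache/writable/path owned by
# apache:apache. HTTPD_BIN is an assumption; adjust it to your build.

CORE_DIR="${CORE_DIR:-/apache/writable/path}"
HTTPD_BIN="${HTTPD_BIN:-/usr/sbin/apache2}"

# core_dir_writable DIR
# Succeeds only if DIR exists and a file can really be created in it.
# The probe write matters: `test -w` is answered from permission bits and
# can say yes on a read-only mount, where the kernel would still drop the dump.
core_dir_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    probe="$dir/.coreprobe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# core_limit_unlimited
# Succeeds if the *current* shell's core file size limit is unlimited. The
# limit is inherited by child processes, so it must hold in the shell that
# starts httpd (the init script), not just in your interactive shell.
core_limit_unlimited() {
    [ "$(ulimit -c)" = "unlimited" ]
}

# backtrace_from_core CORE_FILE
# Prints a full backtrace non-interactively, which is what the mod_security
# developers asked for. Needs gdb, and an httpd built with debug symbols
# makes the frames far more useful.
backtrace_from_core() {
    core="$1"
    command -v gdb >/dev/null 2>&1 || { echo "gdb not installed" >&2; return 1; }
    gdb -batch -ex "bt full" "$HTTPD_BIN" "$core"
}

# --- walk-through ---------------------------------------------------------
if core_dir_writable "$CORE_DIR"; then
    echo "core dir ok: $CORE_DIR"
else
    echo "core dir not usable: $CORE_DIR (mkdir it and chown apache:apache)" >&2
fi

# Lift the core size limit for this shell and anything it starts.
ulimit -c unlimited 2>/dev/null || echo "could not raise core limit (hard limit in effect?)" >&2
core_limit_unlimited && echo "core limit: unlimited"

# After the next segfault, dump a backtrace for every core found.
for core in "$CORE_DIR"/core*; do
    [ -f "$core" ] && backtrace_from_core "$core"
done
```

Run it from the same environment that starts httpd (on Gentoo, source it from or model it on the init script) so the `ulimit` check reflects what the server actually inherits; a limit of `0` in that environment is the usual reason a crash leaves no core behind even though the directory is fine.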

GLSA - What's up with PHP?

Okay, this has been bugging me for a bit, and I need to rant. Every night I run the following from cron:

/usr/bin/glsa-check -l --nocolor 'affected'

Every night, I get an email with the following:

[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200705-19 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
200610-14 [N] PHP: Integer overflow ( dev-lang/php )
200608-28 [N] PHP: Arbitary code execution ( dev-lang/php )
200703-21 [N] PHP: Multiple vulnerabilities ( dev-lang/php )

Howto remove a single mod_security rule from a specific vhost

On one of my sites, I post various PHP code snippets and examples, and mod_security's 50_outbound.conf would always warn about PHP source code leakage. The rule was correct, and it was in fact catching PHP code being sent in the response, but I wanted to allow this for this site. I did not want to disable the rule, since this is an incredibly useful warning, but for this particular site, I felt it was fine to turn off.

With mod_security-2.1.2, they switched the check from phase:1 to phase:2. This is important to understand, because phase:1 would be too early to exclude a rule at the vhost level; phase:2 rules allow us to manage rules per vhost. My particular rule set is handled in phase:4, which is the response phase, so it definitely won't be a problem.

The rule I wanted to exclude for this vhost was this one:

SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
    "ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970015',severity:'4'"
SecRule RESPONSE_BODY "<\?(?!xml)" \
    "chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970902',severity:'4'"
#SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"
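The clean way to do this is to leave 50_outbound.conf untouched and drop the rules by id inside the one vhost that publishes code samples. The configuration below is an added example, not from the original post or the core rule set: `SecRuleRemoveById` is the ModSecurity 2.x directive for this, and the ids are the ones quoted above; the `ServerName`, `DocumentRoot` and `/examples` path are placeholders.

```apache
# Added example (not from the original post): keep the PHP source leakage
# rules active globally, but disable them for one vhost only.
# ServerName, DocumentRoot and /examples are placeholders.
<VirtualHost *:80>
    ServerName   snippets.example.com
    DocumentRoot /var/www/snippets

    # Removal must happen in a context merged after the global include of
    # 50_outbound.conf; the vhost body is such a context. Because these rules
    # run in phase 4 (response body), per-vhost removal is honoured.
    SecRuleRemoveById 970015
    SecRuleRemoveById 970902

    # Narrower alternative: keep the warning for the rest of the site and
    # only exempt the directory that actually serves code samples.
    # <Location /examples>
    #     SecRuleRemoveById 970015
    #     SecRuleRemoveById 970902
    # </Location>
</VirtualHost>
```

Removing by id beats commenting the rule out of the shared file: every other vhost keeps the leakage check, and the exemption is visible right next to the site it applies to. After the change, post a page that contains PHP source to the exempted site and confirm the audit log no longer records 970015/970902 for it, while a second vhost still does.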

What's up with resource.dir and resource.pag in /tmp? - Apache-2.2 related.

So after my successful upgrade to Apache-2.2, I'm seeing these two zero-length files in /tmp:

-rw-r----- 1 apache apache 0 Sep 23 03:52 resource.dir
-rw-r----- 1 apache apache 0 Sep 23 03:52 resource.pag

Not sure what these are about, and they reappear nightly if I delete them, so it's definitely not related to an Apache service restart.

I posted this on the Gentoo forum, but haven't heard anything back. I sure miss the days when you'd get responses almost within minutes of posting.

http://forums.gentoo.org/viewtopic-t-586928-highlight-apache.html

If anyone has some info, let me know. I know it's not bad, but would just like to understand what's going on.

Upgrading Apache from 2.0.59-r5 to 2.2.6

Today's post will be about my procedure for upgrading Apache-2.0.59-r5 to apache-2.2.6. This is a major jump, and unfortunately it needs to happen. There are bugs-a-plenty at bugs.gentoo.org, and I touched upon these issues here.

The first step before doing any large upgrade is to scour the forums. I always want/need to see what I'm in for. I saw lots of issues with SSL, apache modules and logging issues. Keeping those in my mind, I pulled the trigger on the emerges.

emerge -v apache apache-tools

I'm having issues with the latest update to Mozilla Firefox 2.0.0.7

So my wife updated her Firefox last night, and now it's unable to resolve sites on the net. First thought: it has to be the firewall... right!?!? Of course, my irritation rises, since Norton is installed on that machine. I started disabling various 'protections', and still no-go.

Okay, IE7 works, so I thought I'd reinstall 2.0.0.7 since something might have gotten goofed there. Reinstall went smooth, but still no internet.

Next is Google. I'm hoping that others have had this problem too. I found this useful thread.
