  1. #1
    Join Date
    Feb 2004
    Posts
    1,226

    grsecurity FormMail protection?!

    ok... I think it seems very odd, but I can't think of anything else

    what's happening:
    I use cPanel, and have these 2 files in /usr/local/cpanel/cgi-sys:

    -rwxr-xr-x 1 root wheel 581324 May 19 13:23 FormMail.cgi*
    -rwxr-xr-x 1 root wheel 581324 May 12 10:18 TESTFormMail.cgi*

    they are... the same!

    when I try to use FormMail.cgi as the action in a form and submit it, if one field is a textarea and has a line break (ENTER), I get error 406!
    but if I use the other one (TESTFormMail.cgi), it goes well

    just to make it more clear:
    [email protected] [/usr/local/cpanel/cgi-sys]# diff FormMail.cgi TESTFormMail.cgi
    [email protected] [/usr/local/cpanel/cgi-sys]#
    so... any ideas?

    it seems there's something watching for "/^FormMail/" and making it bug?!

    already 1 day trying to figure this out, together with cPanel tech... and got nothing

    thanks

    PS: I use RH enterprise with kernel 2.4.26 patched with grsecurity

  2. #2
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    I don't think this has anything to do with the kernel or the grsecurity patch. It is most likely related to mod_security, guessing from the error 406
    Just some guessing
    Giam Teck Choon

  3. #3
    Join Date
    Jan 2004
    Posts
    445
    Yes, the 406 error should be related to mod_security. You can turn it off in httpd.conf under SecFilterEngine. Stop and restart httpd. Thanks to Jonathan Michaelson of WayToTheWeb for the original information on this.

  4. #4
    Join Date
    Feb 2004
    Posts
    1,226
    found it with tail -f /var/log/httpd/audit_log:

    Content-length: 3379
    Content-type: text/xml
    mod_security-message: Invalid character detected
    mod_security-action: 406

    HTTP/1.0 406 Not Acceptable
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    now I'll try to find which filter is generating this

    thanks very much

  5. #5
    Join Date
    Feb 2004
    Posts
    1,226
    wasn't hard...

    # WEB-CGI formmail arbitrary command execution attempt
    SecFilterSelective THE_REQUEST "/formmail" chain
    SecFilter "\x0a"
    seems it searches for character 10 (AFAIK, the one Windows puts after 13 when you press ENTER)

    thanks again
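
Added example, not part of the thread and not mod_security's own code: a small Python emulation of the chained rule quoted in post #5, showing why a multi-line textarea posted to FormMail.cgi is answered with 406 while the byte-identical TESTFormMail.cgi is not. It assumes case-insensitive matching (consistent with "/formmail" catching FormMail.cgi) and URL-decoding of the POST body before the second filter runs; the function names and sample bodies are constructed.

```python
import re
from urllib.parse import unquote_plus

# Patterns copied from the rule quoted in the thread.
REQUEST_PATTERN = r"/formmail"   # first link: SecFilterSelective THE_REQUEST
PAYLOAD_PATTERN = r"\x0a"        # chained link: SecFilter (line feed, char 10)


def chain_matches(request_line: str, post_body: str) -> bool:
    """Emulate the two-step chain: both filters must match to trigger the action.

    Assumptions: matching is case-insensitive and the POST body is
    URL-decoded before the second filter is applied.
    """
    if not re.search(REQUEST_PATTERN, request_line, re.IGNORECASE):
        return False  # first link failed, so the chained filter is never evaluated
    decoded = unquote_plus(post_body)
    return re.search(PAYLOAD_PATTERN, decoded) is not None


def evaluate(script: str, body: str) -> int:
    """Return 406 if the rule would fire for a POST to /cgi-sys/<script>.

    200 here only means "not blocked by this rule".
    """
    request_line = f"POST /cgi-sys/{script} HTTP/1.0"
    return 406 if chain_matches(request_line, body) else 200


# Constructed form submissions: a textarea with and without a line break.
MULTILINE = "name=test&comments=line+one%0D%0Aline+two"
SINGLE_LINE = "name=test&comments=line+one"

if __name__ == "__main__":
    for script in ("FormMail.cgi", "TESTFormMail.cgi"):
        for label, body in (("multiline", MULTILINE), ("single", SINGLE_LINE)):
            print(f"{script:18} {label:10} -> {evaluate(script, body)}")
```

The rule keys on the slash directly before "formmail" in the request line, so renaming the script only sidesteps the filter; the legitimate multi-line submission is still a false positive of the pattern itself.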

  6. #6
    Join Date
    Jan 2004
    Posts
    445
    If you are running mod_security 1.7.6, you might consider upgrading to 1.8dev2. It has been stable for us so far.
