Bypassing mod_security for writing blog posts on Dreamhost


I have written my own simple blog software to display syntax-highlighted code, and it works fine on my localhost, but I'm running into problems with mod_security on the Dreamhost server.

[Wed Aug 02 06:45:17.149632 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism for inspecting and filter [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.150461 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at REQUEST_BODY. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: lock\\x0alang=\\x22php\\x22\\x0a found within REQUEST_BODY: {\\x22title\\x22:\\x22sharing code for authorised and guest users in laravel\\x22,\\x22slug\\x22:\\x22sharing-code-for-authorised-and-guest-users-in-laravel\\x22,\\x22content\\x22:\\x22<p>my reading order site appears largely the same whether you're a registered user or just a guest. i wanted to use the same code in both cases, with minor changes for authorised users. this is straight foward in traditional php, but it wasn't clear how to do it in..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1" [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.151912 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism for inspecting and filtering HTTP requests entering your application. For example, Laravel includes a middleware that verifies the user of your application is authenticated.  [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.159647 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:(?:_(?:\\\\$\\\\$ND_FUNC\\\\$\\\\$_|_js_function)|(?:new\\\\s+Function|\\\\beval)\\\\s*\\\\(|String\\\\s*\\\\.\\\\s*fromCharCode|function\\\\s*\\\\(\\\\s*\\\\)\\\\s*{|this\\\\.constructor)|module\\\\.exports\\\\s*=)" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism fo [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.163379 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:c(?:onnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\)]*?|u(?:nion(?:[\\\\w(\\\\s]*?select| select @)|ser\\\\s*?\\\\([^\\\\)]*?)|s(?:chema\\\\s*?\\\\([^\\\\)]*?|elect.*?\\\\w?user\\\\()|in ..." at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the docu [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.175032 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "design.murraygunn.id.au"]

I'm the only user allowed to post, so I could probably turn mod_security off, but I'd like to know whether there's a way around this problem. Dreamhost doesn't allow modifying mod_security, and encodeURIComponent(content) doesn't help.

I suppose I could write a function to break up the offending words, but I'm hoping something already exists. Any ideas?

Answer 1

If the warnings relate to the normal operation of the software, rules can be disabled for a URL. For example, the ModSecurity Core Rule Set (CRS) contains rules on HTML and JavaScript content in POST data, which is common in CMSs and blog systems used to edit HTML pages in the browser.

Find the [id ""] fields in the log and disable the individual rules that cause the false positives. It is wise to restrict the disabled rules to the URLs that need these adjustments, so that you avoid weakening the defences of the whole site.

Here you can find [id "921110"] & [id "949110"]. To disable them in Apache for paths containing /blog/:

<LocationMatch "/blog/">
    SecRuleRemoveById 921110 949110
</LocationMatch>
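As an added example (not part of the answer above), the coarse exclusion from the answer beside a narrower one. Rule 949110 is the CRS blocking evaluation (the log's "Inbound Anomaly Score Exceeded"), so removing it under /blog/ switches off blocking there entirely; the narrower form keeps it and only stops rule 921110 from inspecting the variables the log shows matching (the JSON body landing in ARGS_NAMES, and REQUEST_BODY) on the update endpoint. It assumes Apache with ModSecurity 2.x in a vhost that accepts SecRule directives; the rule id 1000001 is a placeholder from the local range.

```apache
# Added example, not the answerer's configuration.

# Coarse form from the answer: drops both rules for every request whose
# path contains /blog/, including 949110, the rule that turns the anomaly
# score into a block. With it gone, CRS only logs on those paths.
<LocationMatch "/blog/">
    SecRuleRemoveById 921110 949110
</LocationMatch>

# Narrower form: 949110 stays active. Rule 921110 keeps running everywhere,
# but on the blog update endpoint shown in the log it no longer inspects
# the two variables the editor's HTML was matched in.
# id 1000001 is a placeholder; use a free id from your own local range.
SecRule REQUEST_URI "@rx ^/blog/[^/]+/update$" \
    "id:1000001,phase:1,pass,nolog,\
     ctl:ruleRemoveTargetById=921110;ARGS_NAMES,\
     ctl:ruleRemoveTargetById=921110;REQUEST_BODY"

# Any other CRS rule the log shows firing on the same body (its [id "..."]
# value) gets its own ctl:ruleRemoveTargetById=<id>;<variable> line here,
# rather than a blanket SecRuleRemoveById.
```

After changing the exclusions, re-run the same save and confirm in the error log that the anomaly score no longer reaches the 949110 threshold while other paths still block.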
