CSF 3.28 - remotely block any IP address (modsec v1 and modsec v2 regexps)


ConfigServer Firewall 3.28 provides the option to block brute force login attempts on various services. The regexps in csf/regexp.pm for modsec v1 and modsec v2 allowed any remote, unauthenticated person to block any IP address of their choice, because the address passed to lfd is taken from wherever the "[client x.x.x.x]" text happens to appear in the log line rather than from the field Apache itself writes. The code for this looked similar to the following:

    # csf/regexp.pm, modsec v1 check: an unanchored match, so the client IP is
    # whichever address precedes the denial text anywhere in the log line
    if ( $log_line =~ /\[client (\d+\.\d+\.\d+\.\d+)\] ModSecurity: Access denied with code/ ) {
        return ( 'mod_sec alert', $1, 'mod_sec');
    }

The following steps can be used to take advantage of this issue:

Do this 5 times:

1. telnet <victim server> 80

2. enter the following, then press Enter twice:
[client] ModSecurity: Access denied with code

This also worked via the modsec v2 regexp. In step 2 above, you would use the following:

[client] mod_security: Access denied with code

The result will be that lfd calls iptables to block


Remote, unauthenticated persons could block any IP address of their choice.
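To make the trust-boundary problem behind the regexp (and the request-line trick in the steps above) concrete, here is an added example written for this page; it is not csf's code and is in Python rather than csf's Perl. It runs the 3.28-style unanchored match beside an anchored variant over a few constructed Apache error-log lines, including one where Apache has echoed a junk request line into the log so that a "[client ...]" fragment chosen by the remote peer appears later in the same line. The anchored regexp is an assumption about one way to fix the check, not csf's actual patch.

```python
import re

# Constructed sample Apache 1.3/2.x error-log lines (not from the advisory or from csf).
# Line 1: a genuine ModSecurity denial for client 203.0.113.5.
# Lines 2-3: 198.51.100.9 sent a junk request line; Apache echoes it into the error
#            log, so a "[client ...] ... Access denied with code" fragment chosen by
#            that peer shows up after the real client field of the same line.
# Line 4: an unrelated notice with no client field at all.
SAMPLE_LOG = [
    "[Tue Mar 14 10:00:00 2006] [error] [client 203.0.113.5] "
    "ModSecurity: Access denied with code 403 (phase 2). Pattern match \"etc/passwd\"",
    "[Tue Mar 14 10:00:01 2006] [error] [client 198.51.100.9] "
    "Invalid method in request [client 192.0.2.1] ModSecurity: Access denied with code",
    "[Tue Mar 14 10:00:02 2006] [error] [client 198.51.100.9] "
    "Invalid method in request [client 192.0.2.1] mod_security: Access denied with code",
    "[Tue Mar 14 10:00:03 2006] [notice] Apache configured -- resuming normal operations",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Covers both spellings the advisory shows for the modsec v1 and v2 regexps.
DENIED = r"(?:ModSecurity|mod_security): Access denied with code"

# Unanchored search, equivalent to the csf 3.28 check quoted in the advisory:
# the first "[client X]" immediately followed by the denial text wins, wherever it sits.
VULNERABLE_RE = re.compile(r"\[client " + IPV4 + r"\] " + DENIED)

# Hardened variant (an assumed fix, not csf's own patch): the client field must be the
# one Apache writes at its fixed position right after the timestamp and level, and the
# denial text must follow it directly, so text echoed from the request cannot supply
# the address.
ANCHORED_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client " + IPV4 + r"\] " + DENIED)


def vulnerable_client_ip(log_line):
    """Return the IP the 3.28-style regexp would hand to lfd, or None."""
    m = VULNERABLE_RE.search(log_line)
    return m.group(1) if m else None


def anchored_client_ip(log_line):
    """Return the IP only when it comes from Apache's own client field."""
    m = ANCHORED_RE.match(log_line)
    return m.group(1) if m else None


def blocks_for(parser, lines):
    """Collect the addresses a parser would report for a batch of log lines."""
    return [ip for ip in (parser(line) for line in lines) if ip]


if __name__ == "__main__":
    # 3.28-style: ['203.0.113.5', '192.0.2.1', '192.0.2.1'] (two attacker-chosen hits)
    print("3.28-style:", blocks_for(vulnerable_client_ip, SAMPLE_LOG))
    # anchored:   ['203.0.113.5'] (only the genuine denial)
    print("anchored:  ", blocks_for(anchored_client_ip, SAMPLE_LOG))
```

The anchored form relies on two properties of the log source: Apache writes the client field at a fixed position, and it escapes control characters in the request data it echoes, so a peer cannot start a fresh line of its own. When reviewing any log-driven blocker, the questions to ask are which messages in that log repeat peer-supplied bytes, and whether the parser reads the address from a position the peer cannot reach.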