Re: [mod-security-users] Question regarding Bugtraq post
From: Brian R. <Bri...@br...> - 2009-06-13 00:02:56
OSSEC junkie wrote:
> Does anyone from ModSecurity have any comment about this post?
> ModSecurity (Core Rules) HPP Filter Bypass Vulnerability
> found at: http://www.securityfocus.com/archive/1/504240/30/0/threaded
>

Here is what I responded to Lavakumar Kuppan with when he contacted me earlier this year. I may turn this into a blog post if I have time...

I agree, it is still an issue, but it is one of "Impedance Mismatch". This is documented here:
https://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#N11EEE

[BTW, if you want to write up a more formal doc describing this (similar to the "PHP Peculiarities for ModSecurity Users"), I'd be glad to add it to the ModSecurity docs and credit your work.]

And a blog on it here:
http://thread.gmane.org/gmane.comp.apache.mod-security.user/5637

ModSecurity was designed in an Apache-centric manner and with Apache-centric technologies in mind (PHP especially, as that was what Ivan was using at the time). So, while adding IIS specifics to ModSecurity may make sense in your case, it may cause some strange side effects in most other installs -- especially when not used as a reverse proxy.

What needs to be done -- and some thought has gone into it -- is to have a setting that allows ModSecurity to know what flavor of webserver it is trying to protect and what technologies are being used. Only then should it try to work around issues like you are seeing. If it tries to guess, it will get it wrong.

You have some other options (workarounds, but they require some effort):

1) Use QUERY_STRING, REQUEST_BODY and HTTP_HEADERS:Cookie instead of ARGS. This will give you the raw data to match against. You will need to modify rule patterns accordingly.

2) Extend ModSecurity and add another target variable or two (ASP_ARGS, ASPNET_ARGS maybe). ModSecurity has an API for doing this. An example is included in the source (apache2/api/mod_var_remote_addr_port.c).

If you do go the extension route, I am available to answer questions (well, the mod-users list is). And if it is quality code, then release it back to us and maybe we can include it in a future version of ModSecurity.

While it is an issue, it is also a fairly common issue among WAF/IDS/IPS and one that is rather difficult to solve. Essentially ModSecurity needs to know how things are parsed by the web app, and it can only know that if you tell it the specifics. In this case, it is just rather difficult to tell it without some dev efforts in rules and/or additional targets.

thanks,
-B

--
Brian Rectanus
Breach Security
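The "impedance mismatch" Brian describes, as an added illustration that is not part of his reply or of ModSecurity's code: ModSecurity's ARGS collection holds every occurrence of a repeated parameter as a separate value and evaluates a rule against each one, whereas ASP and ASP.NET hand the application a single string with the occurrences joined together. The script below models both views for a query string, evaluates a toy signature per ARGS value, against the backend-reconstructed value, and against the raw QUERY_STRING (workaround 1 from the post), and reports duplicated parameter names, which is the indicator a WAF can alert on regardless of backend. The comma join for ASP.NET and the ", " join for classic ASP, the sample query strings and the signature pattern are all constructed for this example.

```python
"""Model of the ARGS-vs-backend parsing mismatch for repeated parameters.

ModSecurity ARGS: one value per occurrence, rule evaluated per value.
ASP.NET / classic ASP: occurrences of the same name joined into one string
(separators below are the assumption used by this example, not taken from
the original post).
"""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Toy stand-in for a rule pattern: two tokens that must appear together,
# with only non-word characters allowed between them. Constructed, not CRS.
SIGNATURE = re.compile(r"alpha\W+beta")

# Constructed sample query strings (no real payloads).
SAMPLES = {
    "single": "q=alpha beta&x=1",   # both tokens in one value
    "split": "q=alpha&q=beta&x=1",  # tokens spread over a repeated name
    "benign": "q=alpha&x=beta",     # tokens in different parameters
}

# Assumed join behaviour of the backend when a name repeats.
BACKEND_SEPARATOR = {"aspnet": ",", "asp": ", "}


def args_view(query):
    """ModSecurity-style ARGS: every (name, value) pair kept separately."""
    return parse_qsl(query, keep_blank_values=True)


def backend_view(query, backend="aspnet"):
    """Per-name value as an ASP/ASP.NET request collection would return it."""
    sep = BACKEND_SEPARATOR[backend]
    merged = {}
    for name, value in args_view(query):
        merged[name] = value if name not in merged else merged[name] + sep + value
    return merged


def duplicate_names(query):
    """Parameter names that occur more than once: the HPP indicator to alert on."""
    counts = Counter(name for name, _ in args_view(query))
    return sorted(name for name, n in counts.items() if n > 1)


def inspect(query, backend="aspnet"):
    """Evaluate the signature three ways and report where it fires."""
    return {
        # ARGS: each occurrence matched on its own
        "args_match": any(SIGNATURE.search(v) for _, v in args_view(query)),
        # value as the application will actually see it
        "backend_match": any(
            SIGNATURE.search(v) for v in backend_view(query, backend).values()
        ),
        # workaround 1 from the post: match against the raw QUERY_STRING
        "raw_match": bool(SIGNATURE.search(query)),
        "duplicates": duplicate_names(query),
    }


if __name__ == "__main__":
    for label, q in SAMPLES.items():
        print(f"{label:7s} {inspect(q)}")
```

For the "split" sample the per-ARGS check is silent while the backend-reconstructed value matches, which is the mismatch the thread is about; the raw QUERY_STRING check is also silent because the unmodified pattern does not account for the "&q=" between the tokens, which is why the post says rule patterns must be rewritten when moving from ARGS to QUERY_STRING. The duplicate-name report fires on that request independently of any signature, which makes it a cheap, backend-agnostic signal to log or alert on.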