Re: [mod-security-users] turning off filter for xml in post payload
From: Dan R. <sp...@el...> - 2006-11-30 23:51:43
Thanks for that, I couldn't work out where to put the ! :D

Ofer Shezaf wrote:
>
> Thanks,
>
> This is definitely a bug in the Core Rule Set. You can use this rule
> instead of the one you have, until I issue an additional version of
> the core rule set:
>
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS
> "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
> "deny,log,status:501,id:50013,severity:2,msg:'PHP Injection Attack'"
>
> Or for version 1.2:
>
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS
> "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
> "deny,log,status:501,id:950013,severity:2,msg:'PHP Injection Attack'"
>
> ~ Ofer
>
> ------------------------------------------------------------------------
> *From:* mod...@li... [mailto:mod...@li...] *On Behalf Of* Dan Rossi
> *Sent:* Thursday, November 30, 2006 5:40 AM
> *To:* mod...@li...
> *Subject:* [mod-security-users] turning off filter for xml in post payload
>
> It seems this rule is trapping XML in POST payloads,
>
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS
> "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?)" \
> "auditlog,id:50013,phase:2,severity:4,msg:'(default/generic_attacks.conf) PHP Injection Attack'"
>
> Is there a way to allow XML (<?xml) in that rule, or would this be correct?
>
> #SecRule !ARGS:TNO "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"
> SecRule ARGS:TNO "!(<\?xml)" "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"
>
> The first one didn't work.
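As an added illustration (not part of the thread), a Python check of the two regexes quoted above against constructed POST argument values: the original `<\?` alternative fires on an XML declaration, while Ofer's `<\?(?!xml)` variant does not, yet still flags `<?php`, bare `<?` and the listed PHP function names. Sample payloads are constructed for this example.

```python
import re

# The part of the rule regex shared by both versions on the page:
# PHP file/stream function names and the $_get/$_post/$_session superglobals.
BODY = (
    r"(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)"
    r"|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)"
    r"|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)"
    r"|\$_(?:(?:pos|ge)t|session))\b"
)

# Original Core Rule Set regex from Dan's post: any "<?" is treated as PHP.
ORIGINAL = re.compile(r"(?:" + BODY + r"|<\?)")

# Ofer's corrected regex: "<?" matches unless immediately followed by "xml".
FIXED = re.compile(r"(?:" + BODY + r"|<\?(?!xml))")


def classify(payload: str) -> tuple[bool, bool]:
    """Return (original_rule_matches, fixed_rule_matches) for one value."""
    return (ORIGINAL.search(payload) is not None,
            FIXED.search(payload) is not None)


# Constructed sample argument values, as they might arrive in a POST body.
SAMPLES = {
    "xml_doc":   '<?xml version="1.0"?><order><id>42</id></order>',
    "php_tag":   "<?php echo 'hi'; ?>",
    "short_tag": "<? echo 1; ?>",
    "plain":     "hello world",
    "func_name": "please fopen the file",
    # Caveat: the lookahead is case-sensitive as written, so an upper-case
    # declaration is still flagged unless the rule lowercases input first
    # (the thread shows no transformation for these rules).
    "upper_xml": '<?XML version="1.0"?>',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        orig, fixed = classify(value)
        print(f"{name:10s} original={orig!s:5s} fixed={fixed!s:5s}")
```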