Re: [mod-security-users] SQL Injection / XSS & SugarCRM
From: Ryan B. <Rya...@Br...> - 2008-08-12 18:40:21
> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Clayton Dillard
> Sent: Tuesday, August 12, 2008 2:33 PM
> To: ModSecurity
> Subject: [mod-security-users] SQL Injection / XSS & SugarCRM
>
> SugarCRM is a nasty application. We use ModSec to protect it. One problem we have is that SQL Injection and XSS events are generated (FPs) for normal Sugar traffic. Since we host SugarCRM with the customer sites accessed by URI, it would be difficult to add a rule based on a directory structure. We need to write a modified version of these rules so that we can still protect against legit SQL Injection and XSS attempts whilst avoiding FPs. Problem is that there are so many pages and modules and so on in Sugar that we don't know where to start with respect to writing a good set of rules.
>
> Any help would be appreciated.
>
> #########################################
>
> Aug 12 12:34:15 host0.mybiz.info httpd[24657]: [error] [client 63.138.169.146] ModSecurity: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?..." at ARGS:query. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select campaign_log.%2a from campaign_log where"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "host0.mybiz.info"] [uri "/dsa/index.php"] [unique_id "06YQawoKARYAAGBRC2IAAAAB"]

[Ryan Barnett] You would have to send some audit log examples of the full transaction in order to determine why the FP is occurring and to strategize an exception or update. On a separate yet similar note - the scenario that you are describing is not unique to SugarCRM. Anytime you are using a mainly negative security model to protect these types of dynamic, client-driven sites, you are going to run into FPs. This is one of the main drivers for ModProfiler - http://www.modsecurity.org/projects/modprofiler/index.html. This is the tool that Ivan and Ofer just presented on at Blackhat. I am not sure when the tool will be released, but it should be soon. ModProfiler will help you with these issues by allowing you to feed it audit log data; it will then weed out any transactions that generated errors and then create a white-list/positive security ruleset for you. Keep an eye out for its release.
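As an added example (not part of the thread, and not ModSecurity's, CRS's or SugarCRM's own code): before an exception can be strategized for an application with "so many pages and modules", it helps to know which combinations of rule id, vhost, request URI and matched variable are producing the noise. The script below parses ModSecurity 2.x error-log lines in the format quoted above ("Pattern match ... at VAR. [file ...] [id ...] [uri ...]") and tallies hits per (id, hostname, uri, variable). The log lines in `SAMPLE_LOG` are constructed for the example; the first one reproduces the event quoted in the thread, the others are invented to show the grouping.

```python
"""Triage ModSecurity 2.x error-log hits to find where an exception should be scoped.

Added example, not code from the mailing-list thread.  Groups "Pattern match"
events by rule id, vhost, request URI and matched variable so that the
noisiest (uri, parameter) pairs surface first.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in the Apache/ModSecurity 2.x error-log format.
# Line 1 reproduces the event quoted in the thread (pattern shortened as the
# log itself does, with "..."); lines 2-3 are invented; line 4 is not a rule hit.
SAMPLE_LOG = r"""
Aug 12 12:34:15 host0.mybiz.info httpd[24657]: [error] [client 63.138.169.146] ModSecurity: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)..." at ARGS:query. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select campaign_log.%2a from campaign_log where"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "host0.mybiz.info"] [uri "/dsa/index.php"] [unique_id "06YQawoKARYAAGBRC2IAAAAB"]
Aug 12 12:35:02 host0.mybiz.info httpd[24658]: [error] [client 63.138.169.146] ModSecurity: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b..." at ARGS:query. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select accounts.%2a from accounts where"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "host0.mybiz.info"] [uri "/dsa/index.php"] [unique_id "CONSTRUCTED-0002"]
Aug 12 12:36:40 host0.mybiz.info httpd[24659]: [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b..." at ARGS:query. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select contacts.%2a from contacts where"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "host0.mybiz.info"] [uri "/other/index.php"] [unique_id "CONSTRUCTED-0003"]
Aug 12 12:37:11 host0.mybiz.info httpd[24660]: [notice] Apache/2.2 configured -- resuming normal operations
"""

# "ModSecurity: Warning. Pattern match "<regex>" at <VARIABLE>. [file ...] ..."
EVENT_RE = re.compile(
    r'ModSecurity: (?P<action>Warning|Access denied[^.]*)\. '
    r'Pattern match "(?P<pattern>.*?)" at (?P<var>[A-Z_]+(?::\S+?)?)\. '
    r'(?P<fields>\[file .*)$'
)
# Trailing [key "value"] pairs; ModSecurity backslash-escapes quotes inside values.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one error-log line; return None for lines that are not rule hits."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = {"action": m.group("action"), "variable": m.group("var")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        event[key] = value
    # ModSecurity percent-encodes special bytes in [data] (e.g. "*" -> "%2a")
    if "data" in event:
        event["data_decoded"] = unquote(event["data"])
    return event


def triage(log_text: str) -> List[Tuple[Tuple[str, str, str, str], int]]:
    """Count hits per (rule id, hostname, uri, variable), noisiest first."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev.get("id", "?"), ev.get("hostname", "?"),
               ev.get("uri", "?"), ev["variable"])
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (rule_id, host, uri, var), n in triage(SAMPLE_LOG):
        print(f"{n:5d}  id={rule_id}  {host}{uri}  {var}")
```

Run it against the real Apache error log instead of `SAMPLE_LOG` and the top rows show exactly which URI and parameter an exception for rule 950001 should be scoped to (here `ARGS:query` on `/dsa/index.php`), which is far narrower than disabling the rule site-wide. The counts only say where the noise is; the full transactions from the audit log (the `SecAuditLog` output Ryan asks for) are still what confirms that the matched `select ... from ... where` text is legitimate SugarCRM traffic before any exception is granted.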