[mod-security-users] Problems with @inspectFile not escaping arguments
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] Problems with @inspectFile not escaping arguments
|
From: Gryzli B. <gry...@gm...> - 2015-12-08 07:50:14
|
Hi all,
I'm trying to make some rules work, and see some very strange behaviour.
I have the following rule in mod_security:
---
SecRule FULL_REQUEST "@inspectFile /tmp/test_script.pl" "id:159, deny,
status:406, phase:2"
---
When I pass some request to Apache I get bunch of logs in error_log
looking like this:
=========
/bin/sh: line 2: Host:: command not found
/bin/sh: line 3: Connection:: command not found
/bin/sh: line 4: Accept:: command not found
/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
/bin/sh: -c: line 6: syntax error near unexpected token `('
/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
/bin/sh: line 2: Host:: command not found
/bin/sh: line 3: Connection:: command not found
/bin/sh: line 4: Accept:: command not found
/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
/bin/sh: -c: line 6: syntax error near unexpected token `('
/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
===========
It seems that ModSecurity is unable to correctly escape the arguments,
which must be sent to the /tmp/test_scrip.pl, which results to execution
tries in /bin/sh.
This behavior looks extremely dangerous, cause attacker could easily use
it to execute malicious code with Apache user.
Is this a bug, or there is an option to make ModSecuriy escape correctly
the arguments passed ?
Regards,
Gryzli
|
