Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Felipe C. <FC...@tr...> - 2015-12-08 13:04:21
Hi Gryzli,

Thank you for the report.

Do not use the @inspectFile with variables that you don't control. @inspectFile was originally created to be used with the FILES_TMPNAMES [1] as cited on the example: [2]. The content of FILES_TMPNAMES is generated by ModSecurity, therefore we don't need to escape.

I think your concern is more than valid. I am adding a note at the Reference manual, so that other users will not use it in this fashion.

Maybe what you are looking for is to use the Lua engine [3]. Using the Lua engine, you will be able to fetch the variables using:

m.getvar("FULL_REQUEST");

Notice that using FULL_REQUEST is not always a good practice because it may drop the performance of your server a little bit.

For ModSecurity version 3, the @inspectFile may not be necessary anymore. We wish to support natively:

- Ruby
- Python
- Lua
- Any other suggestion?

(Moving this discussion to mod...@li...)

[1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#files_tmpnames
[2] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#inspectfile
[3] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secrulescript

Br.,

Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 12/8/15, 4:50 AM, "Gryzli Bugbear" <gry...@gm...> wrote:

>Hi all,
>
>I'm trying to make some rules work, and see some very strange behaviour.
>
>I have the following rule in mod_security:
>---
>SecRule FULL_REQUEST "@inspectFile /tmp/test_script.pl" "id:159, deny,
>status:406, phase:2"
>---
>
>When I pass some request to Apache I get a bunch of logs in error_log
>looking like this:
>=========
>/bin/sh: line 2: Host:: command not found
>/bin/sh: line 3: Connection:: command not found
>/bin/sh: line 4: Accept:: command not found
>/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>/bin/sh: -c: line 6: syntax error near unexpected token `('
>/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>/bin/sh: line 2: Host:: command not found
>/bin/sh: line 3: Connection:: command not found
>/bin/sh: line 4: Accept:: command not found
>/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>/bin/sh: -c: line 6: syntax error near unexpected token `('
>/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>===========
>
>It seems that ModSecurity is unable to correctly escape the arguments,
>which must be sent to /tmp/test_script.pl, which results in execution
>attempts in /bin/sh.
>
>This behavior looks extremely dangerous, because an attacker could easily use
>it to execute malicious code as the Apache user.
>
>Is this a bug, or is there an option to make ModSecurity escape
>the passed arguments correctly?
>
>Regards,
>Gryzli
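The Lua route Felipe points to, as an added example that is neither code from this thread nor from the ModSecurity project: the script is loaded with SecRuleScript in place of the @inspectFile rule, reads the request through m.getvar("FULL_REQUEST") and parses it as data, so none of its content ever reaches /bin/sh. The script path and the specific checks it performs (malformed request or header line, duplicated Host header) are assumptions standing in for whatever test_script.pl was meant to do.

```lua
-- Added example, not code from the thread or from the ModSecurity project.
-- Lua replacement for Gryzli's rule, loaded with SecRuleScript instead of
-- @inspectFile (the script path is an assumption):
--   SecRuleScript /etc/modsecurity/inspect_request.lua "id:159,deny,status:406,phase:2"
-- The request is fetched through the ModSecurity Lua API (m.getvar) and handled
-- as a string, so its content is never passed to /bin/sh. The checks
-- (malformed request/header line, duplicated Host header) are illustrative
-- assumptions standing in for whatever test_script.pl was meant to do.

-- Parse the raw request into { request_line, headers = { lowercased name -> values } }; nil plus a reason if malformed.
local function parse_request(raw)
  local lines = {}
  for line in (raw .. "\n"):gmatch("([^\n]*)\n") do
    lines[#lines + 1] = (line:gsub("\r$", ""))  -- tolerate CRLF line endings
  end
  local request_line = lines[1]
  if not request_line or not request_line:match("^%u+ %S+ HTTP/%d%.%d$") then
    return nil, "malformed request line"
  end
  local headers = {}
  for i = 2, #lines do
    local line = lines[i]
    if line == "" then break end  -- blank line ends the header block
    local name, value = line:match("^([%w%-]+):%s*(.-)%s*$")
    if not name then return nil, "malformed header line" end
    name = name:lower()
    headers[name] = headers[name] or {}
    table.insert(headers[name], value)
  end
  return { request_line = request_line, headers = headers }
end

-- Entry point required by SecRuleScript: return nil for no match, or a
-- string (logged as the matched data) to trigger the rule's actions.
function main()
  -- FULL_REQUEST is rebuilt for every request; that is the cost Felipe mentions.
  local raw = m.getvar("FULL_REQUEST")
  if raw == nil then return nil end
  local req, reason = parse_request(raw)
  if not req then
    m.log(4, "inspect_request.lua: " .. reason)
    return reason
  end
  if req.headers["host"] and #req.headers["host"] > 1 then
    m.log(4, "inspect_request.lua: duplicated Host header")
    return "duplicated Host header"
  end
  return nil
end
```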