Re: [mod-security-users] Problems with @inspectFile not escaping arguments

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Am 08.12.2015 um 14:04 schrieb Felipe Costa:
> Hi Gryzli,
>
> Thank you for the report.
>
> Do not use the @inspectFile with variables that you don’t have control. @inspectFile
> was originally created to be used with the FILES_TMPNAMES [1] as cited on the
> example: [2]. The content of FILES_TMPNAMES is generated by ModSecurity, therefore we
> don’t need to escape.

SecRule FILES_TMPNAMES "@inspectFile 
/etc/httpd/modsecurity.d/check-upload.php" 
"id:'141',phase:2,block,status:400,t:none"

that script get called for each uploaded file with the full, sanitized 
path as param by modsec

> I think you concern is more than valid. I am adding a note at the Reference manual,
> so that, others users will not use it in this fashion.
>
> Maybe what you are looking for is to use the Lua engine [3]. Using the Lua engine,
> you will be able to fetch the variables using: m.getvar("FULL_REQUEST");
>
> Notice that using FULL_REQUEST is not always a good practice because it may drop the
> performance of your server a little bit.

and it's not needed at all to inspect upload-files

> For ModSecurity version 3, the @inspectFile may not be necessary anymore. We wish to
> support natively:

how is that supposed to work "natively"?

i mean the idea of calling a external script is to keep that as small 
and focused as possible while at the same time

what i would like to see native supported is a config file with allowed 
mimetypes and check upload-files against it - that's what our script 
baiscally does by the wollwoing code

the reason for calling the file-command is that on Fedora that package 
is typically recent while the native php-functions are proven to often 
detect the wrong mimetypes even for gif-images and the bundeled 
php-stuff don't see much updates to fix the error in a timely manner if ever

  ob_start();
  passthru('/usr/bin/file -b --mime-type ' . 
escapeshellarg($_SERVER['argv'][1]));
  $mime_type = trim(ob_get_clean());
  switch(in_array($mime_type, $allowed_mimetypes))
  {
   case true:  exit("1: upload mime-type '" . $mime_type . "' 
allowed\n"); break;
   case false: exit("0: upload mime-type '" . $mime_type . "' not 
allowed\n"); break;
  }

> On 12/8/15, 4:50 AM, "Gryzli Bugbear" <gry...@gm...> wrote:
>
>> Hi all,
>>
>> I'm trying to make some rules work, and see some very strange behaviour.
>>
>> I have the following rule in mod_security:
>> ---
>> SecRule FULL_REQUEST "@inspectFile /tmp/test_script.pl" "id:159, deny,
>> status:406, phase:2"
>> ---
>>
>> When I pass some request to Apache I get bunch of logs in error_log
>> looking like this:
>> =========
>> /bin/sh: line 2: Host:: command not found
>> /bin/sh: line 3: Connection:: command not found
>> /bin/sh: line 4: Accept:: command not found
>> /bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>> /bin/sh: -c: line 6: syntax error near unexpected token `('
>> /bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>> /bin/sh: line 2: Host:: command not found
>> /bin/sh: line 3: Connection:: command not found
>> /bin/sh: line 4: Accept:: command not found
>> /bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>> /bin/sh: -c: line 6: syntax error near unexpected token `('
>> /bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>> ===========
>>
>> It seems that ModSecurity is unable to correctly escape the arguments,
>> which must be sent to the /tmp/test_scrip.pl, which results to execution
>> tries in /bin/sh.
>>
>> This behavior looks extremely dangerous, cause attacker could easily use
>> it to execute malicious code with Apache user.
>>
>> Is this a bug, or there is an option to make ModSecuriy escape correctly
>> the arguments passed ?