Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Brian K. <bp...@gm...> - 2015-12-08 19:49:35
How about Perl?

Thanks,
Brian

On Tue, Dec 8, 2015, 07:13 Felipe Costa <FC...@tr...> wrote:

> Hi Gryzli,
>
> Thank you for the report.
>
> Do not use @inspectFile with variables that you don't have control over.
> @inspectFile was originally created to be used with FILES_TMPNAMES [1],
> as cited in the example [2]. The content of FILES_TMPNAMES is generated by
> ModSecurity, therefore we don't need to escape.
>
> I think your concern is more than valid. I am adding a note to the
> Reference Manual so that other users will not use it in this fashion.
>
> Maybe what you are looking for is to use the Lua engine [3]. Using the Lua
> engine, you will be able to fetch the variables using:
> m.getvar("FULL_REQUEST");
>
> Notice that using FULL_REQUEST is not always a good practice because it
> may drop the performance of your server a little bit.
>
> For ModSecurity version 3, @inspectFile may not be necessary anymore.
> We wish to support natively:
> - Ruby
> - Python
> - Lua
> - Any other suggestion?
>
> (Moving this discussion to mod...@li...)
>
> [1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#files_tmpnames
> [2] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#inspectfile
> [3] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secrulescript
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
> On 12/8/15, 4:50 AM, "Gryzli Bugbear" <gry...@gm...> wrote:
>
> >Hi all,
> >
> >I'm trying to make some rules work, and see some very strange behaviour.
> >
> >I have the following rule in mod_security:
> >---
> >SecRule FULL_REQUEST "@inspectFile /tmp/test_script.pl" "id:159, deny, status:406, phase:2"
> >---
> >
> >When I pass some request to Apache I get a bunch of logs in error_log
> >looking like this:
> >=========
> >/bin/sh: line 2: Host:: command not found
> >/bin/sh: line 3: Connection:: command not found
> >/bin/sh: line 4: Accept:: command not found
> >/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
> >/bin/sh: -c: line 6: syntax error near unexpected token `('
> >/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
> >/bin/sh: line 2: Host:: command not found
> >/bin/sh: line 3: Connection:: command not found
> >/bin/sh: line 4: Accept:: command not found
> >/bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
> >/bin/sh: -c: line 6: syntax error near unexpected token `('
> >/bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
> >===========
> >
> >It seems that ModSecurity is unable to correctly escape the arguments
> >which must be sent to /tmp/test_script.pl, which results in execution
> >attempts in /bin/sh.
> >
> >This behaviour looks extremely dangerous, because an attacker could easily
> >use it to execute malicious code as the Apache user.
> >
> >Is this a bug, or is there an option to make ModSecurity correctly escape
> >the arguments passed?
> >
> >Regards,
> >Gryzli
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
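The two behaviours the thread contrasts, side by side, as an added Python simulation that is not ModSecurity's code and was not posted by anyone in the thread: `unsafe_inspect` pastes the variable's text into a command line run by `/bin/sh -c`, which is what Gryzli's error_log shows (each header line becomes a shell command), and `safe_inspect` does what FILES_TMPNAMES does for `@inspectFile`, writing the data to a file whose name the engine generated and passing only that name, as one argv element, with no shell in between. The inspection script (a stand-in for `/tmp/test_script.pl` that follows `@inspectFile`'s "first output character is 1 for match, 0 for clean" convention), the request text, the marker file paths and the body containing the substring `EICAR` are all constructed for the example; the exact "not found" wording in stderr depends on which shell backs `/bin/sh`. Felipe's Lua-engine alternative is not shown here.

```python
"""Added example, not ModSecurity code: hand request data to an external
inspection script through /bin/sh -c (the pattern behind the error_log
lines in the thread) versus through a generated temporary file whose path
is the only argument (how FILES_TMPNAMES is meant to be used)."""
import os
import shlex
import subprocess
import sys
import tempfile

# Hypothetical inspection script standing in for /tmp/test_script.pl.
# It follows @inspectFile's convention: the first character of its output
# is 1 for "match" and 0 for "clean". Here it just looks for "EICAR".
INSPECT_SCRIPT = """\
import sys
data = open(sys.argv[1], "rb").read()
print("1 EICAR marker found" if b"EICAR" in data else "0 clean")
"""


def write_inspect_script(workdir):
    path = os.path.join(workdir, "inspect.py")
    with open(path, "w") as f:
        f.write(INSPECT_SCRIPT)
    return path


def parse_verdict(stdout):
    """@inspectFile convention: the first character of the output decides."""
    return stdout.lstrip().startswith("1")


def unsafe_inspect(script, value):
    """The pattern the error_log reveals: the variable's raw text is appended
    to a command line and handed to /bin/sh -c. Every newline in the value
    starts a new shell command, so "Host: example.org" is executed as a
    command (hence "Host:: command not found") and so is any line the
    client chooses to send."""
    cmd = f"{shlex.quote(sys.executable)} {shlex.quote(script)} {value}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return parse_verdict(proc.stdout), proc.stderr


def safe_inspect(script, value, workdir=None):
    """What FILES_TMPNAMES gives you: the data sits in a file whose name the
    engine generated (tempfile here), only that name reaches the script, as a
    single argv element, and no shell parses anything."""
    fd, path = tempfile.mkstemp(prefix="modsec-", dir=workdir)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(value)
        proc = subprocess.run([sys.executable, script, path],
                              capture_output=True, text=True)
    finally:
        os.unlink(path)
    return parse_verdict(proc.stdout), proc.stderr


def constructed_request(marker_path):
    """Constructed request text (not a capture): ordinary headers plus one
    line that is a shell command creating marker_path. Header lines are
    client-chosen, so nothing stops a client from sending this."""
    return ("GET / HTTP/1.1\n"
            "Host: example.org\n"
            "User-Agent: curl/7.64.0\n"
            ": > " + shlex.quote(marker_path) + "\n")


def run_demo():
    """Run both paths on the same data and report what each one did."""
    with tempfile.TemporaryDirectory() as workdir:
        script = write_inspect_script(workdir)
        via_shell = os.path.join(workdir, "created-via-shell")
        via_argv = os.path.join(workdir, "created-via-argv")

        _, shell_err = unsafe_inspect(script, constructed_request(via_shell))
        benign_hit, argv_err = safe_inspect(
            script, constructed_request(via_argv), workdir)
        # Constructed upload body carrying the substring the script looks for.
        eicar_hit, _ = safe_inspect(
            script, "POST /upload HTTP/1.1\n\nEICAR-TEST-BODY\n", workdir)

        return {
            "shell_ran_header_lines": "not found" in shell_err,
            "shell_ran_injected_line": os.path.exists(via_shell),
            "argv_ran_injected_line": os.path.exists(via_argv),
            "argv_verdict_benign": benign_hit,
            "argv_verdict_eicar": eicar_hit,
            "argv_stderr": argv_err,
        }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val!r}")
```

Run it directly and the shell path reports "not found" for the header lines and creates its marker file, while the argv path creates nothing, writes nothing to stderr, and returns a clean verdict for the same request and a match for the body containing `EICAR`. The point is structural rather than about escaping: once the data is in a file and only the engine-generated path crosses the process boundary, there is nothing left for a shell to misparse, which is why the recommended FILES_TMPNAMES usage needs no escaping at all.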