Re: [mod-security-users] Command injection attack
From: Michael S. <mi...@go...> - 2005-08-12 13:19:10
On Fri, 2005-08-12 at 14:04 +0200, David ROBERT wrote:
> Hi,
>
> I would like to write a rule to filter this kind of attack (Command
> injection attack):
>
> GET /stats.pl?toto=aa+bb+cc+|+any_unix_command+#+dd+ee&titi=tata
>
> In GET or POST
>
> In fact I would like to block all the ";", "|", "#"
>
> I wrote :
> SecFilterSelective ARGS [;|\||#]
>
> It works but is it the best way ?

You don't need to use the pipes to separate the characters when you use brackets. You can do it like this:

SecFilterSelective ARGS [;\|#]

Also, I'm sure you already realize this, so this is just an aside for anyone else that might not be sure, only use a rule like this if you know that your applications don't use these characters in their arguments. You'd be surprised (I was) at the number of apps that use pipes in their arguments! :-)

--
Michael T. Shinn
KeyID:DAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root? http://www.gotroot.com
ModSecurity WebServer Firewall: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
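The two points of the reply above, as an added example that is not part of the original message: it checks that both bracket expressions match the same characters, then runs them over sample arguments to show the false positive on an application that uses pipes legitimately. Assumptions: Python's `re` stands in for the regex engine ModSecurity uses, the filter is taken to see URL-decoded argument values, and every query string except the one quoted in the thread is constructed.

```python
import re
from urllib.parse import parse_qsl

# The two character classes from the thread (Python `re` used as a stand-in).
ORIGINAL = re.compile(r"[;|\||#]")   # inside brackets "|" is a literal, not alternation
SIMPLIFIED = re.compile(r"[;\|#]")

def class_members(pattern):
    """Printable ASCII characters that the single-character class accepts."""
    return {chr(c) for c in range(32, 127) if pattern.fullmatch(chr(c))}

def flagged_args(query, pattern):
    """Names of arguments whose URL-decoded value contains a blocked character."""
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if pattern.search(value)]

# Sample query strings; all but the first are constructed for this example.
SAMPLES = {
    "thread_example": "toto=aa+bb+cc+|+any_unix_command+#+dd+ee&titi=tata",
    "url_encoded_pipe": "toto=aa%7Cbb&titi=tata",
    "benign": "toto=aa+bb&titi=tata",
    # Legitimate application traffic that the rule would also block:
    "legit_pipe_delimiter": "cols=name|size|date&sort=asc",
    "legit_anchor_value": "next=/docs/page#section-2",
}

def compare():
    """Map each sample label to the arguments flagged by each class."""
    return {label: (flagged_args(q, ORIGINAL), flagged_args(q, SIMPLIFIED))
            for label, q in SAMPLES.items()}

if __name__ == "__main__":
    print("original class  :", sorted(class_members(ORIGINAL)))
    print("simplified class:", sorted(class_members(SIMPLIFIED)))
    for label, (orig_hits, simple_hits) in compare().items():
        print(f"{label:22} original={orig_hits} simplified={simple_hits}")
```

The last two samples are the cases to look for in access logs before enabling the rule: requests it would reject even though the application sent those characters on purpose.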