Re: [mod-security-users] ModSecurity rules for PHP vulnerabilities
From: Terry D. <tdo...@na...> - 2006-04-19 09:22:45
Steve West wrote:
> Hi folks,
>
> I'm wondering if anyone knows how to prevent some PHP 4.4.x/5.x
> vulnerabilities via mod_security until the PHP group releases fixes for
> these. Here is more info on the vulnerabilities:
>
> PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
>
> PHP tempname() Arg: http://securitytracker.com/alerts/2006/Apr/1015881.html
>
> PHP crashing Apache: http://securitytracker.com/alerts/2006/Apr/1015880.html

Exploiting these three requires local access. They're certainly fairly nasty bugs, especially if you're hosting a number of sites; but while you can filter the request, you can't filter the PHP that is executed, at least not with mod_security. If I read these right, jailing Apache and PHP should mitigate the potential damage. SecChrootDir in mod_security will only jail Apache, though, not PHP, so I don't think it will help in this case.

> PHP phpinfo() validation:
> http://securitytracker.com/alerts/2006/Apr/1015879.html

This one does rely on request input, though it's tricky to match. Any script could execute phpinfo(), any random padding could be used to overflow that buffer and the XSS could be any HTML/PHP. gotroot.com has a number of anti-XSS filters. You could also block anything above a 4096 byte range with

SecFilterSelective "POST_PAYLOAD|QUERY_STRING" ".{4097,}"

though this will cause false positives if you're running a forum, for example. This vulnerability has been fixed, however, so the best course is to update.

Terry.

> Thanks,
>
> SW
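The length rule quoted above, emulated in Python over constructed requests so that both the padding it is meant to catch and the forum false positive Terry warns about are visible; this is an added example, not code from the thread or from ModSecurity, and all request samples are constructed.

```python
import re
from urllib.parse import parse_qs, urlencode

# Pattern from the SecFilterSelective rule quoted in the thread: any run of
# 4097 or more characters in the raw query string or raw POST payload.
OVERSIZE = re.compile(r".{4097,}")


def rule_matches(query_string: str, post_payload: str) -> bool:
    """Emulate SecFilterSelective "POST_PAYLOAD|QUERY_STRING" ".{4097,}":
    the rule fires if either location contains an oversized run."""
    return any(OVERSIZE.search(loc) for loc in (query_string, post_payload))


def longest_arg(post_payload: str) -> int:
    """Length of the longest single url-encoded argument value.

    A per-argument limit distinguishes one huge value (padding) from a body
    that is long only because it carries many ordinary fields, which the
    raw-payload rule above cannot do."""
    values = [v for vs in parse_qs(post_payload).values() for v in vs]
    return max((len(v) for v in values), default=0)


# Constructed samples (not captured traffic): (QUERY_STRING, POST_PAYLOAD).
NORMAL = ("page=1&lang=en", urlencode({"user": "alice", "comment": "hello"}))
PADDED = ("x=" + "A" * 5000, "")                    # 5000 bytes of padding
FORUM_POST = ("", urlencode({"subject": "Re: bug", "body": "word " * 1000}))  # ~5 KB legitimate post
MANY_FIELDS = ("", "&".join(f"f{i}=v{i}" for i in range(800)))  # long body, every value short

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("padded", PADDED),
                      ("forum post", FORUM_POST), ("many fields", MANY_FIELDS)):
        print(f"{name:12s} rule fires={rule_matches(*req)!s:5s} "
              f"longest arg={longest_arg(req[1])}")
```

Running it shows the rule blocking the padded request but also the legitimate forum post and the many-field form, while the per-argument length separates the padding case from the last one.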