Thread: [mod-security-users] Protection against Bash injection
From: Marc S. <mar...@ap...> - 2018-11-08 15:47:24

For those who remember, we (Approach Belgium) published in 2011 the "cmdLine" transformation that handles most Windows cmd injections (and some basic bash injections). The "cmdLine" transformation has now officially been part of ModSecurity for years.

We were also using, to protect our customers for some years, an additional transformation blocking several other bash injections.
We decided to also give it to the community.
The source code and the explanations are available on
https://www.approach.be/en/modsecurity.html

Enjoy

*Marc Stern
Cyber-Security Consulting Director*
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/> <https://twitter.com/ApproachBe>
/*Inspiring the cyber-security community*/

This e-mail and any attachment are confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, please contact the sender and delete this message and any attachment from your system. Unauthorised publication, use, dissemination, forwarding, printing or copying of this e-mail and its associated attachments is strictly prohibited.

From: Christian F. <chr...@ne...> - 2018-11-09 06:59:59

Hey Marc,

Wow. This is very cool. Just to be clear. You published this as an add-on module for Apache that will integrate with ModSec 2.x on Apache.

Ideally your code contribution will be taken and integrated into the upcoming (and final) 2.9.3 and hopefully into the libModSecurity 3.x release line.

Am I correct?

Cheers,

Christian

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

From: Marc S. <mar...@ap...> - 2018-11-09 08:02:03

Hi Christian,

It can be compiled and used as a stand-alone module.
If you want to integrate it into 2.9.3, you're obviously welcome.

From: Christian F. <chr...@ne...> - 2018-11-09 08:29:48

+1