mod-security-users

[mod-security-users] Command injection attack

[David R. <cas...@gm...>]

Hi,

I would like to write a rule to filter this kind of attack (Command
injection attack):

GET /stats.pl?toto=3Daa+bb+cc+|+any_unix_command+#+dd+ee&titi=3Dtata

In GET or POST

In fact I would like to block all the ";", "|", "#"

I wrote :
SecFilterSelective ARGS [;|\||#]

It works but is it the best way ?

David ROBERT

RE: [mod-security-users] Command injection attack

[Sander H. - O. X. <in...@or...>]

mod...@li... wrote:
> Hi,
> 
> I would like to write a rule to filter this kind of attack (Command
> injection attack): 
> 
> GET /stats.pl?toto=aa+bb+cc+|+any_unix_command+#+dd+ee&titi=tata
> 
> In GET or POST
> 
> In fact I would like to block all the ";", "|", "#"
> 
> I wrote :
> SecFilterSelective ARGS [;|\||#]
> 
> It works but is it the best way ?
> 
> David ROBERT

No. You do not need to separate characters by an or (|) statement in [] or
[^] containers. They should contain all the characters you want to match.
Where, for instance a dot (.) will match any character, [;|#] will match to
; or | or #. They more or less contain an array (only not seperated by ,) of
characters you want to match to. Putting an ^ after the [ does the opposite.

Kind regards,
Sander Holthaus

Re: [mod-security-users] Command injection attack

[Michael S. <mi...@go...>]

On Fri, 2005-08-12 at 14:04 +0200, David ROBERT wrote:
> Hi,
>=20
> I would like to write a rule to filter this kind of attack (Command
> injection attack):
>=20
> GET /stats.pl?toto=3Daa+bb+cc+|+any_unix_command+#+dd+ee&titi=3Dtata
>=20
> In GET or POST
>=20
> In fact I would like to block all the ";", "|", "#"
>=20
> I wrote :
> SecFilterSelective ARGS [;|\||#]
>=20
> It works but is it the best way ?

You don't need to use the pipes to separate the characters when you use
brackets.  You can do it like this:

SecFilterSelective ARGS [;\|#]

Also, I'm sure you already realize this, so this is just an aside for
anyone else that might not be sure, only use a rule like this if you
know that your applications don't use these characters in their
arguments.  You'd be surprised (I was) at the number of apps that use
pipes in their arguments!  :-)

--=20
Michael T. Shinn                                    KeyID:DAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0xDAE2EC86
=20
Got Root?  http://www.gotroot.com
ModSecurity WebServer Firewall: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com