Thread: [mod-security-users] ModSecurity rules for PHP vulnerabilities

Brought to you by: victorhora, zimmerletw

mod-security-users

[mod-security-users] ModSecurity rules for PHP vulnerabilities

From: Steve W. <ste...@gm...> - 2006-04-18 23:51:46

Hi folks,

I'm wondering if anyon knows how to prevent some PHP 4.4.x/5.x
vulnerabilities via mod_security until PHP group releases fixes for
these. Here is more info on the vulnerabilities:

PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.htm=
l

PHP tempname() Arg: http://securitytracker.com/alerts/2006/Apr/1015881.html

PHP crashing Apache: http://securitytracker.com/alerts/2006/Apr/1015880.htm=
l

PHP phpinfo() validation:
http://securitytracker.com/alerts/2006/Apr/1015879.html

Thanks,

SW

Re: [mod-security-users] ModSecurity rules for PHP vulnerabilities

From: Terry D. <tdo...@na...> - 2006-04-19 09:22:45

Steve West wrote:
> Hi folks,
> 
> I'm wondering if anyon knows how to prevent some PHP 4.4.x/5.x
> vulnerabilities via mod_security until PHP group releases fixes for
> these. Here is more info on the vulnerabilities:
> 
> PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
> 
> PHP tempname() Arg: http://securitytracker.com/alerts/2006/Apr/1015881.html
> 
> PHP crashing Apache: http://securitytracker.com/alerts/2006/Apr/1015880.html

Exploiting these three requires local acces. They're certainly fairly nasty 
bugs, especially if you're hosting a number of sites; but while you can filter 
the request, you can't filter the PHP that is executed, at least not with 
mod_security. If I read these right, jailing Apache and PHP should mitigate 
the potential damage.

SecChrootDir in mod_security will only jail apache, though, not PHP, so I 
don't think it will help in this case.

> PHP phpinfo() validation:
> http://securitytracker.com/alerts/2006/Apr/1015879.html

This one does rely on request input, though it's tricky to match. Any script 
could execute phpinfo(), any random padding could be used to overflow that 
buffer and the XSS could be any HTML/PHP. gotroot.com has a number of anti-xss 
filters. You could also block anything above a 4096 byte range with

SecFilterSelective "POST_PAYLOAD|QUERY_STRING" ".{4097,}"

though this will cause false positives if you're running a forum, for example. 
This vulnerability has been fixed, however, so the best course is to update.

Terry.

> Thanks,
> 
> SW
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=k&kid0944&bid$1720&dat1642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>

Re: [mod-security-users] ModSecurity rules for PHP vulnerabilities

From: Ivan R. <iva...@gm...> - 2006-04-19 09:38:59

> Steve West wrote:
> > Hi folks,
> >
> > I'm wondering if anyon knows how to prevent some PHP 4.4.x/5.x
> > vulnerabilities via mod_security until PHP group releases fixes for
> > these. Here is more info on the vulnerabilities:
> >
> > PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882=
.html

For this one you could try looking for the string "compress.zlib:", e.g.

    SecFilterSelective ARGS_VALUES compress\.zlib:

> > PHP tempname() Arg: http://securitytracker.com/alerts/2006/Apr/1015881.=
html
> >
> > PHP crashing Apache: http://securitytracker.com/alerts/2006/Apr/1015880=
.html

These two require someone to be able to place code on the server. If
they can do that you have bigger problems :)

Terry Dooher wrote:
> If I read these right, jailing Apache and PHP should mitigate
> the potential damage.

Correct.

Terry Dooher wrote:
> SecChrootDir in mod_security will only jail apache, though, not PHP, so I
> don't think it will help in this case.

That's not true. SecChrootDir will chroot the entire process,
including the processes created at runtime (after chroot takes place).
(One does need to be carefull with "process daemons", such as
mod_cgid, though, as they may spawn before the chroot call. This
should not happen with 1.9.3 but it's better to check.) However, I
don't think it is possible to add SecChrootDir to an already-running
shared hosting platform. It would break too many things.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall