Hi all,

I found one rule which doesn't check for =https:// RFI attacks:

./slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf

SecRule QUERY_STRING|REQUEST_BODY "(?i:_CONF\[.*\]=(http|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

This should be =(https?|ftps?|php) - same for all PHP remote file includes, they're technically possible over any of those protocols.

(For that matter, data:// or zlib:// should be possible too - see e.g. http://www.php.net/manual/en/wrappers.data.php and http://www.php.net/manual/en/wrappers.php

I have mentioned this to ET's Matt Jonkman in the past, but I gather he was worried about the performance hit from checking (=data|https?|ftps?|zlib| etc etc) for all PHP RFI sigs in Emerging Threats. mod_security may not be so sensitive to the extra pattern matches.

Just something to think about - I can try for a proof of concept if anyone's interested?)

cheers,
Jamie

--
Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
http://uk.linkedin.com/in/jamieriden

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
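A worked check of the regex gap described in the post above, added here as an example; it is not part of the original message or of the CRS rule set. It takes the rule's regex as quoted, the `https?` correction the post proposes, and a further variant that also lists the `data` and `zlib` wrappers the post mentions, and runs each over a handful of constructed query strings. Python's `re` is used as a stand-in for ModSecurity's PCRE engine (this particular pattern syntax is accepted unchanged by both); the sample strings, the parameter name `_CONF[x]` and the `host.invalid` hostname are all made up for the demonstration.

```python
import re

# The pattern exactly as it appears in the rule quoted in the post.
ORIGINAL_PATTERN = r"(?i:_CONF\[.*\]=(http|ftps?|php)\:\/)"

# The correction proposed in the post: https? instead of http.
CORRECTED_PATTERN = r"(?i:_CONF\[.*\]=(https?|ftps?|php)\:\/)"

# One step further than the post's fix: also the data:// and zlib://
# wrappers it mentions. Whether the extra alternatives are worth their
# matching cost is the performance trade-off the post raises.
EXTENDED_PATTERN = r"(?i:_CONF\[.*\]=(https?|ftps?|php|data|zlib)\:\/)"


def matches(pattern: str, query_string: str) -> bool:
    """True if the rule's regex would fire on this QUERY_STRING value."""
    return re.search(pattern, query_string) is not None


# Constructed sample query strings (not real traffic). The parameter name
# and the reserved .invalid hostname are placeholders for the demonstration.
SAMPLES = {
    "http": "_CONF[x]=http://host.invalid/a.txt",
    "https": "_CONF[x]=https://host.invalid/a.txt",
    "ftp": "_CONF[x]=ftp://host.invalid/a.txt",
    "ftps": "_CONF[x]=ftps://host.invalid/a.txt",
    "php": "_CONF[x]=php://memory",
    "data": "_CONF[x]=data://text/plain;base64,SGk=",
    "zlib": "_CONF[x]=zlib://host.invalid/a.gz",
    "mixed_case": "_conf[x]=HTTPS://host.invalid/a.txt",
    # A value that is a local path, not a URL: no variant should fire on it.
    "benign": "_CONF[x]=/usr/share/geeklog",
}


def coverage(pattern: str) -> dict:
    """Map each sample label to whether the pattern fires on that sample."""
    return {label: matches(pattern, qs) for label, qs in SAMPLES.items()}


def missed_by(pattern: str) -> list:
    """Labels of the URL-style samples the pattern fails to match, sorted."""
    return sorted(
        label for label, hit in coverage(pattern).items()
        if not hit and label != "benign"
    )


if __name__ == "__main__":
    for name, pat in (
        ("original", ORIGINAL_PATTERN),
        ("corrected", CORRECTED_PATTERN),
        ("extended", EXTENDED_PATTERN),
    ):
        print(f"{name:9s} misses: {missed_by(pat)}")
```

Run as a script it prints, per variant, which of the sample wrappers slip past the regex: the quoted rule misses the `https` sample (in both lower and upper case) as well as `data` and `zlib`, the `https?` fix closes the first gap, and only the extended alternation catches all of them. None of the three fires on the plain local path.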
./slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf SecRule QUERY_STRING|REQUEST_BODY "(?i:_CONF\[.*\]=(http|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" This should be =(https?|ftps?|php) - same for all PHP remote file includes, they're technically possible over any of those protocols. ( For that matter, data:// or zlib:// should be possible too - see e.g. http://www.php.net/manual/en/wrappers.data.php , and http://www.php.net/manual/en/wrappers.php I have mentioned this to ET's Matt Jonkman in the past, but I gather he was worried about the performance hit from checking (=data|https?|ftps?|zlib| etc etc) for all PHP RFI sigs in Emerging Threats. mod_security may not be so sensitive to the extra pattern matches. Just something to think about - I can try for a proof of concept if anyone's interested?) cheers, Jamie -- Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com http://uk.linkedin.com/in/jamieriden -- Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com http://uk.linkedin.com/in/jamieriden Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com http://uk.linkedin.com/in/jamieriden Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com http://uk.linkedin.com/in/jamieriden _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set