Hello OWASP,

There is a problem with some characters used in the SQL Injection rule:
in rule id:981318, some regex characters are encoded as UTF multibyte
characters.
My testbed:
latest CentOS 6.5
mod_security-2.7.3-2.el6.x86_64 from EPEL
mod_security_crs-2.2.6-3.el6.noarch from EPEL

Problem: rule id:981318 regular expression:
"(^[\"'`´’‘;]+|[\"'`´’‘;]+$)"

is encoded to:
"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"

This is wrong, as it also catches some valid multibyte characters, such as the Polish "ę"
(\xc4\x99) at the end of the URL arg, i.e. requesting:

http://blah.blah/script?removeins=Odinstaluj+aplikację

audit.log:
Message: Access denied with code 403 (phase 2).
Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
at ARGS:removeins. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"]
[data "Matched Data: \x99 found within ARGS:removeins: Odinstaluj aplikacj\xc4\x99"]
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]


IMO, this regex should be modified to treat these characters specially,
i.e.:
"(^([\"'`;]|´|’|‘)+|([\"'`;]|´|’|‘)+$)"


With such a regexp in the aforementioned rule, requesting:
http://blah.blah/script?a=’

audit.log:
Message: Access denied with code 403 (phase 2). Pattern match "(^([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+|([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+$)"
at ARGS:a. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"]
[data "Matched Data: \xe2\x80\x99 found within ARGS:a: \xe2\x80\x99"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"]
[maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
[tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"]
[tag "PCI/6.5.2"]


Regards,

--
Piotr Gackiewicz
Intertele S.A. - operator of the ITL.PL and DOMENY.ITL.PL systems
al. T. Rejtana 10, 35-310 Rzeszów
TEL: +48 17 8507580, FAX: +48 17 8520275

http://www.itl.pl       - reliable hosting services
http://domeny.itl.pl    - cheap internet domains
http://www.intertele.pl
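As an added illustration (not part of the original mail), a Python reproduction of the byte-level mismatch described above: when a character class holds multibyte characters and the regex engine runs in byte (non-UTF) mode, the class becomes a set of single bytes, so any UTF-8 sequence ending in one of those bytes trips the rule, while the proposed alternation keeps each character whole. The function names are my own; the patterns are the two from the mail.

```python
import re

# Rule 981318 as shipped in CRS 2.2.6, compiled as a *byte* pattern to mimic
# PCRE running without UTF-8 mode: the class lists nine separate bytes, not
# three characters.
ORIGINAL = re.compile(
    rb"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+"
    rb"|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
)

# The alternation proposed in the mail: each multibyte quote is one complete
# alternative, so a lone trailing byte can no longer match.
PROPOSED = re.compile(
    rb"(^([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+"
    rb"|([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+$)"
)


def matched_data(pattern, value):
    """Return the bytes the rule would report as 'Matched Data', or None.

    `value` is the decoded argument value; it is UTF-8 encoded here because
    that is what the engine sees on the wire.
    """
    m = pattern.search(value.encode("utf-8"))
    return m.group(0) if m else None


def byte_class_false_positives(chars):
    """Single characters (no ASCII quote involved) that the original byte
    class flags purely because their last UTF-8 byte is in the class."""
    return [c for c in chars if ORIGINAL.search(c.encode("utf-8"))]


if __name__ == "__main__":
    # Constructed sample values taken from the mail's two requests.
    for arg in ("Odinstaluj aplikację", "’"):
        print(repr(arg), "original:", matched_data(ORIGINAL, arg),
              "proposed:", matched_data(PROPOSED, arg))
    print(byte_class_false_positives("ęĘÀaé"))
```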
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set