I want to give a FINAL reply about the RFI rule and then I’ll move on to other 
rules, honestly!
Also for Noel who emailed me about data for this rule.

>> I would hate to see the rule totally disappear from base just on my one FP 
>> note though. Maybe more people can check their audit logs for the rule since 
>> it’s in CRSv2 too. It does rule out a lot of exploits on legacy / in house 
>> PHP apps and attackers try it daily. So it’s a hard call...
> 
> Let's keep it in the base / on the default paranoia level then. Adding the 
> whitelisting you proposed does little harm and is in line with the UUID 
> whitelisting Noël has developed for 981173 (lately moved to 
> https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode_Sibling_981173)


I said I had mostly only whitelisted ARGS:url for this rule. But I lied! After 
Noel emailed me, I checked logs and I noticed that I had adjusted the rule in 
my fork of the CRS git repo so it had a lower (non-critical) score. So my 
experience was not the norm.

To try to get some test data, I enabled the rule again on some staging & 
internal sites to make it critical again. The experience was pretty horrible. 
There was a lot of breakage, colleagues complaining that I am wasting their 
time with 403 errors, and now I remember why I had edited this rule... :) As I 
could have expected, apps that broke were basically anything where a URL is 
passed.

Some examples:
- WordPress admin pages, with unpredictable names (e.g. IDs in argument names)
- WordPress multisite (ARGS:option[ping_sites])
- Symfony user profile (ARGS:fos_user_profile_form[website], 
ARGS:fos_user_registration_form[website])
- vBulletin user profile (ARGS:homepage)
- billing system (ARGS:return/ARGS:cancel/ARGS:notify)

This is just from a few days of people getting 403s. So after this experiment, 
I'm tending towards saying that this is the type of rule that makes the CRS 
scary to use, even if the rule is effective against RFI.

Of course if the default paranoia level is nonzero and it stays at that level, 
we have sorta CRSv2 parity and still a good way to get out of these FP.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
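The "whitelisting" the quoted reply agrees to is a ModSecurity target exclusion: the RFI rule keeps firing on every other argument, but the argument names Walter lists above are taken out of its scope. The configuration below is an added example, not from this thread or from the CRS project. It assumes the RFI rule in question is CRS 3's 931130 (Off-Domain Reference/Link); the mail never names the rule ID, and the rule IDs 10001 and the /wp-admin/ path prefix are likewise assumptions. Two mechanisms are shown because they must be placed differently: ctl:ruleRemoveTargetById runs per request and must be loaded before the CRS rules, while SecRuleUpdateTargetById modifies a rule at configure time and must be loaded after the rule it refers to, otherwise ModSecurity refuses to start because the ID is not yet known.

```apache
# Added example, not from the mailing-list thread or the CRS project.
# Assumes the RFI rule under discussion is CRS 3's 931130 (the mail does
# not name the ID). Adjust the ID if your rule set numbers it differently.

# 1. Run-time exclusion, evaluated per request. Must be loaded BEFORE the
#    CRS rules (in CRS 3: REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
#    Used for the WordPress admin pages whose argument names cannot be
#    predicted: all ARGS are removed from 931130 for that path only.
#    The path prefix and the rule id 10001 are assumptions.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=931130;ARGS"

# 2. Configure-time exclusions for fixed argument names. Must be loaded
#    AFTER the rule they modify (in CRS 3:
#    RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). Each line removes one
#    named argument from 931130; the rule still inspects every other
#    argument, which is why this "does little harm".
SecRuleUpdateTargetById 931130 "!ARGS:url"
# WordPress multisite
SecRuleUpdateTargetById 931130 "!ARGS:option[ping_sites]"
# Symfony / FOSUserBundle profile and registration forms
SecRuleUpdateTargetById 931130 "!ARGS:fos_user_profile_form[website]"
SecRuleUpdateTargetById 931130 "!ARGS:fos_user_registration_form[website]"
# vBulletin user profile
SecRuleUpdateTargetById 931130 "!ARGS:homepage"
# Billing system callback URLs
SecRuleUpdateTargetById 931130 "!ARGS:return"
SecRuleUpdateTargetById 931130 "!ARGS:cancel"
SecRuleUpdateTargetById 931130 "!ARGS:notify"
```

After adding exclusions, re-run the requests that produced the 403s and check the audit log: the excluded argument should no longer appear in a 931130 match, while a test URL placed in an argument that is not on the list (for example a made-up `ARGS:evil`) should still raise the rule. Note that ctl:ruleRemoveTargetById=931130;ARGS removes the whole ARGS collection for the matching path, so keep the path condition as narrow as the application allows.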
