  1. #1
    Join Date
    Sep 2004
    Posts
    245

    Urgent : Bypass Mod security rules !

    Hello

    One of my friends tells me that he can pass mod security rules (POST & GET) by doing the following steps:

    for example :

    file.php?bad=system($_GET['cmd']);&cmd=ls

    Mod security will deny the request ...

    But :


    1) If register globals ON .

    2)

    <?php

    eval($bad);

    ?>


    3) Using cookies ...

    4) Open firefox browser , ---> Live header ,

    5) ask for file.php

    6) Hit reply ... and put this code at the end of the request :

    Cookie: bad=system($cmd);cmd=ls;


    so how to avoid that !

    thank you !

  2. #2
    Join Date
    Jan 2004
    Posts
    1,184
    That depends on your rule set-up.

    It's very nice how you post a possible bug in public, you should be ashamed of yourself.

    Anyway, this is a "bug" in your rule.

  3. #3
    Join Date
    May 2005
    Posts
    288
    1) I suggest you go discuss these things on the full-disclosure mailing list. This is not the place for it.
    2) Anyone who uses "eval($variable)" directly deserves to be hacked. And have both hands cut, so he would touch a computer ever again.

  4. #4
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    That isn't a bug at all, that's just really stupid programming. I don't think you'll ever find anything that does exactly that.

    Having said that, this is why we need to keep installed PHP applications updated. Every now and then developers discover/are advised of more complicated (much more complicated) scenarios that do allow some access, and we then all rush to patch our applications - for instance, phpBB is one of the worst. I've never seen one as bad as the one you mention, something that stupid would need to be done deliberately.

    So, this isn't a bug, and it isn't really an example of an exploit for mod_security. Mod_security will still give you great protection if you have a reasonable ruleset. Nothing to worry about.

  5. #5
    Join Date
    Sep 2005
    Posts
    170
    Their point is not just that code, but mod_security does not check the cookie data or he doesn't have it configured.

    I noticed this "problem" way back, and I'm still not sure if there's a way to filter cookie data as well. I tried different suggestions but I was always able to inject stuff like "DROP TABLE" when it was in my rules. Maybe misconfiguration? If anyone does know how to apply this stuff to cookies please let me know.

    Still though, mod_Security is very effective.

  6. #6
    Join Date
    Oct 2004
    Location
    Southwest UK
    Posts
    1,175
    It's in no way a modsecurity bug, you just haven't got it parsing cookies.

    Try:
    Code:
    SecFilterSelective COOKIE_bad "!^$"
    I think, if you want to apply rules to all cookies, you use the COOKIES_VALUES filter keyword instead, though you might want to reject all cookies with the phrase 'system(' in them.

    Alternatively, turn off the dangerous system calls in php.ini.
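
Added example, not part of any post in this thread and not ModSecurity's own code: a small Python model of the coverage gap discussed above, where a pattern applied only to request arguments misses the same string carried in a cookie. The request is constructed from the thread's example; the `ARGS` key, the `system(` pattern and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed request modelled on the thread: harmless query string,
# with the flagged string carried in the Cookie header instead.
RAW_REQUEST = (
    "GET /file.php?page=1 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: bad=system($cmd);cmd=ls;\r\n"
    "\r\n"
)

# The phrase post #6 suggests rejecting; pattern is an assumption.
PATTERN = re.compile(r"system\s*\(", re.IGNORECASE)


def parse_request(raw):
    """Split a raw request into the collections a filter rule can select."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            name, _, value = pair.partition("=")
            cookies[name.strip()] = value.strip()
    args = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    # Keys are labels for this model only.
    return {"ARGS": args, "COOKIES_VALUES": cookies}


def inspect(raw, collections):
    """Return (collection, variable) pairs whose value matches PATTERN."""
    parsed = parse_request(raw)
    return [(c, name) for c in collections
            for name, value in parsed[c].items() if PATTERN.search(value)]


if __name__ == "__main__":
    print("args only:     ", inspect(RAW_REQUEST, ["ARGS"]))
    print("args + cookies:", inspect(RAW_REQUEST, ["ARGS", "COOKIES_VALUES"]))
```

A rule set that never selects the cookie collection returns no match for this request, which is the behaviour post #5 describes.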

  7. #7
    It's very nice how you post a possible bug in public, you should be ashamed of yourself.

    I suggest you go discuss these things on the full-disclosure mailing list. This is not the place for it.
    It's not a bug in php or apache, and he had a question on this, so this is entirely an appropriate place to ask.

    Anyone who uses "eval($variable)" directly deserves to be hacked. And have both hands cut, so he would touch a computer ever again.
    Ever consider that maybe another insecure php script or other exploit could be leveraged to upload php code with eval($var)?

    Yes, anyone who codes this is either a genius or a tool, depending on their intentions
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

  8. #8
    Join Date
    Sep 2005
    Posts
    170

    ah...

    Ah, thanks very much.

    COOKIES_VALUES works great. Finally I see how to do it.
