06-20-2006, 06:59 AM #1 Registered User
Urgent: Bypass Mod security rules!
Hello,
One of my friends tells me that he can pass mod security rules (POST & GET) by doing the following steps:
For example:
file.php?bad=system($_GET['cmd']);&cmd=ls
Mod security will deny the request...
But:
1) If register globals is ON.
2)
<?php
eval($bad);
?>
3) Using cookies...
4) Open Firefox browser ---> Live header,
5) Ask for file.php
6) Hit reply... and put this code at the end of the request:
Cookie: bad=system($cmd);cmd=ls;
So how to avoid that?
Thank you!
-
06-20-2006, 07:35 AM #2 Web Hosting Master
That depends on your rule set-up.
It's very nice how you post a possible bug in public, you should be ashamed of yourself.
Anyway, this is a "bug" in your rule.
-
06-20-2006, 11:37 AM #3 Web Hosting Guru
1) I suggest you go discuss these things on the full-disclosure mailing list. This is not the place for it.
2) Anyone who uses "eval($variable)" directly deserves to be hacked. And have both hands cut, so he would touch a computer ever again.
-
06-20-2006, 06:16 PM #4 Web Hosting Master
That isn't a bug at all, that's just really stupid programming. I don't think you'll ever find anything that does exactly that.
Having said that, this is why we need to keep installed PHP applications updated. Every now and then developers discover/are advised of more complicated (much more complicated) scenarios that do allow some access, and we then all rush to patch our applications - for instance, phpBB is one of the worst. I've never seen one as bad as the one you mention, something that stupid would need to be done deliberately.
So, this isn't a bug, and it isn't really an example of an exploit for mod_security. Mod_security will still give you great protection if you have a reasonable ruleset. Nothing to worry about.
-
06-21-2006, 12:29 PM #5 WHT Addict
Their point is not just that code, but mod_security does not check the cookie data or he doesn't have it configured.
I noticed this "problem" way back, and I'm still not sure if there's a way to filter cookie data as well. I tried different suggestions but I was always able to inject stuff like "DROP TABLE" when it was in my rules. Maybe misconfiguration? If anyone does know how to apply this stuff to cookies please let me know.
Still though, mod_Security is very effective.
-
06-21-2006, 02:31 PM #6 Retired Moderator
It's in no way a modsecurity bug, you just haven't got it parsing cookies.
Try:
Code:
SecFilterSelective COOKIE_bad "!^$"
Alternatively, turn off the dangerous system calls in php.ini.
-
06-21-2006, 03:02 PM #7 Web Hosting Master
Quote:
It's very nice how you post a possible bug in public, you should be ashamed of yourself.
Quote:
I suggest you go discuss these things on the full-disclosure mailing list. This is not the place for it.
Quote:
Anyone who uses "eval($variable)" directly deserves to be hacked. And have both hands cut, so he would touch a computer ever again.
Yes, anyone who codes this is either a genius or a tool, depending on their intentions.
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"
-
06-21-2006, 03:31 PM #8 WHT Addict
ah...
Ah, thanks very much.
COOKIES_VALUES works great. Finally I see how to do it.
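
A simplified model of the inspection-scope issue this thread settles on, added here as an example (it is not code from any poster and not ModSecurity's implementation): a filter that only looks at GET/POST arguments lets the cookie request from post #1 through, while the same rule applied to cookie values as well flags it. The rule pattern, the host name and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed rule (assumption): values that look like PHP command-execution calls.
RULE = re.compile(r"\b(system|exec|passthru|shell_exec|eval)\s*\(", re.I)

def collect(raw_request, scan_cookies):
    """Return {location: value} for every field the filter will inspect."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    fields = {}
    # Query-string arguments are always in scope.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        fields["ARG:" + name] = value
    # Form-encoded POST body arguments are in scope too.
    if method == "POST":
        for name, value in parse_qsl(body, keep_blank_values=True):
            fields["ARG:" + name] = value
    # Cookie values are inspected only when the filter is told to look at them.
    if scan_cookies:
        for line in lines[1:]:
            header, _, content = line.partition(":")
            if header.strip().lower() != "cookie":
                continue
            for pair in content.split(";"):
                name, _, value = pair.strip().partition("=")
                if name:
                    fields["COOKIE:" + name] = value
    return fields

def violations(raw_request, scan_cookies):
    """List the inspected locations whose value matches RULE."""
    fields = collect(raw_request, scan_cookies)
    return [loc for loc, value in fields.items() if RULE.search(value)]

# Constructed sample requests built from the two cases in post #1.
GET_REQ = ("GET /file.php?bad=system($_GET['cmd']);&cmd=ls HTTP/1.1\r\n"
           "Host: example.test\r\n\r\n")
COOKIE_REQ = ("GET /file.php HTTP/1.1\r\n"
              "Host: example.test\r\n"
              "Cookie: bad=system($cmd);cmd=ls;\r\n\r\n")

if __name__ == "__main__":
    print("GET, args only:      ", violations(GET_REQ, scan_cookies=False))
    print("Cookie, args only:   ", violations(COOKIE_REQ, scan_cookies=False))
    print("Cookie, with cookies:", violations(COOKIE_REQ, scan_cookies=True))
```

Filtering is only one layer here: with register globals off, a cookie never becomes `$bad` in the script in the first place.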