I just changed the rule to:
SecRule REQUEST_BASENAME "\.(.*)$" \
  "chain,capture,setvar:tx.extension=.%{tx.1}/,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,msg:'URL file extension is restricted by policy',severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
  SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
    "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
Then it works well.
2010/12/30 dreamice <[email protected]>
> Dear Ryan,
> I just found a bug in the Restricted extensions rule.
>
> The original rules are:
> setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/
> .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/
> .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/
> .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/
> .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/
> .xsx/', \
>
> SecRule REQUEST_BASENAME "\.(.*)$" \
>   "chain,capture,setvar:tx.extension='.%{tx.1}/',phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,msg:'URL file extension is restricted by policy',severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
>   SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
>     "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
> I tested and debugged it, but this rule does not work right. I saw that the
> rule sets tx.extension with two extra single quotes (''), but the setvar does
> not strip the two single quotes.
> For example, if you request the base name test.log, the rule sets
> tx.extension to '.log/', but the restricted_extensions entry is .log/. They are
> not equal, and the rule cannot be matched.
>
> I wish you would run a test and update the rules. Thanks a lot.
>
> Best regards,
>
> dreamice
> 2010-12-30
>
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
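The bug reported in this thread is easy to reproduce outside ModSecurity. The following Python model is an added example, not code from the CRS project or from the thread: it re-implements the two chained rules (the `\.(.*)$` capture over the lowercased, URL-decoded basename, the `setvar:tx.extension=...` macro expansion, and a plain-substring `@within` check, which is an assumption about the operator's semantics) and runs both the original quoted setvar value and the corrected one against the list quoted in the message. The restricted-extensions list is copied from the quoted rule; the request basenames are constructed inputs. It also shows why each list entry ends in `/`.

```python
import re
from urllib.parse import unquote

# Copied from the tx.restricted_extensions list quoted in the thread
# (space-separated, each entry terminated with "/").
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ "
    ".vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)

# The capture regex from the first rule of the chain.
EXT_RE = re.compile(r"\.(.*)$")

# The two setvar values under discussion. ModSecurity keeps the quote
# characters when they sit inside the value, so the "buggy" template really
# produces a value that starts and ends with a single quote.
BUGGY_TEMPLATE = "'.%{tx.1}/'"   # setvar:tx.extension='.%{tx.1}/'
FIXED_TEMPLATE = ".%{tx.1}/"     # setvar:tx.extension=.%{tx.1}/


def build_extension(basename, value_template):
    """Model the first chained rule.

    t:urlDecodeUni and t:lowercase are applied to REQUEST_BASENAME before the
    regex runs, so the capture group is taken from the transformed value.
    Returns None when the regex does not match (no dot: the chain stops).
    """
    transformed = unquote(basename).lower()
    m = EXT_RE.search(transformed)
    if not m:
        return None
    return value_template.replace("%{tx.1}", m.group(1))


def within(needle, haystack):
    """Model of @within: a plain substring test (assumption about the operator)."""
    return needle in haystack


def is_restricted(basename, value_template):
    """Return True when the chained rules would fire for this basename."""
    ext = build_extension(basename, value_template)
    return ext is not None and within(ext, RESTRICTED_EXTENSIONS)


def undelimited_false_positive(ext):
    """Show why the rule appends '/' to every entry and to tx.extension.

    Returns (match_with_delimiter, match_without_delimiter). Without the
    delimiter, a short extension that is merely a prefix of a listed one
    (e.g. "dl" vs ".dll") would be reported as restricted.
    """
    with_delim = within("." + ext + "/", RESTRICTED_EXTENSIONS)
    no_delim = within("." + ext, RESTRICTED_EXTENSIONS.replace("/", ""))
    return with_delim, no_delim


if __name__ == "__main__":
    for name in ("test.log", "TEST.LOG", "test%2Elog", "index.html", "README"):
        print(f"{name:12} buggy={is_restricted(name, BUGGY_TEMPLATE)!s:5} "
              f"fixed={is_restricted(name, FIXED_TEMPLATE)!s:5} "
              f"tx.extension={build_extension(name, BUGGY_TEMPLATE)!r}")
    print("'.dl' with/without delimiter:", undelimited_false_positive("dl"))
```

With the quoted value, `test.log` yields `tx.extension` equal to `'.log/'` (quotes included), which is not a substring of the list, so the chain never fires; dropping the quotes yields `.log/`, which matches. The `%2E` case shows why `t:urlDecodeUni` has to precede the capture, and the `dl` case shows that the `/` terminator is what keeps `@within` from treating `.dll/` as a hit for a request ending in `.dl`.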