From: dreamice <[email protected]>
Date: Wed, 29 Dec 2010 19:50:08 -0600
To: "[email protected]"
<[email protected]>, Ryan Barnett
<[email protected]>
Subject: [BUG Report] Restricted extensions rule bug
>Dear Ryan,
>I just found a bug in the Restricted extensions rule.
>
>The original rules are:
>setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/
>.bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/
>.dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/
>.key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/
>.resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/
>.xsd/ .xsx/', \
>
>SecRule REQUEST_BASENAME "\.(.*)$" \
>"chain,capture,setvar:tx.extension='.%{tx.1}/',phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,msg:'URL file extension is restricted by policy',severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
>  SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
>"t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
>
>I tested and debugged it, but this rule does not work right. I saw that the
>rule sets tx.extension with two extra single quotes (''), but setvar does
>not strip the two single quotes.
>For example, if you request the base name test.log, the rule sets
>tx.extension to '.log/', but the restricted_extensions entry is .log. They are
>not equal and the rule cannot be matched.
>
>I hope you will test it and update the rules. Thanks a lot.
Nice catch and thanks for notifying me. Those single quotes are placed
incorrectly. As an FYI to those rule writers on the list, if you need to
do a setvar and you want to include spaces, you can use the single quotes
like this -
...pass,nolog,setvar:'name_of_variable=foo bar baz',msg:'....
I have updated the CRS code and will be updating SVN and releasing a bug
fix CRS version today.
Thanks again,
Ryan
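For readers of the list who want the fix spelled out, here is the chain starter of rule 960035 with the setvar written the way Ryan's convention requires, next to the broken form from the report. This is an added illustration, not the CRS code from the post or the bug-fix release Ryan mentions; the rule id, tags and the tx.restricted_extensions list are taken from the report above, and the setvar placement follows the quoting rule Ryan describes.

```apache
# Added example (not the CRS code from the post): the setvar from the
# chain starter of rule 960035 in its broken and corrected forms.
#
# Broken form, as quoted in the report above. The single quotes sit inside
# the value, so for a request for /test.log tx.extension becomes '.log/'
# (quotes included) and "@within %{tx.restricted_extensions}" never finds it.
#
#   setvar:tx.extension='.%{tx.1}/'
#
# Corrected form, quoting the whole name=value pair as Ryan describes
# (setvar:'name=value with spaces'). tx.extension becomes .log/, which is a
# substring of the restricted list, and the chained rule fires.
#
#   setvar:'tx.extension=.%{tx.1}/'

SecRule REQUEST_BASENAME "\.(.*)$" \
  "chain,capture,setvar:'tx.extension=.%{tx.1}/',phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,msg:'URL file extension is restricted by policy',severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
  SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
    "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
```

A quick check after deploying the corrected rule is to request a base name with a listed extension, for example /test.log on a test host, and confirm a 403 plus an audit-log entry carrying the 960035 message, then request /test.html and confirm it passes. The trailing "/" that the rule appends to tx.extension, and that follows every entry in tx.restricted_extensions, is not decoration: @within is a plain substring test, so without the separator an unlisted extension such as .con would be found inside ".conf/" and be blocked by mistake.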
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set