Hi - I'm pretty new to modsecurity configuration but I think I found a problem
with one of the rules.
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
  "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
  "phase:2,rev:'2.1.2',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
The match pattern does not appear to be doing the right thing. Specifically,
given the text "make the little curl on the top", the rule matches the " curl "
portion. I believe what was intended is more like:
(?:(?:[\;\|\`]\W*?\b|/)(cc|wget|curl)\b(?:[\)\'\"\|\;\`\-\s]|$))
-- Ken
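To make the false-positive claim above reproducible, here is an added Python harness (not part of Ken's message or of the CRS project) that runs both the rule's original pattern and Ken's proposed replacement over a handful of inputs. It emulates only the rule's t:lowercase transformation; t:normalisePath is left out because none of the sample inputs contain path segments it would change. The sample strings other than Ken's "make the little curl on the top" are constructed for this example. Running it shows the two behaviours worth knowing before changing the rule: the original pattern flags the benign sentence because its `\b(wget|curl)\b` branch needs no shell metacharacter at all, and the proposed pattern stops flagging it but, for the same reason, also stops matching a bare `wget` or `curl` with no `;`, `|`, backtick or `/` in front of it.

```python
import re
from typing import Optional, Dict, Tuple

# Operator pattern exactly as it appears in rule 950907 quoted in the message.
ORIGINAL = re.compile(
    r"(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))"
)

# Ken's proposed replacement pattern from the message.
PROPOSED = re.compile(
    r"(?:(?:[\;\|\`]\W*?\b|/)(cc|wget|curl)\b(?:[\)\'\"\|\;\`\-\s]|$))"
)


def evaluate(value: str, pattern: re.Pattern) -> Optional[str]:
    """Apply the rule's t:lowercase transformation, then search the way the
    @rx operator would. Returns the matched text (what logdata:'%{TX.0}'
    would log) or None when the rule would not fire.
    t:normalisePath is deliberately not emulated (assumption: no './' or
    '../' segments in the inputs)."""
    transformed = value.lower()
    match = pattern.search(transformed)
    return match.group(0) if match else None


# Constructed sample inputs; only the first one is quoted from the message.
SAMPLES = [
    "make the little curl on the top",  # benign prose from Ken's report
    "Hair Curlers",                     # benign: 'curl' is not a whole word
    "; curl",                           # separator followed by the command word
    "/cc ",                             # path-style reference both patterns cover
    "wget",                             # bare command word, no separator at all
]


def compare(samples=SAMPLES) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return, per sample, what the original and proposed patterns match."""
    return {s: (evaluate(s, ORIGINAL), evaluate(s, PROPOSED)) for s in samples}


if __name__ == "__main__":
    for sample, (orig_hit, prop_hit) in compare().items():
        print(f"{sample!r:40} original={orig_hit!r:12} proposed={prop_hit!r}")
```

The printed table is what a rule author would want in hand when deciding whether to adopt the proposed regex as-is or to keep a separate branch for the bare command words and tune that branch independently.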
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set