osdir.com
mailing list archive

Subject: Re: ModSecurity rules for PHP vulnerabilities - msg#00091

List: apache.mod-security.user

Steve West wrote:
> Hi folks,
>
> I'm wondering if anyone knows how to prevent some PHP 4.4.x/5.x
> vulnerabilities via mod_security until PHP group releases fixes for
> these. Here is more info on the vulnerabilities:
>
> PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
>
> PHP tempname() Arg: http://securitytracker.com/alerts/2006/Apr/1015881.html
>
> PHP crashing Apache: http://securitytracker.com/alerts/2006/Apr/1015880.html

Exploiting these three requires local access. They're certainly fairly nasty bugs, especially if you're hosting a number of sites; but while you can filter the request, you can't filter the PHP that is executed, at least not with mod_security. If I read these right, jailing Apache and PHP should mitigate the potential damage.

SecChrootDir in mod_security will only jail apache, though, not PHP, so I don't think it will help in this case.

> PHP phpinfo() validation:
> http://securitytracker.com/alerts/2006/Apr/1015879.html

This one does rely on request input, though it's tricky to match. Any script could execute phpinfo(), any random padding could be used to overflow that buffer and the XSS could be any HTML/PHP. gotroot.com has a number of anti-xss filters. You could also block anything above a 4096 byte range with

SecFilterSelective "POST_PAYLOAD|QUERY_STRING" ".{4097,}"

though this will cause false positives if you're running a forum, for example. This vulnerability has been fixed, however, so the best course is to update.

Terry.


> Thanks,
>
> SW


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=k&kid0944&bid$1720&dat1642
_______________________________________________
mod-security-users mailing list
mod-security-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Thread at a glance:


Next Message by Date:

Re: ModSecurity rules for PHP vulnerabilities

> Steve West wrote:
> > Hi folks,
> >
> > I'm wondering if anyone knows how to prevent some PHP 4.4.x/5.x
> > vulnerabilities via mod_security until PHP group releases fixes for
> > these. Here is more info on the vulnerabilities:
> >
> > PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html

For this one you could try looking for the string "compress.zlib:", e.g.

SecFilterSelective ARGS_VALUES compress\.zlib:

> > PHP tempname() Arg: http://securitytracker.com/alerts/2006/Apr/1015881.html
> >
> > PHP crashing Apache: http://securitytracker.com/alerts/2006/Apr/1015880.html

These two require someone to be able to place code on the server. If they can do that you have bigger problems :)

Terry Dooher wrote:
> If I read these right, jailing Apache and PHP should mitigate
> the potential damage.

Correct.

Terry Dooher wrote:
> SecChrootDir in mod_security will only jail apache, though, not PHP, so I
> don't think it will help in this case.

That's not true. SecChrootDir will chroot the entire process, including the processes created at runtime (after chroot takes place). (One does need to be careful with "process daemons", such as mod_cgid, though, as they may spawn before the chroot call. This should not happen with 1.9.3 but it's better to check.)

However, I don't think it is possible to add SecChrootDir to an already-running shared hosting platform. It would break too many things.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
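The two filters proposed in this thread, Terry's length check ".{4097,}" on POST_PAYLOAD|QUERY_STRING and Ivan's "compress\.zlib:" check on ARGS_VALUES, can be tried out offline. The Python below is an added example; it is not ModSecurity source and not code from either poster. It re-creates how a SecFilterSelective rule selects request locations and applies its regex, then runs both rules over constructed sample requests. Assumptions: the location handling is a simplified emulation of ModSecurity 1.9 (QUERY_STRING and POST_PAYLOAD are the raw strings, ARGS_VALUES are the URL-decoded parameter values), and the patterns are compiled with Python's default re flags, under which "." does not cross a newline, as in PCRE's default; whether the ModSecurity build in question matched the same way is not established here, so the multi-line case shows the emulation's behaviour only.

```python
"""Offline emulation of the two ModSecurity 1.x SecFilterSelective rules
from this thread, run against constructed sample requests.

Added example: not ModSecurity source and not code from either poster.
The location handling is a simplified re-creation of ModSecurity 1.9
behaviour (an assumption), good enough to see which rule fires on what.
"""
import re
from urllib.parse import parse_qsl

# The rules exactly as written in the thread, with a label for reporting.
RULES = [
    ('SecFilterSelective "POST_PAYLOAD|QUERY_STRING" ".{4097,}"', "oversize-input"),
    (r'SecFilterSelective ARGS_VALUES compress\.zlib:', "compress.zlib-wrapper"),
]


def parse_rule(line):
    """Split 'SecFilterSelective <locations> <regex>' into its parts.

    Handles double-quoted and bare tokens, which is all these rules use.
    The regex is compiled with Python's default flags; like PCRE's default,
    '.' does not match a newline (assumption: ModSecurity 1.9 did the same).
    """
    tokens = re.findall(r'"([^"]*)"|(\S+)', line)
    parts = [quoted or bare for quoted, bare in tokens]
    if len(parts) != 3 or parts[0] != "SecFilterSelective":
        raise ValueError("unsupported rule: " + line)
    return parts[1].split("|"), re.compile(parts[2])


def request_locations(query_string, post_body):
    """Map the location names used in the thread to request data.

    QUERY_STRING and POST_PAYLOAD are the raw strings; ARGS_VALUES are the
    URL-decoded parameter values from both (simplified emulation).
    """
    args = parse_qsl(query_string, keep_blank_values=True)
    args += parse_qsl(post_body, keep_blank_values=True)
    return {
        "QUERY_STRING": [query_string],
        "POST_PAYLOAD": [post_body],
        "ARGS_VALUES": [value for _, value in args],
    }


def evaluate(query_string, post_body, rules=RULES):
    """Return the labels of all rules whose regex matches one of the
    selected locations, in rule order (empty list: request passes)."""
    locations = request_locations(query_string, post_body)
    hits = []
    for line, label in rules:
        names, regex = parse_rule(line)
        if any(regex.search(item) for name in names for item in locations.get(name, [])):
            hits.append(label)
    return hits


# Constructed sample requests (not captured traffic).
PADDED_QUERY = "x=" + "A" * 4200                      # padding past the 4096-byte mark
ZLIB_ARG = "file=compress.zlib%3A%2F%2Fupload.gz"     # encoded; decodes to compress.zlib://
FORUM_POST = "body=" + "lorem ipsum " * 400           # 4800-char legitimate post on one line
FORUM_MULTILINE = "body=" + "\n".join(["lorem ipsum dolor sit amet"] * 200)  # ~5400 chars, short lines
BENIGN = ("id=42", "name=steve")


def demo():
    """Run every sample through both rules and report which fired."""
    return {
        "padded": evaluate(PADDED_QUERY, ""),
        "zlib": evaluate("", ZLIB_ARG),
        "forum": evaluate("", FORUM_POST),             # the false positive Terry warns about
        "forum_multiline": evaluate("", FORUM_MULTILINE),
        "benign": evaluate(*BENIGN),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:16} -> {hits or 'pass'}")
```

Running it shows the padded query string and the compress.zlib:// argument being caught, the benign request passing, and the 4800-character single-line forum post also being caught, which is exactly the false positive Terry mentions. The multi-line post of similar size passes in this emulation because "." stops at each newline, so a regex length check is not the same thing as a byte count; check how your ModSecurity build behaves before relying on either reading. Note also that the compress.zlib rule only fires because ARGS_VALUES is decoded: the raw body carries "compress.zlib%3A", which the regex would not match.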
