
Re: Core rules matches "cd" ???: msg#00083

apache.mod-security.user

Subject: Re: Core rules matches "cd" ???


Searching in the Referer header is indeed dangerous, and this is why the core
rule set does not do it for XSS and SQL injection signatures. However, in
this case it is a bug in the rule set. When I wrote "cd .." I meant
literally that, and "." is a regexp special char.

It should be "cd \.\."

I will post a patch shortly.

~ Ofer

> -----Original Message-----
> From: Ryan Barnett
> Sent: Tuesday, November 14, 2006 10:18 PM
> To: Chris Wakelin; Ofer Shezaf
> Cc: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: RE: [mod-security-users] Core rules matches "cd" ???
>
> The variable (locations) for this rule most likely needs to be updated to
> exclude the Referer header - !REQUEST_HEADERS:Referer. Most other
> rulesets in this file exclude the Referer header due to false positive
> hits such as this.
>
> Ryan C. Barnett
> Director of Application Security Training
> Breach Security, Inc.
> Ryan.Barnett@xxxxxxxxxx
> www.Breach.com
>
> > -----Original Message-----
> > From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx
> > [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Chris Wakelin
> > Sent: Tuesday, November 14, 2006 3:08 PM
> > To: Ofer Shezaf
> > Cc: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Re: [mod-security-users] Core rules matches "cd" ???
> >
> >
> >
> > Ofer Shezaf wrote:
> > >> Amr Wrote:
> > >>
> > >> Hello dear all,
> > >> However cd is a Linux and even Windows command ... I think that there
> > >> is no very big need to match it in the core rules of modsecurity. I'm
> > >> using modsecurity2 with its core rules,
> > >>
> > >> as this word is very short, a common word ("the optical compact
> > >> disc"), and can be contained in other words frequently .... I think you
> > >> could rewrite the regular expression regarding system command
> > >> injection so that it doesn't match it ... :)
> > >
> > > I agree, but the core rule set does not look for "cd", only for
> > > "cd ..", exactly for this reason.
> > >
> > >
> > > ~ Ofer
> > >
> >
> > What about
> >
> > GET /ContEd/images/Hazel.jpg HTTP/1.1
> > Host: www.rdg.ac.uk
> > User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
> > Accept: image/png,*/*;q=0.5
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Connection: keep-alive
> > Referer: http://209.85.129.104/search?q=cache:mhxxY_UMCFcJ:www.rdg.ac.uk/ContEd/Career%2520Studies%2520Unit/New%2520pages/Careers%2520Staff.htm+phil+mccash&hl=en&gl=uk&ct=clnk&cd=2&client=firefox-a
> > Cookie: style=Default
> >
> > which triggers
> >
> > System Command Injection Warning. Pattern match
> > "(?:(?:[\\;\\|]\\W*?\\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\\+\\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|\\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\\+\\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id))\\b|\\b(?:(?:n(?:et(?:\\b\\W*?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|w(?:g(?:uest\\.exe|et)|sh\\.exe)|(?:rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\\\/c)|hmod\\b\\.{1,100}?\\+.{1,3}x|d\\b(?:\\W*?\\\\/|\\W*\\b..))))"
> > at REQUEST_HEADERS:Referer.
> >
> > Best Wishes,
> > Chris
> >
> > --
> > --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> > Christopher Wakelin, c.d.wakelin@xxxxxxxxxxxxx
> > IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
> > Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys - and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > mod-security-users mailing list
> > mod-security-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
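An added illustration of the false positive discussed in this thread (example code written for this page, not code from the list or from the Core Rule Set): the "cd" branch of the quoted rule, run against a request like Chris's, with and without the escaped dots, and with and without Ryan's Referer exclusion. The request, header names and the shortened Google cache URL are constructed.

```python
import re

# Added example for this thread (not code from the list or the Core Rule Set).
# The "cd" branch of the rule quoted above, un-escaped from its audit-log form.
# The final two dots are unescaped, so they are wildcards: "cd" followed by
# any two characters matches, which is why Google's "cd=2&" parameter fired.
BUGGY_CD = re.compile(r"\bcd\b(?:\W*?\\/|\W*\b..)")

# Corrected form with the dots escaped, as Ofer proposes. One adjustment of
# mine: the \b before the dots is dropped, because a word boundary cannot
# occur between a space and a ".", so "\W*\b\.\." would never match "cd ..".
FIXED_CD = re.compile(r"\bcd\b(?:\W*?\\/|\W*\.\.)")


def hits(pattern, text):
    """True if the pattern matches anywhere in the text."""
    return pattern.search(text) is not None


def scan_request(pattern, headers, args, exclude_referer):
    """Mimic the rule's targets (ARGS and REQUEST_HEADERS) and return the
    list of targets that match. exclude_referer=True models Ryan's
    suggestion of !REQUEST_HEADERS:Referer."""
    found = []
    for name, value in args.items():
        if hits(pattern, value):
            found.append("ARGS:" + name)
    for name, value in headers.items():
        if exclude_referer and name.lower() == "referer":
            continue
        if hits(pattern, value):
            found.append("REQUEST_HEADERS:" + name)
    return found


# Constructed request modelled on Chris's capture (shortened): a benign image
# fetch whose Referer is a Google cache URL carrying the "cd=2" parameter.
REFERER = ("http://209.85.129.104/search?q=cache:www.rdg.ac.uk/ContEd/"
           "Careers.htm+phil+mccash&hl=en&gl=uk&ct=clnk&cd=2&client=firefox-a")
HEADERS = {"Host": "www.rdg.ac.uk", "Referer": REFERER, "Cookie": "style=Default"}
PAYLOAD = "; cd .."  # the literal "cd .." the rule is meant to catch


if __name__ == "__main__":
    print("buggy rule, all headers :", scan_request(BUGGY_CD, HEADERS, {}, False))
    print("buggy rule, no Referer  :", scan_request(BUGGY_CD, HEADERS, {}, True))
    print("fixed rule, all headers :", scan_request(FIXED_CD, HEADERS, {}, False))
    print("fixed rule on payload   :", hits(FIXED_CD, PAYLOAD))
```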


