Thanks,

This is definitely a bug in the Core Rule Set. You can use this rule instead of the one you have, until I issue an additional version of the core rule set:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS \
"(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
"deny,log,status:501,id:50013,severity:2,msg:'PHP Injection Attack'"
Or for version 1.2:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS \
"(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
"deny,log,status:501,id:950013,severity:2,msg:'PHP Injection Attack'"
~ Ofer
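To see what the one-token change does, the following added script (not from the thread or the Core Rule Set itself) runs Ofer's corrected pattern and the original bare `<\?` pattern side by side over a few constructed argument values. It assumes case-insensitive matching as a stand-in for the lowercase transformation rule sets typically apply before the regex runs.

```python
import re

# Ofer's corrected pattern (copied from the reply above): "<\?" now carries a
# negative lookahead so an XML declaration "<?xml" no longer trips the rule.
FIXED_PATTERN = (
    r"(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)"
    r"|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)"
    r"|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)"
    r"|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))"
)
# The pattern Dan was running, which ends in a bare "<\?" and therefore fires
# on the "<?" that opens every XML declaration.
ORIGINAL_PATTERN = FIXED_PATTERN.replace(r"<\?(?!xml)", r"<\?")

# Assumption: IGNORECASE stands in for the t:lowercase transformation applied
# before matching; every construct in this pattern behaves the same in PCRE
# and in Python's re module.
FIXED = re.compile(FIXED_PATTERN, re.IGNORECASE)
ORIGINAL = re.compile(ORIGINAL_PATTERN, re.IGNORECASE)


def verdicts(payload: str) -> tuple:
    """Return (original_rule_fires, fixed_rule_fires) for one argument value."""
    return (ORIGINAL.search(payload) is not None,
            FIXED.search(payload) is not None)


# Constructed sample POST argument values, not taken from the thread.
SAMPLES = {
    "xml_order": '<?xml version="1.0"?><order><id>42</id></order>',
    "php_tag": "<?php echo 'hi'; ?>",
    "php_func": 'file=fopen("/tmp/x")',
    "superglobal": "q=$_GET[id]",
    "xml_with_php": '<?xml version="1.0"?><a><?php ?></a>',
    "plain": "hello world",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        before, after = verdicts(value)
        print(f"{name:14} original={before!s:5} fixed={after!s:5}")
```

Only the plain XML document changes verdict: a PHP open tag that happens to sit inside an XML body is still caught, because the lookahead only exempts the `<?` that is immediately followed by `xml`.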
From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dan Rossi
Sent: Thursday, November 30, 2006 5:40 AM
To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [mod-security-users] turning off filter for xml in post payload
It seems this rule is trapping XML in POST payloads,
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS \
"(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?)" \
"auditlog,id:50013,phase:2,severity:4,msg:'(default/generic_attacks.conf) PHP Injection Attack'"
Is there a way to allow XML starting with <?xml in that rule, or would this be correct?
#SecRule !ARGS:TNO "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"
SecRule ARGS:TNO "!(<\?xml)" "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"
The first one didn't work.