Type of Issue
incorrect bypass (false negative)

Description
I bypassed this pull issue #355
In rule id = 933110, this behavior returns true:
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][5] Rule 7f05037de688: SecRule "FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name" "@rx .*\\.(?:php\\d*|phtml)\\.*$" "phase:2,log,auditlog,id:933110,block,capture,t:none,t:lowercase,msg:'PHP Injection Attack: PHP Script File Upload Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-php,tag:platform-multi,tag:attack-injection-php,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:OWASP_TOP_10/A1,ctl:auditLogParts=+E,ver:OWASP_CRS/3.1.0,severity:CRITICAL,setvar:tx.msg=%{rule.msg},setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] T (0) lowercase: "test.php."
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Transformation completed in 2 usec.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Executing operator "rx" with param ".*\\.(?:php\\d*|phtml)\\.*$" against REQUEST_HEADERS:X_Filename.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Target value: "test.php."
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Added regex subexpression to TX.0: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Operator completed in 5 usec.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Ctl: Set auditLogParts to ABIJDEFHZE.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.msg=%{rule.msg}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{rule.msg} to: PHP Injection Attack: PHP Script File Upload Found
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.msg" to "PHP Injection Attack: PHP Script File Upload Found".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.php_injection_score=+%{tx.critical_anomaly_score}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Recorded original collection variable: tx.php_injection_score = "0"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Relative change: php_injection_score=0+
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.php_injection_score" to "0".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Recorded original collection variable: tx.anomaly_score_pl1 = "0"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Relative change: anomaly_score_pl1=0+
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.anomaly_score_pl1" to "0".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Setting variable: tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{rule.id} to: 933110
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{MATCHED_VAR_NAME} to: REQUEST_HEADERS:X_Filename
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{tx.0} to: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Set variable "tx.933110-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-REQUEST_HEADERS:X_Filename" to "test.php.".
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{TX.0} to: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{MATCHED_VAR_NAME} to: REQUEST_HEADERS:X_Filename
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Resolved macro %{MATCHED_VAR} to: test.php.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][2] Warning. Pattern match ".*\\.(?:php\\d*|phtml)\\.*$" at REQUEST_HEADERS:X_Filename. [file "/etc/modsecurity/rules/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "111"] [id "933110"] [msg "PHP Injection Attack: PHP Script File Upload Found"] [data "Matched Data: test.php. found within REQUEST_HEADERS:X_Filename: test.php."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"]
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][4] Rule returned 1.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8ab0a0][/][9] Match -> mode NEXT_RULE.
But, by replacing X_Filename with X.Filename:
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8a90a0][/][5] Rule 7f05037de688: SecRule "FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name" "@rx .*\\.(?:php\\d*|phtml)\\.*$" "phase:2,log,auditlog,id:933110,block,capture,t:none,t:lowercase,msg:'PHP Injection Attack: PHP Script File Upload Found',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-php,tag:platform-multi,tag:attack-injection-php,tag:OWASP_CRS/WEB_ATTACK/PHP_INJECTION,tag:OWASP_TOP_10/A1,ctl:auditLogParts=+E,ver:OWASP_CRS/3.1.0,severity:CRITICAL,setvar:tx.msg=%{rule.msg},setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}"
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8a90a0][/][4] Rule returned 0.
[] [localhost/sid#7f04f62b5cf8][rid#7f04ff8a90a0][/][9] No match, not chained -> mode NEXT_RULE.
In my PHP application, X.Filename is understood as X_Filename:

GET /test.php HTTP/1.1
Host: localhost
Accept: */*
X.Filename: test.php.tmp
Connection: close
And rule id = 933111 is the same.
Your Environment
I tested on my Ubuntu 16.04, PHP version 7.3 and the latest CRS version (v3.0.2).
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
I guess you meant false negative here.
Confirmed. Since dot is not valid in a variable in PHP it is transformed to underscore.
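The mismatch confirmed above is a canonicalization gap: the rule selects headers by their literal names (X-Filename, X_Filename, X-File-Name), while the application sees every spelling through the CGI/$_SERVER mapping, which collapses separators. The script below is an added example written for this thread, not CRS or ModSecurity code. It models that mapping on the CGI convention (uppercase, every non-alphanumeric character replaced by an underscore, HTTP_ prefix; this is stated as an assumption, not taken from the page), applies rule 933110's lowercase transform and regex from the log to two constructed requests, and shows that selecting headers by canonical name closes the gap that literal-name selection leaves open.

```python
import re

# Operator and transformation of rule 933110 exactly as quoted in the issue log:
# the target is lowercased (t:lowercase) and then tested with @rx.
RULE_933110_RX = re.compile(r".*\.(?:php\d*|phtml)\.*$")

# Header names the CRS 3.1 rule selects literally (from the SecRule line in the log).
LITERAL_TARGETS = {"X-Filename", "X_Filename", "X-File-Name"}


def cgi_env_name(header_name: str) -> str:
    """Map a raw header name to its CGI / $_SERVER key.

    Assumption (not from the issue): the web server follows the CGI convention of
    uppercasing the name, replacing every non-alphanumeric byte with '_' and
    prefixing HTTP_. Under that mapping 'X.Filename', 'X-Filename' and
    'X_Filename' all become HTTP_X_FILENAME, which is what the reporter's
    application sees.
    """
    return "HTTP_" + "".join(c.upper() if c.isalnum() else "_" for c in header_name)


def literal_matches(headers):
    """Behaviour shown in the issue: only headers whose raw name is in the rule's
    variable list are inspected at all. Returns the (name, value) pairs that fire."""
    hits = []
    for name, value in headers:
        if name in LITERAL_TARGETS and RULE_933110_RX.search(value.lower()):
            hits.append((name, value))
    return hits


def canonical_matches(headers):
    """Mitigation: select headers by canonical CGI name, so every spelling the
    application will treat as X_Filename is inspected with the same operator."""
    wanted = {cgi_env_name(n) for n in LITERAL_TARGETS}
    hits = []
    for name, value in headers:
        if cgi_env_name(name) in wanted and RULE_933110_RX.search(value.lower()):
            hits.append((name, value))
    return hits


# Constructed requests modelled on the two captures in the issue; the header
# value "test.php." is the target value shown in the first debug log.
REQUEST_UNDERSCORE = [("Host", "localhost"), ("X_Filename", "test.php.")]
REQUEST_DOT = [("Host", "localhost"), ("X.Filename", "test.php.")]


def summarize():
    """Return, per request, what literal and canonical selection each detect."""
    return {
        "underscore": (literal_matches(REQUEST_UNDERSCORE), canonical_matches(REQUEST_UNDERSCORE)),
        "dot": (literal_matches(REQUEST_DOT), canonical_matches(REQUEST_DOT)),
    }


if __name__ == "__main__":
    for label, (literal, canonical) in summarize().items():
        print(f"{label}: literal selection -> {literal}; canonical selection -> {canonical}")
```

ModSecurity's regex collection selector (`REQUEST_HEADERS:/pattern/`) can express the canonical form inside the rule itself rather than enumerating spellings; the broader lesson for any WAF rule that names a parameter or header is to match on the form the application canonicalizes to, not on the raw wire spelling.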
Sorry, I edited.