PHP: move get_defined_functions() and friends into PL1 #1268

Merged
merged 1 commit into from Dec 25, 2018

lifeforms commented Dec 25, 2018

An interesting PHP code injection WAF bypass was posted at: https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/

In this post, indexing into get_defined_functions() is used to access blacklisted PHP functions.

As get_defined_functions and related PHP function names should be highly uncommon in normal traffic, we will block their names by default in pmf rule 933150.

PHP: move get_defined_functions() and friends into PL1
An interesting PHP code injection WAF bypass was posted at:
https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
In this post, indexing into get_defined_functions() is used to
access blacklisted PHP functions.

As "get_defined_functions" and related PHP function names should
be highly uncommon in normal traffic, we will block their names by
default in pmf rule 933150.

@lifeforms lifeforms added this to the CRS v3.2.0 milestone Dec 25, 2018
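
The false negative this PR closes, as an added example that is not part of the PR or of CRS: a case-insensitive phrase match run over constructed parameter values, first with a word list that lacks `get_defined_functions` and then with one that includes it. The base word list, the sample values and the `N`/`ARG` placeholders are assumptions for illustration; the real entries live in the rule's data file.

```python
# Added illustration: emulates case-insensitive phrase matching over request
# values. It is not the CRS rule or its data file.

# Assumption: stand-in for a PHP function-name list that predates the PR.
WORDS_BEFORE = frozenset({"system", "exec", "passthru", "shell_exec"})
# Only the name given on the page is added; the "related" names are not
# listed on the page, so none are invented here.
WORDS_AFTER = WORDS_BEFORE | {"get_defined_functions"}

# Constructed sample values. N and ARG are placeholders, not real values.
SAMPLES = {
    "direct_call": "system(ARG)",
    "indexed_call": "get_defined_functions()[internal][N](ARG)",
    "mixed_case": "Get_Defined_Functions()[internal][N](ARG)",
    "benign": "How do I define my own functions in PHP?",
    # Benign text that names the function: matching on names flags it too.
    "docs_question": "What does get_defined_functions() return?",
}
# The samples above that represent code injection attempts.
INJECTION_SAMPLES = ("direct_call", "indexed_call", "mixed_case")


def phrase_match(value, phrases):
    """Return the sorted phrases found anywhere in value, ignoring case."""
    lowered = value.lower()
    return sorted(p for p in phrases if p in lowered)


def missed(phrases):
    """Names of injection samples that no phrase in the list matches."""
    return sorted(
        name for name in INJECTION_SAMPLES
        if not phrase_match(SAMPLES[name], phrases)
    )


def flagged(phrases):
    """Names of all samples that at least one phrase matches."""
    return sorted(n for n, v in SAMPLES.items() if phrase_match(v, phrases))


if __name__ == "__main__":
    for label, words in (("before", WORDS_BEFORE), ("after", WORDS_AFTER)):
        print(label, "missed:", missed(words), "flagged:", flagged(words))
```

The indexed form never spells out the function it ends up calling, so only the accessor name is available to match on; the `docs_question` sample shows that the same match also fires on harmless text that mentions the function.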

dune73 commented Dec 25, 2018

Thank you for the PR @lifeforms. It does what it intends to do and fixes the false negative. Great it comes with two tests.

Ready to be merged as far as I am concerned.

@dune73 dune73 requested review from dune73 and removed request for dune73 Dec 25, 2018

@lifeforms lifeforms merged commit 6532e5f into SpiderLabs:v3.2/dev Dec 25, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

emphazer commented on 9fb1f27 Jan 3, 2019

@lifeforms what do you think about backporting this commit to v3.1/dev?

csanders-git replied Jan 3, 2019

Given our quick timeline for 3.2 I think it makes sense but to back patch here

dune73 replied Jan 3, 2019

Is there a typo in your statement, @csanders-git?

csanders-git replied Jan 3, 2019

Yes... Thanks. *Not to back patch

dune73 replied Jan 3, 2019

I agree. Backporting would mean a change to existing rules bringing better coverage, but also a slight potential for more FPs.
@emphazer: In your setup, it should be possible to roll out your own data file. Or am I wrong?

Other than that, we really need to bring out 3.2 in Summer.

emphazer replied Jan 4, 2019

@dune73
Sure, that's not a problem,
I just try to keep it as close as possible to the official repo.
But you are right.
We should focus more on 3.2 and consider backporting just for critical stuff.
