
New rule 950140 to detect CGI source code leakages #1275

Merged
merged 6 commits into from Jan 5, 2019

@emphazer
Collaborator

emphazer commented Jan 3, 2019

If the CGI script processors or MIME type handlers are misconfigured,
the source code can be displayed in plain text.

for example:

#!/usr/bin/perl
#!/usr/bin/python
#!/usr/bin/ruby

@emphazer emphazer changed the title cgi source code leakage CGI source code leakage Jan 3, 2019

emphazer added some commits Jan 3, 2019

@emphazer emphazer added this to the CRS v3.2.0 milestone Jan 4, 2019

@emphazer emphazer changed the title CGI source code leakage New rule 950140 to detect CGI source code leakages Jan 4, 2019

@dune73

Collaborator

dune73 commented Jan 4, 2019

Cool. Thank you for the PR @emphazer.

This rule will block all responses starting with #!/. Correct?

Another question: You are assigning this rule severity error, not severity critical. Why is this?

@lifeforms

Collaborator

lifeforms commented Jan 4, 2019

I like this PR, not tested it yet. Shall I test and merge?

There's precedent for the ERROR severity, most of the response rules (like 950xxx, 953xxx, 954xxx) also use the ERROR severity. It's also documented in crs-setup.conf:

# - ERROR severity: Anomaly Score of 4.
#       Generated mostly from outbound leakage rules (95x files).

It's not intuitive to me also, and I also see a few response rules with CRITICAL, so maybe we should do another issue to harmonize them all, but let's integrate this PR first.

@lifeforms lifeforms self-assigned this Jan 4, 2019

@dune73

Collaborator

dune73 commented Jan 4, 2019

I know the precedent and wonder what the reasoning might have been. It also leads to 4 being the default outbound anomaly score limit. If we could shift this all to 5, it would be cleaner, I think.

Please go ahead with testing and merging. I'll assign you as reviewer.

Looking at it quickly, I got the feeling it could do with a bit more extensive description, and 1-2 tests.

@dune73

Collaborator

dune73 commented Jan 4, 2019

Oh, you self-assigned, while I wrote my comment...

@lifeforms

Collaborator

lifeforms commented Jan 4, 2019

Not sure that we can do outbound rule tests...

@dune73

Collaborator

dune73 commented Jan 4, 2019

Yes, we might have to do some acrobatics that are beyond this PR.

@emphazer

Collaborator Author

emphazer commented Jan 4, 2019

@dune73
I just used the same severity as the other rules.

Yes, it just looks for #!/ at the beginning.
Pretty simple but very effective.

In the past we had 2-3 situations where the customer made a mistake with a handler or with a MIME type declaration...
If you don't intercept it, it becomes really ugly as soon as the search engines start to cache the raw source code :)

That's why I made that rule some months ago.

@lifeforms

Collaborator

lifeforms commented Jan 4, 2019

I've tested and made just a small rule change in commit 1c5c917 to allow for whitespace between shebang and the interpreter.

For instance, #! /bin/sh is also valid, and is now also detected by the rule.

Ready to merge from me.

@emphazer

Collaborator Author

emphazer commented Jan 4, 2019

Wow, you are right.
I never saw a script with whitespace directly after the #!,
just #!/usr/bin/env bash for example. But you are absolutely right, the whitespace is optionally possible in a shebang.

@emphazer

Collaborator Author

emphazer commented Jan 4, 2019

@lifeforms please change the wildcard to a ?.
It's uncommon to use more than one space.

@lifeforms

Collaborator

lifeforms commented Jan 5, 2019

@emphazer Done!
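To illustrate the behaviour the thread settles on (a response body that starts with `#!`, at most one whitespace character, then an absolute interpreter path), here is an added Python model of the check; it is not the CRS rule text, which the PR page does not reproduce, so the regular expression and the sample responses are assumptions constructed for this example:

```python
import re

# Assumption: models the rule as described in the PR: "#!" at the very start of
# the response body, optionally ONE space or tab (the "?" requested in the
# thread), then "/" for an absolute interpreter path. Anchored with \A so a
# shebang appearing later in normal page content does not trigger it.
SHEBANG_LEAK = re.compile(r"\A#![ \t]?/")


def body_of(raw_response: str) -> str:
    """Split a raw HTTP response into headers and body and return the body.

    The rule inspects the response body only, so the status line and headers
    must be removed before matching.
    """
    parts = raw_response.split("\r\n\r\n", 1)
    return parts[1] if len(parts) == 2 else ""


def is_cgi_source_leak(body: str) -> bool:
    """Return True when the body looks like a CGI script served as plain text."""
    return SHEBANG_LEAK.match(body) is not None


def leaking_responses(responses: dict) -> list:
    """Return the names of the responses a WAF using this check would block."""
    return [name for name, raw in responses.items() if is_cgi_source_leak(body_of(raw))]


# Constructed sample responses (not real traffic). A misconfigured handler
# returns the script itself instead of its output; the body then begins with
# the interpreter line.
SAMPLE_RESPONSES = {
    "perl_script": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                   "#!/usr/bin/perl\nprint \"Content-Type: text/html\\n\\n\";\n",
    "sh_with_space": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                     "#! /bin/sh\necho ok\n",
    "env_bash": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                "#!/usr/bin/env bash\n",
    # More than one space between "#!" and "/" is not matched after the "?" change.
    "two_spaces": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  "#!  /bin/sh\n",
    # A shebang mentioned inside an HTML page is ordinary content, not a leak.
    "html_page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<html><body><pre>#!/usr/bin/perl</pre></body></html>",
}

if __name__ == "__main__":
    print(leaking_responses(SAMPLE_RESPONSES))
```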

@emphazer

Collaborator Author

emphazer commented Jan 5, 2019

Looks good. It’s ready to be merged.

@lifeforms lifeforms merged commit 4895ef7 into SpiderLabs:v3.2/dev Jan 5, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@lifeforms

Collaborator

lifeforms commented Jan 5, 2019

Done, thanks for the PR @emphazer !
