Adding new PHP injection rules

coreruleset · Jul 2, 2013 · 0f07cbb · 0f07cbb
1 parent 895a7f9
commit 0f07cbb
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/CHANGES b/CHANGES
@@ -8,9 +8,13 @@
 Security Fixes:
 
 Improvements:
+* Updatd the /util directory structure
 * Added scripts to check Rule ID duplicates
 * Added script to remove v2.7 actions so older ModSecurity rules will work
   - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/43
+* Added new PHP rule (958977) to detect PHP exploits (Plesk 0-day from king cope)
+  - http://seclists.org/fulldisclosure/2013/Jun/21
+  - http://blog.spiderlabs.com/2013/06/honeypot-alert-active-exploits-attempts-for-plesk-vulnerability-.html
 
 
 Bug Fixes:
@@ -22,8 +26,13 @@ Bug Fixes:
   - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/36
 * Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2
   - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/34
+* ModSecurity: No action id present within the rule - ignore_static.conf
+  - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/17
 * "Bad robots" rule blocks all Java applets on Windows XP machines
   - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/16
+* duplicated rules id 981173
+  - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/18
+
 
 == Version 2.2.7 - 12/19/2012 ==
 

diff --git a/base_rules/modsecurity_crs_40_generic_attacks.conf b/base_rules/modsecurity_crs_40_generic_attacks.conf
@@ -232,5 +232,7 @@ SecRule TX:PM_SCORE "@eq 0" "phase:2,id:'981134',rev:'2',ver:'OWASP_CRS/2.2.8',m
 	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
 	        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958976',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
 
+	SecRule QUERY_STRING "@pm allow_url_include= safe_mode= suhosin.simulation= disable_functions= open_basedir= auto_prepend_file= php://input" \
+		"phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'1',accuracy:'9',t:none,t:urlDecodeUni,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958977',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
 
 SecMarker END_PM_CHECK