Greetings,
Currently I'm fiddling around with mod_security for apache2 configurations on CentOS boxes, right now in a test environment first (i.e. a separate non-production box).
CentOS includes the mod_security "Core Rule Set" by Breach Security Inc, the devs behind that module.
So far everything's mostly running: logs, audit logs etc.
For simple testing, I made a small PHP form as follows:
Code:
<?php
// Deliberately vulnerable test target: the parameter is concatenated straight into the SQL
$link = mysql_connect("localhost", $user, $pass); // un/pw obfuscated for forum post
$dbsel = mysql_select_db($db);
// $_REQUEST holds both GET and POST parameters, so the same script serves either form method
if (isset($_REQUEST['meh']))
{
    $sql = "SELECT name FROM users WHERE id = " . $_REQUEST['meh'];
    var_dump($sql);
    $res = mysql_query($sql);
    if ($res === false)
    {
        var_dump(mysql_error()); // show why the query failed instead of feeding false to mysql_fetch_array()
    }
    else
    {
        while ($row = mysql_fetch_array($res))
        {
            var_dump($row);
        }
    }
}
mysql_close($link);
?>
<form method="GET" action='wibble.php'>
<input type='text' name='meh' />
<input type='submit' value='submit' name='submit' />
</form>
So far so good. As soon as I enter there e.g.
Code:
21832 OR 1=(SELECT COUNT(*) from users)
I'll get a mod_security log entry in the website's error log as well as in mod_security's audit logs, looking like the following:
website's error log file:
Code:
[Thu Jul 22 17:17:50 2010] [error] [client <IP>] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 6, SQLi=, XSS=): 900048-Detects chained SQL injection attempts 1/2"] [hostname "<WEBSITE>"] [uri "/wibble.php"] [unique_id "QnrIfgoYJQQAACE3HlUAAAAA"]
audit.log
Code:
URL IP - - [22/Jul/2010:17:17:50 +0100] "GET /wibble.php?meh=%2721832%27+OR+1%3D(SELECT+COUNT(*)+FROM+users)&submit=submit HTTP/1.1" 200 167 "-" "-" QnrIfgoYJQQAACE3HlUAAAAA "-" /20100722/20100722-1717/20100722-171750-QnrIfgoYJQQAACE3HlUAAAAA 0 2732 md5:a824ec2816b0c479db80bc91659e7eec
Code:
--38105e3c-A--
[22/Jul/2010:17:17:50 +0100] QnrIfgoYJQQAACE3HlUAAAAA <IP> 57085 10.24.37.4 443
--38105e3c-B--
GET /wibble.php?meh=%2721832%27+OR+1%3D(SELECT+COUNT(*)+FROM+users)&submit=submit HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.6) Gecko/20100628 Ubuntu/10.04 (lucid) Firefox/3.6.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: name=v2; SESSID=ghd7c2od5p594s4962so1j62o7
--38105e3c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 167
Connection: close
Content-Type: text/html; charset=UTF-8
--38105e3c-E--
--38105e3c-H--
Message: Pattern match "(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])" at ARGS:meh. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "91"] [id "900048"] [msg "Detects chained SQL injection attempts 1/2"] [data "or 1=("] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]
Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 6, SQLi=, XSS=): 900048-Detects chained SQL injection attempts 1/2"]
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/test/www/wibble.php on line 14
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP Stack trace:
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP 1. {main}() /home/test/www/wibble.php:0
Apache-Error: [file "/builddir/build/BUILD/php-5.1.6/sapi/apache2handler/sapi_apache2.c"] [line 270] [level 3] PHP 2. mysql_fetch_array() /home/test/www/wibble.php:14
Apache-Handler: php5-script
Stopwatch: 1279815470205054 413084 (919 9773 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
Server: Apache
--38105e3c-Z--
This is all fine and works as expected (disregarding the malformed SQL string anyway).
However, as soon as I switch the form action from GET to POST, I don't get any log entries, nothing is checked, and the code is executed (as I do get the var_dump() output printed).
mod_security is set to allow the methods GET HEAD POST OPTIONS, stated in
/etc/httpd/modsecurity/modsecurity_crs_10_config.conf in the line
Code:
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
which, as seen, works (I removed POST from it once for testing, and the code wouldn't get that far).
Now, what I'm wondering is: why is the attempted POST SQL injection not captured? Have I missed some default configuration in the CRS which lets it through, or does the CRS by default not deal with it (which would surprise me, though)?
Any information's greatly appreciated.
If further logs or conf printouts are needed, I can post those.
/edit: I reckon this belongs in the security forums, but if the server forum's the appropriate address, I'll be happy to request a move.
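A way to separate "the rule doesn't match" from "the engine never looked at the body", as an added example that is not part of the original post nor ModSecurity/CRS code: the regex below is copied from the 900048 match printed in section H of the audit log above and run over the same `meh` parameter once as a query string (what ModSecurity calls ARGS_GET) and once as the identical `application/x-www-form-urlencoded` body (ARGS_POST). The `body_access` flag is my stand-in for the `SecRequestBodyAccess` directive (ModSecurity only populates ARGS_POST when the engine reads the body), and the lowercasing mirrors the lowercased `[data "or 1=("]` field in the log; both are modelling assumptions, not the engine's own code.

```python
import re
from urllib.parse import parse_qs

# Pattern copied verbatim from the rule 900048 match in the audit log above.
CRS_900048 = re.compile(
    r'(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|'
    r'(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|'
    r'(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*["=(])'
)

# Query string taken from the audit log's request line above (constructed test input,
# identical to what the GET form sent).
QUERY = "meh=%2721832%27+OR+1%3D(SELECT+COUNT(*)+FROM+users)&submit=submit"


def args_from_get(query_string):
    """ARGS_GET: parameters the engine sees from the request line alone."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def args_from_post(body, body_access):
    """ARGS_POST: populated only when the engine buffers the body.

    body_access models SecRequestBodyAccess On/Off (assumption: with it Off the
    body is passed through to the handler unread and the collection stays empty).
    """
    if not body_access:
        return {}
    return {k: v[0] for k, v in parse_qs(body).items()}


def evaluate_900048(args):
    """Return [(arg_name, matched_text)] for every argument the rule fires on.

    Input is lowercased first, mirroring the lowercased [data "or 1=("] the
    audit log shows for the original GET request.
    """
    hits = []
    for name, value in args.items():
        m = CRS_900048.search(value.lower())
        if m:
            hits.append((name, m.group(0)))
    return hits


def compare_methods(body_access):
    """Run the rule over the same parameters delivered via GET and via POST."""
    get_hits = evaluate_900048(args_from_get(QUERY))
    post_hits = evaluate_900048(args_from_post(QUERY, body_access))
    return get_hits, post_hits


if __name__ == "__main__":
    for flag in (False, True):
        g, p = compare_methods(flag)
        print(f"SecRequestBodyAccess {'On' if flag else 'Off'}: GET hits={g} POST hits={p}")
```

The rule fires on the POST copy the moment the body is read, so the pattern itself is not what differs between the two methods; a `grep -r SecRequestBodyAccess /etc/httpd/` on the box tells you whether the engine was ever handed the body in the first place.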
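The engine-level setting worth checking before touching the CRS, shown as an added example rather than text from the original post, the CRS, or the CentOS package (the file path is an assumption and the limit values are illustrative, not package defaults):

```apache
# Assumed location: /etc/httpd/conf.d/mod_security.conf (whichever file loads mod_security2)

# Weak: the request body is never read, so ARGS_POST stays empty and every rule that
# inspects ARGS only ever sees query-string parameters. A POST of the same payload goes
# straight through to PHP, which is the GET-logs/POST-doesn't behaviour described above.
# In ModSecurity 2.x this is also the behaviour when the directive is absent.
SecRequestBodyAccess Off

# Corrected: buffer and parse request bodies so phase 2 rules see POST parameters too.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
```

ModSecurity parses `application/x-www-form-urlencoded` and `multipart/form-data` bodies into ARGS on its own; other content types need a request body processor selected by a rule. After restarting httpd, resend the injection as a body with `curl -k --data-urlencode 'meh=21832 OR 1=(SELECT COUNT(*) FROM users)' https://<HOST>/wibble.php` and look for that request's unique_id in the audit log.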