OWASP 3.3.2 and "ping" with rules 932150 and 1234123447
Hello
FYI I was confronted with the blocking of an interface following modsecurity blocking by rule N°1234123447
Precisely the request: "?_wblapi=/forsef/v1/ping"
Triggers rule N°1234123447 because of the term "ping"
In bold just below.
There's a debate about this on the GitHub coreruleset project: "ping" (and "time") is planned to be removed from the regex of rule 932150, but only for the next v3.4 dev, which is not yet in a stable state. The PR for rule 932150 is here: Core Rule Set Project
Regards
ModSecurity: Access denied with code 501, [Rule: 'ARGS' '(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))'] [id "1234123447"] [msg "System Command Injection"] [logdata "/ping"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [uri "/?_wblapi=/forsef/v1/ping"]
-
Hey there! Thanks for posting this - if they plan to remove that rule, I'd say it's safe for you to whitelist it on your machine if you haven't done so already.
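An added example of the whitelisting suggested above; it is not from this thread or from the CRS project. It scopes the exclusion to the one query argument that legitimately carries an API path (`_wblapi`, from the blocked request on this page) instead of disabling the command-injection rule for the whole site. The log above shows id 1234123447 carrying the 932150 regex, so both ids are listed; that they are two separate rules on your install is an assumption, as are the local rule ids 10001 and 10002 and the file names in the comments.

```apache
# Added example (not from the thread or the CRS project): exclude only the
# "_wblapi" argument from the command-injection check, keeping the rule
# active for every other argument, header and body field.
# Ids 10001/10002 are assumptions; 1-99999 is the range ModSecurity reserves
# for local rules, so they cannot collide with CRS ids.

# Option A: runtime exclusion. Must be loaded BEFORE the CRS rules
# (e.g. REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, an assumed file name).
# The ctl actions only fire when the _wblapi value starts with the expected
# API prefix, so the same string in any other argument is still inspected.
SecRule ARGS_GET:_wblapi "@beginsWith /forsef/v1/" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=932150;ARGS:_wblapi,\
    ctl:ruleRemoveTargetById=1234123447;ARGS:_wblapi"

# Option B: startup-time exclusion. Must be loaded AFTER the CRS rules
# (e.g. RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, an assumed file name).
# Unconditional for that one argument; the rules still apply elsewhere.
SecRuleUpdateTargetById 932150 "!ARGS:_wblapi"
SecRuleUpdateTargetById 1234123447 "!ARGS:_wblapi"
```

Use one option, not both. After a reload, the request `/?_wblapi=/forsef/v1/ping` should no longer produce a 932150 or 1234123447 entry in the audit log, while the same `/ping` value placed in a different argument must still be blocked; if it is not, the exclusion is broader than intended. Re-check the exclusion once the CRS 3.4 change removing "ping" lands, since it may then be unnecessary.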
-
Yes, already done ;) thx