
Detect `$ {` PHP injection

Open lifeforms opened this issue 3 years ago • 7 comments

Description

In #2668, it was shown that PHP variables can be accessed by `$ {` (note the space between the chars).

As @theMiddleBlue found, PL1 can be bypassed, for example:

```php
print_r($ {'_SER'.'VER'});
```

We have a rule 932130, which fires on `${` to detect unix shell snippets. I checked but in the shell, adding a space between `$` and `{` doesn't work:

```
# testy=123
# echo ${testy}
123
# echo $ {testy}
$ {testy}
```

But in PHP it works. So the right place to detect this is not the rule 932130, but a new rule, with a different attack class: PHP code injection.

Your Environment

  • CRS version (e.g., v3.2.0): nightly
  • Paranoia level setting: 2
  • ModSecurity version (e.g., 2.9.3): 2.9.3
  • Web Server and version (e.g., apache 2.4.41): apache
  • Operating System and version: n/a

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

lifeforms, Jul 17 '22 15:07
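
The distinction drawn in the issue above, as an added example that is not part of the original issue or of the CRS code base: a Python sketch in which a simplified stand-in for a `${` check misses the spaced form, while a separate pattern catches it. Both regexes, the check names and the URL-encoded sample values are constructed assumptions, not the actual rule 932130 or any CRS rule; allowing any run of whitespace (not only a single space) is a generalization made here.

```python
import re
from urllib.parse import unquote_plus

# Simplified stand-in for a check that fires on "${".
# Assumption: this is NOT the real regex of rule 932130.
ADJACENT = re.compile(r"\$\{")

# Hypothetical separate PHP-injection check: "$", whitespace, then "{".
# Assumption: any whitespace run is accepted, not just one space.
SPACED = re.compile(r"\$\s+\{")


def detect(raw_value):
    """Return the names of the checks matching a URL-encoded parameter value."""
    value = unquote_plus(raw_value)  # decode first, as a WAF transformation would
    hits = []
    if ADJACENT.search(value):
        hits.append("dollar-brace")
    if SPACED.search(value):
        hits.append("php-spaced-dollar-brace")
    return hits


# Constructed sample parameter values (URL-encoded), labelled by intent.
SAMPLES = {
    "php spaced (from the issue)": "print_r(%24%20%7B'_SER'.'VER'%7D)%3B",
    "php spaced, '+' as space": "print_r(%24+%7B'_SER'.'VER'%7D)%3B",
    "shell expansion": "echo+%24%7Btesty%7D",
    "shell with space (printed literally by the shell)": "echo+%24+%7Btesty%7D",
    "benign text": "total+%245+%7Bincl.+tax%7D",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:50} {unquote_plus(raw)!r:35} -> {detect(raw)}")
```

The fourth sample shows why the spaced form belongs to a PHP attack class: it is inert in the shell, so a match on it says nothing about shell injection.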

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

github-actions[bot], Nov 15 '22 01:11

Notta di Stale!

lifeforms, Nov 15 '22 08:11