[Modsecurity] Some type of file injection vuln going around
Michael Shinn
mike at gotroot.com
Tue Oct 9 10:31:42 EDT 2007
On Tue, 2007-10-09 at 10:18 -0400, Ryan Barnett wrote:
> Now, to answer you questions -
> 1) You need to try and identify how this JS code was added to the html page. Was it uploaded through the website in a comment form/blog post, etc...? Or was it added by a local user who could have uploaded a new html page or edited the file locally from a command shell on the web server? In the former case, if you have the ModSecurity SecAuditEngine turned On, then you can do some quick grepping through the audit logs to identify any transactions that have this data present.
This really is the key. Its not likely this happened any other way than
thru either an upload, or an injection that allowed an upload or
modification of the code. To that end, is the JS in the index.html file
itself, or just in the content rendered by the page? If the later, how
does the site dynamically generate any of its content?
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
More information about the Modsecurity
mailing list