ModSecurity: MS3 false positive: incorrect match of HTTP POST body with string in`lfi-os-files.data'

Describe the bug

strings in lfi-os-files.data beginning with “.” are incorrectly matched against HTTP requests, "Matched “Operator PmFromFile' with parameter lfi-os-files.data’” is incorrectly reported and traffic is blocked.

Logs and dumps

2019/07/24 19:16:45 [warn] 51957#51957: *22640 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator PmFromFile' with parameter lfi-os-files.data’ against variable ARGS_NAMES:json.profile.array_0' (Value: json.profile.array_0’ ) [file “/etc/yottaa-nginx/modsecurity.d//site.d/www_website_com/…/crs3.0.2/REQUEST-930-APPLICATION-ATTACK-LFI.conf”] [line “9”] [id “930120”] [rev “4”] [msg “OS File Access Attempt”] [data “Matched Data: .profile found within ARGS_NAMES:json.profile.array_0: json.profile.array_0”] [severity “2”] [ver “OWASP_CRS/3.0.0”] [maturity “9”] [accuracy “9”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-lfi”] [tag “OWASP_CRS”] [tag “OWASP_CRS/WEB_ATTACK/FILE_INJECTION”] [tag “WASCTC/WASC-33”] [tag “OWASP_TOP_10/A4”] [tag “PCI/6.5.4”] [hostname “127.0.0.1”] [uri “/www_website_com”] [unique_id “15639958055.218714”] [ref “o4,8v0,20t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo4,8v0,20t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo4,8v0,20t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t (10 characters omitted)”], client: 127.0.0.1, server: _, request: “POST /www_website_com HTTP/1.1”, host: “localhost:8080”

Use the curl command below, MS3 will block, MS2 will not. If you change “profile” to “.profile” in the curl command JSON, MS2 will then correctly block.

To Reproduce

notice the “profile” string in the JSON:

curl --header “Content-Type: application/json” --request POST --data ‘{“profile”:[“JimmyJohn”,“”,“99999999999”],“shippingAddress”:[“800 main street”,“United States of America”,“99999”,“Waltham”,“MA”,“Residential”,“”,“”],“validate”:false,“addressId”:“”}’ http://localhost:8080/www_website_com

Expected behavior

I expected MS3 to allow this HTTP POST (as MS2 does).

Server (please complete the following information): ModSecurity v3.0.3 commit 6ab464a nginx version: openresty/1.13.6.2 ModSecurity-nginx-1.0.0 CentOS Linux release 7.3.1611 (Core) kernel: 3.10.0-514.16.1.el7.x86_64

Rule Set (please complete the following information): OWASP CRS 3.0.2

Additional context

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 21 (19 by maintainers)

Most upvoted comments

I think the problem is with this behavior:

  • lfi list contains “.profile” pattern (explicitly with a dot - not “profile”, without dot)
  • user send “profile” pattern without dot, not “.profile”
  • even so, the engine evaluates it as matching

It’s similar, if the rule contains @rx array, and looks up the ARGS_NAMES|ARGS|XML:/* - but none of them contains array - the engine now will catch it.

Hope now it’s clear.

+2
airween on Sep 17, 2019

That discussion is better to take place at the CRS community on the CRS GitHub project.

As mentioned earlier I don’t think .profile by itself represents a lfi nor a threat. Very common to find websites with key as such: user.profile equals something. If that was up to me, I would review what is considered to be a lfi, possible by splitting this rule in more than one. But, I don’t have the context, the CRS community should be able to give you better assistance on that subject.

+1
zimmerle on Sep 18, 2019
Read more comments on GitHub
← ModSecurity: ModSecurity collection expirevar does not work
ModSecurity: Multipart: Final boundary missing. →