CI Session tripping Modsecurity
#1

[eluser]Mike DeFelice[/eluser]
Quick question for fellow CI users,

I have a site built on CI 1.7.2 using CI's encrypted database sessions. Sometimes, I would say once a week, my modsecurity is triggered by me with "cd /" in my cookie. I found the part and removed it, since it seems to be triggered falsely a lot. For those interested, I included the modsecurity code below.
Code:
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
        "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \

My question is, what can this code really do? I'm just curious whether the injected code only becomes a problem if it is echoed to the user, or whether it would run even on a basic command such as an if / switch, etc.

(Forgot to mention: encryption is on and everything is being stored in a database.)
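As an added example that is not part of the original post: the pattern above, copied verbatim out of the SecRule and compiled with Python's re module, run against a few constructed cookie values. It shows why a legitimate encrypted session cookie can trip the rule: CI's encrypted cookie is base64 text (assumed here), and the base64 alphabet includes "+" and "/", so a fragment like "+cd/" can occur by chance and satisfies the "cd" followed by a slash branch of the pattern. The rule's action list (including any transformations such as lowercasing) is not on the page, so the raw pattern is applied to the raw value, which is an assumption; the sample values, the serialized session string and the function names are constructed for the demonstration.

```python
import re

# The OS-command-injection pattern from the SecRule above, verbatim. Only the
# SecRule variable list, the surrounding double quotes and the trailing
# continuation backslash are dropped. (Assumption: no transformations applied.)
OS_CMD_PATTERN = re.compile(
    r"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))"
)

# Constructed sample cookie values (names and contents invented for this example).
SAMPLES = {
    # A real command-injection probe: shell metacharacter followed by a listed command.
    "injection_attempt": "abc; uname -a",
    # The fragment the poster saw: "cd" + whitespace + "/" hits the c(?:...d(?:\b\W*?[\\\/]...)) branch.
    "op_false_positive": "cd /",
    # A base64-looking token (as an encrypted CI session cookie would be) that happens
    # to contain "+cd/": "+" is a non-word char, so \b holds before "c", and "/" follows "d".
    "base64_ci_session": "Zm9v+cd/YmFyYmF6cXV4",
    # Plain serialized session data of the shape CI stores: no listed command, no hit.
    "serialized_session": 'a:2:{s:10:"session_id";s:4:"ab12";s:10:"ip_address";s:9:"127.0.0.1";}',
}


def matches_os_cmd_rule(value):
    """Return the fragment the pattern matched in one cookie value, or None.

    ModSecurity evaluates REQUEST_COOKIES per cookie value, so one value is the
    unit of inspection here too.
    """
    m = OS_CMD_PATTERN.search(value)
    return m.group(0) if m else None


def scan_cookie_values(cookies):
    """Map cookie name -> matched fragment for every value the pattern flags."""
    hits = {}
    for name, value in cookies.items():
        frag = matches_os_cmd_rule(value)
        if frag is not None:
            hits[name] = frag
    return hits


if __name__ == "__main__":
    for name, frag in scan_cookie_values(SAMPLES).items():
        print(f"{name}: blocked on {frag!r}")
```

The matched fragment is what ends up in the ModSecurity audit log; the base64 token is flagged on exactly the same three characters as the deliberate "cd /" probe, which is why a rule that inspects REQUEST_COOKIES without excluding an opaque session cookie produces this kind of periodic false positive.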
#2

[eluser]bretticus[/eluser]
I strongly doubt that CI parses session data as PHP code. You can't really do a buffer overrun. Even if you could, browsers will not send a cookie larger than 4k anyway. (Edit: okay, hackers would not send the attempt via browsers, but it is still doubtful that bash commands would ever get run in this manner.)

You ought to turn on encryption for session cookies. Also, if you have much data in your session cookies, switch to database cookies too.
#3

[eluser]Mike DeFelice[/eluser]
Thanks Brett.

It helped clear up the matter for me. I was just uncertain how an attacker would leverage these commands through cookies, but you cleared it up for me!