Synapse windows command injection false positive · Issue #2998 · coreruleset/coreruleset · GitHub
Synapse windows command injection false positive #2998
Closed
@fuomag9

Description

---wxhp0Kfp---B--
PUT /_matrix/federation/v1/send/1668004491987 HTTP/1.1
Content-Length: 1058
User-Agent: Synapse/1.71.0
Content-Type: application/json
Authorization: X-Matrix origin CENSOR
Host: chat.fuo.fi:443

---wxhp0Kfp---C--
{"origin":"libera.chat","origin_server_ts":1668361864315,"pdus":[{"auth_events":["CENSOR","$CENSOR"],"content":{"body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say \"type this one line and you are good\"","format":"org.matrix.custom.html","formatted_body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say "type this one line and you are good"","msgtype":"m.text"},"depth":552560,"hashes":{"sha256":"CENSOR"},"origin":"libera.chat","origin_server_ts":1668361864211,"prev_events":["CENSOR"],"room_id":"CENSOR","sender":"@Whiskey`:libera.chat","signatures":{"libera.chat":{"ed25519:t4fjCr":"CENSOR"}},"type":"m.room.message","unsigned":{"age_ts":1668361864211}}]}

---wxhp0Kfp---F--
HTTP/1.1 200
Server:
Server:
Date: Sun, 13 Nov 2022 17:51:04 GMT
Content-Type: application/json
Access-Control-Allow-Origin: *
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization, Date
Strict-Transport-Security: max-age=63072000

---wxhp0Kfp---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[;\n\r`]|t[\"\^]*i[\"\^]*m[\"\^]*e|(?:\|)?\||&?&|\{)\s*(?:['(,@\"\s])*(?:(?:(?:[\x5c'\"\^]*\w[\x5c'\"\^]*:.*|[\^\.\w '\"/\x5c]*)\x5c|[\w'\"\./]+\/))?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\" (5113 characters omitted)' against variable `ARGS:json.pdus.array_0.content.formatted_body' (Value: `it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say "type  (36 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "229"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ;type this one line and you are good&quot found within ARGS:json.pdus.array_0.content.formatted_body: it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just (52 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "CENSOR"] [uri "/_matrix/federation/v1/send/1668004491987"] [unique_id "166836186474.987131"] [ref "o94,41v41,136"]

Audit Logs / Triggered Rule Numbers

932115

Your Environment

  • CRS version (e.g., v3.2.0): 4.0-dev
  • Paranoia level setting:
  • ModSecurity version (e.g., 2.9.3): latest
  • Web Server and version (e.g., apache 2.4.41): nginx
  • Operating System and version: ubuntu

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
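To show why 932115 fires on this message (an added illustration, not code from the CRS project or from Synapse): the HTML-escaped quote `&quot;` in `formatted_body` ends with `;`, which satisfies the rule's command-separator alternative, and the word `type` that follows it is a Windows command name. The pattern below is a deliberately simplified stand-in for that separator-then-command shape, not the real rule, and the entity check is a hypothetical diagnostic, not a CRS transformation.

```python
import html
import re

# Constructed sample: the formatted_body value quoted in the audit log above,
# with the HTML-escaped quotes (&quot;) that Synapse's formatted_body carries.
FORMATTED_BODY = (
    "it was, you want a cache server. no go RTFM, its FAR to complex of a subject "
    "to just say &quot;type this one line and you are good&quot;"
)

# Simplified stand-in for the shape visible at the start of the truncated 932115
# regex: a command separator, optional whitespace, then a Windows command name.
# Assumption: illustration only; the real rule covers far more separators,
# obfuscations and command names than this.
SEPARATOR = r"(?:[;\n\r`]|\|\|?|&?&|\{)"
COMMAND = r"(?:type|dir|del|copy|echo|cmd|powershell)"
SIMPLIFIED_932115 = re.compile(SEPARATOR + r"\s*" + COMMAND + r"\b", re.IGNORECASE)

# Matches an HTML entity (named, decimal or hex) that ends exactly at end of string.
ENTITY_TAIL = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);$")


def find_command_match(value):
    """Return the matched separator+command text, or None if nothing matched."""
    m = SIMPLIFIED_932115.search(value)
    return m.group(0) if m else None


def separator_is_entity_terminator(value):
    """True when the ';' that satisfied the separator is really the end of an
    HTML entity such as &quot; rather than a command separator."""
    m = SIMPLIFIED_932115.search(value)
    if not m or value[m.start()] != ";":
        return False
    return ENTITY_TAIL.search(value[: m.start() + 1]) is not None


def match_after_unescape(value):
    """Run the simplified check on the HTML-decoded value: the entity's ';' is
    gone, so the decoded text no longer looks like separator+command."""
    return find_command_match(html.unescape(value))


if __name__ == "__main__":
    print("raw match:     ", find_command_match(FORMATTED_BODY))
    print("entity-caused: ", separator_is_entity_terminator(FORMATTED_BODY))
    print("decoded match: ", match_after_unescape(FORMATTED_BODY))
    # A genuine separator-then-command value still matches after decoding.
    print("real separator:", match_after_unescape("name=x; type notes.txt"))
```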
