8000 fix(list): update php-variables by fzipi · Pull Request #2668 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix(list): update php-variables #2668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 17, 2022
Merged

fix(list): update php-variables #2668

merged 1 commit into from
Jul 17, 2022

Conversation

fzipi
Copy link
Member
@fzipi fzipi commented Jun 28, 2022

Signed-off-by: Felipe Zipitria felipe.zipitria@owasp.org

  • update list with comments on where the data comes from
  • added deprecation comments on variables

Closes #2651

@fzipi
fix(list): update php-variables
8000
99b5033 
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
@fzipi fzipi requested a review from theMiddleBlue June 28, 2022 22:50
@theMiddleBlue
Copy link
Contributor

just a question: should we add ${" or ${' to this list or do we rely on other rules to catch bypass techniques?

something like the following syntax seems valid with PHP:

php > echo gettype(${'null'});
PHP Warning:  Undefined variable $null in php shell code on line 1
NULL
php > 

php > echo gettype(${'_SERVER'});
array
php > echo gettype(${'_SER'.'VER'});
array
php > echo gettype(${'_SER' /**/ . /**/ 'VER'});
array

@fzipi
Copy link
Member Author
fzipi commented Jun 30, 2022

We have 933180 and 933210. But maybe we need an additional rule? Because the technique can be applied everywhere, not just here, right?

@theMiddleBlue
Copy link
Contributor

I've just checked on the sandbox, and ${'$_SERVER'} matches:

932130 PL1 Remote Command Execution: Unix Shell Expression Found
933130 PL1 PHP Injection Attack: Variables Found

but PL1 can be bypassed by sending $ {'$_SER' . 'VER'}

curl -s -H 'x-format-output: txt-matched-rules' -d $"a=\$+{'\$_SER'+.+'VER'}" 'https://sandbox.coreruleset.org/'

Also at PL2 it's blocked by 942260 PL2 Detects basic SQL authentication bypass attempts 2/3
so, maybe it needs a new rule

@dune73 dune73 mentioned this pull request Jul 4, 2022
Closed
@fzipi
Copy link
Member Author
fzipi commented Jul 16, 2022

@lifeforms Can you review this one? Per @theMiddleBlue 's comment, we might want a new rule but that is a different story.

@lifeforms
Copy link
Member
lifeforms commented Jul 17, 2022
edited
Loading

I agree we should have a new rule similar to 932130 that detects $ {.

I checked but in the shell, the space doesn't work:

# testy=123
# echo ${testy}
123
# echo $ {testy}
$ {testy}

But in PHP it works. So the right place is not the rule 932130. With a space, it aims at a different attack, namely PHP injection. I'll create an issue for that.

@lifeforms lifeforms mentioned this pull request Jul 17, 2022
Closed
@lifeforms lifeforms merged commit 38118db into coreruleset:v4.0/dev Jul 17, 2022
@fzipi fzipi mentioned this pull request Aug 1, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@theMiddleBlue theMiddleBlue Awaiting requested review from theMiddleBlue

Assignees
No one assigned
Labels
⚡ list update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

update file php-variables.data
3 participants
@fzipi @theMiddleBlue @lifeforms
0