This repository has been archived by the owner on May 14, 2020. It is now read-only.

Rule 933210 PHP Injection Attack FP #1626

Open
emphazer opened this issue Nov 19, 2019 · 6 comments

@emphazer
Contributor

Rule 933210 PHP Injection Attack FP

Type of Issue

Incorrect blocking (false positive)

Description

curl 'localhost/picture(5)(4).jpg'

[msg "PHP Injection Attack: Variable Function Call Found"] [data "Matched Data: (5)(4) found within REQUEST_FILENAME: /picture(5)(4).jpg"]

Your Environment

  • CRS version (e.g. v3.2.0):
  • ModSecurity version (e.g. 2.9.3):

any ideas?

@emphazer
Contributor Author

@theMiddleBlue do you have any ideas?

@theMiddleBlue
Contributor

theMiddleBlue commented Nov 19, 2019

Hi @emphazer

The rule tries to catch PHP code injection bypass techniques such as (string)"system"("uname");. Maybe we can remove the REQUEST_FILENAME from the rule; I need to do some tests. I'll update this issue with more information.

thanks!

@dune73
Contributor

dune73 commented Dec 2, 2019

I am not sure this is what we want.

How about URLs like /app/index.php/connector/<parameter>. On a reverse proxy, this is part of the REQUEST_FILENAME.

But I agree we need to do something about the false positive.

@theMiddleBlue
Contributor

> How about URLs like /app/index.php/connector/<parameter>. On a reverse proxy, this is part of the REQUEST_FILENAME.

totally agree, didn't think about it. need more time to test :/
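
The trade-off discussed in this exchange, as an added sketch that is not part of the thread or of the CRS code base: `VARIABLE_CALL` is a simplified stand-in pattern, not the regex of rule 933210, and the sample requests are constructed from the strings quoted above. It compares which targets are flagged with and without REQUEST_FILENAME in the inspected set.

```python
import re

# Simplified stand-in (an assumption, NOT the CRS regex for rule 933210):
# a parenthesised or quoted expression immediately followed by a call "(...)".
VARIABLE_CALL = re.compile(r"""(?:\([^()]*\)|"[^"]*"|'[^']*')\s*\([^()]*\)""")


def targets(request_filename, args, inspect_filename=True):
    """Return the (name, value) pairs that would be inspected."""
    out = [("ARGS:" + key, value) for key, value in args.items()]
    if inspect_filename:
        out.insert(0, ("REQUEST_FILENAME", request_filename))
    return out


def matches(request_filename, args=None, inspect_filename=True):
    """Names of the targets in which the stand-in pattern matches."""
    return [name
            for name, value in targets(request_filename, args or {}, inspect_filename)
            if VARIABLE_CALL.search(value)]


# Constructed sample requests: (REQUEST_FILENAME, ARGS)
CASES = {
    # the file name from the issue report
    "image": ("/picture(5)(4).jpg", {}),
    # the string quoted in the thread, sent as a parameter value
    "arg": ("/app/index.php", {"q": '(string)"system"("uname");'}),
    # the same string as a path parameter behind a reverse proxy
    "path": ('/app/index.php/connector/(string)"system"("uname");', {}),
}


def report(inspect_filename):
    """Map each sample request to the targets that would trigger."""
    return {label: matches(filename, args, inspect_filename)
            for label, (filename, args) in CASES.items()}


if __name__ == "__main__":
    for flag in (True, False):
        print("inspect REQUEST_FILENAME =", flag, report(flag))
```

With the file name inspected, the image path is flagged alongside the real matches; with it excluded, the false positive disappears but so does the match on the path-borne string.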

@lifeforms lifeforms self-assigned this Dec 2, 2019
@github-actions

github-actions bot commented Apr 2, 2020

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

@github-actions github-actions bot added the Stale issue label Apr 2, 2020
@emphazer emphazer removed the Stale issue label Apr 2, 2020
@emphazer
Contributor Author

emphazer commented Apr 2, 2020

any news here?
