ReJeCtAll / naxsi

Automatically exported from code.google.com/p/naxsi

Learning mode not working correctly #27

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When a rule is not matched in the HEADERS zone, it is not redirected to deny_url.
The following rule is matched by naxsi and has an entry in the log file, but in
learning mode it is not redirected to http_config.py

2012/03/26 14:46:01 [error] 23330#0: *1 NAXSI_FMT: ip=xx.xx.xx.xx&server=www.xxx.xx&uri=/user/register&total_processed=1&total_blocked=1&zone0=ARGS&id0=1000&var_name0=artists.php?artist&zone1=ARGS&id1=1010&var_name1=artists.php?artist&zone2=ARGS&id2=1011&var_name2=artists.php?artist&zone3=ARGS&id3=1015&var_name3=artists.php?artist&zone4=ARGS&id4=1016&var_name4=artists.php?artist&zone5=ARGS&id5=1020&var_name5=artists.php?artist&zone6=ARGS&id6=1200&var_name6=artists.php?artist&zone7=ARGS&id7=1308&var_name7=artists.php?artist&zone8=ARGS&id8=1309&var_name8=artists.php?artist, client: xx.xx.xx.xx, server: ~.*xxx.xx, request: "GET /user/register?artists.php?artist=%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29 HTTP/1.1", host: "xxxx.xxx.xx"

But when a rule matches in the HEADERS zone, they are redirected to http_config.py
2012/03/26 14:17:46 [error] 23171#0: *1 NAXSI_FMT: ip=xx.xx.xx.xx&server=www.xxx.xx&uri=/images/sprite.gif&total_processed=35&total_blocked=35&zone0=HEADERS&id0=1010&var_name0=cookie&zone1=HEADERS&id1=1011&var_name1=cookie, client: xx.xx.xx.xx, server: ~.*one.bg, request: "GET /images/sprite.gif HTTP/1.1", host: "www.xxx.xxx", referrer: "http://www.xxx.xx/css/new.css"

What version of the product are you using? On what operating system?
nginx-1.0.14
naxsi-0.44
CentOS 6 x86_64

Please provide any additional information below.

Original issue reported on code.google.com by veselin....@gmail.com on 26 Mar 2012 at 11:55

GoogleCodeExporter commented 8 years ago
Seems that the problem is in how nginx handles the requests, not in naxsi
itself.

My nginx configuration looks like this:

server {
    listen 80;
    server_name test.com;
    # redirect test.com to www.test.com
    rewrite ^(.*) http://www.test.com$1 permanent;
}
server {
    listen       80;
    server_name  ~.*test.com;
    location / {
        root   /srv/test.com/www;
        include    /etc/nginx/nbs.rules;
        index  index.php;
        # fall back to index.php when no file or directory matches
        try_files $uri $uri/ /index.php?page=$uri&$args;
    }
    location ~ \.php$ {
        include    /etc/nginx/nbs.rules;
        root           /srv/test.com/www;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        include        fastcgi.conf;
    }
    location /RequestDenied {
        proxy_pass http://127.0.0.1:4242;
    }
}

If I send a request like
http://www.test.com/a.php?artist=1%0BAND%28SELECT%0B1%20FROM%20mysql.x%29
I got a row in the error log and the exception was learned by http_config.py
2012/03/29 16:01:50 [error] 20236#0: *777 NAXSI_FMT: ip=89.25.32.29&server=www.test.com&uri=/a.php&total_processed=170&total_blocked=8&zone0=ARGS&id0=1000&var_name0=artist&zone1=ARGS&id1=1010&var_name1=artist&zone2=ARGS&id2=1011&var_name2=artist&zone3=ARGS&id3=1020&var_name3=artist&zone4=ARGS&id4=1308&var_name4=artist&zone5=ARGS&id5=1309&var_name5=artist, client: xxx.xxx.xxx.xxx, server: ~.*test.com, request: "GET /a.php?artist=1%0BAND(SELECT%0B1%20FROM%20mysql.x) HTTP/1.1", host: "www.test.com

But if I send
http://www.test.com/?artist=1%0BAND%28SELECT%0B1%20FROM%20mysql.x%29

I got a row in the error log, but the request is not forwarded to http_config.py
2012/03/29 16:05:35 [error] 20236#0: *853 NAXSI_FMT: ip=89.25.32.29&server=www.test.com&uri=/&total_processed=1408&total_blocked=23&zone0=ARGS&id0=1000&var_name0=artist&zone1=ARGS&id1=1010&var_name1=artist&zone2=ARGS&id2=1011&var_name2=artist&zone3=ARGS&id3=1020&var_name3=artist&zone4=ARGS&id4=1308&var_name4=artist&zone5=ARGS&id5=1309&var_name5=artist, client: 89.25.32.29, server: ~.*test.com, request: "GET /?artist=1%0BAND(SELECT%0B1%20FROM%20mysql.x) HTTP/1.1", host: "www.test.com"

Original comment by veselin....@gmail.com on 29 Mar 2012 at 1:08
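A small parser for NAXSI_FMT entries like the two quoted in the comment above, added here as an example (it is not part of the original thread and not naxsi's own tooling). It extracts the URI and the (zone, id, var_name) matches so two entries can be compared; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the two entries quoted above
# (documentation-range IP, rule list shortened to two matches).
SAMPLE_PHP = (
    '2012/03/29 16:01:50 [error] 20236#0: *777 NAXSI_FMT: '
    'ip=192.0.2.10&server=www.test.com&uri=/a.php&total_processed=170'
    '&total_blocked=8&zone0=ARGS&id0=1000&var_name0=artist'
    '&zone1=ARGS&id1=1010&var_name1=artist, client: 192.0.2.10, '
    'server: ~.*test.com, request: "GET /a.php?artist=1 HTTP/1.1"'
)
SAMPLE_ROOT = SAMPLE_PHP.replace('uri=/a.php', 'uri=/').replace('GET /a.php', 'GET /')

# The key=value payload sits between "NAXSI_FMT: " and nginx's ", client: ".
NAXSI_RE = re.compile(r'NAXSI_FMT: (.*?), client: ')


def parse_naxsi_fmt(line):
    """Return (uri, [(zone, rule_id, var_name), ...]), or None for other lines."""
    m = NAXSI_RE.search(line)
    if m is None:
        return None
    # Split by hand and keep values raw: no percent-decoding is assumed.
    fields = dict(p.split('=', 1) for p in m.group(1).split('&') if '=' in p)
    matches = []
    n = 0
    while f'zone{n}' in fields:  # matches are numbered zone0/id0/var_name0, ...
        matches.append((fields[f'zone{n}'],
                        fields.get(f'id{n}', ''),
                        fields.get(f'var_name{n}', '')))
        n += 1
    return fields.get('uri', ''), matches


def compare_entries(line_a, line_b):
    """Return (uri_a, uri_b, same_matches) for two NAXSI_FMT log lines."""
    a, b = parse_naxsi_fmt(line_a), parse_naxsi_fmt(line_b)
    if a is None or b is None:
        raise ValueError('not a NAXSI_FMT line')
    return a[0], b[0], sorted(a[1]) == sorted(b[1])


if __name__ == '__main__':
    print(compare_entries(SAMPLE_PHP, SAMPLE_ROOT))
```

The parser expects each log entry on a single line, as nginx writes it.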

GoogleCodeExporter commented 8 years ago
Hello,

Any progress on this issue on your side?

Best regards,

Original comment by ori...@gmail.com on 11 Apr 2012 at 9:21

GoogleCodeExporter commented 8 years ago

Original comment by ori...@gmail.com on 19 Apr 2012 at 9:02

GoogleCodeExporter commented 8 years ago
Hello, in the last days I made lots of tests and I can reproduce the problem all the
time. Here is a test configuration:

server {
    listen          1984;
    server_name     'localhost';
    client_max_body_size 30M;
    location / {
        try_files $uri $uri/ /index.php?page=$uri&$args;
        root /usr/local/src/nginx-1.2.0/naxsi-0.45/t/servroot/html/;
        LearningMode;
        SecRulesEnabled;
        DeniedUrl "/RequestDenied";
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;
        index index.php;
    }
    location /RequestDenied {
        proxy_pass http://127.0.0.1:8000;
    }
    location ~ \.php$ {
    }
}

Test URL: 
http://127.0.0.1:1984/?artist=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user

Original comment by veselin....@gmail.com on 26 Apr 2012 at 10:43
