coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

Cookie values collision with 932250 and 932236 #19

Closed prghix closed 1 year ago

prghix commented 1 year ago

I've just hit this... Nextcloud gave this client a cookie with value lsnsd0d3arsrpnrs35m3orl4rc ... e.g. starting with ls... got denied, of course.

CRS: 4.0.0 Paranoia level: 2

How to reproduce the misbehavior (-> curl call)

```
---DbGGH79Z---B--
GET / HTTP/2.0
```

### Logs

```
---DbGGH79Z---F--
HTTP/2.0 403
Server: nginx
Date: Tue, 18 Apr 2023 11:50:07 GMT
Content-Length: 548
Content-Type: text/html
Connection: close

---DbGGH79Z---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||& (3145 characters omitted)' against variable `REQUEST_COOKIES:ocqx5m6nx2xn' (Value: `lsnsd0d3arsrpnrs35m3orl4rc' ) [file "/etc/nginx/modsec/conf.d/../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "435"] [id "932250"] [rev ""] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: ls found within REQUEST_COOKIES:ocqx5m6nx2xn: lsnsd0d3arsrpnrs35m3orl4rc"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "xxx"] [uri "/"] [unique_id "168181860725.403479"] [ref "o0,2v1899,26"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\ (5254 characters omitted)' against variable `REQUEST_COOKIES:ocqx5m6nx2xn' (Value: `lsnsd0d3arsrpnrs35m3orl4rc' ) [file "/etc/nginx/modsec/conf.d/../owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1213"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: ls found within REQUEST_COOKIES:ocqx5m6nx2xn: lsnsd0d3arsrpnrs35m3orl4rc"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "80.79.27.134"] [uri "/"] [unique_id "168181860725.403479"] [ref "o0,2v1899,26"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/conf.d/../owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "xxx"] [uri "/"] [unique_id "168181860725.403479"] [ref ""]
```

Your Environment

- CRS: 4.0.0-rc1
- Paranoia level: 2
- Nginx: 1.20.1
- OS: Rocky 9

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

lifeforms commented 1 year ago

I think we should address this in the main CRS, rather than the plugin. There is already work ongoing to add word boundary to the checks. Could you open an issue in the CRS repo instead?
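To illustrate the collision described in the report and the word-boundary fix lifeforms mentions, here is an added example that is not code from the plugin or from CRS: a deliberately simplified stand-in for the 932250/932236 command check, with and without a trailing word boundary, run over a constructed Cookie header whose session id begins with "ls". The command list, the cookie names other than the one in the log, and the anomaly-score arithmetic are assumptions for the demonstration, not the real rules.

```python
import re

# Simplified stand-in for the CRS 932250 / 932236 check (assumption, not the
# real CRS regex): a Unix command word at the start of a value or right after
# "=", optionally preceded by whitespace. The real rules list far more
# commands; "ls", "id" and "cat" are enough to show the collision.
COMMANDS = r"(?:ls|id|cat)"
PATTERN_NO_BOUNDARY = re.compile(r"(?i)(?:^|=)[\s\v]*" + COMMANDS)
# The same check with a word boundary after the command word, the kind of
# change the thread refers to: "ls" followed by a letter no longer matches.
PATTERN_WITH_BOUNDARY = re.compile(r"(?i)(?:^|=)[\s\v]*" + COMMANDS + r"\b")


def parse_cookies(header):
    """Split a Cookie header into {name: value}, like REQUEST_COOKIES."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def inspect(header, pattern, score_per_hit=5, threshold=5):
    """Run the pattern over every cookie value, accumulate an anomaly score the
    way the log above shows (5 per critical hit, block at >= 5) and report."""
    hits = [name for name, value in parse_cookies(header).items()
            if pattern.search(value)]
    score = score_per_hit * len(hits)
    return {"hits": hits, "score": score, "blocked": score >= threshold}


# Constructed sample inputs. The first mirrors the value from the report (a
# session id that merely starts with "ls"); the second is an actual command
# string, kept to show the boundary-aware check still catches it.
SESSION_COOKIE = "ocqx5m6nx2xn=lsnsd0d3arsrpnrs35m3orl4rc; nc_sameSiteCookielax=true"
INJECTION_COOKIE = "ocqx5m6nx2xn=ls -la /etc; nc_sameSiteCookielax=true"

if __name__ == "__main__":
    for label, hdr in (("session", SESSION_COOKIE), ("injection", INJECTION_COOKIE)):
        print(label, "no boundary:  ", inspect(hdr, PATTERN_NO_BOUNDARY))
        print(label, "with boundary:", inspect(hdr, PATTERN_WITH_BOUNDARY))
```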

prghix commented 1 year ago

> I think we should address this in the main CRS, rather than the plugin. There is already work ongoing to add word boundary to the checks. Could you open an issue in the CRS repo instead?

done.

azurit commented 1 year ago

@prghix Thank you, closing this!