Modsecurity rules problem #2605

Closed
shaghayegh9574 opened this issue Aug 14, 2021 · 3 comments

@shaghayegh9574

Hello everybody,
I am using ModSecurity v3.0.5 with nginx v1.20.1.
When I tried to test the nginx configuration, I had a problem with two rules. I can't understand what the problem is.
First rule is:

SecRule REQUEST_FILENAME "@contains /wp-admin/admin-ajax.php" \
	"id:234790,chain,msg:'RCE in Drag and Drop File Upload Contact Form 1.3.3.2 Plugin for WordPress||%{tx.domain}|%{tx.mode}|2',phase:2,block,log,t:none,t:urlDecode,t:normalizePath,rev:2,severity:2,tag:'CWAF',tag:'WPPlugin'"
SecRule ARGS:action "@streq dnd_codedropz_upload" \
	"chain,t:none,t:urlDecode"
SecRule &ARGS:upload-file "@ge 1" \
	"chain,t:none"
SecRule ARGS:supported_type|ARGS:filename "@contains %" \
	"t:none,t:urlDecode"

and the result of the nginx test is:

nginx: the configuration file /nginx/conf/nginx.conf syntax is ok
nginx: configuration file /nginx/conf/nginx.conf test is successful t:none,t:urlDecode

The syntax test is ok, but what are these two words at the end of the result: t:none,t:urlDecode?
And the second rule is:

SecRule TX:drupal_xmlrpc "@eq 1" \
	"id:231011,chain,msg:'Brute-Force Amplification in Drupal 6.x before 6.38 and 7.x before 7.43 (CVE-2016-3163)||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Drupal'"
SecRule REQBODY_ERROR "@eq 0" \
	"chain,t:none"
SecRule XML://methodName/text() "@contains system.multicall" \
	"chain,t:none,t:lowercase"
SecRule &XML://member[*][name='methodName'] "@ge 10" \
	"t:none"

and the result of the nginx test is:

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /rule.conf. Line: 1216. Column: 55. Expecting a variable, got: : ='methodName'] "@ge 10" \ in nginx.conf:34
nginx: configuration file nginx.conf test failed

Thanks in advance for any suggestion.

@martinhsv
Contributor

Hi @shaghayegh9574 ,

For the first of the two rules that you mention, I expect you are hitting a parsing anomaly caused by the literal '%' sign. There is an open issue for that here: #2553 . You should probably consider using one of the two alternatives provided there.

I'm not sure offhand what the problem is with your second rule. Do you have sample input that you are trying to detect?

@martinhsv
Contributor

martinhsv commented Aug 17, 2021

Hi @shaghayegh9574 ,

It looks like a problem with using the equals sign in xpath expressions has previously been reported. See this open issue: #2328

In your specific case, perhaps using something like contains() instead of an equality operator might be a usable workaround.
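To make concrete what the chain in rule 231011 tests (a system.multicall body carrying at least 10 methodName members) and why a contains()-style predicate is equivalent for well-formed bodies, here is an added Python check; it is example code written for this thread, not ModSecurity's or the CWAF rule set's own code. The XML-RPC body shape is a constructed sample, and the helper names and the threshold constant are assumptions that mirror the rule's "@ge 10".

```python
import xml.etree.ElementTree as ET

MULTICALL_THRESHOLD = 10  # the "@ge 10" in rule 231011 (assumed name)


def build_multicall(n_calls: int) -> bytes:
    """Constructed XML-RPC system.multicall request with n_calls inner calls."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>user.login</string></value></member>"
        "<member><name>params</name><value><array><data/></array></value></member>"
        "</struct></value>"
        for _ in range(n_calls)
    )
    return (
        "<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
        "<params><param><value><array><data>" + calls + "</data></array></value></param></params>"
        "</methodCall>"
    ).encode()


def is_multicall_amplification(body: bytes, threshold: int = MULTICALL_THRESHOLD) -> bool:
    """Python equivalent of the chained checks in rule 231011."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # REQBODY_ERROR "@eq 0": a body that did not parse is not evaluated here
        return False
    # XML://methodName/text() "@contains system.multicall" with t:lowercase
    method = (root.findtext("methodName") or "").lower()
    if "system.multicall" not in method:
        return False
    # &XML://member[*][name='methodName'] "@ge 10": count <member> elements whose
    # <name> child is exactly 'methodName'. A contains(name,'methodName') predicate,
    # as suggested above, selects the same members when the name text is exact.
    count = sum(
        1 for m in root.iter("member")
        if (m.findtext("name") or "").strip() == "methodName"
    )
    return count >= threshold
```

Running is_multicall_amplification(build_multicall(10)) returns True, while 9 inner calls, a non-multicall method, or a malformed body return False.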

@martinhsv martinhsv self-assigned this Aug 19, 2021
@martinhsv
Contributor

Since both items discussed here are duplicates of already-open issues, I will go ahead and close this.
