beta it republik » News

PHP Evasion Possibilities for ModSecurity 2.x Users

The ModSecurity 2.1.0-rc7 Reference Manual seems to be missing an important section on PHP peculiarities and impedance mismatch. So Ivan Ristic has pulled together a list for the benefit of new users:


  • Impedance mismatch: since web application firewalls interpret input data independently from the systems they are protecting, there is a danger of information slipping through because of different interpretations. PHP is especially vulnerable to this issue because the engine was designed to be error friendly and "helpful".
  • Register Globals: when "register_globals" is set to "On" request parameters are automatically converted to script variables. In some PHP versions it is even possible to override the array.
  • Whitespace at the Beginning of Parameter Names: whitespace at the beginning of parameter names is ignored. (This is very dangerous if you are writing rules to target specific named variables.)
  • Whitespace in Parameter Names: the remaining whitespace (in parameter names) is converted to underscores. The same applies to dots and to a "[" if the variable name does not contain a matching closing bracket. (Meaning that if you want to exploit a script through a variable that contains an underscore in the name you can send a parameter with a whitespace or a dot instead.)
  • Cookies and Cookie Names: cookies can be treated as request parameters. The discussion about variable names applies equally to the cookie names.
  • EGPCS: the order in which parameters are taken from the request and the environment is EGPCS (environment, GET, POST, Cookies, built-in variables). This means that a POST parameter will overwrite the parameters transported on the request line (in QUERY_STRING).
  • magic_quotes_gpc: when "magic_quotes_gpc" is set to "On" PHP will use backslash to escape the following characters: single quote, double quote, backslash, and the null byte.
  • magic_quotes_sybase: if "magic_quotes_sybase" is set to "On" only the single quote will be escaped using another single quote. In this case the "magic_quotes_gpc" setting becomes irrelevant.
  • Nested Arrays: PHP will automatically create nested arrays. For example "p[x][y]=1" results in a total of three variables.
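The name normalisation the list describes, as an added example that is not part of the original post or of ModSecurity itself: a simplified Python emulation of PHP's parameter-name handling (leading spaces, spaces and dots, a lone "[", nested arrays), used to match a rule against the name PHP will actually see instead of the raw name on the wire. The functions php_name, php_args and rule_hits are names chosen here; the emulation follows the bullets above rather than PHP's own source, and it treats "whitespace" as the space character.

```python
"""Added example (not from the original post or from ModSecurity): a
simplified emulation of how PHP normalises request-parameter names, so a
rule keyed on a fixed parameter name is checked against the name PHP
registers rather than the raw name in the request."""
from urllib.parse import parse_qsl


def php_name(raw):
    """Return (base_name, [index, ...]) roughly as PHP registers them."""
    name = raw.lstrip(" ")                      # leading spaces are ignored
    cut = name.find("[")
    head = name if cut == -1 else name[:cut]
    head = head.replace(" ", "_").replace(".", "_")   # spaces and dots -> '_'
    if cut == -1:
        return head, []
    rest = name[cut:]
    if "]" not in rest:                         # lone '[' is just another '_'
        return head + "_" + rest[1:], []
    indices = []
    while rest.startswith("[") and "]" in rest: # p[x][y] -> nested array
        end = rest.index("]")
        indices.append(rest[1:end])
        rest = rest[end + 1:]
    return head, indices


def php_args(query):
    """Flatten a query string into {php_visible_name: value}; a later
    occurrence wins, the same way a POST value overrides a GET value."""
    seen = {}
    for raw, value in parse_qsl(query, keep_blank_values=True):
        base, indices = php_name(raw)
        seen[base + "".join(f"[{i}]" for i in indices)] = value
    return seen


def rule_hits(query, target="user_name", needle="'"):
    """Compare a rule that inspects only the raw parameter name with one
    that inspects the PHP-normalised name. Returns (raw_hit, normalised_hit);
    the pair differs exactly when the mismatch lets a value slip past."""
    raw = dict(parse_qsl(query, keep_blank_values=True))
    raw_hit = needle in raw.get(target, "")
    norm_hit = needle in php_args(query).get(target, "")
    return raw_hit, norm_hit
```

A rule written as `ARGS:user_name` sees only the first tuple element; applying it to the normalised names from php_args closes the gap for the space, dot and leading-space variants in one place.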