[Owasp-modsecurity-core-rule-set] [BUG Report] Restricted extensions rule bug

dreamice dreamice.jiang at gmail.com
Wed Dec 29 20:50:08 EST 2010


Dear Ryan,
I just found a bug in the Restricted extensions rule.

The original rules are:
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \

SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,setvar:tx.extension=‘.%{tx.1}/’,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
        SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
I tested and debugged it, but this rule does not work right. So I saw that the
rule sets tx.extension with two more single quotes (''), but the setvar does
not set the two single quotes.
For example, if you request the base name test.log, the rule sets
tx.extension to '.log/', but the restricted_extensions is .log. They are
not equal and the rule cannot be matched.

I hope you can run a test and update the rules. Thanks a lot.

Best regards,

dreamice
2010-12-30
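
The mismatch described in the report above, modelled in Python as an added example (not part of the original message and not CRS or ModSecurity code). It assumes `@within` is a plain substring test of the input against the parameter and that the quote characters end up stored in tx.extension as the report states; the function names and the shortened extension list are constructed for illustration, and t:urlDecodeUni is not modelled.

```python
import re

# Constructed, shortened copy of tx.restricted_extensions from the quoted rule.
RESTRICTED_EXTENSIONS = ".asa/ .bak/ .com/ .config/ .ini/ .log/ .sql/"


def within(needle, haystack):
    """Model of @within: true when the input occurs anywhere in the parameter."""
    return needle in haystack


def extension_value(basename, quoted):
    """Model of the first rule in the chain.

    Lowercases the basename (t:lowercase), captures everything after the
    first dot with the rule's regex, and builds the value stored in
    tx.extension. With quoted=True the single quotes are kept as part of
    the stored value, which is the behaviour the report describes.
    """
    match = re.search(r"\.(.*)$", basename.lower())
    if match is None:
        return None  # first rule did not match, so the chained rule never runs
    value = "." + match.group(1) + "/"
    return "'" + value + "'" if quoted else value


def is_blocked(basename, quoted):
    """True when the chained @within check would match for this basename."""
    ext = extension_value(basename, quoted)
    return ext is not None and within(ext, RESTRICTED_EXTENSIONS)


if __name__ == "__main__":
    for name in ("test.log", "TEST.LOG", "index.html", "page.co"):
        print(name,
              "unquoted:", is_blocked(name, quoted=False),
              "quoted:", is_blocked(name, quoted=True))
    # The trailing "/" is what keeps a partial extension from matching:
    # ".co" is a substring of ".com/", but ".co/" is not in the list.
    print(within(".co", RESTRICTED_EXTENSIONS), within(".co/", RESTRICTED_EXTENSIONS))
```

With the quotes stored in the value, no basename can match the list, so the policy rule fails open without any error being logged.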