Hi Elia,
On Sat, Dec 18, 2021 at 06:24:43AM +0100, Elia Pinto wrote:
> Is it possible to make a rule for mod_security for cve-2021-40438 if
> mod_security operates in reverse proxy mode? Any idea how this could be a
> rule for CRS?
CRS has a really good tool:
http://sandbox.coreruleset.org.
For more details you can read this article:
https://coreruleset.org/20211209/introducing-the-crs-sandbox/
I looked up this vulnerability, and found this:
https://firzen.de/building-a-poc-for-cve-2021-40438
My test and result were:
$ curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 4" "https://sandbox.coreruleset.org/?unix:testsocket|http://test/"
920273 PL4 Invalid character in request (outside of very strict set)
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 8)
980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=3,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 0, 0, 0, 8
So it looks like CRS (3.4/dev) protects Apache, but only on PL4.
The triggered rules were:
920273:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L1533-L1549
942432:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L1554-L1573
Rules 949110 and 980130 triggered because they check the
transaction anomaly scores. The effective protection comes from the
other two rules, which are what you are looking for IMHO.
If you've found any other attack types, please let me know.
Regards,
a.
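The following is an added example, not part of the original message and not CRS or ModSecurity code. It models the two rules that fired in the sandbox test above (920273 and 942432) as a small anomaly-scoring check run over constructed Apache access-log lines, so a reader can see why the request target from the test reaches the CRS inbound threshold. The per-rule points are read off the sandbox output (total 8 with SQLI=3, so 920273 contributed 5); the "very strict" byte set and the special-character class are approximations of the real rules and are labelled as assumptions in the code.

```python
"""Toy model of CRS rules 920273 and 942432 run over access-log lines.

Added example, not CRS code. The log lines are constructed; the second one
carries the request target used in the sandbox test in the message above.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (Apache common log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Dec/2021:06:30:01 +0100] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [18/Dec/2021:06:30:02 +0100] "GET /?unix:testsocket|http://test/ HTTP/1.1" 200 512
192.0.2.12 - - [18/Dec/2021:06:30:03 +0100] "GET /search?q=httpd&page=2 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: the PL4 "very strict set" of 920273 approximated as
# alphanumerics plus & , - . : = _ (anything else is an invalid character).
VERY_STRICT = re.compile(r'^[A-Za-z0-9&,\-.:=_]*$')

# Assumption: the special-character class counted by 942432 (threshold 2 at PL4).
SPECIAL = re.compile(r'''[~!@#$%^&*()\-+={}\[\]|:;"'`<>]''')

# Anomaly points per rule, taken from the sandbox output in the message:
# total 8, SQLI share 3, so the protocol-enforcement rule contributed 5.
RULE_SCORES = {920273: 5, 942432: 3}
INBOUND_THRESHOLD = 5  # CRS default inbound anomaly threshold


def extract_args(target):
    """Return (name, value) query parameters, the rough equivalent of ARGS."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)


def evaluate(target):
    """Score one request target; return (anomaly_score, matched_rule_ids)."""
    args = extract_args(target)
    matched = []
    # 920273: any argument name or value outside the very strict byte set.
    if any(not VERY_STRICT.match(part) for name, value in args for part in (name, value)):
        matched.append(920273)
    # 942432: two or more special characters in a single argument name or value.
    if any(len(SPECIAL.findall(part)) >= 2 for name, value in args for part in (name, value)):
        matched.append(942432)
    score = sum(RULE_SCORES[r] for r in matched)
    return score, matched


def scan_log(text):
    """Parse log lines and return (ip, target, score, rules) for those at or above threshold."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        score, rules = evaluate(m["target"])
        if score >= INBOUND_THRESHOLD:
            flagged.append((m["ip"], m["target"], score, rules))
    return flagged


if __name__ == "__main__":
    for ip, target, score, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} score={score} rules={rules}")
```

Only the second line is flagged, with a score of 8 from the same two rules as the sandbox run; the benign query string scores 0. Because both rules are PL4 rules, the same request would score 0 at the default paranoia level, which is the caveat the message makes about protection being available "only on PL4".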