Mod_Security Bypass Login (CRS, SQL Injection)

  • Vulnerability: Bypass mod_security to perform SQL injection (login bypass)
  • Affected Software: OWASP ModSecurity Core Rule Set
  • Affected Version: 2.2.9 (probably also prior versions)
  • Patched Version: 3.0.0
  • Risk: Low
  • Vendor Contacted: 2014-12-07 via mail, 2015-02-18 via github
  • Vendor Fix: 2014-12-09 (in dev tree, independent of report)
  • Public Disclosure: 2015-02-18 on github

Mod_Security & Core Rule Set

mod_security is an Intrusion Detection System / Web Application Firewall for Apache, IIS, and nginx developed by SpiderLabs. As a filter list it uses the OWASP ModSecurity Core Rule Set.

Injection Payload

Using the Core ModSecurity Rule Set ver.2.2.9 with default configuration, SecRuleEngine On, and all base_rules enabled, it is possible to inject the following payload, which can be used to bypass filters in SQL queries:

foo' or true #
foo' or false #

Continue

Talk #1: Reuse Apache rules in multiple directories or websites

“Talk” is a small series about what I learned today (well, sometimes it will be.). It contains small hints, ideas, tutorials or thought on Java and php or cs and programming in general.

This part of the series will cover how to configure multiple directories or websites in apache at once using the same rules.

Continue

LogEval – Java Server Log Analyzer and Parser

LogEval parses and analyses server log files such as Apache or Nginx logs. LogEval can be used instead of web-analysis tools such as Google Analytics or Piwik to save resources or in addition to those tools to get a broader picture of the webserver traffic.

Continue

Using SVN Apache Subversion command line tool

This tutorial will cover the absolute basics of using the Apache Subversion command line tool. It is aimed at people who are using svn for the first time or who have used guis for svn before but are considering using the command line tool from now on.

Why use apache subversion command line tool

My memory is not too great, so I try to avoid using command line tools (it is quite annoying having to look up every other command in the help pages). But subversion is easy to use as it only has a couple commands. Here, I will describe the onces you will need most often (and maybe even the only once you will ever really need). The advantages of the command line are flexibility (you definitely can use all commands subversion offers, not all guis provide these), easy usage, and certainty that no extra bugs are added by a gui. Continue