Mod_Security Bypass Login (CRS, SQL Injection)

  • Vulnerability: Bypass mod_security to perform SQL injection (login bypass)
  • Affected Software: OWASP ModSecurity Core Rule Set
  • Affected Version: 2.2.9 (probably also prior versions)
  • Patched Version: 3.0.0
  • Risk: Low
  • Vendor Contacted: 2014-12-07 via mail, 2015-02-18 via github
  • Vendor Fix: 2014-12-09 (in dev tree, independent of report)
  • Public Disclosure: 2015-02-18 on github

Mod_Security & Core Rule Set

mod_security is an intrusion detection system / web application firewall for Apache, IIS, and nginx, developed by SpiderLabs. Its filter rules come from the OWASP ModSecurity Core Rule Set.

Injection Payload

With the OWASP ModSecurity Core Rule Set version 2.2.9 in its default configuration, SecRuleEngine On, and all base_rules enabled, the following payloads are not blocked and can be injected into SQL queries:

foo' or true #
foo' or false #
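
An added example, not part of the original advisory: a login check built by string concatenation beside its parameterized form, run against the two payloads above to show that bound parameters neutralize them whether or not the WAF catches them. The table, function names and sample user are assumptions; SQLite (3.23 or later) stands in for the database, with MySQL's `#` comment emulated by `strip_hash_comment`.

```python
import hashlib
import sqlite3

def _digest(password):
    # Stand-in for a salted password KDF, kept short for the demo.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed sample data: one user in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", _digest("correct horse")))
    return db

def strip_hash_comment(sql):
    # Emulate MySQL, where '#' outside a string literal starts a comment
    # that runs to end of line. SQLite has no '#' comment syntax.
    in_string = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_string = not in_string
        elif ch == "#" and not in_string:
            return sql[:i]
    return sql

def login_concat(db, name, password):
    # Vulnerable: user input becomes part of the SQL text.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND pw_hash = '" + _digest(password) + "'")
    return db.execute(strip_hash_comment(sql)).fetchone()[0] > 0

def login_param(db, name, password):
    # Hardened: input is bound as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (name, _digest(password))).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "foo' or true #", "foo' or false #"):
        print(repr(name),
              "concat:", login_concat(db, name, "wrong"),
              "param:", login_param(db, name, "wrong"))
```

With a wrong password, the concatenated query accepts the `true` payload and rejects the `false` one, while the parameterized query rejects both.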
