FP on 932150 (PL1) with payload "ping" and "time"
Description
$ crssandbox -d "foo=ping tests broken"
...
932150 PL1 Remote Command Execution: Direct Unix Command Execution
...
Audit Logs / Triggered Rule Numbers
[2022-03-04 10:04:23.251575] [-:error] 127.0.0.1:33906 YiHWFxV2mSN4XfIw_cXfcQAAABc [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:^|=)\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\".*\")\\s+|!\\s*|\\$)*\\s*(?:'|\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\"\\./\\x5c]+/)?[\\x5c'\"]*(?:l[\\x5c'\"]*(?:s(?:[\\x5c'\"]*(?:b[\\x5c'\"]*_[\\x5c'\"]*r[\\x5c'\"]*e[\\x5c'\"] ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "438"] [id "932150"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: ping found within ARGS:foo: ping tests broken"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YiHWFxV2mSN4XfIw_cXfcQAAABc"]
Your Environment
- CRS version (e.g., v3.2.0): 3.4-dev
- Paranoia level setting: PL1
- ModSecurity version (e.g., 2.9.3): irrelevant
- Web Server and version (e.g., apache 2.4.41): irrelevant
- Operating System and version: irrelevant
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
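Added example (Python, not CRS project code): a small harness that runs a simplified, constructed 932150-style command-word pattern over labelled sample ARGS values, once with "ping" and "time" in the word list and once without, to show what dropping the words fixes (the reported FP) and what coverage it gives up. The word lists, the regex and the samples are constructed stand-ins for illustration, not the real rule.

```python
import re

# Constructed stand-in for the shape of rule 932150 at PL1: the ARGS value
# must start (or follow "=") with a listed Unix command word followed by a
# word boundary.  Short word lists, NOT the real CRS rule.
WORDS_BEFORE = ("ls", "cat", "ping", "time", "wget", "curl")
# The same list without the everyday English words that PR #2457 removed.
WORDS_AFTER = ("ls", "cat", "wget", "curl")

def build_rule(words):
    """Compile a 932150-like pattern for the given command-word list."""
    alternation = "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))
    return re.compile(r"(?:^|=)\s*(?:%s)\b" % alternation)

def evaluate(rule, samples):
    """Return {value: (fired, is_false_positive)} for each labelled sample."""
    results = {}
    for value, is_attack in samples.items():
        fired = rule.search(value) is not None
        results[value] = (fired, fired and not is_attack)
    return results

def false_positives(results):
    """Values the rule fired on although they are labelled benign."""
    return sorted(v for v, (_, fp) in results.items() if fp)

def missed_attacks(results, samples):
    """Values labelled as attacks that the rule did not fire on."""
    return sorted(v for v, (fired, _) in results.items() if samples[v] and not fired)

# Constructed sample ARGS values, labelled True when they are command injection.
SAMPLES = {
    "ping tests broken": False,        # the FP reported in this issue
    "time to restart the job": False,  # another plain-English false positive
    "ls -la /etc": True,
    "cat /etc/passwd": True,
    "ping -c 1 127.0.0.1": True,       # coverage the word removal gives up
}

if __name__ == "__main__":
    for name, words in (("before", WORDS_BEFORE), ("after", WORDS_AFTER)):
        res = evaluate(build_rule(words), SAMPLES)
        print(name, "FPs:", false_positives(res),
              "missed:", missed_attacks(res, SAMPLES))
```

For a single application, the alternative to shrinking the shared word list is a local exclusion such as `SecRuleUpdateTargetById 932150 "!ARGS:foo"`, which keeps the rule's coverage for every other parameter.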
Top GitHub Comments
Hi @vandanrohatgi, thanks for your insight.
For now, due to time constraints, and balancing risk with false positives and maintenance load, we had already decided to remove the problematic words from rule 932150. I have made PR #2457 for this.
We are open to better solutions, and I think your regexp is a great start, so I will leave this issue open so we can discuss further.
Take a look at the SSRF ruleset for examples on different ways to use IP/names.