Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive on PHP SESSION cookie (ID: 942100) #145

Open
pryley opened this issue Jan 14, 2019 · 0 comments
Open

False positive on PHP SESSION cookie (ID: 942100) #145

pryley opened this issue Jan 14, 2019 · 0 comments

Comments

@pryley
Copy link

pryley commented Jan 14, 2019
edited
Loading

One of the users of our software is getting a SQLi false positive (id: 942100) on the contents of a PHP SESSION cookie:

Matched Data: n&1 found within REQUEST_COOKIES:_glsr_session: f1348d75e7764ae938dcf4357e9a19f1||1547417923||1547417563"

The contents of the SESSION cookie are as follows:

  1. "||" is used as the delimiter.

  2. The first part is a MD5 encoded string that serves as the session ID. This string is generated with the following code: md5(( new PasswordHash( 8, false ))->get_random_bytes( 32 ));

  3. The second part is the expiry timestamp string. This string is generated with the following code: time() + (24 * 60); // 24 minutes

  4. The third and final part is the expiry reset timestamp string. This string is generated with the following code: time() + (30 * 60); // 30 minutes

I'm guessing that the problem here is being caused by the delimiter, particularly the specific part of the string that is: 1||1. Perhaps libinjection is reading this as 1 OR 1.

Possible temporary solution:

Based on this issue, I have determined that a temporary fix would be to create a custom exception rule to the Modsecurity config:

SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES:_glsr_session"

However, this is less than ideal as I cannot expect all of my users (or at least the ones with modsecurity active on their server) to have the knowledge and ability to do this.

Possible permanent solution:

If my assumptions above are correct, then the permanent solution (other than libinjection improving its detection routines) is to change the delimiter I am using to something else (i.e. __). However, since I do not use modsecurity, it will be impossible for me to verify this.

Here is the full error from the error log:

ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'n&1' [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within REQUEST_COOKIES:_glsr_session: f1348d75e7764ae938dcf4357e9a19f1||1547417923||1547417563"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "the-website.com"] [uri "/"] [unique_id "XDuyP1V58gUkpQnNW14QXQAAAQc"]
pryley added a commit to pryley/site-reviews that referenced this issue Jan 14, 2019
@pryley
v3.1.6 release
cb0d565 
- Fixed a potential [modsecurity false positive](client9/libinjection#145)
pryley added a commit to pryley/site-reviews that referenced this issue Jan 14, 2019
@pryley
v3.1.7 release
d4da05e 
- Fixed Akismet integration
- Fixed Blacklist IP validation
- Fixed a potential [modsecurity false positive](client9/libinjection#145)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pryley