WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


CSF 2.67 - LF_MODSEC insecure regexp


DESCRIPTION

See issue 04 above for a complete explanation of this issue. The regexp for this issue looks similar to the following:


 638     if ( $log_line =~ /\[client (.*)\] mod_security: Access denied with code/ ) {
 639         return ( 'modsec from', $1, 'modsec' );
 640     }


IMPACT

Remote, unauthenticated command execution as root. LF_MODSEC is disabled by default.

This bug was not reported because it was not discovered until after it had been fixed. I believe this bug was fixed in the release that followed 2.76 as a result of reporting issue #08 (remotely block any IP address, pure-ftpd regexp).


WebhostSecurity.com © 2009 - 2020