This repository has been archived by the owner on May 14, 2020. It is now read-only.

No libinjection check on last path segment #1328

Closed
theseion opened this issue Mar 21, 2019 · 5 comments
Labels
PR available this issue is referenced by an active pull request

Comments

@theseion
The libinjection rule doesn't perform checks against the last path segment. That allows attackers to spam a webserver with URLs like the following:

https://domain.com/a/b/some-page_name999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
@theMiddleBlue theMiddleBlue added the PR available this issue is referenced by an active pull request label Apr 15, 2019
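
The coverage gap reported above, as an added example that is not part of the original issue or the project's code: it lists which values a rule inspects for a request and shows that the URL from the issue is only flagged once the decoded last path segment is among them. Assumptions: the target names mirror ModSecurity's `ARGS`, `ARGS_NAMES` and `REQUEST_BASENAME` variables, the pre-fix target list is simplified to query arguments, and a small regex stands in for libinjection.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# URL quoted in the issue above.
ISSUE_URL = ("https://domain.com/a/b/some-page_name999999.1%20union%20select"
             "%20unhex(hex(version()))%20--%20and%201%3D1")
# Constructed sample inputs.
BENIGN_URL = "https://waf-test.example/a/b/some-page_name999999.1"
QUERY_URL = "https://waf-test.example/search?q=1%20union%20select%20null"

# Stand-in detector (assumption): the real rule calls libinjection, which is
# not reimplemented here. This only recognises a "union select" sequence.
SQLI_HINT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


def inspection_targets(url, include_basename):
    """Return {target name: decoded value} for the values a rule would inspect."""
    parts = urlsplit(url)
    targets = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        targets[f"ARGS_NAMES:{name}"] = name
        targets[f"ARGS:{name}"] = value
    if include_basename:
        # Last path segment, percent-decoded before inspection.
        targets["REQUEST_BASENAME"] = unquote(parts.path.rsplit("/", 1)[-1])
    return targets


def matched_targets(url, include_basename):
    """Names of the inspected targets that the stand-in detector flags."""
    return [name for name, value in inspection_targets(url, include_basename).items()
            if SQLI_HINT.search(value)]


if __name__ == "__main__":
    for url in (ISSUE_URL, BENIGN_URL, QUERY_URL):
        print(url)
        print("  without basename:", matched_targets(url, False))
        print("  with basename:   ", matched_targets(url, True))
```
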
@ssiar-fastly

Appreciate a response to this! @fgsch

@fgsch
Contributor

fgsch commented Aug 1, 2019

@ssiar-fastly Please see PR above.

@dune73
Contributor

dune73 commented Aug 2, 2019

PR #1329 superseded by PR #1492.

PR #1492 has been merged. It fixes this issue. Closing this.

@dune73 dune73 closed this as completed Aug 2, 2019
@theseion
Author

theseion commented Aug 5, 2019

Awesome! Thanks @dune73!

@dune73
Contributor

dune73 commented Aug 5, 2019

You're most welcome. Glad we could merge this. Thank you for the initiative.
