1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Mod_security and SQL Injection

Discussion in 'Security' started by ziceva, Feb 3, 2011.

  1. ziceva

    ziceva New Member

    Joined:
    May 10, 2010
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bucuresti, Romania
    It seems like SQL Injection is still possible with mod_security installed ... simply by putting the SQL code in a comment like /*! code_here */ ... this is a version dependent comment so will be executed by mysql, but it's not checked by mod_security (because it is a comment ...)

    I tried matching /*! ... with no success ... I tried matching ! and got hits only if the exclamation mark is alone ... as soon as it comes with /*! it doesn't get a match ...

    Any ideas an this?

    Let me explain by example:

    The problem: ht tp://example.com/test.php?id=1/*! UNION SELECT whatever */ does not get blocked
    Solution 1 (let's block ! ..):
    ht tp://example.com/test.php! (get's blocked)
    ht tp://example.com/test.php/*! (does not get blocked)
     
  2. ziceva

    ziceva New Member

    Joined:
    May 10, 2010
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bucuresti, Romania
    Found the solution ... I created a separate rule for this case and it worked just fine ... previously I was trying to edit the existing rule ...
     

Share This Page