Mod_security and SQL Injection

ziceva

Member
May 10, 2010
7
0
51
Bucuresti, Romania
It seems like SQL Injection is still possible with mod_security installed ... simply by putting the SQL code in a comment like /*! code_here */ ... this is a version dependent comment so will be executed by mysql, but it's not checked by mod_security (because it is a comment ...)

I tried matching /*! ... with no success ... I tried matching ! and got hits only if the exclamation mark is alone ... as soon as it comes with /*! it doesn't get a match ...

Any ideas an this?

Let me explain by example:

The problem: ht tp://example.com/test.php?id=1/*! UNION SELECT whatever */ does not get blocked
Solution 1 (let's block ! ..):
ht tp://example.com/test.php! (get's blocked)
ht tp://example.com/test.php/*! (does not get blocked)