
Mod_security and SQL Injection

Discussion in 'Security' started by ziceva, Feb 3, 2011.

  1. ziceva

    ziceva Member

    Joined:
    May 10, 2010
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    Bucuresti, Romania
    It seems like SQL injection is still possible with mod_security installed ... simply by putting the SQL code in a comment like /*! code_here */ ... this is a version-dependent comment, so it will be executed by MySQL, but it's not checked by mod_security (because it is a comment ...)

    I tried matching /*! ... with no success ... I tried matching ! and got hits only if the exclamation mark is alone ... as soon as it comes with /*! it doesn't get a match ...

    Any ideas on this?

    Let me explain by example:

    The problem: http://example.com/test.php?id=1/*! UNION SELECT whatever */ does not get blocked
    Solution 1 (let's block ! ..):
    http://example.com/test.php! (gets blocked)
    http://example.com/test.php/*! (does not get blocked)
     
  2. ziceva

    ziceva Member

    Joined:
    May 10, 2010
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    Bucuresti, Romania
    Found the solution ... I created a separate rule for this case and it worked just fine ... previously I was trying to edit the existing rule ...
     
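Added example (Python, not the poster's mod_security rule): a small detector that does what the separate rule from the second post has to do, matching the /*! opener on its own, and additionally normalizes the parameter the way MySQL reads it (versioned comment body kept, ordinary comment dropped) so the UNION SELECT hidden inside becomes visible to a plain keyword check. The sample inputs are constructed from the thread's example.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of a "versioned" comment /*! ... */ (optionally
# prefixed by a 5-digit version number), so a filter that treats it like an
# ordinary comment never sees the SQL inside it.
VERSIONED_COMMENT = re.compile(r"/\*!(?:\d{5})?(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*(?!!)(.*?)\*/", re.DOTALL)
UNION_SELECT = re.compile(r"\bUNION\b.*?\bSELECT\b", re.IGNORECASE | re.DOTALL)


def has_versioned_comment(raw: str) -> bool:
    """Dedicated check for the /*! opener (the case the original rule missed)."""
    return "/*!" in unquote_plus(raw)


def normalize(raw: str) -> str:
    """Rewrite a query parameter into what MySQL would actually parse."""
    s = unquote_plus(raw)                      # undo %xx and '+' encoding
    # Unwrap versioned comments: keep their body, because MySQL runs it.
    s = VERSIONED_COMMENT.sub(lambda m: " " + m.group(1) + " ", s)
    # Drop ordinary comments entirely; MySQL ignores them.
    s = PLAIN_COMMENT.sub(" ", s)
    return " ".join(s.split())                 # collapse whitespace


def looks_like_union_injection(raw: str) -> bool:
    """Keyword check applied to the normalized text, not the raw parameter."""
    return bool(UNION_SELECT.search(normalize(raw)))


def inspect(raw: str) -> dict:
    return {
        "normalized": normalize(raw),
        "versioned_comment": has_versioned_comment(raw),
        "union_select": looks_like_union_injection(raw),
    }


if __name__ == "__main__":
    # Constructed samples: the thread's payload, a harmless comment,
    # a URL-encoded variant and a version-prefixed variant.
    for sample in [
        "1",
        "1/*! UNION SELECT whatever */",
        "1/* harmless */",
        "1%2F*%21%20UNION%20SELECT%201%2C2%20*%2F",
        "1/*!50000UNION*/ SELECT 1",
    ]:
        print(repr(sample), inspect(sample))
```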