Mod_security and SQL Injection


May 10, 2010
Bucuresti, Romania
It seems like SQL Injection is still possible with mod_security installed ... simply by putting the SQL code in a comment like /*! code_here */ ... this is a version-dependent comment, so it will be executed by MySQL, but it's not checked by mod_security (because it is a comment ...)

I tried matching /*! ... with no success ... I tried matching ! and got hits only if the exclamation mark is alone ... as soon as it comes with /*! it doesn't get a match ...

Any ideas on this?

Let me explain by example:

The problem: ht tp://*! UNION SELECT whatever */ does not get blocked
Solution 1 (let's block ! ..):
ht tp://! (gets blocked)
ht tp://*! (does not get blocked)
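
Added example, not part of the original post: a small Python model of the three cases above. It assumes the rules replace C-style comments with a space before pattern matching (the post does not show its rule set, so this is an assumption), and the function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Any C-style comment; an unterminated "/*" runs to the end of the input.
C_COMMENT = re.compile(r"/\*.*?(?:\*/|\Z)", re.S)
# MySQL version-dependent comment opener: "/*!" plus an optional version number.
EXEC_COMMENT = re.compile(r"/\*!\d*")


def replace_comments(value: str) -> str:
    """Model of a comment-replacing transformation: each comment becomes one space."""
    return C_COMMENT.sub(" ", value)


def inspect(raw_value: str) -> dict:
    """Report what a pattern would see before and after comments are replaced."""
    decoded = unquote_plus(raw_value)      # undo URL encoding first
    stripped = replace_comments(decoded)   # what a post-transformation rule matches on
    return {
        "bang_after_transform": "!" in stripped,
        "exec_comment_after_transform": bool(EXEC_COMMENT.search(stripped)),
        "exec_comment_in_decoded_value": bool(EXEC_COMMENT.search(decoded)),
    }


# Constructed sample parameter values (not taken from real traffic).
SAMPLES = [
    "!",
    "/*!",
    "1 /*! UNION SELECT whatever */",
    "%2F%2A%21+UNION+SELECT+whatever+%2A%2F",
    "plain search text",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} {inspect(sample)}")
```

Under that assumption, a lone `!` survives the transformation and matches, while `/*!` is replaced as a comment before any pattern runs; only a check on the decoded value, made before comment replacement, still sees the `/*!` opener.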