REQUEST_HEADERS:Referer 340133

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
BDMM
Forum User
Forum User
Posts: 9
Joined: Fri Feb 17, 2006 3:00 am

REQUEST_HEADERS:Referer 340133

Unread post by BDMM »

Hi,

I am having issues when I do a search on my site and it looks like the referrer is triggering mod_security

[msg "Atomicorp.com WAF Rules: HTTP header PHP code injection attack"] [data "<? "] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "< ?[?%] ?|\\\\[ ?php" at REQUEST_HEADERS:Referer.

I am testing my script by seaching for "TEST <?" using a GET request which returns the correct results and doesn't trigger the rule, I am also using server side validation to remove dodgy strings etc.

The problem is that after doing a search if I click a link on my page it triggers mod_security as the referrer contains the query string "?pcid=0&s=&tr=0&pc=&kw=%3C%3F+test+me"

The question is
Is it safe to disable this rule?
Is it possible to do a PHP injection using a referrer?

OR
can I whitelist referrers from my own site?

Thanks
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: REQUEST_HEADERS:Referer 340133

Unread post by mikeshinn »

Is it safe to disable this rule?
If you're using PHP applications that trust the referrer, then no its not safe to disable this rule.
Is it possible to do a PHP injection using a referrer?
Unfortunately yes. Any field an application trusts could be used to inject. This rule was added because of a number of PHP applications that trust the referrer in one form or another had all sorts of vulnerabilities that made injection attacks possible via the referrer.

Heres an education article that goes through many different ways to inject code into PHP apps, include via the referrer header:

https://www.exploit-db.com/papers/12992/
can I whitelist referrers from my own site?
I wouldnt recomment it. A referrer is set by the client. They can simply send a referrer for your site with a malicious payload, and that would bypass the rule. In general, never ever trust referrers.
Post Reply