REQUEST_HEADERS:Referer 340133

Posted: Mon Mar 28, 2016 2:12 am
by BDMM
Hi,

I am having issues when I do a search on my site, and it looks like the referrer is triggering mod_security.

[msg "Atomicorp.com WAF Rules: HTTP header PHP code injection attack"] [data "<? "] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "< ?[?%] ?|\\\\[ ?php" at REQUEST_HEADERS:Referer.

I am testing my script by searching for "TEST <?" using a GET request, which returns the correct results and doesn't trigger the rule. I am also using server-side validation to remove dodgy strings etc.

The problem is that after doing a search, if I click a link on my page it triggers mod_security, as the referrer contains the query string "?pcid=0&s=&tr=0&pc=&kw=%3C%3F+test+me".

The question is
Is it safe to disable this rule?
Is it possible to do a PHP injection using a referrer?

OR
Can I whitelist referrers from my own site?

Thanks

Re: REQUEST_HEADERS:Referer 340133

Posted: Mon Mar 28, 2016 2:11 pm
by mikeshinn
Is it safe to disable this rule?
If you're using PHP applications that trust the referrer, then no, it's not safe to disable this rule.
Is it possible to do a PHP injection using a referrer?
Unfortunately yes. Any field an application trusts could be used to inject. This rule was added because a number of PHP applications that trust the referrer in one form or another had all sorts of vulnerabilities that made injection attacks possible via the referrer.

Here's an educational article that goes through many different ways to inject code into PHP apps, including via the referrer header:

https://www.exploit-db.com/papers/12992/
can I whitelist referrers from my own site?
I wouldn't recommend it. A referrer is set by the client. They can simply send a referrer for your site with a malicious payload, and that would bypass the rule. In general, never ever trust referrers.
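
Added example, not part of either post and not Atomicorp's rule code: a small Python model of the check in the log line above. It shows why the browser's Referer after the search trips the pattern, and why an own-site exemption cannot tell that header from one a client typed by hand. Assumptions: the pattern is the logged one with the log's backslash escaping reduced, the value is URL-decoded before matching, and `www.example.com` and `search.php` are placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Pattern from the log line, log escaping reduced to one regex escape (assumption).
RULE_340133 = re.compile(r"< ?[?%] ?|\[ ?php")
OWN_HOST = "www.example.com"  # placeholder for the poster's own site


def matched_data(referer):
    """Return the text the pattern matches in the URL-decoded header, or None."""
    m = RULE_340133.search(unquote_plus(referer))
    return m.group(0) if m else None


def allowlisted(referer):
    """The proposed exemption: skip the rule when the Referer names our host."""
    return urlsplit(referer).hostname == OWN_HOST


def verdict(referer, use_allowlist):
    """Model the WAF decision with or without the own-site exemption."""
    if use_allowlist and allowlisted(referer):
        return "allowed (rule skipped)"
    return "blocked (403)" if matched_data(referer) else "allowed"


# Constructed sample headers; the first query string is the one quoted in the thread.
SAMPLES = {
    "browser after search":
        "http://www.example.com/search.php?pcid=0&s=&tr=0&pc=&kw=%3C%3F+test+me",
    "typed by the client":
        "http://www.example.com/search.php?kw=%3C%3F+test+me",
    "ordinary navigation":
        "http://www.example.com/index.php",
}

if __name__ == "__main__":
    for label, ref in SAMPLES.items():
        print(f"{label:22} rule on: {verdict(ref, False):15} "
              f"with exemption: {verdict(ref, True)}")
```

With the exemption on, the first two headers get the same verdict: the server only sees the header value, never who wrote it.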