chrismfz Posted October 24, 2013

It's your software, so you know it better. How hard is it to create 10-20-50 mod_security rules which will deny access to anything in the client area when a rule matches a GET/POST containing keywords like tbladmin, licence/licencekey, SQL SELECT with user/password keywords, tblusers and so on? Not a solid bulletproof solution, but at least it can help with critical stuff like altering/viewing the admin SQL table, messing around with licence, errors etc., sneaking/stealing passwords from configuration.php using var_dump or something else, etc...

When the AES_ENCRYPT exploit went public, Atomicorp patched it in a few hours with a simple (almost) one-liner rule:

#AES_ENCRYPT
SecRule REQUEST_URI "/clientarea\.php\?action=details" \
    "chain,log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:lowercase,capture,id:331357,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Virtual Just In Time Patch: WHMCS AES_ENCRYPT SQL injection attack',logdata:'%{TX.0}'"
    SecRule ARGS:firstname|ARGS:lastname "(?:aes_encrypt|tbladmins)" "t:none,t:lowercase"

How difficult is it to create a WHMCS ruleset, thinking proactively? At least give us an extra option for security (for anyone that uses mod_security).
alinford Posted October 25, 2013

I did not see that Atomic had created a new rule for the exploit, but according to their blog, the rules they were already running protected against it: https://atomicorp.com/company/blogs/325-whmcs-sql-injection.html
chrismfz Posted October 25, 2013 Author

This belongs to Patrick from Rack911. At least somebody else cares more. Covers the latest exploits plus mass payment. In case someone didn't see this @ WHT, just mentioning it.

SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbladmins" "id:00001,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbladmins" "id:00002,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblclients" "id:00003,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblclients" "id:00004,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblhosting" "id:00005,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblhosting" "id:00006,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblservers" "id:00007,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblservers" "id:00008,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbltickets" "id:00009,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbltickets" "id:00010,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblregistrars" "id:00011,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblregistrars" "id:00012,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblcontacts" "id:00013,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblcontacts" "id:00014,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblemails" "id:00015,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblemails" "id:00016,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblinvoices" "id:00017,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblinvoices" "id:00018,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblorders" "id:00019,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblorders" "id:00020,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblpaymentgateways" "id:00021,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblpaymentgateways" "id:00022,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblverificationdata" "id:00023,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblverificationdata" "id:00024,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblgatewaylog" "id:00025,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblgatewaylog" "id:00026,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbldomains" "id:00027,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbldomains" "id:00028,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbladminlog" "id:00029,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tbladminlog" "id:00030,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblaccounts" "id:00031,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tblaccounts" "id:00032,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"

# WHMCS Generic DB Protection
SecRule REQUEST_URI|ARGS|REQUEST_BODY "YOUR_WHMCS_DB_NAME" "id:00050,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "YOUR_WHMCS_DB_NAME" "id:00051,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"

# WHMCS Specific Exploits
SecRule REQUEST_URI|ARGS|REQUEST_BODY "aes_encrypt" "id:00101,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "aes_encrypt" "id:00102,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tablejoin" "id:00103,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "tablejoin" "id:00104,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"

# WHMCS 5.2.10 mass payment issue
SecRule REQUEST_URI|ARGS|REQUEST_BODY "invoiceids" "id:00105,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "invoiceids" "id:00106,phase:4,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,log,deny,msg:'WHMCS'"

Just change "YOUR_WHMCS_DB_NAME" to your DB name.

Edit: Supposed to be one rule per line, but the forum raped it. Break it or fix it/edit it before use.
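To see what the posted ruleset actually does to a request, here is the transformation chain of those rules (urlDecodeUni, htmlEntityDecode, optional hexDecode, replaceComments, compressWhiteSpace, lowercase) modelled in Python and run over request arguments. This is an added illustration, not code from the thread or from Rack911; it models ARGS only, uses the keyword list from the rules above, and substitutes a constructed name (example_whmcs_db) for the YOUR_WHMCS_DB_NAME placeholder.

```python
import html
import re
from urllib.parse import unquote

# Keywords from the posted ruleset; each has a plain rule and a t:hexDecode rule.
# "example_whmcs_db" is a constructed stand-in for YOUR_WHMCS_DB_NAME.
KEYWORDS = (
    "tbladmins", "tblclients", "tblhosting", "tblservers", "tbltickets",
    "tblregistrars", "tblcontacts", "tblemails", "tblinvoices", "tblorders",
    "tblpaymentgateways", "tblverificationdata", "tblgatewaylog", "tbldomains",
    "tbladminlog", "tblaccounts", "example_whmcs_db",
    "aes_encrypt", "tablejoin", "invoiceids",
)

def url_decode_uni(value: str) -> str:
    """t:urlDecodeUni: decode %uXXXX forms, then ordinary %XX and '+'."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value.replace("+", " "))

def hex_decode(value: str) -> str:
    """t:hexDecode: treat the whole value as a hex string. ModSecurity turns
    non-hex input into garbage; that is modelled here as an empty string,
    which is why each keyword needs a second rule without this transform."""
    try:
        return bytes.fromhex(value).decode("latin-1")
    except ValueError:
        return ""

def normalize(value: str, with_hex: bool) -> str:
    """Run one rule's transformation chain in the order the rule lists it."""
    v = url_decode_uni(value)                      # t:urlDecodeUni
    v = html.unescape(v)                           # t:htmlEntityDecode
    if with_hex:
        v = hex_decode(v)                          # t:hexDecode (even-numbered rules)
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)   # t:replaceComments
    v = re.sub(r"\s+", " ", v)                     # t:compressWhiteSpace
    return v.lower()                               # t:lowercase

def match_rules(args: dict) -> list:
    """Return (arg, keyword, chain) for every argument the ruleset would deny.
    Only ARGS is modelled; the real rules also inspect REQUEST_URI and REQUEST_BODY."""
    hits = []
    for name, value in args.items():
        for with_hex in (False, True):
            norm = normalize(value, with_hex)
            for kw in KEYWORDS:
                if kw in norm:
                    hits.append((name, kw, "hex" if with_hex else "plain"))
    return hits
```

Note that the posted rules run in phase:4 (response body), so WHMCS has already processed the request by the time the deny is applied and only the response is withheld; the same chain in phase:2 would block before the application handles the request.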