ModSecurity rule for Tikiwiki XSS

Posted on Aug 27, 2007

I just read about a Tikiwiki XSS here. Since the Vuurmuur wiki runs Tikiwiki I created a ModSecurity rule for it:

SecDefaultAction "log,deny,phase:2,status:403,t:urlDecodeUni,t:lowercase"

# XSS in remind password field
# All three rules are chained: only a POST to tiki-remind_password.php whose
# username argument fails the whitelist is denied. t:lowercase from the
# SecDefaultAction applies to every variable, so "^post$" also matches POST.
SecRule REQUEST_METHOD "^post$" "chain,msg:'TIKIWIKI lost password XSS'"
# No "$" anchor: Apache serves tiki-remind_password.php/xxx as the same script (PATH_INFO)
SecRule REQUEST_FILENAME "tiki-remind_password.php" "chain"
# Regex selector so " username" (leading whitespace, which PHP strips) is inspected too
SecRule ARGS:/\s*username/ "!^(?:[a-z0-9_-]{1,37})$"

This is a whitelist on the username field: after t:lowercase, only 1 to 37 characters from a-z, 0-9, "-" and "_" are accepted, and a POST to tiki-remind_password.php with anything else in that field is denied with a 403.

Update: Ivan Ristic privately pointed me at some possible problems with the rule:

  1. the escaping of the - and _ chars is not needed, although it seems to be harmless.
  2. the $ at the end of the filename is dangerous, because Apache treats tiki-remind_password.php/xxx as tiki-remind_password.php. In this case the rule is evaded.
  3. PHP (which Tikiwiki uses) ignores leading spaces in request arguments. So it treats ' username' the same as 'username'. The rule needs to deal with that.

Thanks for your feedback Ivan!
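To make the second and third point concrete, here is an added example (not part of the original post, and not ModSecurity code) that models the matching steps of the old and the updated rule in Python and runs both over a few constructed requests: a plain XSS payload, the PATH_INFO variant of the filename, the leading-space argument name, and a legitimate username. The payload, paths and usernames are constructed for the demonstration; the PHP argument-name normalisation is modelled as a simple strip of leading whitespace, which is the behaviour the update describes.

```python
import re

# Whitelist from the rule; t:lowercase is modelled by lowering the value first.
USERNAME_RE = re.compile(r"^(?:[a-z0-9_-]{1,37})$")


def php_arg_names(args):
    """Model of how PHP registers request argument names: leading whitespace
    is dropped, so ' username' reaches the application as 'username'."""
    return {name.lstrip(): value for name, value in args}


def old_rule(method, filename, args):
    """Old rule: REQUEST_FILENAME anchored with '$', ARGS:username matched by
    exact name. Returns True when the request would be denied."""
    if method.lower() != "post":
        return False
    if not re.search(r"tiki-remind_password\.php$", filename.lower()):
        return False
    for name, value in args:
        if name == "username" and not USERNAME_RE.match(value.lower()):
            return True
    return False


def new_rule(method, filename, args):
    """Updated rule: no '$' on the filename, ARGS selected with /\\s*username/
    (unanchored regex over the argument name). Returns True when denied."""
    if method.lower() != "post":
        return False
    if not re.search(r"tiki-remind_password\.php", filename.lower()):
        return False
    selector = re.compile(r"\s*username")
    for name, value in args:
        if selector.search(name) and not USERNAME_RE.match(value.lower()):
            return True
    return False


# Constructed requests: (method, REQUEST_FILENAME, [(arg name, arg value), ...])
PAYLOAD = '"><script>alert(1)</script>'
REQUESTS = {
    # straightforward attack, both versions deny it
    "plain": ("POST", "/tiki-remind_password.php", [("username", PAYLOAD)]),
    # PATH_INFO: Apache still runs tiki-remind_password.php, the old '$' anchor misses it
    "pathinfo": ("POST", "/tiki-remind_password.php/xxx", [("username", PAYLOAD)]),
    # leading space in the name: PHP strips it, the old ARGS:username never sees it
    "space": ("POST", "/tiki-remind_password.php", [(" username", PAYLOAD)]),
    # legitimate reminder request, neither version denies it
    "benign": ("POST", "/tiki-remind_password.php", [("Victor_J-2007", "x")[:0] or ("username", "Victor_J-2007")]),
}


def evaluate():
    """Run every constructed request through both rule versions and record
    whether the payload would still reach PHP under the name 'username'."""
    results = {}
    for label, (method, filename, args) in REQUESTS.items():
        results[label] = {
            "old": old_rule(method, filename, args),
            "new": new_rule(method, filename, args),
            "reaches_app": "username" in php_arg_names(args),
        }
    return results


if __name__ == "__main__":
    for label, outcome in evaluate().items():
        print(f"{label:9} old_denies={outcome['old']!s:5} "
              f"new_denies={outcome['new']!s:5} reaches_app={outcome['reaches_app']}")
```

The two evasion cases are the ones where the old rule returns False while the request still reaches the script under the argument name `username`; the updated rule denies both, and the legitimate request passes either version.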

Old rule:

SecDefaultAction "log,deny,phase:2,status:403,t:urlDecodeUni,t:lowercase"

# XSS in remind password field
SecRule REQUEST_METHOD "^post$" "chain,msg:'TIKIWIKI lost password XSS'"
SecRule REQUEST_FILENAME "tiki-remind_password.php$" "chain"
SecRule ARGS:username "!^(:?[a-z0-9-_]{1,37})$"