ModSecurity rules for Tikiwiki 1.x tiki-graph_formula.php Function Injection Vulnerability
A new vulnerability has been found in Tikiwiki. Read more about it here.
I’ve created the following ModSecurity rule to block it.
SecDefaultAction "log,deny,phase:2,status:403,t:urlDecodeUni,t:lowercase"
# Remote URL passed in any argument with an alphabetic name (e.g. title)
SecRule REQUEST_FILENAME "tiki-graph_formula.php" "chain,msg:'TIKIWIKI tiki-graph_formula.php link inclusion attempt',severity:2"
SecRule ARGS:/^\s*[a-z]+$/ "^(ht|f)tps?://"
# Any argument named f[...]
SecRule REQUEST_FILENAME "tiki-graph_formula.php" "chain,msg:'TIKIWIKI tiki-graph_formula.php f parameter Function Injection Vulnerability',severity:2"
SecRule ARGS_NAMES "^\s*f\[.*\]$"
Ivan, I hope these rules survive your scrutiny ;-)
Updated at 13:50: The first rule only covered the file inclusion in the title parameter which was what I was seeing in my logs. These rules should cover both the inclusion and the injection.
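To see which requests the two chained rules would deny, here is a simplified Python model of their matching logic. It is an added example, not part of the original post and not ModSecurity itself; the sample requests, the `evaluate` helper and the case-insensitive argument-name selector are assumptions, and the `%uXXXX` handling of `t:urlDecodeUni` is not modelled.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

FILENAME = re.compile(r"tiki-graph_formula.php")   # REQUEST_FILENAME operator
ARG_SELECTOR = re.compile(r"^\s*[a-z]+$", re.I)    # ARGS:/^\s*[a-z]+$/ (assumed caseless)
REMOTE_URL = re.compile(r"^(ht|f)tps?://")         # rule 1 operator
F_ARRAY_NAME = re.compile(r"^\s*f\[.*\]$")         # rule 2 operator

def transform(value):
    # Stand-in for t:urlDecodeUni,t:lowercase. parse_qsl has already decoded
    # the argument once, as the request parser would; this is the second pass.
    return unquote(value).lower()

def evaluate(url):
    """Return the names of the rules that would deny this request."""
    parts = urlsplit(url)
    if not FILENAME.search(transform(parts.path)):
        return []                                  # chain starter did not match
    args = parse_qsl(parts.query, keep_blank_values=True)
    hits = []
    if any(ARG_SELECTOR.search(n) and REMOTE_URL.search(transform(v))
           for n, v in args):
        hits.append("link inclusion")
    if any(F_ARRAY_NAME.search(transform(n)) for n, _ in args):
        hits.append("f parameter")
    return hits

# Constructed sample requests (not taken from real logs).
SAMPLES = [
    "/tiki/tiki-graph_formula.php?w=300&h=200&title=Sales",
    "/tiki/tiki-graph_formula.php?title=HTTP://example.invalid/a.txt",
    "/tiki/tiki-graph_formula.php?w=300&f%5B%5D=x",
    "/tiki/tiki-index.php?f[]=x",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample) or "allowed", sample)
```

The third sample shows that the second rule keys on the argument name alone, so any request to this script that carries an `f[...]` argument is denied whatever its value.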