Closed
Description
Describe the bug
Seems like the Lua engine does not have access to collections when used with SecRuleScript.
Logs and dumps
debug.log:
[16840518365.411533] [/dump.php?a=<script] [4] Executing script: /home/airween/src/coreruleset/test.lua.
[16840518365.411533] [/dump.php?a=<script] [1]
error.log:
terminate called after throwing an instance of 'std::invalid_argument'
what(): Variable not found.
2023/05/14 10:17:00 [alert] 33634#33634: worker process 33636 exited on signal 6
curl's output:
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
To Reproduce
- copy the second Lua script from here, which extracts ARGS:
local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" } );
- add the example directive to your config (based on the reference manual):
SecRuleScript "/home/airween/src/coreruleset/test.lua" "id:1009,block"
- send a request:
curl -v "http://localhost/dump.php?a=<script"
Expected behavior
I tried this scenario with the same configuration with mod_security2 on Apache, and it works as well. The debug.log says:
Recipe: Invoking rule 7f409cc130f0; [file "/etc/modsecurity/crs/temp.conf"] [line "199"] [id "1009"].
Rule 7f409cc130f0: SecRuleScript "@" "phase:2,log,auditlog,id:1009,block"
Lua: Executing script: /home/airween/src/coreruleset/test.lua
T (0) lowercase: "<script"
T (0) htmlEntityDecode: "<script"
Lua: Script completed in 398 usec, returning: Suspected XSS in variable ARGS:a..
Warning. Suspected XSS in variable ARGS:a. [file "/etc/modsecurity/crs/temp.conf"] [line "199"] [id "1009"]
Rule returned 1.
Server (please complete the following information):
- libmodsecurity 3.0.9 (2121938)
- ModSecurity-nginx 1.0.3
- nginx-1.18.0
- Debian 11
Additional context
The original issue was described here.
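For readers following the reproduction steps, here is a complete SecRuleScript handler of the shape the report describes (an ARGS lookup through m.getvars with the lowercase and htmlEntityDecode transformations, returning a message when "<script" is found). It is an added example, not the reporter's test.lua and not code from the ModSecurity project; the exact contents of the referenced reference-manual script are assumed. It is meant to be saved as the file named in the SecRuleScript directive above and exercised with the same curl request; with mod_security2 it produces the "Suspected XSS in variable ARGS:a." message shown in the Apache debug.log, while on the libmodsecurity/nginx setup described it is the m.getvars call that the report shows terminating the worker.

```lua
-- test.lua: added example of a SecRuleScript handler (assumed shape of the
-- reference-manual script the report refers to; not the reporter's file).
-- ModSecurity calls main() once per transaction in the phase given on the
-- SecRuleScript directive; the Apache log above shows phase:2 is the default
-- when no phase is specified, so request arguments are already parsed.
function main()
    -- Fetch every ARGS:* variable with the two transformations applied in
    -- order (lowercase, then htmlEntityDecode). The result is a list of
    -- { name = "ARGS:a", value = "<script" } style tables. In the report this
    -- is the call that throws "Variable not found" in libmodsecurity.
    local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" })

    for i = 1, #d do
        -- plain=true: match "<script" literally rather than as a Lua pattern.
        if string.find(d[i].value, "<script", 1, true) then
            -- Returning a string means "match"; the string becomes the rule
            -- message, as seen in the Apache debug.log above. Always name the
            -- offending variable so the alert is actionable.
            return "Suspected XSS in variable " .. d[i].name .. "."
        end
    end

    -- nil means "no match": the rule's disruptive action (block) is not run.
    return nil
end
```

The directive to pair it with is the one already quoted in the report, `SecRuleScript "/home/airween/src/coreruleset/test.lua" "id:1009,block"`; the script's return value is what drives the block action, so a nil return on a clean request is as important as the string on a match.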