I just read about a Tikiwiki XSS here. Since the Vuurmuur wiki runs Tikiwiki I created a ModSecurity rule for it:
SecDefaultAction "log,deny,phase:2,status:403,t:urlDecodeUni,t:lowercase"
# XSS in remind password field
SecRule REQUEST_METHOD "^post$" "chain,msg:'TIKIWIKI lost password XSS'"
SecRule REQUEST_FILENAME "tiki-remind_password.php" "chain"
SecRule ARGS:/^\s*username$/ "!^(?:[a-z0-9_-]{1,37})$"
This allows only valid usernames to be entered.
Update: Ivan Ristic privately pointed me at some possible problems with the rule:
- the escaping of the - and _ chars is not needed, although it seems to be harmless.
- the $ at the end of the filename is dangerous, because Apache treats tiki-remind_password.php/xxx as tiki-remind_password.php. In this case the rule is evaded.
- PHP (which Tikiwiki uses) ignores leading spaces in request arguments. So it treats ' username' the same as 'username'. The rule needs to deal with that.
Thanks for your feedback Ivan!
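To make the two evasions concrete, here is an added Python model (not part of the original post or of ModSecurity) of the old and the updated rule next to a simplified model of what Apache and PHP do with the same requests. It assumes only the behaviour described above: Apache maps the path-info suffix back to the script, and PHP drops leading spaces from argument names; the requests and payload string are constructed.

```python
import re
from urllib.parse import unquote

# The two checks that changed between the old and the updated rule.
OLD_RULE = {"filename": r"tiki-remind_password\.php$", "argname": r"^username$"}
NEW_RULE = {"filename": r"tiki-remind_password\.php", "argname": r"^\s*username$"}
# Allowed username shape shared by both variants (values are lowercased first).
VALID_USERNAME = re.compile(r"^(?:[a-z0-9_-]{1,37})$")

def rule_denies(rule, method, uri_path, args):
    """Model of the chained SecRule: every link must match before the deny fires.
    args is a list of (name, value) as ModSecurity sees them; the value gets
    t:urlDecodeUni,t:lowercase before it is tested."""
    if not re.search(r"^post$", method.lower()):
        return False
    if not re.search(rule["filename"], uri_path.lower()):
        return False
    for name, value in args:
        if re.search(rule["argname"], name):
            if not VALID_USERNAME.match(unquote(value).lower()):
                return True
    return False

def php_username(args):
    """Constructed model of the application side: PHP drops leading spaces from
    request variable names (assumption: only this part of PHP's name mangling
    is modelled), so ' username' and 'username' are the same variable."""
    for name, value in args:
        if name.lstrip(" ") == "username":
            return value
    return None

# Constructed requests: one legitimate, plus the two evasions described above.
PAYLOAD = "<script>alert(1)</script>"
REQUESTS = {
    "legit": ("POST", "/tiki-remind_password.php", [("username", "alice_01")]),
    # Apache still runs tiki-remind_password.php; "/xxx" becomes PATH_INFO.
    "pathinfo": ("POST", "/tiki-remind_password.php/xxx", [("username", PAYLOAD)]),
    "space": ("POST", "/tiki-remind_password.php", [(" username", PAYLOAD)]),
}

def evaluate(rule):
    """Per request: (payload reaches the PHP username variable?, rule denies it?)."""
    out = {}
    for label, (method, path, args) in REQUESTS.items():
        out[label] = (php_username(args) == PAYLOAD, rule_denies(rule, method, path, args))
    return out

if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        print(name, evaluate(rule))
```

A (True, False) pair marks an evasion: the payload reaches the script but the rule stays silent, which is what the old rule produces for both the path-info and the leading-space request.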
Old rule:
SecDefaultAction "log,deny,phase:2,status:403,t:urlDecodeUni,t:lowercase"
# XSS in remind password field
SecRule REQUEST_METHOD "^post$" "chain,msg:'TIKIWIKI lost password XSS'"
SecRule REQUEST_FILENAME "tiki-remind_password.php$" "chain"
SecRule ARGS:username "!^(?:[a-z0-9_-]{1,37})$"