Command Injection execution of shell commands and script interpreters issue

Occasional Contributor

Hi guys

 

Baseline handler Shell Command Injection execution of shell commands and script interpreters rejects Opera users from Indonesia 

 

Opera/9.80 (Android; Opera Mini/32.0.2254/88.150; U; id) Presto/2.12.423 Version/12.16

 

Here, id is not the command but the locale.

 

https://dev.opera.com/articles/opera-mini-request-headers/

https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#ID

 

Any fix or workaround?

Removing the rule or not checking the header is unsafe.

 

Thanks

1 REPLY 1
Community Manager

Re: Command Injection execution of shell commands and script interpreters issue

There are a couple of possible workarounds on this one:

 

1. Exclude this check:

Useful for testing, but not a good idea for production, because this would leave the application open to other vulnerabilities such as Shellshock (CVE-2014-6271) and future variants. Go to:

 

Handler Templates >
   BaselineProtectionHandler >
   exclude_from_baseline_check >
   User-Agent > (remove args, leave headers) > Code Injection > Add

 

 

2. TrafficScript rule:

You could add a TrafficScript rule - make sure it is the top rule, above “Application Firewall”.

This would replace the locale code “id” with “Indonesia” which should work?

 

http.setHeader("User-Agent",
   string.replace(http.getHeader( "User-Agent" ),
   "; id) ",
   "; Indonesia) "));

 

If you have time, could you raise a support ticket for this one? That helps our team track this kind of query.
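
The scope of the second workaround, as an added example that is not part of the original thread and is not TrafficScript: a Python model comparing the blanket replace with a rewrite anchored to the Opera Mini header format quoted in the question. `CMD_PATTERN` is a hypothetical stand-in for the baseline check (the product's real pattern is not shown in the thread), and `OTHER_UA` is a constructed sample.

```python
import re

# Hypothetical stand-in for the baseline check; the real pattern is not on the page.
# Flags a shell separator followed by a common command name.
CMD_PATTERN = re.compile(r"[;|&`]\s*(?:id|ls|cat|uname|whoami|wget|curl)\b")

# Opera Mini header layout, taken from the header quoted in the question:
#   Opera/9.80 (<platform>; Opera Mini/<version>; U; <locale>) Presto/...
OPERA_MINI_ID_LOCALE = re.compile(
    r"^(Opera/\d+\.\d+ \([^()]*; Opera Mini/[\d./]+; U; )id(\) Presto/)"
)

# Header from the question.
PAGE_UA = ("Opera/9.80 (Android; Opera Mini/32.0.2254/88.150; U; id) "
           "Presto/2.12.423 Version/12.16")
# Constructed sample: not Opera Mini, but contains the same "; id) " token.
OTHER_UA = "Mozilla/5.0 (X11; id) probe"


def flagged(user_agent: str) -> bool:
    """True if the stand-in check would reject this header."""
    return CMD_PATTERN.search(user_agent) is not None


def blanket_rewrite(user_agent: str) -> str:
    """Same substitution as the TrafficScript rule in the reply."""
    return user_agent.replace("; id) ", "; Indonesia) ")


def scoped_rewrite(user_agent: str) -> str:
    """Rewrite the locale only when the whole header has the Opera Mini shape."""
    return OPERA_MINI_ID_LOCALE.sub(r"\1Indonesia\2", user_agent, count=1)


def compare(user_agent: str) -> dict:
    """Check result before any rewrite and after each rewrite variant."""
    return {
        "original": flagged(user_agent),
        "blanket": flagged(blanket_rewrite(user_agent)),
        "scoped": flagged(scoped_rewrite(user_agent)),
    }


if __name__ == "__main__":
    for ua in (PAGE_UA, OTHER_UA):
        print(compare(ua), ua)
```

Both variants clear the false positive for the Opera Mini header; only the scoped one leaves the constructed non-Opera header unchanged, so the check still evaluates it as sent.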