
Sanitize XML (same as #360 and #587) #2779

Open

Description

@touchweb-vincent

Hello,

First, thank you for all you did and do. ModSecurity is a great project.

Like #360 and #587, we need to sanitize XML content.

After hours of searches and tries, it's a fail. So here I am to grab some help if there is a solution - or a workaround - we can pay for it if needed.

We use native version of ModSecurity for Debian, so 2.9.3 on Buster and Bullseye.

This (xmlrpc.php for WordPress):

--90fbbb2d-C--
<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName><params><param><value><i4>0</i4></value></param><param><value><string>root</string></value></param><param><value><string>my-password</string></value></param></params></methodCall>
--90fbbb2d-F--

Should be sanitized like this:

--90fbbb2d-C--
<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName><params><param><value><i4>0</i4></value></param><param><value><string>root</string></value></param><param><value><string>***********</string></value></param></params></methodCall>
--90fbbb2d-F--

To iterate your tests : curl -X POST -H 'Content-Type: text/xml' -d '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string>my-password</string></value></param></params></methodCall>' https://your-link

It concerns as well SOAP transactions.

Here are some tries we did (and failed):

SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'2100002',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

#SecRule XML:/string/text() "^(.)$" "id:1280007,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string/text() "^(.)$" "id:1280008,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string/text() "^(.)$" "id:1280009,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string/ "^(.*)$" "id:1280010,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string "^(.*)$" "id:1280011,phase:5,nolog,pass,sanitiseMatched"

Thank you for your time.

Kind regards,

Vincent
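A post-processing sanitizer for the audit-log part C shown in the issue, as an added example (not ModSecurity's code and not the reporter's rules): it masks the password param of an XML-RPC call with asterisks of the same length, which is the output the issue asks for. The per-method table of which param carries the password is a hypothetical policy, the sample entry is constructed, and the boundary format is assumed to be the one shown in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: one request-body part (C) of a ModSecurity audit-log
# entry for a WordPress XML-RPC call; the boundary id is made up.
SAMPLE_PART_C = (
    "--90fbbb2d-C--\n"
    '<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName>'
    "<params><param><value><i4>0</i4></value></param>"
    "<param><value><string>root</string></value></param>"
    "<param><value><string>my-password</string></value></param>"
    "</params></methodCall>\n"
    "--90fbbb2d-F--\n"
)

# Hypothetical policy table: zero-based index of the <param> carrying the password
# (wp.getOptions: blog_id, username, password; wp.getUsersBlogs: username, password).
PASSWORD_PARAM_INDEX = {"wp.getOptions": 2, "wp.getUsersBlogs": 1}

def mask_xmlrpc_password(body: str) -> str:
    """Replace the password param's text with asterisks of the same length
    (length-preserving, like sanitiseMatched); anything else is returned as-is."""
    decl, xml_text = "", body
    if body.startswith("<?xml"):          # keep the XML declaration verbatim
        end = body.index("?>") + 2
        decl, xml_text = body[:end], body[end:]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:                 # not XML (e.g. form data): leave it
        return body
    idx = PASSWORD_PARAM_INDEX.get(root.findtext("methodName", default=""))
    params = root.findall("params/param")
    if root.tag != "methodCall" or idx is None or idx >= len(params):
        return body
    node = params[idx].find("value/string")
    if node is not None and node.text:
        node.text = "*" * len(node.text)
    return decl + ET.tostring(root, encoding="unicode")

# Part C runs from "--<id>-C--" up to the next "--<id>-<letter>--" boundary.
PART_C_RE = re.compile(
    r"^--(?P<id>[0-9a-f]+)-C--\n(?P<body>.*?)(?=^--(?P=id)-[A-Z]--)", re.M | re.S)

def sanitize_audit_entry(entry: str) -> str:
    """Mask the password inside every part C of a raw audit-log entry."""
    def repl(m: re.Match) -> str:
        body = mask_xmlrpc_password(m.group("body").rstrip("\n"))
        return f"--{m.group('id')}-C--\n{body}\n"
    return PART_C_RE.sub(repl, entry)
```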

Labels: 2.x (Related to ModSecurity version 2.x), new feature (This is a new feature)