CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5

Hello everyone!

A customer reported a problem with the application I built for him.
His hosting provider uses the WAF rules, and when using CakePHP the rules from version 1.74 (2016.04.19) are triggered.
The exact rule is the “CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)”.

As far as I was able to research, CakePHP has addressed this issue, and the WAF rule says that it should be fixed by version >= 3.1.5.

I have tested it with a CakePHP application using v3.3.4, but the rule is still triggered.

[Tue Nov 08 13:49:22.148327 2016] [:error] [pid 16987] [client 192.168.15.6] ModSecurity: Access denied with code 403 (phase 2). String match "cakephp" at REQUEST_COOKIES_NAMES:CAKEPHP. [file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "2402"] [id "241601"] [rev "2"] [msg "COMODO WAF: CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||bookmark.test.com|F|2"] [hostname "bookmark.test.com"] [uri "/bookmarks/edit/1"] [unique_id "WCHJ0sCoAHcAAEJbTZIAAAAE"]

What can I do now?

Thanks for your help!
Malte

Can you provide the ModSecurity audit log for this event?

Hi!

Thanks for coming back so quickly!

Not sure what exactly it is you need?

Here is the debug.log with these settings:

SecDebugLog ${APACHE_LOG_DIR}/debug.log
SecDebugLogLevel 3

[08/Nov/2016:16:03:01 +0100] [bookmark.test.com/sid#b5a75cf8][rid#b6429058][/bookmarks/edit/1][1] Access denied with code 403 (phase 2). String match "cakephp" at REQUEST_COOKIES_NAMES:CAKEPHP. [file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "2402"] [id "241601"] [rev "2"] [msg "COMODO WAF: CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||bookmark.test.com|F|2"]

Also attached are the logs with LogLevel 4.

Ah, sorry!
I misunderstood.
Here is the modsec log:

--2d0fb95c-A--
[08/Nov/2016:16:08:27 +0100] WCHqasCoAHcAAEn2sOgAAAAA 192.168.15.6 49758 192.168.0.119 80
--2d0fb95c-B--
POST /bookmarks/edit/1 HTTP/1.1
Host: bookmark.test.com
Connection: keep-alive
Content-Length: 103
Cache-Control: max-age=0
Origin: http://bookmark.test.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://bookmark.test.com/bookmarks/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: en,de;q=0.8,en-US;q=0.6
Cookie: CAKEPHP=20hme4b2b247bb80aeuu2u9as3

--2d0fb95c-C--
_method=PUT&title=Test111588999%40%40%40123123&description=test+desc&url=test+url&tag_string=tag+string

--2d0fb95c-F--
HTTP/1.1 403 Forbidden
Content-Length: 309
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--2d0fb95c-H--
Message: Access denied with code 403 (phase 2). String match "cakephp" at REQUEST_COOKIES_NAMES:CAKEPHP. [file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "2402"] [id "241601"] [rev "2"] [msg "COMODO WAF: CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||bookmark.test.com|F|2"]
Action: Intercepted (phase 2)
Stopwatch: 1478617706950240 107699 (- - -)
Stopwatch2: 1478617706950240 107699; combined=105740, p1=4936, p2=100335, p3=0, p4=0, p5=468, sr=74, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.4.10 (Debian)
Engine-Mode: "ENABLED"

--2d0fb95c-Z--

Is the information I attached the one you requested?

Thank you for the provided info. We will investigate your request and give feedback soon.

Awesome, thanks!! Looking forward to your feedback!

Hello 3tlam,

We have investigated the issue and the event triggered seems to be a "TRUE POSITIVE".
Reason: "The Request is crafted with an illegal Request method which does not match the actual Request Method. In this case it's a Possible CSRF attack attempt and the CWAF Rule is triggered."

Please feel free to post back regarding any other queries.

Thank You,

Hi Naveen,

Thanks for the reply!
What exactly does “illegal Request” mean?
As the modsec log shows, it’s a regular POST request, isn’t it? “POST /bookmarks/edit/1”

How can I “fix” the issue, so that the rule is no longer applied and the client can use his application again?

Best
Malte

Hi 3tlam,
As you can see in the modsec audit log, the POST data “_method”, which is used to identify the Request method being used, has been modified, which indicates a possible CSRF protection bypass attempt.
The Rule will only be triggered for a malicious request (like in your case), and all other normal requests should work fine.
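The check the reply above describes (a form-level `_method` override that differs from the real HTTP method), as an added defender-side example that is not part of this thread and not Comodo's or CakePHP's code: it parses the serial audit-log format posted earlier (the `--<id>-<part>--` boundaries, request line, Cookie header, body and H part) and reports the override mismatch together with the cookie names and rule ids the WAF recorded. The sample entry is constructed to mirror the one in the thread.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: one ModSecurity serial audit-log entry shaped like the one in the
# thread (parts A, B, C, H, Z with "--<id>-<part>--" boundaries); values are made up.
SAMPLE_AUDIT_LOG = """--2d0fb95c-A--
[08/Nov/2016:16:08:27 +0100] WCHqasCoAHcAAEn2sOgAAAAA 192.168.15.6 49758 192.168.0.119 80
--2d0fb95c-B--
POST /bookmarks/edit/1 HTTP/1.1
Host: bookmark.test.com
Cookie: CAKEPHP=20hme4b2b247bb80aeuu2u9as3; theme=dark

--2d0fb95c-C--
_method=PUT&title=Test&description=test+desc
--2d0fb95c-H--
Message: Access denied with code 403 (phase 2). String match "cakephp" at REQUEST_COOKIES_NAMES:CAKEPHP. [file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "2402"] [id "241601"] [rev "2"] [msg "COMODO WAF: CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)"]
Action: Intercepted (phase 2)
--2d0fb95c-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

def split_parts(entry):
    """Map each audit-log part letter (A, B, C, ...) to its raw text."""
    marks = list(BOUNDARY_RE.finditer(entry))
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts

def analyse(entry):
    """Compare the real HTTP method with any _method override in the body, and
    collect the cookie names and the rule ids recorded in part H."""
    parts = split_parts(entry)
    request_line, *header_lines = parts["B"].splitlines()
    method, uri, _version = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    cookie_names = [c.strip().split("=", 1)[0]
                    for c in headers.get("Cookie", "").split(";") if c.strip()]
    override = parse_qs(parts.get("C", "")).get("_method", [None])[0]
    return {
        "method": method,
        "uri": uri,
        "method_override": override,
        # The difference between these two is what the vendor's reply points at.
        "override_differs": override is not None and override.upper() != method,
        "cookie_names": cookie_names,
        "rule_ids": re.findall(r'\[id "(\d+)"\]', parts.get("H", "")),
    }
```

Run `analyse` over each entry of a serial audit log to see which blocked requests actually carry a method override and which only matched on the cookie name.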

Thanks!
I will look into it :slight_smile:

But the general request still stays the same: in your rule you state that the vulnerability is “fixed” as of version > 3.1.5.
As I tried to show, it is not :frowning:

The Rule may have been triggered because someone tried to exploit it in the newer version. Even though it’s fixed, it will still trigger the rule when the pattern match occurs.

Mhh, I don’t agree with your assessment: the error comes from a “stock” demo provided by CakePHP themselves:
http://book.cakephp.org/3.0/en/tutorials-and-examples/bookmarks/intro.html
and is provided through the “official” GitHub repo.

After some private messages the confusion was cleared up: the 3.1.5 refers to Comodo rule numbers :slight_smile:

So the only fix (untested) I can come up with is to tell Cake not to use _method.