A customer reported a problem with the application I built for him.
His hosting provider uses the WAF rules, and with CakePHP the rules from version 1.74 (2016.04.19) are triggered.
The exact rule is the "CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)".
As far as I was able to research, CakePHP has addressed this issue, and the WAF rule says that it should be fixed by version >= 3.1.5.
I have tested it with a CakePHP application using v3.3.4, but the rule is still triggered.
[Tue Nov 08 13:49:22.148327 2016] [:error] [pid 16987] [client 192.168.15.6] ModSecurity: Access denied with code 403 (phase 2). String match "cakephp" at REQUEST_COOKIES_NAMES:CAKEPHP. [file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "2402"] [id "241601"] [rev "2"] [msg "COMODO WAF: CSRF protection bypass vulnerability in CakePHP 2.x and 3.x before 3.1.5 (CVE-2015-8739)||bookmark.test.com|F|2"] [hostname "bookmark.test.com"] [uri "/bookmarks/edit/1"] [unique_id "WCHJ0sCoAHcAAEJbTZIAAAAE"]
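The quickest way to check what a rule like this actually matched is to pull the fields out of the ModSecurity error-log line rather than reading the rule's message text. The following is an added example, not code from the thread, from Comodo or from CakePHP; it parses the event quoted above (re-typed here with the square brackets ModSecurity writes) and reports the rule id, the matched variable and the URI. In the quoted event the operator match is reported on the cookie name (REQUEST_COOKIES_NAMES:CAKEPHP), not on a request argument; whatever else the rule inspects, such as the _method parameter the support reply mentions, is not visible in this line and would need the audit log. The second, hypothetical sample line shows what an argument match would look like and is constructed for the example.

```python
"""Parse ModSecurity 2.x Apache error-log lines into their fields.

Added example for this thread; not code from Comodo, CakePHP or the poster.
"""
import re

# The poster's event, re-typed with ModSecurity's square brackets (constructed copy).
SAMPLE_COOKIE_MATCH = (
    '[Tue Nov 08 13:49:22.148327 2016] [:error] [pid 16987] [client 192.168.15.6] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'String match "cakephp" at REQUEST_COOKIES_NAMES:CAKEPHP. '
    '[file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "2402"] [id "241601"] '
    '[rev "2"] [msg "COMODO WAF: CSRF protection bypass vulnerability in CakePHP 2.x and '
    '3.x before 3.1.5 (CVE-2015-8739)||bookmark.test.com|F|2"] '
    '[hostname "bookmark.test.com"] [uri "/bookmarks/edit/1"] '
    '[unique_id "WCHJ0sCoAHcAAEJbTZIAAAAE"]'
)

# Hypothetical line (constructed, not from the thread): the same shape, but the
# match is reported on a POST/GET argument named _method instead of a cookie name.
SAMPLE_ARG_MATCH = (
    '[Tue Nov 08 13:50:01.000000 2016] [:error] [pid 16987] [client 192.168.15.6] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "(?i)^(?:get|put|delete)$" at ARGS:_method. '
    '[file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "2402"] [id "241601"] '
    '[rev "2"] [msg "COMODO WAF: example||bookmark.test.com|F|2"] '
    '[hostname "bookmark.test.com"] [uri "/bookmarks/edit/1"] [unique_id "TESTID"]'
)

# [key "value"] pairs that follow the ModSecurity message (file, line, id, msg, uri, ...).
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The operator report: "<disruptive action>. <operator description> at <COLLECTION[:name]>."
_MATCH = re.compile(
    r'ModSecurity: (?P<action>.*?)\. (?P<op>.*?) at (?P<var>[A-Z_]+(?::[^. ]+)?)\.'
)
_CLIENT = re.compile(r'\[client ([^\]]+)\]')


def parse_modsec_line(line):
    """Return a dict of rule metadata plus the collection and variable that matched."""
    fields = {k: v for k, v in _KV.findall(line)}
    m = _MATCH.search(line)
    if m:
        fields.update(m.groupdict())
        # Split e.g. REQUEST_COOKIES_NAMES:CAKEPHP into collection and variable name.
        fields['collection'], _, fields['var_name'] = m.group('var').partition(':')
    c = _CLIENT.search(line)
    if c:
        fields['client'] = c.group(1)
    # Comodo appends "||host|F|severity" to msg; keep only the human-readable text.
    if 'msg' in fields:
        fields['msg'] = fields['msg'].split('||', 1)[0]
    return fields


def matched_on_cookie_name(fields):
    """True when the logged operator match was on a cookie name, i.e. an application
    fingerprint rather than on a request argument."""
    return fields.get('collection') == 'REQUEST_COOKIES_NAMES'


def matched_on_argument(fields, name):
    """True when the logged operator match was on a query/body argument called `name`."""
    return fields.get('collection') in ('ARGS', 'ARGS_GET', 'ARGS_POST') \
        and fields.get('var_name') == name


if __name__ == '__main__':
    for line in (SAMPLE_COOKIE_MATCH, SAMPLE_ARG_MATCH):
        f = parse_modsec_line(line)
        print(f['id'], f['uri'], f['collection'], f.get('var_name'),
              'cookie-name match' if matched_on_cookie_name(f) else 'argument match')
```

Run it over the real error log (one line per event) to see, per rule id, which collection the match lands in; a rule that only ever reports REQUEST_COOKIES_NAMES matches is keying on the framework's session cookie name, and the audit log for the same unique_id is where the request body, including any _method value, can be read.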
We have investigated the issue, and the event triggered seems to be a "TRUE POSITIVE".
Reason: "The request is crafted with an illegal request method which does not match the actual request method.
In this case it's a possible CSRF attack attempt and the CWAF rule is triggered."
Please feel free to post back regarding any other queries.
Hi 3tlam,
As you can see in the modsec audit log, the POST data "_method", which is used to identify the request method being used, has been modified, which indicates a possible CSRF protection bypass attempt.
The rule will only be triggered for a malicious request (like in your case), and all other normal requests should work fine.
But the general request still stays the same: in your rule you state that the vulnerability is "fixed" as of version >= 3.1.5.
As I tried to show, it is not.
The rule may have been triggered because someone tried to exploit it in the newer version. Even though it's fixed, it will still trigger the rule when the pattern match occurs.