{"id":10374,"date":"2025-03-01T20:17:21","date_gmt":"2025-03-01T13:17:21","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10374"},"modified":"2026-02-03T20:19:33","modified_gmt":"2026-02-03T13:19:33","slug":"lo-hong-trong-modsecurity-khien-ung-dung-web-bi-tan-cong","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/03\/01\/lo-hong-trong-modsecurity-khien-ung-dung-web-bi-tan-cong\/","title":{"rendered":"Vulnerability in ModSecurity leaves web applications exposed to attack"},"content":{"rendered":"<p>A notable security vulnerability has been disclosed in ModSecurity, the widely deployed open-source web application firewall (WAF). Tracked as CVE-2025-27110, it can leave web applications exposed to attack even though a WAF sits in front of them, and without anyone noticing, because the malicious request passes inspection instead of being blocked and logged. Since ModSecurity is frequently deployed as the first line of defence for websites and online systems, the weakness is assessed as having a wide impact.<\/p>\n
<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone  wp-image-10375\" src=\"https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/1741678747984-300x154.png\" alt=\"\" width=\"616\" height=\"316\" srcset=\"https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/1741678747984-300x154.png 300w, https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/1741678747984-768x395.png 768w, https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/1741678747984.png 992w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><\/p>\n
<p>ModSecurity is designed to protect web applications against common attacks such as cross-site scripting (XSS), SQL injection and remote code execution (RCE). This vulnerability, however, lies in libmodsecurity3, the core library of ModSecurity v3 that parses and processes HTTP traffic for the NGINX and other v3 connectors. Specifically, CVE-2025-27110 affects libmodsecurity3 version 3.0.13 and carries a CVSS v4 score of 7.9, a high severity rating. The CVE is filed against the v3 library; the ModSecurity 2.9.x Apache module is a separate code base and is not the subject of this advisory.<\/p>\n
<p>The root cause is how libmodsecurity3 decodes HTML entities before applying its rules. Numeric character references may legitimately be written with leading zeros (an HTML parser treats <code>&amp;#60;<\/code>, <code>&amp;#060;<\/code> and <code>&amp;#0060;<\/code> all as <code>&lt;<\/code>), but in some such cases the library fails to decode the reference correctly. An attacker can therefore encode a malicious payload in a form that ModSecurity does not normalise, so rules that depend on the engine's HTML-entity decoding transformation (<code>t:htmlEntityDecode<\/code>) never see the decoded value and the request passes the WAF unchanged. The backend web application, or the victim's browser in a reflected-XSS scenario, decodes the same reference correctly, so the attack lands despite the inspection.<\/p>\n
<p>The consequences of such a bypass are serious. XSS or SQL injection payloads can be disguised in a way that leaves administrators believing the system is protected while the malicious input has already reached the application; because the request is not blocked, it also produces no ModSecurity alert to investigate. This is especially dangerous for organisations that rely heavily on ModSecurity with no additional monitoring or secondary controls behind it.<\/p>\n
<p>In response, the ModSecurity maintainers released libmodsecurity3 version 3.0.14, which corrects the HTML-entity handling. The fix improves the decoding routine so that numeric references are parsed in full, leading zeros included, before the security rules are applied.<\/p>\n
<p>Security practitioners advise all ModSecurity users to update to the latest version immediately to close this bypass. Administrators should also review their WAF rules, watch access logs for unusual encoding patterns (for example numeric references padded with runs of zeros), and keep the application itself hardened with output encoding and parameterised queries, since a WAF is a compensating control rather than a fix for the underlying weakness. Keeping ModSecurity current is key to it remaining effective against increasingly sophisticated evasion techniques.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A notable security vulnerability has been disclosed in ModSecurity, the widely deployed open-source web application firewall (WAF). Tracked as CVE-2025-27110, it can leave web applications exposed to attack even though a WAF sits in front of them [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10374","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10374"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10374\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10374"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}