add a rule block upload filename with ../ and something like that · Issue #2446 · coreruleset/coreruleset · GitHub
add a rule block upload filename with ../ and something like that #2446


Closed
k4n5ha0 opened this issue Mar 22, 2022 · 5 comments
Assignees
Labels
PR available this issue is referenced by an active pull request 👍 Feature Request

Comments

k4n5ha0 commented Mar 22, 2022

Motivation

When paranoia_level=2
I can upload a file with ../ or ..\

And a Windows filename cannot include / \ : * ? " < > |

I think it is an OWASP Path Traversal vulnerability.

Proposed solution

So I think ModSecurity needs to block upload filenames that include / \ : * ? " < > | at paranoia_level=1,
especially / \ :
reference linking:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

Thanks again.

franbuehler (Contributor) commented

Wow, that's a nice finding.
Thank you for your report.

I'll check it!

franbuehler (Contributor) commented

I found a way to reproduce this request:
curl -v -F "data=@file;filename=../1.7z" localhost

First I thought that I would extend the data file restricted-upload.data of rule 932180.

But then I found the "Directory Traversal" rules 930100 and 930110 that already cover a lot of possible encodings.

When I extend the targets of the rule 930110 with FILES, the reported request no longer works.

So my solution would be to extend both rules 930100 and 930110 with FILES. I think we don't need FILES_NAMES (Contains a list of form fields that were used for file upload. Available only on inspected multipart/form-data requests.)

What do you think about this proposal?
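As an added illustration of the proposal above (not code from this issue or from CRS), the following Python reconstructs the multipart body that the curl command sends, extracts the filename= value the way the FILES collection would see it, and applies a traversal check to it. The boundary, file content and the check pattern are assumptions made for this example.

```python
import re
import urllib.parse
from email.parser import BytesParser
from email.policy import default

# Constructed sample: the multipart body that
#   curl -v -F "data=@file;filename=../1.7z" localhost
# produces. Boundary and file bytes are made up for this example.
BOUNDARY = "------------------------c0nstructed"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="data"; filename="../1.7z"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "7z-sample-bytes\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Assumed detection pattern: a ".." path segment delimited by / or \
# (or the start/end of the name), i.e. the ../ and ..\ cases from the
# report. One round of URL decoding is applied first so %2e%2e%2f is
# also caught. This is the logic of the check, not CRS rule text.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def extract_filenames(content_type: str, body: bytes) -> list[str]:
    """Return the filename= value of every file part (what FILES holds)."""
    raw = f"Content-Type: {content_type}\r\n\r\n".encode() + body
    msg = BytesParser(policy=default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]


def is_traversal(filename: str) -> bool:
    """True when the (URL-decoded) filename contains a .. path segment."""
    return bool(TRAVERSAL.search(urllib.parse.unquote(filename)))


def check_upload(content_type: str, body: bytes) -> list[tuple[str, bool]]:
    """Pair each uploaded filename with the traversal verdict."""
    return [(fn, is_traversal(fn)) for fn in extract_filenames(content_type, body)]


if __name__ == "__main__":
    for name, flagged in check_upload(CONTENT_TYPE, BODY):
        print(f"{name!r}: {'BLOCK' if flagged else 'allow'}")
```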

dune73 (Member) commented Mar 23, 2022

Proposal looks good to me.

I seem to remember that the values of FILES and FILES_NAMES are not very intuitive.

franbuehler (Contributor) commented

Ok, I'll propose a PR.
Thank you for the feedback.

@franbuehler franbuehler self-assigned this Mar 24, 2022
@franbuehler franbuehler added the PR available this issue is referenced by an active pull request label Mar 25, 2022
fzipi (Member) commented Apr 1, 2022

Closing after merge.

@fzipi fzipi closed this as completed Apr 1, 2022
4 participants