[Owasp-modsecurity-core-rule-set] Block upload file (jsp,php)

Paolo Luise paolo.luiseit at gmail.com
Sun Feb 1 10:39:47 UTC 2015


Hi Ilyass,
the rule 960035 in the file modsecurity_crs_30_http_policy.conf, which is
the one that uses the restricted_extensions variable, bases its match on
the REQUEST_BASENAME, that is "the filename part of REQUEST_FILENAME" (
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BASENAME
).

File uploads are handled in the body of the POST request, and then the
basename is that of the script which orchestrates the upload.

I would suggest that you intercept your upload request with a tool such as
ZAP by OWASP, and identify the process of the uploads in your application.

For example, you may find a request like this:

POST http://mysite/upload.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://mysite/contentadmin.php
Content-Length: 15748
Content-Type: multipart/form-data; boundary=---------------------------100259790820425171131264960
Host: mysite

The content-type is multipart so, in the body, there will be more than one
part, separated by the boundary identifier. Among these, there is the one
referring to a PNG image:

-----------------------------100259790820425171131264960
Content-Disposition: form-data; name="upload"; filename="waf.png"
Content-Type: image/png

In this case you would have to write rules acting on the phase 2 body content,
checking the filename and Content-Type headers.

Hope this is of some help to you

Paolo
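The phase 2 rule described above, written out as an added example (this is not code from the thread or from the CRS; the rule ids 9000100/9000101, the tag and the extension list are my own choices):

```apache
# Added example: enforce the upload policy on the multipart "filename" attribute
# rather than on REQUEST_BASENAME (which is only "upload.php" in the request above).
# The request body must be parsed for FILES to be populated.
SecRequestBodyAccess On

# FILES holds the filename= value of every file part in a multipart/form-data
# body (waf.png in the example request); FILES:upload would restrict the check
# to the part whose form field is named "upload". Each filename is tested on
# its own, so a request carrying several parts is rejected if any one of them
# ends in a restricted extension. Filenames are lowercased before matching so
# that "Shell.JSP" is treated the same as "shell.jsp".
# The id, tag and extension list are local choices, not CRS values.
SecRule FILES "@rx \.(?:php[0-9]?|phtml|phar|jsp|jspx|jsw|jsv|asp|aspx|ashx|cgi|pl)$" \
    "id:9000100,\
    phase:2,\
    t:none,t:lowercase,\
    deny,status:403,\
    log,\
    msg:'Upload rejected: filename has a restricted extension',\
    logdata:'%{MATCHED_VAR}',\
    tag:'LOCAL/POLICY/UPLOAD_EXT_RESTRICTED'"

# The multipart parser must also be trusted: if it flagged an inconsistency in
# the body (a malformed part, boundary or header), do not let the request
# through on the assumption that the filename check above saw every part.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:9000101,\
    phase:2,\
    t:none,\
    deny,status:403,\
    log,\
    msg:'Multipart request body failed strict validation'"
```

Note that the tx.restricted_extensions list quoted in the question contains .jsp/ but not .php/, so even a REQUEST_BASENAME match would not have covered PHP files.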


> Hi,
>
> How can I block upload a specific file such as (.jsp/.php)
> I configured this rule :
> /etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf
>
> with this :
>
> SecAction \
>   "id:'900012', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
>   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
>   setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
>   setvar:'tx.restricted_extensions=.asa/ .jsp/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
>   setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
>   nolog, \
>   pass"
>
>
> But it doesn't stop the upload of .jsp files.
>
> Have you any idea?
>
> Thank you