[Owasp-modsecurity-core-rule-set] Owasp-modsecurity-core-rule-set Digest, Vol 70, Issue 1

Ilyass Kaouam ilyassikai at gmail.com
Mon Feb 2 10:39:35 UTC 2015


Thank you Paolo :)
I'll try this (y)


2015-02-01 12:00 GMT+00:00 <owasp-modsecurity-core-rule-set-request at lists.owasp.org>:

> Today's Topics:
>
>    1. Re: Block upload file (jsp,php) (Paolo Luise)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 1 Feb 2015 11:39:47 +0100
> From: Paolo Luise <paolo.luiseit at gmail.com>
> To: owasp-modsecurity-core-rule-set at lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] Block upload file (jsp,php)
> Message-ID: <CAPF6YCk6gf4AeDzHvmLBveZiaQKMpTjXJHaCJ1h2C7s5MSTz2Q at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Ilyass,
> the rule 960035 in the file modsecurity_crs_30_http_policy.conf, which is
> the one that uses the restricted_extensions variable, bases its match on
> REQUEST_BASENAME, that is, "the filename part of REQUEST_FILENAME"
> (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BASENAME).
>
> File uploads are handled in the body of the POST request, so the
> basename is that of the script which orchestrates the upload.
>
> I would suggest you intercept your upload request with a tool such as
> ZAP by OWASP, and identify the upload process in your application.
>
> For example, you may find a request like this:
>
> POST http://mysite/upload.php HTTP/1.1
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Referer: http://mysite/contentadmin.php
> Content-Length: 15748
> Content-Type: multipart/form-data; boundary=---------------------------100259790820425171131264960
> Host: mysite
>
> The content-type is multipart, so in the body there will be more than one
> part, separated by the boundary identifier. Among these, there is the one
> referring to a png image:
>
> -----------------------------100259790820425171131264960
> Content-Disposition: form-data; name="upload"; filename="waf.png"
> Content-Type: image/png
>
> In this case you would have to write rules acting on phase 2 body content,
> checking the filename and content-type headers.
>
> Hope this is of some help to you
>
> Paolo
>
>
> > Hi,
> >
> > How can I block the upload of a specific file type such as (.jsp/.php)?
> > I configured this rule:
> > /etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf
> >
> > with this:
> >
> > SecAction \
> >   "id:'900012', \
> >   phase:1, \
> >   t:none, \
> >   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
> >   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
> >   setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
> >   setvar:'tx.restricted_extensions=.asa/ .jsp/ .asax/ .ascx/ .axd/ .backup/ \
> >   .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ \
> >   .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ \
> >   .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ \
> >   .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ \
> >   .vsdisco/ .webinfo/ .xsd/ .xsx/', \
> >   setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
> >   nolog, \
> >   pass"
> >
> > But it doesn't stop the upload of .jsp files.
> >
> > Have you any idea?
> >
> > Thank you
> End of Owasp-modsecurity-core-rule-set Digest, Vol 70, Issue 1
> **************************************************************
>
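Phase 2 rules implementing the approach Paolo describes (inspect the filename of the multipart part rather than REQUEST_BASENAME), added here as an example; they are not from the thread or from the CRS project. Assumptions: ModSecurity 2.x with the CRS 2.x `tx.restricted_extensions` format shown in the question, and placeholder rule id 900900.

```apache
# Added example (not from the thread or CRS): inspect the multipart upload
# filename in phase 2. Assumes ModSecurity 2.x with CRS 2.x, where
# tx.restricted_extensions is already populated in the ".jsp/ .php/" form;
# rule id 900900 is a placeholder chosen for this example.

# Without request body access the multipart parts are never parsed and the
# FILES collection stays empty, so phase 2 body rules would have nothing to see.
SecRequestBodyAccess On

# FILES holds the filename="..." value of every multipart file part (for the
# request in the thread that is "waf.png"), whereas REQUEST_BASENAME only ever
# sees "upload.php". Capture the extension, normalise it to the ".ext/" form
# and look it up in the same list that rule 960035 uses for REQUEST_BASENAME.
SecRule FILES "@rx \.([a-z0-9]+)$" \
    "id:900900,phase:2,t:none,t:lowercase,capture,block,log, \
    msg:'Upload of file with restricted extension .%{TX.1}', \
    logdata:'%{MATCHED_VAR}', \
    setvar:'tx.upload_extension=.%{TX.1}/',chain"
    SecRule TX:UPLOAD_EXTENSION "@within %{tx.restricted_extensions}"
```

This covers the filename half of the check only. Note that the `tx.restricted_extensions` list in the question contains `.jsp/` but not `.php/`, so `.php/` has to be added there before PHP uploads can match.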