coreruleset: Failed to block .phps and .htaccess file upload in #REQUEST-933-APPLICATION-ATTACK-PHP rules
_Issue originally created by user umarfarook882 on date 2017-06-20 19:31:45. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/817._
When I was going through #REQUEST-933-APPLICATION-ATTACK-PHP, rule ID 933110, at first I thought something was missing. I did my little research.

PHP supported extensions: .php, .phtml, .php3, .php4, .php5, .php7, .phps

Then I found the .phps extension was missing from the regex, so I was able to upload a .phps file. Anyway, it is not a major bug, because by default Apache will not allow a .phps file to run; it has no use. So I found another way to execute the .phps file: by uploading a .htaccess file.

Then I thought OWASP CRS would definitely block uploading a .htaccess file, but surprisingly there is no rule to block .htaccess file upload. Finally I uploaded a .htaccess file and executed the .phps, which gives shell access.

So it's better to block .htaccess and .phps file upload for better security.

For more information and a detailed explanation, check my demo video on GitHub.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 16
User lifeforms commented on date 2017-06-20 19:50:26:
I would very much like to prevent .htaccess from being uploaded! I'm not so very sure about .phps. I don't think it does anything special. With a .htaccess you can make every file an executable PHP file, e.g.

Then upload a test.blah file and execute it. So let's add .htaccess. Only question is where? Rule 933110 is PHP specific. But .htaccess is not PHP specific. So maybe we should create a different general rule? I could see us adding more entries in the future.
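The two points raised in this thread, the extension gap in rule 933110 and the way an uploaded .htaccess can route any extension to the PHP handler, as an added example that is not code from the CRS project or from either commenter. The regex labelled as rule 933110 is a reconstruction from memory of the CRS 3.0 pattern and is an assumption, not the project's rule text; the hardened pattern, the sample upload names and the .htaccess body are constructed for this example. AddType, AddHandler and SetHandler are real Apache directives; the scanning logic around them is ours.

```python
import re

# ASSUMPTION: reconstruction of the file-name pattern rule 933110 applied in
# CRS 3.0 (.php, .php<digits>, .phtml at the end of the name, optionally
# followed by trailing dots). Not copied from the CRS source.
CRS_933110_RE = re.compile(r".*\.(?:php\d*|phtml)\.*$", re.IGNORECASE)

# Hardened variant written for this example: adds .phps (the gap the reporter
# found) and blocks any upload named .htaccess, with or without a directory
# prefix (the gap lifeforms wants closed in a separate, non-PHP rule).
HARDENED_RE = re.compile(
    r"(?:.*\.(?:php\d*|phtml|phps)\.*$)|(?:(?:.*[/\\])?\.htaccess$)",
    re.IGNORECASE,
)

# Constructed .htaccess body of the kind described in the thread: it tells
# Apache to treat an arbitrary extension, and .phps, as executable PHP.
SAMPLE_HTACCESS = """\
# constructed example, not the reporter's actual upload
AddType application/x-httpd-php .blah
AddType application/x-httpd-php .phps
"""


def blocked_by_933110(filename: str) -> bool:
    """True if the reconstructed rule 933110 pattern would block this upload name."""
    return CRS_933110_RE.match(filename) is not None


def blocked_by_hardened(filename: str) -> bool:
    """True if the extended pattern (adds .phps and .htaccess) would block it."""
    return HARDENED_RE.match(filename) is not None


def audit_uploads(names):
    """Map each upload name to (blocked by 933110, blocked by hardened rule)."""
    return {n: (blocked_by_933110(n), blocked_by_hardened(n)) for n in names}


def htaccess_maps_to_php(content: str) -> list:
    """Return the non-comment lines of an .htaccess body that hand files to
    a PHP handler via AddType, AddHandler or SetHandler."""
    hits = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"(?i)(?:AddType|AddHandler|SetHandler)\s+\S*php", stripped):
            hits.append(stripped)
    return hits


if __name__ == "__main__":
    # Constructed sample names: the ones the thread mentions plus two benign ones.
    samples = [
        "shell.php", "shell.php5", "shell.phtml", "shell.phps",
        ".htaccess", "uploads/.htaccess", "test.blah", "image.jpg",
    ]
    for name, (old, new) in audit_uploads(samples).items():
        print(f"{name:20} 933110={'block' if old else 'pass':5} "
              f"hardened={'block' if new else 'pass'}")
    print("handler directives in sample .htaccess:",
          htaccess_maps_to_php(SAMPLE_HTACCESS))
```

Run it and the table shows shell.phps and both .htaccess names passing the reconstructed 933110 pattern while the hardened pattern blocks them; test.blah passes both, which is exactly why the .htaccess upload matters: once the directives above are in place, the harmless-looking name is executed as PHP. In a real deployment the .htaccess check belongs in a general rule rather than in the PHP-specific 933110, as lifeforms suggests, and the handler-directive scan is a defence-in-depth check on content, not a substitute for refusing the file outright.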