Hi Ilyass, the rule 960035 in the file modsecurity_crs_30_http_policy.conf, which is the one that uses the restricted_extensions variable, bases its match on the REQUEST_BASENAME, that is "the filename part of REQUEST_FILENAME" ( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BASENAME ).
File uploads are handled in the body of the POST request, and then the basename is that of the script which orchestrates the upload. I would suggest you intercept your upload request with a tool such as ZAP by OWASP, and identify the process of the uploads in your application. For example, you may find a request like this:

    POST http://mysite/upload.php HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://mysite/contentadmin.php
    Content-Length: 15748
    Content-Type: multipart/form-data; boundary=---------------------------100259790820425171131264960
    Host: mysite

The content-type is multipart so, in the body, there will be more than one part separated by the boundary identifier. Among these, there is the one referring to a png image:

    -----------------------------100259790820425171131264960
    Content-Disposition: form-data; name="upload"; filename="waf.png"
    Content-Type: image/png

In this case you would have to write rules acting on phase 2 body content, checking the filename and content-type headers.
Hope this could be of any help for you.

Paolo

> Hi,
>
> How can I block uploading a specific file such as (.jsp/.php)?
> I configured this rule:
> /etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf
>
> with this:
>
> SecAction \
>   "id:'900012', \
>   phase:1, \
>   t:none, \
>   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
>   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
>   setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
>   setvar:'tx.restricted_extensions=.asa/ .jsp/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
>   setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
>   nolog, \
>   pass"
>
> But it doesn't stop the upload of .jsp files.
>
> Have you any idea?
>
> Thank you
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
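As an added example, not part of Paolo's reply nor a rule shipped with the CRS, this is a phase 2 rule of the kind he describes: it inspects the filename="..." value of each multipart file part instead of the basename of the upload script. It assumes ModSecurity 2.x with request body parsing enabled; the rule id 999100 is a placeholder, and the part's Content-Type header is not checked here.

```apache
# Added example, not from the original thread or the CRS.
# Assumes ModSecurity 2.x; rule id 999100 is a placeholder, pick a free id.

# The multipart body must be buffered and parsed, otherwise phase 2
# collections such as FILES stay empty and the rule below never matches.
SecRequestBodyAccess On

# Phase 2 runs after the request body has been parsed. FILES holds the
# filename="..." value of every file part (e.g. "waf.png" in the capture
# above). Rule 960035 only looks at REQUEST_BASENAME, which for the
# request above is "upload.php", so it never sees the uploaded name.
# t:lowercase makes the match case-insensitive (".JSP" is caught too);
# extend the alternation with whatever your application server executes.
SecRule FILES "@rx \.(?:jsp|php)$" \
    "id:'999100', \
    phase:2, \
    t:none,t:lowercase, \
    deny,status:403,log, \
    msg:'Upload of a server-side script file blocked', \
    logdata:'Uploaded filename: %{MATCHED_VAR}', \
    tag:'POLICY/EXT_RESTRICTED'"
```

With this in place, a POST to upload.php whose part carries filename="waf.png" passes, while the same request with filename ending in .jsp or .php is denied with a 403 and the uploaded name appears in the audit log via logdata.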