Thank you Paolo :) I'll try this (y)
2015-02-01 12:00 GMT+00:00 <owasp-modsecurity-core-rule-set-requ...@lists.owasp.org>:
> Today's Topics:
>
>    1. Re: Block upload file (jsp,php) (Paolo Luise)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 1 Feb 2015 11:39:47 +0100
> From: Paolo Luise <paolo.luis...@gmail.com>
> To: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] Block upload file (jsp,php)
>
> Hi Ilyass,
> the rule 960035 in the file modsecurity_crs_30_http_policy.conf, which is
> the one that uses the restricted_extensions variable, bases its match on
> REQUEST_BASENAME, that is "the filename part of REQUEST_FILENAME"
> (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BASENAME).
>
> File uploads are handled in the body of the POST request, and then the
> basename is that of the script which orchestrates the upload.
>
> I would suggest you intercept your upload request with a tool such as
> ZAP by OWASP, and identify the upload process in your application.
> For example, you may find a request like this:
>
> POST http://mysite/upload.php HTTP/1.1
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Referer: http://mysite/contentadmin.php
> Content-Length: 15748
> Content-Type: multipart/form-data; boundary=---------------------------100259790820425171131264960
> Host: mysite
>
> The content-type is multipart, so in the body there will be more than one
> part, separated by the boundary identifier. Among these, there is the one
> referring to a png image:
>
> -----------------------------100259790820425171131264960
> Content-Disposition: form-data; name="upload"; filename="waf.png"
> Content-Type: image/png
>
> In this case you would have to write rules acting on phase 2 body content,
> checking the filename and content-type headers.
>
> Hope this is of some help to you
>
> Paolo
>
> > Hi,
> >
> > How can I block the upload of specific files such as .jsp/.php?
> > I configured this rule in
> > /etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf
> > with this:
> >
> > SecAction \
> >   "id:'900012', \
> >   phase:1, \
> >   t:none, \
> >   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
> >   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
> >   setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
> >   setvar:'tx.restricted_extensions=.asa/ .jsp/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ \
> >   .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
> >   setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
> >   nolog, \
> >   pass"
> >
> > But it doesn't stop the upload of .jsp files.
> >
> > Have you any idea?
> >
> > Thank you
>
> End of Owasp-modsecurity-core-rule-set Digest, Vol 70, Issue 1
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
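An added example of the phase 2 rule Paolo describes; it is not part of this thread, of the CRS, or of ModSecurity's own distribution. It applies the extension check to the filename of each multipart file part (the FILES collection) instead of to REQUEST_BASENAME, so a POST to upload.php carrying a part named shell.jsp is denied. Rule ids 900150 and 900151, the extension regex, the tx.upload_ext variable and the 403 status are assumptions. One caveat on the second rule: the tx.restricted_extensions list quoted in the thread contains .jsp/ but no .php/, so .php/ has to be added to that list before the second rule would block PHP uploads.

```apache
# Added example for this thread (not code from the list, the CRS or
# ModSecurity). Rule ids 900150/900151, the extension regex and the
# 403 status are assumptions; choose ids that are free in your ruleset.

# Multipart parts are only parsed when request body access is on; this is
# normally already set in modsecurity.conf.
SecRequestBodyAccess On

# FILES holds the filename="..." value of every file part in a
# multipart/form-data body (waf.png in the request quoted above). That is
# the name the upload actually gets, whereas 960035 inspects
# REQUEST_BASENAME, which for that request is upload.php and never carries
# the uploaded file's extension. t:lowercase makes SHELL.Jsp match too.
SecRule FILES "@rx \.(?:php[3-7]?|phtml|jsp|jspx)$" \
    "id:900150,\
    phase:2,\
    t:none,t:lowercase,\
    deny,status:403,\
    log,\
    msg:'Upload of server-side script blocked',\
    logdata:'%{MATCHED_VAR}',\
    tag:'POLICY/UPLOAD_EXT_RESTRICTED'"

# Alternative that reuses the tx.restricted_extensions list set in 900012,
# mirroring how 960035 checks REQUEST_BASENAME: capture the extension,
# append "/" so it matches the ".jsp/ .asa/" list format, and test it with
# @within. The list quoted in the thread has .jsp/ but not .php/, so add
# ".php/" to it before relying on this rule for PHP. The capture keeps only
# one file part's extension, so with several file parts in one request
# prefer the direct rule above.
SecRule FILES "@rx \.([a-z0-9]+)$" \
    "chain,\
    id:900151,\
    phase:2,\
    t:none,t:lowercase,\
    capture,\
    setvar:tx.upload_ext=.%{tx.1}/,\
    deny,status:403,\
    log,\
    msg:'Uploaded file extension is restricted by policy',\
    logdata:'%{TX.0}',\
    tag:'POLICY/UPLOAD_EXT_RESTRICTED'"
    SecRule TX:UPLOAD_EXT "@within %{tx.restricted_extensions}" "t:none"
```

Put the rules in a file loaded after modsecurity_crs_30_http_policy.conf so tx.restricted_extensions is already set, then replay the intercepted request with the part renamed to shell.jsp and confirm a 403 and an audit log entry for 900150 or 900151. In an anomaly-scoring deployment replace deny,status:403 with block and the anomaly score setvars used by the other policy rules. Note that this checks only the client-supplied filename, which the attacker controls; the filename is what most upload handlers use to name the stored file, but content that the application itself interprets (for example a PHP handler that executes by content sniffing) needs an additional content check.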