Block uploads of files with .phps extension

lifeforms · lifeforms · commit 496d3134f569 · 2017-09-15T22:44:37.000+02:00
(cherry picked from commit 4a2cc78)
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -63,7 +63,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # [ PHP Script Uploads ]
 #
-# Block file uploads with PHP extensions (.php, .php5, .phtml etc).
+# Block file uploads with filenames ending in PHP related extensions
+# (.php, .phps, .phtml, .php5 etc).
 #
 # Many application contain Unrestricted File Upload vulnerabilities.
 # https://www.owasp.org/index.php/Unrestricted_File_Upload
@@ -80,7 +81,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # X_Filename, or X-File-Name to transmit the file name to the server;
 # scan these request headers as well as multipart/form-data file names.
 #
-SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phps|phtml)\.*$" \
     "msg:'PHP Injection Attack: PHP Script File Upload Found',\
     phase:2,\
     ver:'OWASP_CRS/3.0.0',\
@@ -588,8 +589,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 #
 # [ PHP Script Uploads: Superfluous extension ]
 #
-# Block file uploads with PHP extensions (.php, .php5, .phtml etc)
-# anywhere in the name, followed by a dot.
+# Block file uploads with PHP related extensions (.php, .phps, .phtml,
+# .php5 etc) anywhere in the name, followed by a dot.
 #
 # Example: index.php.tmp
 #
@@ -606,7 +607,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 #
 # This rule is a stricter sibling of rule 933110.
 #
-SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phps|phtml)\..*$" \
     "msg:'PHP Injection Attack: PHP Script File Upload Found',\
     phase:2,\
     ver:'OWASP_CRS/3.0.0',\

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,8 @@ SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAME`
`63`	`63`	`#`
`64`	`64`	`# [ PHP Script Uploads ]`
`65`	`65`	`#`
`66`		`-# Block file uploads with PHP extensions (.php, .php5, .phtml etc).`
	`66`	`+# Block file uploads with filenames ending in PHP related extensions`
	`67`	`+# (.php, .phps, .phtml, .php5 etc).`
`67`	`68`	`#`
`68`	`69`	`# Many application contain Unrestricted File Upload vulnerabilities.`
`69`	`70`	`# https://www.owasp.org/index.php/Unrestricted_File_Upload`
`@@ -80,7 +81,7 @@ SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|ARGS_NAME`
`80`	`81`	`# X_Filename, or X-File-Name to transmit the file name to the server;`
`81`	`82`	`# scan these request headers as well as multipart/form-data file names.`
`82`	`83`	`#`
`83`		`-SecRule FILES\|REQUEST_HEADERS:X-Filename\|REQUEST_HEADERS:X_Filename\|REQUEST_HEADERS:X-File-Name "@rx .\.(?:php\d\|phtml)\.*$" \`
	`84`	`+SecRule FILES\|REQUEST_HEADERS:X-Filename\|REQUEST_HEADERS:X_Filename\|REQUEST_HEADERS:X-File-Name "@rx .\.(?:php\d\|phps\|phtml)\.*$" \`
`84`	`85`	`"msg:'PHP Injection Attack: PHP Script File Upload Found',\`
`85`	`86`	`phase:2,\`
`86`	`87`	`ver:'OWASP_CRS/3.0.0',\`
`@@ -588,8 +589,8 @@ SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_F`
`588`	`589`	`#`
`589`	`590`	`# [ PHP Script Uploads: Superfluous extension ]`
`590`	`591`	`#`
`591`		`-# Block file uploads with PHP extensions (.php, .php5, .phtml etc)`
`592`		`-# anywhere in the name, followed by a dot.`
	`592`	`+# Block file uploads with PHP related extensions (.php, .phps, .phtml,`
	`593`	`+# .php5 etc) anywhere in the name, followed by a dot.`
`593`	`594`	`#`
`594`	`595`	`# Example: index.php.tmp`
`595`	`596`	`#`
`@@ -606,7 +607,7 @@ SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|REQUEST_COOKIES_NAMES\|REQUEST_F`
`606`	`607`	`#`
`607`	`608`	`# This rule is a stricter sibling of rule 933110.`
`608`	`609`	`#`
`609`		`-SecRule FILES\|REQUEST_HEADERS:X-Filename\|REQUEST_HEADERS:X_Filename\|REQUEST_HEADERS:X-File-Name "@rx .\.(?:php\d\|phtml)\..*$" \`
	`610`	`+SecRule FILES\|REQUEST_HEADERS:X-Filename\|REQUEST_HEADERS:X_Filename\|REQUEST_HEADERS:X-File-Name "@rx .\.(?:php\d\|phps\|phtml)\..*$" \`
`610`	`611`	`"msg:'PHP Injection Attack: PHP Script File Upload Found',\`
`611`	`612`	`phase:2,\`
`612`	`613`	`ver:'OWASP_CRS/3.0.0',\`