Add a rule to block upload filenames with ../ and something like that
Motivation
When paranoia_level=2,
I can upload a file with ../ or ..\
and a Windows filename cannot include / \ : * ? " < > |
I think it is an OWASP Path Traversal vulnerability.
Proposed solution
So I think ModSecurity needs to block upload filenames that include / \ : * ? " < > |
with paranoia_level=1,
especially / \ :
Reference link:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
thx again
Issue Analytics
- State:
- Created a year ago
- Reactions:2
- Comments:5 (5 by maintainers)
Top GitHub Comments
Wow, that’s a nice finding. Thank you for your report.
I’ll check it!
Closing after merge.
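
The check requested in the issue, sketched as an added Python example (not ModSecurity or Core Rule Set code, and not part of the issue thread): it pulls the client-supplied filename out of each part of a multipart/form-data body and reports which of the listed characters it contains. The parser is simplified, and the function names and sample request are constructed for illustration.

```python
import re

# Characters listed in the issue; "/", "\" and ":" are the ones it singles out.
FORBIDDEN = '/\\:*?"<>|'

_BOUNDARY = re.compile(r'boundary="?([^";]+)"?', re.I)
_DISPOSITION = re.compile(rb'^content-disposition:(.*)$', re.I | re.M)
_FILENAME = re.compile(rb';\s*filename="([^"]*)"', re.I)


def upload_filenames(content_type, body):
    """Return the client-supplied filename of every file part in a
    multipart/form-data body (simplified: quoted parameters only)."""
    m = _BOUNDARY.search(content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(1).encode()
    names = []
    for part in body.split(delimiter)[1:]:
        headers = part.split(b"\r\n\r\n", 1)[0]
        disp = _DISPOSITION.search(headers)
        fn = _FILENAME.search(disp.group(1)) if disp else None
        if fn:
            names.append(fn.group(1).decode("utf-8", "replace"))
    return names


def rejected_uploads(content_type, body):
    """Map each offending filename to the forbidden characters it contains."""
    result = {}
    for name in upload_filenames(content_type, body):
        bad = sorted(set(name) & set(FORBIDDEN))
        if bad:
            result[name] = bad
    return result


# Constructed sample request (not taken from the issue).
SAMPLE_CT = "multipart/form-data; boundary=----example"
SAMPLE_BODY = (
    b'------example\r\n'
    b'Content-Disposition: form-data; name="doc"; filename="report.pdf"\r\n'
    b'Content-Type: application/pdf\r\n\r\n%PDF-\r\n'
    b'------example\r\n'
    b'Content-Disposition: form-data; name="cfg"; filename="..\\..\\web.config"\r\n\r\nx\r\n'
    b'------example\r\n'
    b'Content-Disposition: form-data; name="txt"; filename="../up/a.txt"\r\n\r\nx\r\n'
    b'------example--\r\n'
)
```

The check runs on the filename exactly as sent, before any normalization, so both separator styles are caught regardless of the server's operating system.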