
Failed to block .phps and .htaccess file upload in #REQUEST-933-APPLICATION-ATTACK-PHP rules


_Issue originally created by user umarfarook882 on date 2017-06-20 19:31:45. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/817._

When I was going through #REQUEST-933-APPLICATION-ATTACK-PHP #Rule ID:933110, at first I thought something was missing. I did my little research 😃

PHP supported extensions: .php, .phtml, .php3, .php4, .php5, .php7, .phps

Then I found the .phps extension was missing from the regex, so I was able to upload a .phps file. Anyway, it is not a major bug, because by default Apache will not allow a .phps file to run; it has no use. So I found another way to execute the .phps file, by uploading a .htaccess file.

Then I thought OWASP CRS would definitely block uploading a .htaccess file, but surprisingly there is no rule to block .htaccess file upload. Finally I uploaded a .htaccess file and executed the .phps, which gives shell access 😃

So it's better to block .htaccess and .phps file uploads for better security. 😃

For more information and a detailed explanation, check my demo video on GitHub.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 16

Top GitHub Comments

1 reaction
CRS-migration-bot commented, May 13, 2020

User lifeforms commented on date 2017-06-20 19:50:26:

I would very much like to prevent .htaccess from being uploaded!

I’m not so very sure about .phps. I don’t think it does anything special.

With a .htaccess you can make every file an executable PHP file, e.g.

<FilesMatch \.blah$>
	SetHandler application/x-httpd-php
</FilesMatch>

Then upload a test.blah file and execute it.

So let’s add .htaccess. Only question is where? Rule 933110 is PHP specific. But .htaccess is not PHP specific. So maybe we should create a different general rule? I could see us adding more entries in the future.
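The two gaps discussed in this thread (a PHP-extension list that omitted .phps, and no rule at all for .htaccess) can be checked against upload filenames before the request reaches the application. The following is an added example, not CRS rule code and not code from the issue author: it models the two proposed checks as separate lists, exactly as lifeforms suggests (one PHP-specific, one general for server configuration files), scans the filename= values of a constructed multipart body, and shows why the general rule matters: test.blah on its own passes every extension check and only becomes executable because of the uploaded .htaccess. The extension list is taken from the issue text plus .phps; everything else (function names, the sample body) is constructed for this example.

```python
import re

# PHP extensions listed in the issue, plus .phps which the issue says the regex missed.
PHP_EXT_RE = re.compile(r"\.(?:php|phtml|php[3457]|phps)$", re.IGNORECASE)

# Separate, non-PHP-specific list as proposed in the comment above; more
# entries can be added here without touching the PHP rule. (Example only.)
SERVER_CONFIG_FILES = {".htaccess"}

# Matches the filename="..." parameter of a multipart Content-Disposition header.
FILENAME_RE = re.compile(r'Content-Disposition:[^\r\n]*?filename="([^"]*)"', re.IGNORECASE)


def classify_upload(filename: str):
    """Return a short reason string if the upload filename should be blocked, else None."""
    # Only the basename matters; strip any path the client sent along.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if PHP_EXT_RE.search(base):
        return "php-extension"
    if base.lower() in SERVER_CONFIG_FILES:
        return "server-config-file"
    return None


def find_blocked_parts(body: str):
    """Scan a multipart/form-data body and list (filename, reason) for blocked parts."""
    hits = []
    for match in FILENAME_RE.finditer(body):
        name = match.group(1)
        reason = classify_upload(name)
        if reason:
            hits.append((name, reason))
    return hits


# Constructed sample request body: one benign image, one .htaccess, one .phps,
# and a .blah file that no extension rule catches on its own.
SAMPLE_BODY = (
    "--boundary\r\n"
    'Content-Disposition: form-data; name="f1"; filename="photo.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n...\r\n"
    "--boundary\r\n"
    'Content-Disposition: form-data; name="f2"; filename=".htaccess"\r\n'
    "Content-Type: text/plain\r\n\r\n...\r\n"
    "--boundary\r\n"
    'Content-Disposition: form-data; name="f3"; filename="x.phps"\r\n'
    "Content-Type: text/plain\r\n\r\n...\r\n"
    "--boundary\r\n"
    'Content-Disposition: form-data; name="f4"; filename="test.blah"\r\n'
    "Content-Type: text/plain\r\n\r\n...\r\n"
    "--boundary--\r\n"
)

if __name__ == "__main__":
    for name, reason in find_blocked_parts(SAMPLE_BODY):
        print(f"blocked: {name} ({reason})")
```

Running it reports .htaccess and x.phps as blocked while photo.jpg and test.blah pass, which is the point of keeping the .htaccess check: the .blah file is harmless unless a .htaccess upload is also allowed through.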

0 reactions
CRS-migration-bot commented, May 13, 2020

User lifeforms commented on date 2018-05-20 13:31:51:

PR is in #1095.
