Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
lfi-os-files.data: add some common files
See original GitHub issue_Issue originally created by user lifeforms on date 2016-06-26 16:50:30. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/382._
I’d suggest to add some entries to the LFI data.
First, some versioning related files and directories which may be lying around in web roots and allow attackers to retrieve source code, paths, settings, developer identities, possible hardcoded passwords, etc:
.git/.gitconfig.gitignore.hg/.svn/
Also, some nice prizes for LFI:
.htaccess.htpasswd
Ideally I’d check for these strings in REQUEST_FILENAME as well as parameters.
False positive possibility seems low to me, I have blocked these entries for a long time with no problems.
Issue Analytics
- State:
- Created 3 years ago
- Comments:10
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
User lifeforms commented on date 2016-08-10 12:54:22:
Yeah. It’s not super urgent and the
.gitcase needs a regexp to prevent FP so probably better to turn those into a separate rule. 3.1 sounds right.User dune73 commented on date 2016-08-10 08:37:28:
csanders-git assigned this to the CRS 3.1 milestone. I assume the 3.0.0 dev label can thus be replaced by the approriate 3.1.0 label.