lfi-os-files.data: add some common files
Issue originally created by user lifeforms on 2016-06-26 16:50:30. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/382
I’d suggest adding some entries to the LFI data.
First, some versioning-related files and directories which may be lying around in web roots and allow attackers to retrieve source code, paths, settings, developer identities, possible hardcoded passwords, etc.:
- .git/
- .gitconfig
- .gitignore
- .hg/
- .svn/
Also, some nice prizes for LFI:
- .htaccess
- .htpasswd
Ideally I’d check for these strings in REQUEST_FILENAME as well as parameters.
False positive possibility seems low to me; I have blocked these entries for a long time with no problems.
Top GitHub Comments
User lifeforms commented on date 2016-08-10 12:54:22:
Yeah. It’s not super urgent, and the .git case needs a regexp to prevent FP, so probably better to turn those into a separate rule. 3.1 sounds right.
User dune73 commented on date 2016-08-10 08:37:28:
csanders-git assigned this to the CRS 3.1 milestone. I assume the 3.0.0 dev label can thus be replaced by the appropriate 3.1.0 label.
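The check the issue proposes (the listed strings in REQUEST_FILENAME and in parameters) together with the component-anchored .git/.hg/.svn match that the follow-up comment says is needed to avoid false positives, as an added Python example that is not part of the CRS or of this thread. It assumes the file-style names are matched as plain substrings (as a phrase-match data file would) and uses constructed sample request targets.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Entries proposed in the issue. The file-style names are distinctive enough to be
# matched as plain substrings (the assumed behaviour of a phrase-match data file);
# the bare VCS directories get a regex anchored on path components so that names
# such as ".github/" or "widget.gitx.js" do not fire, the false-positive concern
# raised in the follow-up comment.
PLAIN_MARKERS = (".htaccess", ".htpasswd", ".gitconfig", ".gitignore")
VCS_DIR_RE = re.compile(r"(?:^|/)\.(git|hg|svn)(?=/|$)")


def _normalise(value: str) -> str:
    """Decode percent-encoding twice (double encoding is a common evasion),
    fold backslashes to slashes and lowercase: roughly what the ModSecurity
    transformations urlDecodeUni, normalisePath and lowercase would do."""
    return unquote(unquote(value)).replace("\\", "/").lower()


def _markers_in(text: str) -> list:
    hits = [m for m in PLAIN_MARKERS if m in text]
    hits += [f".{m.group(1)}/" for m in VCS_DIR_RE.finditer(text)]
    return hits


def inspect_request(raw_target: str) -> list:
    """Return (location, marker) findings for a request target such as
    '/index.php?page=../.htpasswd'. Locations mirror the ModSecurity
    variable names REQUEST_FILENAME and ARGS:<name>."""
    parts = urlsplit(raw_target)
    findings = [("REQUEST_FILENAME", m) for m in _markers_in(_normalise(parts.path))]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        findings += [(f"ARGS:{name}", m) for m in _markers_in(_normalise(value))]
    return findings


if __name__ == "__main__":
    # Constructed sample request targets, not taken from real traffic.
    samples = [
        "/.git/config",                             # VCS directory in the path
        "/index.php?page=..%2F..%2F.htpasswd",      # traversal to a config file via a parameter
        "/download?file=%252e%252e%252f.hg/hgrc",   # double-encoded traversal
        "/view?f=..\\..\\.svn\\entries",            # Windows-style separators
        "/.github/workflows/ci.yml",                # benign: must stay clean
        "/assets/widget.gitx.js",                   # benign: must stay clean
    ]
    for target in samples:
        print(f"{target!r:45} -> {inspect_request(target) or 'clean'}")
```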