Re: [mod-security-users] [Fwd: blocking upload of .php files]
From: Ivan R. <iv...@we...> - 2005-01-29 18:33:41
> Hi, is it possible to block a file upload based on file extension?

The short answer is yes. The exact solution depends on the modsecurity version you are using.

> I can't block php files by blocking content-type text/plain, because I
> don't want to block .txt files.

Both the content type and the filename of the file being uploaded are supplied by the client. A malicious user could, therefore, forge any or both of them.

> There is no rule to filter for filename extension specifically, right?

There isn't in the 1.8.x branch but there is in the 1.9.x branch. In 1.9dev1 I added several variables related to file upload. This is a part of the CHANGES (http://www.modsecurity.org/download/CHANGES) file:

  * New variables added: FILE_NAME_*, FILE_SIZE_*, FILE_NAMES, FILE_SIZES, FILES_COUNT, HEADER_*, HEADERS, HEADERS_NAMES, HEADERS_VALUES, HEADERS_COUNT, ARGS_COUNT, COOKIES_COUNT

But because the information provided in FILE_NAMES cannot be trusted the attacker is still able to upload a PHP file, although not with a ".php" extension. So the following would still be possible:

1. Someone uploads a PHP file with an extension .gif. Let's assume it goes to "/g/image.gif".

2. He then proceeds to exploit another flaw in the application where he injects the "/g/image.gif" filename into an include() PHP statement. By doing this he gets to execute code on the server.

There is a better way. You can write a simple script to be executed with SecUploadApproveScript. The script will be executed with the filename of the file on disk as the only parameter. The script needs to read the file and look for "<%" or "<?" strings. If found, the file is likely to be a PHP file.

Actually, the best approach is to perform both checks (only possible with 1.9.x). First for the filename and then for the file content.
> <Location /cms>
> SecFilterInheritance Off
> SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data chain
> SecFilterSelective POST_PAYLOAD "filename=\"[[:print:]]+\.php\""
> </Location>

This does not work because modsecurity never gives you access to a multipart/form-data body directly. Such a body is too complex (plus it can contain binary data) to be evaluated using regular expressions.

-- 
Ivan Ristic (http://www.modsecurity.org)
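The content check described in the reply above, written out as an added example (not Ivan's or the ModSecurity project's code): a hypothetical approve script for ModSecurity 1.9 that rejects any upload whose bytes contain "<?" or "<%", whatever extension the client chose. The reply protocol (a verdict line on stdout whose first character is "1" to approve) and the companion FILE_NAMES rule in the comments are assumptions to verify against the 1.9 reference manual.

```shell
#!/bin/sh
# Added example: hypothetical SecUploadApproveScript for ModSecurity 1.9.
# ModSecurity passes the on-disk path of the uploaded file as the only
# argument. Assumed reply protocol: one stdout line whose first character
# is "1" approves the upload; anything else rejects it and the rest of
# the line is the diagnostic message.
#
# Assumed companion configuration (the filename check runs first):
#   SecFilterSelective FILE_NAMES "\.php$"
#   SecUploadApproveScript /usr/local/bin/check-upload.sh

# Returns 0 when the file contains no "<?" or "<%" sequence, 1 when it does.
# Extension and Content-Type both come from the client, so only the bytes on
# disk are trusted: -a makes grep scan binary files as text and LC_ALL=C
# stops it from giving up on invalid multibyte sequences.
looks_like_script() {
    if LC_ALL=C grep -aqE '<\?|<%' -- "$1"; then
        return 1
    fi
    return 0
}

# Decide for one uploaded file and print the verdict line for ModSecurity.
# Returns 0 on approve, 1 on reject; an unreadable file is rejected too
# (fail closed rather than letting an unchecked upload through).
approve_upload() {
    if [ ! -f "$1" ]; then
        echo "0 upload rejected: cannot read $1"
        return 1
    fi
    if looks_like_script "$1"; then
        echo "1 ok"
        return 0
    fi
    echo "0 upload rejected: content contains a PHP/ASP open tag"
    return 1
}

# Act as the approve script only when invoked with a single path argument.
if [ "$#" -eq 1 ]; then
    approve_upload "$1"
fi
```

Because "<?" also matches an XML declaration, XML and SVG uploads are rejected by this heuristic; if the application needs them, relax the pattern deliberately rather than dropping the check.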