Add some rules for Typo3, courtesy of @kjojo

author: jvoisin 2018-03-02 13:45:33 +0100
committer: jvoisin 2018-03-02 13:45:33 +0100
commit: ea13be2426e5fbe0b026f5d80f14a2377d560401 (patch)
tree: 2e99f86f59694bee827cc173d974e154b98a5758
parent: 9e769944ff07e39f3890f192e9bb8c57a8cef54c (diff)
2 files changed, 67 insertions, 0 deletions
diff --git a/config/typo3.rules b/config/typo3.rules
new file mode 100644
index 0000000..57fafd1
--- /dev/null
+++ b/config/typo3.rules
@@ -0,0 +1,55 @@
+# Harden the `chmod` function
+sp.disable_function.function("chmod").param("mode").filename_r("typo3/sysext/core/Classes/Utility/GeneralUtility.php$").value_r("^[0-9]{2}6$").allow();
+sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value("").allow();
+# use swiftmailer to send email
+sp.disable_function.function("mail").drop();
+##Prevent various `include`-related vulnerabilities
+sp.disable_function.function_r("^(?:require|include)_once$").value_r("\.php$").allow();
+sp.disable_function.function_r("^require|include$").value_r("\.php$").allow();
+sp.disable_function.function_r("^(?:require|include)_once$").drop();
+sp.disable_function.function_r("^require|include$").drop();
+# Prevent `system`-related injections
+sp.disable_function.function("system").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\-\\.\\*'\+\\[\\] \/]+ 2>&1$").allow();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
+# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("var_name").filename_r("typo3/sysext/core/Classes/Core/Bootstrap.php$").value("memory_limit").allow();
+sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
+# Detect some backdoors via environnement recon
+sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/core/Classes/Cache/Backend/SimpleFileBackend.php$").value("open_basedir").allow();
+sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/Check.php$").value("open_basedir").allow();
+sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/SetupCheck.php$").value("allow_url_fopen").allow();
+sp.disable_function.function("ini_get").param("var_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value("allow_url_fopen").allow();
+sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+#need to be allow for example to execute Scheduled tasks
+sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^curl_multi_exec$|^curl_exec$").allow();
+sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
+sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+# Ghetto sqli hardening
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("/\\*").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("--").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("#").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r(";.*;").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("benchmark").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
+#File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
diff --git a/src/tests/config_typo3.phpt b/src/tests/config_typo3.phpt
new file mode 100644
index 0000000..1b678ca
--- /dev/null
+++ b/src/tests/config_typo3.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Rules for Typo3
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/../../config/typo3.rules
+--FILE--
+<?php 
+echo "ok"
+?>
+--EXPECT--
+ok
author	jvoisin	2018-03-02 13:45:33 +0100
committer	jvoisin	2018-03-02 13:45:33 +0100
commit	ea13be2426e5fbe0b026f5d80f14a2377d560401 (patch)
tree	2e99f86f59694bee827cc173d974e154b98a5758
parent	9e769944ff07e39f3890f192e9bb8c57a8cef54c (diff)

diff --git a/config/typo3.rules b/config/typo3.rules new file mode 100644 index 0000000..57fafd1 --- /dev/null +++ b/config/typo3.rules
@@ -0,0 +1,55 @@
	1	# Harden the `chmod` function
	2	sp.disable_function.function("chmod").param("mode").filename_r("typo3/sysext/core/Classes/Utility/GeneralUtility.php$").value_r("^[0-9]{2}6$").allow();
	3	sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
	4
	5	# Prevent various `mail`-related vulnerabilities
	6	sp.disable_function.function("mail").param("additional_parameters").value("").allow();
	7	# use swiftmailer to send email
	8	sp.disable_function.function("mail").drop();
	9
	10
	11	##Prevent various `include`-related vulnerabilities
	12	sp.disable_function.function_r("^(?:require\|include)_once$").value_r("\.php$").allow();
	13	sp.disable_function.function_r("^require\|include$").value_r("\.php$").allow();
	14	sp.disable_function.function_r("^(?:require\|include)_once$").drop();
	15	sp.disable_function.function_r("^require\|include$").drop();
	16
	17	# Prevent `system`-related injections
	18	sp.disable_function.function("system").drop();
	19	sp.disable_function.function("shell_exec").param("command").value_r("[$\|;&`\\n]").drop();
	20	sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\-\\.\\*'\+\\[\\] \/]+ 2>&1$").allow();
	21	sp.disable_function.function("exec").param("command").value_r("[$\|;&`\\n]").drop();
	22	sp.disable_function.function("proc_open").param("command").value_r("[$\|;&`\\n]").drop();
	23
	24	# Prevent runtime modification of interesting things
	25	sp.disable_function.function("ini_set").param("var_name").filename_r("typo3/sysext/core/Classes/Core/Bootstrap.php$").value("memory_limit").allow();
	26	sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
	27	sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
	28	sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
	29	sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
	30	sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
	31
	32	# Detect some backdoors via environnement recon
	33	sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/core/Classes/Cache/Backend/SimpleFileBackend.php$").value("open_basedir").allow();
	34	sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/Check.php$").value("open_basedir").allow();
	35	sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/SetupCheck.php$").value("allow_url_fopen").allow();
	36	sp.disable_function.function("ini_get").param("var_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value("allow_url_fopen").allow();
	37	sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen\|open_basedir\|suhosin)").drop();
	38
	39	#need to be allow for example to execute Scheduled tasks
	40	sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^curl_multi_exec$\|^curl_exec$").allow();
	41	sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval\|exec\|system)").drop();
	42	sp.disable_function.function("is_callable").param("var").value_r("(?:eval\|exec\|system)").drop();
	43
	44	# Ghetto sqli hardening
	45	sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("/\\*").drop();
	46	sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("--").drop();
	47	sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("#").drop();
	48	sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r(";.*;").drop();
	49	sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("benchmark").drop();
	50	sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
	51	sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
	52
	53	#File upload
	54	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
	55	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();


diff --git a/src/tests/config_typo3.phpt b/src/tests/config_typo3.phpt new file mode 100644 index 0000000..1b678ca --- /dev/null +++ b/src/tests/config_typo3.phpt
@@ -0,0 +1,12 @@
	1	--TEST--
	2	Rules for Typo3
	3	--SKIPIF--
	4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
	5	--INI--
	6	sp.configuration_file={PWD}/../../config/typo3.rules
	7	--FILE--
	8	<?php
	9	echo "ok"
	10	?>
	11	--EXPECT--
	12	ok