Add yet an other stupid things to the default set of rules

author: jvoisin 2020-04-25 15:08:40 +0200
committer: jvoisin 2020-04-25 15:08:40 +0200
commit: bbdf470f4e2d87d90c9ea11f4ce572e4416ffeab (patch)
tree: dcf337e5d1b79fa27c75740a82288ff3b6324858 /config/default.rules
parent: 15b4b451f1997267848fb7a23f7310adaff04f54 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/config/default.rules b/config/default.rules
index 1446fb8..9dfa68e 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -45,6 +45,9 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
 sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
+# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
+sp.disable_function.function("extract").param("array").value_r("^_").drop()
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
 # Since we have no way of matching on two parameters at the same time, we're
author	jvoisin	2020-04-25 15:08:40 +0200
committer	jvoisin	2020-04-25 15:08:40 +0200
commit	bbdf470f4e2d87d90c9ea11f4ce572e4416ffeab (patch)
tree	dcf337e5d1b79fa27c75740a82288ff3b6324858 /config/default.rules
parent	15b4b451f1997267848fb7a23f7310adaff04f54 (diff)

diff --git a/config/default.rules b/config/default.rules index 1446fb8..9dfa68e 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -45,6 +45,9 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
45	# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80	45	# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
46	sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()	46	sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
47		47
		48	# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
		49	sp.disable_function.function("extract").param("array").value_r("^_").drop()
		50
48	# This is also burned:	51	# This is also burned:
49	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));	52	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
50	# Since we have no way of matching on two parameters at the same time, we're	53	# Since we have no way of matching on two parameters at the same time, we're