diff options
| author | jvoisin | 2018-03-02 13:45:33 +0100 |
|---|---|---|
| committer | jvoisin | 2018-03-02 13:45:33 +0100 |
| commit | ea13be2426e5fbe0b026f5d80f14a2377d560401 (patch) | |
| tree | 2e99f86f59694bee827cc173d974e154b98a5758 /config | |
| parent | 9e769944ff07e39f3890f192e9bb8c57a8cef54c (diff) | |
Add some rules for Typo3, courtesy of @kjojo
Diffstat (limited to 'config')
| -rw-r--r-- | config/typo3.rules | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/config/typo3.rules b/config/typo3.rules new file mode 100644 index 0000000..57fafd1 --- /dev/null +++ b/config/typo3.rules | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | # Harden the `chmod` function | ||
| 2 | sp.disable_function.function("chmod").param("mode").filename_r("typo3/sysext/core/Classes/Utility/GeneralUtility.php$").value_r("^[0-9]{2}6$").allow(); | ||
| 3 | sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); | ||
| 4 | |||
| 5 | # Prevent various `mail`-related vulnerabilities | ||
| 6 | sp.disable_function.function("mail").param("additional_parameters").value("").allow(); | ||
| 7 | # use swiftmailer to send email | ||
| 8 | sp.disable_function.function("mail").drop(); | ||
| 9 | |||
| 10 | |||
| 11 | ##Prevent various `include`-related vulnerabilities | ||
| 12 | sp.disable_function.function_r("^(?:require|include)_once$").value_r("\.php$").allow(); | ||
| 13 | sp.disable_function.function_r("^require|include$").value_r("\.php$").allow(); | ||
| 14 | sp.disable_function.function_r("^(?:require|include)_once$").drop(); | ||
| 15 | sp.disable_function.function_r("^require|include$").drop(); | ||
| 16 | |||
| 17 | # Prevent `system`-related injections | ||
| 18 | sp.disable_function.function("system").drop(); | ||
| 19 | sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop(); | ||
| 20 | sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\-\\.\\*'\+\\[\\] \/]+ 2>&1$").allow(); | ||
| 21 | sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop(); | ||
| 22 | sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop(); | ||
| 23 | |||
| 24 | # Prevent runtime modification of interesting things | ||
| 25 | sp.disable_function.function("ini_set").param("var_name").filename_r("typo3/sysext/core/Classes/Core/Bootstrap.php$").value("memory_limit").allow(); | ||
| 26 | sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop(); | ||
| 27 | sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop(); | ||
| 28 | sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop(); | ||
| 29 | sp.disable_function.function("ini_set").param("var_name").value("include_path").drop(); | ||
| 30 | sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop(); | ||
| 31 | |||
| 32 | # Detect some backdoors via environnement recon | ||
| 33 | sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/core/Classes/Cache/Backend/SimpleFileBackend.php$").value("open_basedir").allow(); | ||
| 34 | sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/Check.php$").value("open_basedir").allow(); | ||
| 35 | sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/SetupCheck.php$").value("allow_url_fopen").allow(); | ||
| 36 | sp.disable_function.function("ini_get").param("var_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value("allow_url_fopen").allow(); | ||
| 37 | sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop(); | ||
| 38 | |||
| 39 | #need to be allow for example to execute Scheduled tasks | ||
| 40 | sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^curl_multi_exec$|^curl_exec$").allow(); | ||
| 41 | sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop(); | ||
| 42 | sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop(); | ||
| 43 | |||
| 44 | # Ghetto sqli hardening | ||
| 45 | sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("/\\*").drop(); | ||
| 46 | sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("--").drop(); | ||
| 47 | sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("#").drop(); | ||
| 48 | sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r(";.*;").drop(); | ||
| 49 | sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("benchmark").drop(); | ||
| 50 | sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("sleep").drop(); | ||
| 51 | sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("information_schema").drop(); | ||
| 52 | |||
| 53 | #File upload | ||
| 54 | sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); | ||
| 55 | sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); | ||