summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--config/default.rules1
-rw-r--r--config/examples.rules41
-rw-r--r--config/rips.rules35
-rw-r--r--src/tests/example_configuration.phpt20
4 files changed, 32 insertions, 65 deletions
diff --git a/config/default.rules b/config/default.rules
index 88398c1..b52ae4c 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -1,6 +1,5 @@
1# Harden the `chmod` function 1# Harden the `chmod` function
2sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); 2sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
3sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop();
4 3
5# Prevent various `mail`-related vulnerabilities 4# Prevent various `mail`-related vulnerabilities
6sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); 5sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
diff --git a/config/examples.rules b/config/examples.rules
deleted file mode 100644
index 664a67a..0000000
--- a/config/examples.rules
+++ /dev/null
@@ -1,41 +0,0 @@
1# Restrict system calls to specific file
2sp.disable_function.function("system").filename("/update.php").allow();
3sp.disable_function.function("system").drop();
4
5
6# Restrict system calls to specific file with a specific hash
7sp.disable_function.function("system").filename("/update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow();
8sp.disable_function.function("system").drop();
9
10
11# AbanteCart 1.2.8 - Multiple SQL Injections <https://blog.ripstech.com/2016/abantecart-multiple-sql-injections>
12sp.disable_function.filename("/core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop();
13sp.disable_function.filename("/admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop();
14
15
16# Redaxo 5.2.0: Remote Code Execution via CSRF <https://blog.ripstech.com/2016/redaxo-remote-code-execution-via-csrf>
17# See <http://code.vtiger.com/vtiger/vtigercrm/commit/9b5c5338f80237ae072a06e1ba4a5cfcbfe063b0> for details
18sp.disable_function.filename("/redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
19
20
21# Guest Post: Vtiger 6.5.0 - SQL Injection <https://blog.ripstech.com/2016/vtiger-sql-injection/>
22sp.disable_function.filename("/modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
23
24
25# The State of Wordpress Security <https://blog.ripstech.com/2016/the-state-of-wordpress-security>
26# All In One WP Security & Firewall
27sp.disable_function.filename("/admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]").value_r("\"").drop();
28
29
30# PHPKit 1.6.6: Code Execution for Privileged Users <https://blog.ripstech.com/2016/phpkit-code-exection-for-privileged-users>
31sp.disable_function.filename("/pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
32
33
34# Coppermine 1.5.42: Second-Order Command Execution <https://blog.ripstech.com/2016/coppermine-second-order-command-execution>
35sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]").value_r("[^a-z0-9]").drop();
36sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
37
38
39# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
40sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
41sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
diff --git a/config/rips.rules b/config/rips.rules
index 9497528..52e3f27 100644
--- a/config/rips.rules
+++ b/config/rips.rules
@@ -1,4 +1,33 @@
1sp.disable_function.function("define").filename_r("/static_pages/index.php").var("$_SERVER[PHP_SELF]").value_r("\"").drop(); 1# AbanteCart 1.2.8 - Multiple SQL Injections <https://blog.ripstech.com/2016/abantecart-multiple-sql-injections>
2sp.disable_function.function("ModelToolBackup::createBackupTask").filename_r("/admin/model/tool/backup.php").param("data[table_list]").value_r("'").drop(); 2sp.disable_function.function("define").filename_r("/static_pages/index\\.php$").var("$_SERVER[PHP_SELF]").value_r("\"").drop();
3sp.disable_function.function("ALanguageManager::_clone_language_rows").filename_r("/core/lib/language_manager.php").param("from_language").value_r("[^0-9]").drop(); 3sp.disable_function.function("ModelToolBackup::createBackupTask").filename_r("/admin/model/tool/backup\\.php$").param("data[table_list]").value_r("'").drop();
4sp.disable_function.function("ALanguageManager::_clone_language_rows").filename_r("/core/lib/language_manager\\.php$").param("from_language").value_r("[^0-9]").drop();
5
6
7# Redaxo 5.2.0: Remote Code Execution via CSRF <https://blog.ripstech.com/2016/redaxo-remote-code-execution-via-csrf>
8# See <http://code.vtiger.com/vtiger/vtigercrm/commit/9b5c5338f80237ae072a06e1ba4a5cfcbfe063b0> for details
9sp.disable_function.filename("/redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
10
11
12# Guest Post: Vtiger 6.5.0 - SQL Injection <https://blog.ripstech.com/2016/vtiger-sql-injection/>
13sp.disable_function.filename("/modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
14
15
16# The State of Wordpress Security <https://blog.ripstech.com/2016/the-state-of-wordpress-security>
17# All In One WP Security & Firewall
18sp.disable_function.filename("/admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]").value_r("\"").drop();
19
20
21# PHPKit 1.6.6: Code Execution for Privileged Users <https://blog.ripstech.com/2016/phpkit-code-exection-for-privileged-users>
22sp.disable_function.filename("/pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
23
24
25# Coppermine 1.5.42: Second-Order Command Execution <https://blog.ripstech.com/2016/coppermine-second-order-command-execution>
26sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]").value_r("[^a-z0-9]").drop();
27sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
28
29
30# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
31sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
32sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
4 33
diff --git a/src/tests/example_configuration.phpt b/src/tests/example_configuration.phpt
deleted file mode 100644
index 6c2e82d..0000000
--- a/src/tests/example_configuration.phpt
+++ /dev/null
@@ -1,20 +0,0 @@
1--TEST--
2Shipped configuration
3--SKIPIF--
4<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
5--INI--
6sp.configuration_file={PWD}/../../config/examples.rules
7--FILE--
8<?php
9ob_start();
10phpinfo();
11$info = ob_get_clean();
12ob_get_clean();
13if (strstr($info, 'Valid config => yes') !== FALSE) {
14 echo "win";
15} else {
16 echo "lose";
17}
18?>
19--EXPECTF--
20win