-rw-r--r--config/typo3.rules38
1 files changed, 18 insertions, 20 deletions
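--- a/config/typo3.rules
+++ b/config/typo3.rules
@@ -2,22 +2,20 @@
 sp.disable_function.function("chmod").param("mode").filename_r("typo3/sysext/core/Classes/Utility/GeneralUtility.php$").value_r("^[0-9]{2}6$").allow();
 sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
 
-# Prevent various `mail`-related vulnerabilities
-sp.disable_function.function("mail").param("additional_parameters").value("").allow();
-# use swiftmailer to send email
-sp.disable_function.function("mail").drop();
-
-
 ##Prevent various `include`-related vulnerabilities
-sp.disable_function.function_r("^(?:require|include)_once$").value_r("\.php$").allow();
-sp.disable_function.function_r("^require|include$").value_r("\.php$").allow();
-sp.disable_function.function_r("^(?:require|include)_once$").drop();
-sp.disable_function.function_r("^require|include$").drop();
+sp.disable_function.function("require_once").value_r("\.php$").allow();
+sp.disable_function.function("include_once").value_r("\.php$").allow();
+sp.disable_function.function("require").value_r("\.php$").allow();
+sp.disable_function.function("include").value_r("\.php$").allow();
+sp.disable_function.function("require_once").drop()
+sp.disable_function.function("include_once").drop()
+sp.disable_function.function("require").drop()
+sp.disable_function.function("include").drop()
 
 # Prevent `system`-related injections
 sp.disable_function.function("system").drop();
 sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
-sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\-\\.\\*'\+\\[\\] \/]+ 2>&1$").allow();
+sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\.'\+\\[\\] \/\\-]+ 2>&1$").allow();
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
 
@@ -34,21 +32,21 @@ sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/syse
 sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/Check.php$").value("open_basedir").allow();
 sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/SetupCheck.php$").value("allow_url_fopen").allow();
 sp.disable_function.function("ini_get").param("var_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value("allow_url_fopen").allow();
-sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+sp.disable_function.function("ini_get").param("var_name").value_r("^(?:allow_url_fopen|open_basedir|suhosin)$").drop();
 
 #need to be allow for example to execute Scheduled tasks
-sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^curl_multi_exec$|^curl_exec$").allow();
+sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^(?:curl_multi_exec|curl_exec)$").allow();
 sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
 sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
 
 # Ghetto sqli hardening
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("/\\*").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("--").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("#").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r(";.*;").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("benchmark").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
-sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("/\\*").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("--").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("#").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r(";.*;").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("benchmark").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
+sp.disable_function.function("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
 
 #File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();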
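Review bot: The four added drop() rules for require_once, include_once, require and include (new lines 10–13 of the first hunk) are the only statements in the file without a terminating `;`; if the rule loader treats the terminator as mandatory, as every other line in this file suggests, these drops would fail to load and the include hardening would collapse to the allow-list immediately above them, so they should read `sp.disable_function.function("require_once").drop();` and likewise for the other three. The same hunk also deletes the `mail()` allow/drop pair together with its comments, leaving no trace of why the hardening went away; if mail is now constrained elsewhere, a one-line comment such as `# mail() hardening moved to <other rules file>` would keep the file self-explanatory. In the second hunk the ini_get drop gained `^…$` anchors while the function_exists and is_callable drops on the following lines keep the unanchored `(?:eval|exec|system)`; that is presumably deliberate (broader match), but a short comment saying so would stop a later edit from "fixing" it the same way.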