From c473be13687ebd98c328f390d936be311dae7db6 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Wed, 17 Jan 2018 14:53:40 +0100 Subject: Our configuration files are ending in .rules, not .ini This commit fixes the documentation, our shipped configuration files, and the related tests. Thanks to @remicollet for the tip --- config/default.ini | 54 --------------------------------------------------- config/default.rules | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++ config/examples.ini | 41 -------------------------------------- config/examples.rules | 41 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 95 insertions(+), 95 deletions(-) delete mode 100644 config/default.ini create mode 100644 config/default.rules delete mode 100644 config/examples.ini create mode 100644 config/examples.rules (limited to 'config') diff --git a/config/default.ini b/config/default.ini deleted file mode 100644 index 88398c1..0000000 --- a/config/default.ini +++ /dev/null @@ -1,54 +0,0 @@ -# Harden the `chmod` function -sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); -sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop(); - -# Prevent various `mail`-related vulnerabilities -sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); - -##Prevent various `include`-related vulnerabilities -sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); -sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); -sp.disable_function.function_r("^(?:require|include)_once$").drop(); -sp.disable_function.function_r("^require|include$").drop(); - -# Prevent `system`-related injections -sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); -sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop(); -sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop(); -sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop(); - -# Prevent runtime modification of interesting things -sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop(); -sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop(); -sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop(); -sp.disable_function.function("ini_set").param("var_name").value("include_path").drop(); -sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop(); - -# Detect some backdoors via environnement recon -sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop(); -sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop(); -sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop(); - -# Ghetto sqli hardening -sp.disable_function.function_r("mysqli?_query").param("query").value_r("/\\*").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("--").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("#").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r(";.*;").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("benchmark").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("sleep").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("information_schema").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); -sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); - -# Ghetto sqli detection -sp.disable_function.function_r("mysqli?_query").ret("FALSE").drop(); -sp.disable_function.function_r("PDO::query").ret("FALSE").drop(); - -#File upload -sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); -sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); diff --git a/config/default.rules b/config/default.rules new file mode 100644 index 0000000..88398c1 --- /dev/null +++ b/config/default.rules @@ -0,0 +1,54 @@ +# Harden the `chmod` function +sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); +sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop(); + +# Prevent various `mail`-related vulnerabilities +sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); + +##Prevent various `include`-related vulnerabilities +sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); +sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); +sp.disable_function.function_r("^(?:require|include)_once$").drop(); +sp.disable_function.function_r("^require|include$").drop(); + +# Prevent `system`-related injections +sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); +sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop(); +sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop(); +sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop(); + +# Prevent runtime modification of interesting things +sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop(); +sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop(); +sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop(); +sp.disable_function.function("ini_set").param("var_name").value("include_path").drop(); +sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop(); + +# Detect some backdoors via environnement recon +sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop(); +sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop(); +sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop(); + +# Ghetto sqli hardening +sp.disable_function.function_r("mysqli?_query").param("query").value_r("/\\*").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("--").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("#").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r(";.*;").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("benchmark").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("sleep").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("information_schema").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); +sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); + +# Ghetto sqli detection +sp.disable_function.function_r("mysqli?_query").ret("FALSE").drop(); +sp.disable_function.function_r("PDO::query").ret("FALSE").drop(); + +#File upload +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); diff --git a/config/examples.ini b/config/examples.ini deleted file mode 100644 index 664a67a..0000000 --- a/config/examples.ini +++ /dev/null @@ -1,41 +0,0 @@ -# Restrict system calls to specific file -sp.disable_function.function("system").filename("/update.php").allow(); -sp.disable_function.function("system").drop(); - - -# Restrict system calls to specific file with a specific hash -sp.disable_function.function("system").filename("/update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow(); -sp.disable_function.function("system").drop(); - - -# AbanteCart 1.2.8 - Multiple SQL Injections -sp.disable_function.filename("/core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop(); -sp.disable_function.filename("/admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop(); - - -# Redaxo 5.2.0: Remote Code Execution via CSRF -# See for details -sp.disable_function.filename("/redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop(); - - -# Guest Post: Vtiger 6.5.0 - SQL Injection -sp.disable_function.filename("/modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop(); - - -# The State of Wordpress Security -# All In One WP Security & Firewall -sp.disable_function.filename("/admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]").value_r("\"").drop(); - - -# PHPKit 1.6.6: Code Execution for Privileged Users -sp.disable_function.filename("/pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop(); - - -# Coppermine 1.5.42: Second-Order Command Execution -sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]").value_r("[^a-z0-9]").drop(); -sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop(); - - -# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html -sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop(); -sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop(); diff --git a/config/examples.rules b/config/examples.rules new file mode 100644 index 0000000..664a67a --- /dev/null +++ b/config/examples.rules @@ -0,0 +1,41 @@ +# Restrict system calls to specific file +sp.disable_function.function("system").filename("/update.php").allow(); +sp.disable_function.function("system").drop(); + + +# Restrict system calls to specific file with a specific hash +sp.disable_function.function("system").filename("/update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow(); +sp.disable_function.function("system").drop(); + + +# AbanteCart 1.2.8 - Multiple SQL Injections +sp.disable_function.filename("/core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop(); +sp.disable_function.filename("/admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop(); + + +# Redaxo 5.2.0: Remote Code Execution via CSRF +# See for details +sp.disable_function.filename("/redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop(); + + +# Guest Post: Vtiger 6.5.0 - SQL Injection +sp.disable_function.filename("/modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop(); + + +# The State of Wordpress Security +# All In One WP Security & Firewall +sp.disable_function.filename("/admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]").value_r("\"").drop(); + + +# PHPKit 1.6.6: Code Execution for Privileged Users +sp.disable_function.filename("/pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop(); + + +# Coppermine 1.5.42: Second-Order Command Execution +sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]").value_r("[^a-z0-9]").drop(); +sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop(); + + +# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html +sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop(); +sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop(); -- cgit v1.3