PT-2019-13349 · Owasp · Owasp Modsecurity Core Rule Set

Fgsch · Published 2019-07-09 · Updated 2023-01-30 · CVE-2019-13464

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions
OWASP ModSecurity Core Rule Set (CRS) version 3.0.2

Description
An issue was discovered where the use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules. This occurs because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.

Recommendations
For OWASP ModSecurity Core Rule Set (CRS) version 3.0.2, consider using X_Filename instead of X.Filename to prevent bypassing of PHP Script Uploads rules. As a temporary workaround, review and update the existing rules to ensure they are not relying on the incorrect transformation of dots to underscores.

Exploit

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

AZL-44598
CVE-2019-13464
DLA-3293-1

Affected Products

Owasp Modsecurity Core Rule Set