PT-2019-13349 · Owasp · Owasp Modsecurity Core Rule Set
Fgsch · Published 2019-07-09 · Updated 2023-01-30 · CVE-2019-13464
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
OWASP ModSecurity Core Rule Set (CRS) version 3.0.2
Description
An issue was discovered where the use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules. This occurs because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
Recommendations
For OWASP ModSecurity Core Rule Set (CRS) version 3.0.2, consider using X_Filename instead of X.Filename to prevent bypassing of PHP Script Uploads rules. As a temporary workaround, review and update the existing rules to ensure they are not relying on the incorrect transformation of dots to underscores.
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Owasp Modsecurity Core Rule Set
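
The header-name mismatch from the Description, as an added example (not CRS code and not code from this advisory): a check keyed on the literal X_Filename spelling beside one that folds dots to underscores before comparing, plus a helper that lists spellings a rule does not cover. The filename pattern, function names and sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: a simplified stand-in for a "PHP script upload" filename test,
# not the regular expression used by the CRS rules.
PHP_SCRIPT = re.compile(r"\.(?:php\d?|phtml|phar)\.?$", re.IGNORECASE)

# Header names the hypothetical rule lists literally.
WATCHED = ("X_Filename",)


def canonical(name):
    """Fold a header name the way the description says PHP does:
    dots become underscores. Case is folded because header names are
    case-insensitive. Only this one rewrite is modelled."""
    return name.replace(".", "_").lower()


def literal_match(headers, watched=WATCHED):
    """Script filenames seen by a rule keyed on the exact header spelling."""
    names = {w.lower() for w in watched}
    return [v for k, v in headers if k.lower() in names and PHP_SCRIPT.search(v)]


def canonical_match(headers, watched=WATCHED):
    """Same test, but header names are folded before comparison."""
    names = {canonical(w) for w in watched}
    return [v for k, v in headers if canonical(k) in names and PHP_SCRIPT.search(v)]


def coverage_gaps(headers, watched=WATCHED):
    """Header spellings the backend treats as watched but the rule does not list."""
    listed = {w.lower() for w in watched}
    folded = {canonical(w) for w in watched}
    return sorted({k for k, _ in headers
                   if canonical(k) in folded and k.lower() not in listed})


# Constructed sample requests (header name, value); not captured traffic.
REQUESTS = {
    "underscore": [("Host", "upload.example.test"), ("X_Filename", "avatar.php")],
    "dotted": [("Host", "upload.example.test"), ("X.Filename", "avatar.php")],
    "benign": [("Host", "upload.example.test"), ("X.Filename", "avatar.png")],
}

if __name__ == "__main__":
    for label, hdrs in REQUESTS.items():
        print(label, literal_match(hdrs), canonical_match(hdrs), coverage_gaps(hdrs))
```

Running coverage_gaps over header names taken from access logs gives the list of spellings to add when reviewing existing rules.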