Hi Max,
On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote:
> Hi
>
> We found a Server Side Template Injection vulnerability within one of our
> applications. It seems that Apache Velocity engine is being used.
> Sample bad input used as a POST parameter:
>
thanks for reporting.
First, I really hope this is a public PoC against the mentioned
bug/issue. Anyway, in these cases it would be fine to send this
kind of questions to
secu...@coreruleset.org.
> Are there any CRS configs that would help to defend against such inputs?
I'm afraid actually there is no any solution. You can try that
with our Sandbox, eg.:
curl -v -X POST -d "q=$YOUR.MENTIONED.QUERY" -H "x-format-output: txt-matched-rules" "
https://sandbox.coreruleset.org/"
For more information (try different versions/backends) see the
Sandbox's documenation:
https://coreruleset.org/2021/12/09/introducing-the-crs-sandbox/
If you want to explain the attack in details, please do it
through
secu...@coreruleset.org.
Thanks!
a.