exclusion for attack-lfi

25 views
Skip to first unread message

oma...@gmail.com

unread,
Oct 27, 2020, 5:50:33 AM10/27/20
to ModSecurity Core Rule Set project
Hello,
there are many occurrences of single double dot '/../' in sites I try to protect by CRS Project.

For example: 
    '/web/resources/css/../images/ico_checkbox2.png'
    '/catalog/view/theme/theme_web/stylesheet/../image.png'
    
For these examples I'm able to build exclusion like this: 

  SecRule REQUEST_URI_RAW "@beginsWith /catalog/view/theme/theme_onlinekoupelny/stylesheet/../" \
      "id:'000025', \
      phase:2, \
      nolog, \
      ctl:ruleRemoveByTag='attack-lfi', \
      pass"
      
I would like to ask you, is there any possibility to solve it with only one universal exclusion? I just need to exclude single occurence of this in URI: /../. Occurence '/../../' should be marked as attack.

Thank you,
Standa
Reply all
Reply to author
Forward
0 new messages