owasp-modsecurity-crs icon indicating copy to clipboard operation
owasp-modsecurity-crs copied to clipboard

Published 20 hours ago verified publisher icon SpiderLabs

Merge new stuff from restricted-files.data into lfi-os-files.data

Open lifeforms opened this issue 6 years ago • 2 comments

#1292 brought us some new credentials/config file names for restricted-files.data.

All or most of these entries (depending a short review for FP) should also be added to lfi-os-files.data.

As discussed in #1292, what's the difference between those two data files?

  • restricted-files.data triggers on file paths, example: http://localhost/.docker/xxx
  • lfi-os-files.data triggers when used in a parameter, example: http://localhost/script_with_lfi_vuln.php?file=.docker/xxx

So to prevent LFI on these files, we should copy as many as possible to both rules.

lifeforms avatar Feb 04 '19 21:02 lifeforms

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

github-actions[bot] avatar Feb 18 '20 00:02 github-actions[bot]

I'm reopening this. I really think we should do this.

dune73 avatar Mar 03 '20 07:03 dune73