Add vpatch-CVE-2019-7276 rule and test
This rule targets the Optergy Proton/Enterprise backdoor console RCE (CVE-2019-7276). The attack is performed by sending a POST request to `/tools/ajax/ConsoleResult.html` with a `command` parameter containing a shell command (e.g., `cat /etc/passwd`). The rule:
- Matches requests to the vulnerable endpoint by checking if the URI contains `/tools/ajax/consoleresult.html` (case-insensitive).
- Checks if the `command` parameter in the body contains the string `cat /etc/passwd` (case-insensitive, URL-decoded), which is a strong indicator of exploitation attempts.
- The rule avoids false positives by focusing on the specific endpoint and parameter used in the exploit.
- All `value:` fields are lowercase, and `transform` includes `lowercase` and `urldecode` for normalization.
- The test nuclei template is adapted to send a POST request with the exploit payload and expects a 403 response, as per the detection rule's blocking behavior.
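As an added illustration (not the hub's own rule or the CrowdSec engine), the following Python models the detection logic the description lays out, applied to constructed sample requests: the URI check is case-folded, the body `command` argument is URL-decoded and lowercased before the `contains` comparison, and payloads in the query string or on another path are left alone. Request dicts, field names and the double-decode behaviour of `normalise_arg` are assumptions made for this example.

```python
from urllib.parse import parse_qs, unquote_plus

# Rule parameters as stated in the PR description (values kept lowercase).
ENDPOINT_FRAGMENT = "/tools/ajax/consoleresult.html"
BODY_ARG = "command"
PAYLOAD_FRAGMENT = "cat /etc/passwd"


def normalise_arg(value: str) -> str:
    """Model the rule's transforms on a parsed body argument: urldecode, then lowercase.

    parse_qs() already decodes once (the server's own form parsing); decoding again
    here is how this example represents the rule's explicit urldecode transform.
    """
    return unquote_plus(value).lower()


def matches(request: dict) -> bool:
    """True when the request would trip the virtual patch (answered with 403)."""
    if ENDPOINT_FRAGMENT not in request.get("uri", "").lower():
        return False
    body_args = parse_qs(request.get("body", ""), keep_blank_values=True)
    return any(PAYLOAD_FRAGMENT in normalise_arg(v) for v in body_args.get(BODY_ARG, []))


def scan(requests: list) -> list:
    """Return the indices of requests that the rule would block."""
    return [i for i, req in enumerate(requests) if matches(req)]


# Constructed sample traffic for this example.
SAMPLE_REQUESTS = [
    {"uri": "/tools/ajax/ConsoleResult.html",            # form-encoded payload
     "body": "command=cat+%2Fetc%2Fpasswd"},
    {"uri": "/Tools/Ajax/ConsoleResult.html",            # mixed case, double-encoded space
     "body": "command=CAT%2520/ETC/PASSWD"},
    {"uri": "/tools/ajax/ConsoleResult.html?command=cat+/etc/passwd",  # query string, not body
     "body": ""},
    {"uri": "/login",                                    # different endpoint
     "body": "command=cat+/etc/passwd"},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, "403 (blocked)" if matches(req) else "pass", req["uri"])
```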
Hello @crowdsec-automation,
Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
Hello @crowdsec-automation and thank you for your contribution!
:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:
:red_circle: crowdsecurity/vpatch-CVE-2019-7276 :red_circle:
Hello @seemanne,
:white_check_mark: The new VPATCH Rule is compliant, thank you for your contribution!
Hello @seemanne,
Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
closing in favor of https://github.com/crowdsecurity/hub/pull/1571