From 83e10813cfc729661aefde08a13826da025d4282 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 26 Aug 2024 10:10:54 +0200
Subject: [PATCH] Update snuffleupagus rules
(cherry picked from commit cf1088f1c58ddf3dc79f34acc14a14664c1e04df)
---
 towncrier/newsfragments/3384.bugfix | 1 +
 webmails/snuffleupagus.rules | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/3384.bugfix
diff --git a/towncrier/newsfragments/3384.bugfix b/towncrier/newsfragments/3384.bugfix
new file mode 100644
index 00000000..e82c78d8
--- /dev/null
+++ b/towncrier/newsfragments/3384.bugfix
@@ -0,0 +1 @@
+Ensure that file:// protocol is not allowed in CURL
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index 4cbe966d..10390d45 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -39,7 +39,9 @@ sp.disable_function.function("chmod").param("permissions").value("438").drop();
 sp.disable_function.function("chmod").param("permissions").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
+# Uncommend the second rule if you're using php8.3+
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
 # Since it's now burned, me might as well mitigate it publicly
 sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
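Review bot: The added comment `# Uncommend the second rule if you're using php8.3+` does not match the line below it, which is committed active rather than commented out, and "Uncommend" is a typo; with both rules active the one whose parameter name the running PHP does not use simply never matches, so the comment should say that instead, e.g. `# mail()'s 5th parameter is named additional_parameters on older PHP and additional_params on newer releases; both rules are kept so the check holds on either`. The hunk does not establish that the rename happened in 8.3 (php-src's stubs appear to use additional_params earlier than that, as far as I can tell), so the version named in the comment should be verified before it is kept. If the installed snuffleupagus supports positional matching, a single `sp.disable_function.function("mail").pos(4).value_r("\\-").drop();` would cover every PHP version without the duplicated rule.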
@@ -52,8 +54,7 @@ sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").dro
 sp.disable_function.function("extract").param("array").value_r("^_").drop()
 sp.disable_function.function("extract").param("flags").value("0").drop()
-# This is also burned:
-# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
+# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
 # Since we have no way of matching on two parameters at the same time, we're
 # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
 # Moreover, there are non-public bypasses that are also using this vector ;)
@@ -119,6 +120,10 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
 sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+# Ensure that file:// protocol is not allowed in CURL
+sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
+sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
+
 # File upload
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
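Review bot: The two new `file://` rules are case-sensitive, so a URL such as `FILE:///etc/passwd` or `File://...` is not dropped even though libcurl treats the scheme case-insensitively; since `value_r` takes a PCRE pattern, `value_r("(?i)file://")` in both the `curl_setopt` and `curl_init` rules closes that. They also leave `curl_setopt_array` uncovered, so `curl_setopt_array($ch, [CURLOPT_URL => 'file:///etc/passwd'])` reaches libcurl with no rule applied; a parallel `sp.disable_function.function("curl_setopt_array").param("options").value_r("(?i)file://").drop().alias("file:// protocol is disabled");` would cover it, assuming snuffleupagus matches `value_r` against array members as it does against strings here. The `curl_setopt` rule deliberately matches any option value containing `file://`, not only CURLOPT_URL, which is worth stating in the comment (e.g. `# Matches every curl_setopt value, not just CURLOPT_URL, so that no option can smuggle a file:// URL in`) so nobody later narrows it to `.param("option").value("10002")`. This is a string denylist rather than a protocol allowlist, so it does not replace restricting CURLOPT_PROTOCOLS in the webmail code where that is possible.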