From 241d3cb6dd872114ab782d4baa9989bd6257bdac Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Wed, 13 Aug 2025 09:50:09 +0200 Subject: [PATCH] Add snuffleupagus rules from upstream --- webmails/snuffleupagus.rules | 38 ++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules index ba6947e8..90601207 100644 --- a/webmails/snuffleupagus.rules +++ b/webmails/snuffleupagus.rules @@ -42,35 +42,38 @@ sp.disable_function.function("chmod").param("permissions").value("511").drop(); # Prevent various `mail`-related vulnerabilities # Uncommend the second rule if you're using php8.3+ +@condition PHP_VERSION_ID < 80300; sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); +@condition PHP_VERSION_ID >= 80300; sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop(); +@end_condition; # Since it's now burned, me might as well mitigate it publicly -sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop() -sp.disable_function.function("putenv").param("assignment").value("PATH").drop() +sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop(); +sp.disable_function.function("putenv").param("assignment").value("PATH").drop(); # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 -sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop() +sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop(); # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector -sp.disable_function.function("extract").param("array").value_r("^_").drop() -sp.disable_function.function("extract").param("flags").value("0").drop() +sp.disable_function.function("extract").param("array").value_r("^_").drop(); +sp.disable_function.function("extract").param("flags").value("0").drop(); # See https://dustri.org/b/ini_set-based-open_basedir-bypass.html # Since we have no way of matching on two parameters at the same time, we're # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. # Moreover, there are non-public bypasses that are also using this vector ;) -sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop() +sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop(); # Prevent various `include`-related vulnerabilities sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); -sp.disable_function.function("require_once").drop() -sp.disable_function.function("include_once").drop() -sp.disable_function.function("require").drop() -sp.disable_function.function("include").drop() +sp.disable_function.function("require_once").drop(); +sp.disable_function.function("include_once").drop(); +sp.disable_function.function("require").drop(); +sp.disable_function.function("include").drop(); # Prevent `system`-related injections sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); @@ -129,11 +132,22 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop() # File upload sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); # Logging lockdown -sp.disable_function.function("ini_set").param("option").value_r("error_log").drop() +sp.disable_function.function("ini_set").param("option").value_r("error_log").drop(); sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename_r("/var/www/snappymail/snappymail/v/[0-9]+\.[0-9]+\.[0-9]+/app/libraries/snappymail/shutdown.php").allow(); -sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop() +sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop(); + +# Classic webshells patterns +sp.disable_function.function("system>base64_decode").drop(); +sp.disable_function.function("shell_exec>base64_decode").drop(); +sp.disable_function.function("exec>base64_decode").drop(); +sp.disable_function.function("passthru>base64_decode").drop(); +sp.disable_function.function("proc_open>base64_decode").drop(); +# TODO: enable this for real +sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation(); sp.auto_cookie_secure.enable(); # TODO: consider encrypting the cookies?