self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-09-16 09:06:32 +02:00
Code Issues Releases Activity

Add snuffleupagus rules from upstream

Browse Source
This commit is contained in:
Florent Daigniere
2025-08-13 09:50:09 +02:00
parent c72fa20e41
commit 241d3cb6dd
1 changed files with 26 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
webmails/snuffleupagus.rules
View File

@@ -42,35 +42,38 @@ sp.disable_function.function("chmod").param("permissions").value("511").drop();
# Prevent various `mail`-related vulnerabilities
# Uncommend the second rule if you're using php8.3+
@condition PHP_VERSION_ID < 80300;
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
@condition PHP_VERSION_ID >= 80300;
sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
@end_condition;
# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
sp.disable_function.function("putenv").param("assignment").value("PATH").drop()
sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop();
sp.disable_function.function("putenv").param("assignment").value("PATH").drop();
# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop();
# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
sp.disable_function.function("extract").param("array").value_r("^_").drop()
sp.disable_function.function("extract").param("flags").value("0").drop()
sp.disable_function.function("extract").param("array").value_r("^_").drop();
sp.disable_function.function("extract").param("flags").value("0").drop();
# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
# Since we have no way of matching on two parameters at the same time, we're
# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
# Moreover, there are non-public bypasses that are also using this vector ;)
sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop();
# Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require_once").drop()
sp.disable_function.function("include_once").drop()
sp.disable_function.function("require").drop()
sp.disable_function.function("include").drop()
sp.disable_function.function("require_once").drop();
sp.disable_function.function("include_once").drop();
sp.disable_function.function("require").drop();
sp.disable_function.function("include").drop();
# Prevent `system`-related injections
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
@@ -129,11 +132,22 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop()
# File upload
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
# Logging lockdown
sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename_r("/var/www/snappymail/snappymail/v/[0-9]+\.[0-9]+\.[0-9]+/app/libraries/snappymail/shutdown.php").allow();
sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
# Classic webshells patterns
sp.disable_function.function("system>base64_decode").drop();
sp.disable_function.function("shell_exec>base64_decode").drop();
sp.disable_function.function("exec>base64_decode").drop();
sp.disable_function.function("passthru>base64_decode").drop();
sp.disable_function.function("proc_open>base64_decode").drop();
# TODO: enable this for real
sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();
sp.auto_cookie_secure.enable();
# TODO: consider encrypting the cookies?