Skip to content

feat: detect generic config filenames #4102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jun 21, 2025
Merged

feat: detect generic config filenames #4102

merged 7 commits into from
Jun 21, 2025

Conversation

@EsadCetiner
Copy link
Member

@EsadCetiner EsadCetiner commented Apr 21, 2025

This PR adds generic entries to restricted-files.data and friends to detect most config filenames and permutations of them.

Since I've added a large list of generic filenames, should I remove or comment out the duplicate entries? there are a fair few entries that are redundant because of this change.

@github-actions
Copy link
Contributor

github-actions bot commented Apr 21, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@fzipi
Copy link
Member

fzipi commented Apr 28, 2025

Yes, removing duplicates makes sense.

@EsadCetiner
Copy link
Member Author

EsadCetiner commented Apr 29, 2025

Done, I got a few more ideas after removing duplicates so I've made some improvements.

@dune73
Copy link
Member

dune73 commented Apr 29, 2025

Do we really want to block phpinfo.php at PL1?

Rest is very cool.

@EsadCetiner
Copy link
Member Author

EsadCetiner commented Apr 29, 2025

@dune73 I think it's fine since it's only targeting REQUEST_FILENAME and this file shouldn't be accessed on a production system anyways. We're already blocking phpinfo.php at PL-1 by 933150 but that was most likely not intentional which is why I added it to restricted-files.data just in case the behavior of that rule changes.

In the case of CVE-2023-49103 accessing this file can result in the admin password, email password, and database password being leaked in containerized deployments and not just the configuration of PHP.

@dune73
Copy link
Member

dune73 commented Apr 29, 2025

I was not aware of CVE-2023-49103. It's still a tough call for me (since it's used as a PoC of successful installation by so many people), but this CVE tilts it in favor of blocking for me.

@EsadCetiner EsadCetiner added the release:new-detection In this PR we introduce a new detection label May 2, 2025
@fzipi fzipi mentioned this pull request May 5, 2025
Closed
@github-actions github-actions bot added the Stale label Jun 2, 2025
@fzipi fzipi mentioned this pull request Jun 2, 2025
Closed
@EsadCetiner EsadCetiner removed the Stale label Jun 6, 2025
@fzipi
Copy link
Member

fzipi commented Jun 19, 2025

What is needed here? Do we merge?

@EsadCetiner
Copy link
Member Author

EsadCetiner commented Jun 20, 2025

@fzipi I'm just waiting for someone to review and approve. Everything else is ready.

fzipi
fzipi reviewed Jun 21, 2025
View reviewed changes
fzipi
fzipi approved these changes Jun 21, 2025
View reviewed changes
Copy link
Member

@fzipi fzipi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Let's see how this goes. I think if people really wants to show the phpinfo, they can do it in their own file with their naming. They don't need to call the file phpinfo.php. So it will be an explicit disclosure, not an ocassional, unintended one.

@fzipi fzipi added this pull request to the merge queue Jun 21, 2025
Merged via the queue into coreruleset:main with commit 35d132d Jun 21, 2025
6 checks passed
@EsadCetiner EsadCetiner deleted the feat-generic-config-filenames branch June 21, 2025 13:50
@fzipi fzipi mentioned this pull request Jul 7, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fzipi fzipi fzipi approved these changes

Assignees

No one assigned

Labels

release:new-detection In this PR we introduce a new detection

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@EsadCetiner @fzipi @dune73