From 457fe56c2f2021ea9b38a6851192146e7d690927 Mon Sep 17 00:00:00 2001
From: Michal Mikolas
Date: Tue, 12 Mar 2024 17:13:27 +0100
Subject: [PATCH 1/4] htdeployment: Added '.htdeployment' cache file exposure template.
---
 http/exposures/files/htdeployment.yaml | 31 ++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 http/exposures/files/htdeployment.yaml
diff --git a/http/exposures/files/htdeployment.yaml b/http/exposures/files/htdeployment.yaml
new file mode 100644
index 0000000000..d95b7b7b06
--- /dev/null
+++ b/http/exposures/files/htdeployment.yaml
@@ -0,0 +1,31 @@
+id: htdeployment
+
+info:
+ name: .htdeployment - files tree cache file
+ author: Michal Mikolas (nanuqcz)
+ severity: medium
+ description: FTP Deployment cache file that contains whole files structure with paths to potentially sensitive files.
+ remediation: Block access to the file using `.htaccess` on the server. The best-practise is to block all the folders/files beginning with `.` except `.well-known` folder.
+ reference:
+ - https://github.com/dg/ftp-deployment/tree/master
+ - https://github.com/dg/ftp-deployment/blob/master/src/Deployment/Deployer.php#L206
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ metadata:
+ verified: true
+ vendor: dg
+ product: ftp-deployment
+ tags: files,exposure,php,deployment,cache
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/.htdeployment"
+ - "{{BaseURL}}/.deployment"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
From 23a968d8199ac946c6f1835c0ab507bc20ca64e1 Mon Sep 17 00:00:00 2001 From: Michal Mikolas Date: Wed, 13 Mar 2024 09:44:22 +0100 Subject: [PATCH 2/4] htdeployment: Improved matchers, lowering false positive chance (by added negative ' Date: Thu, 28 Mar 2024 13:52:14 +0530 Subject: [PATCH 3/4] Updated matcher --- http/exposures/files/htdeployment.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
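Review bot: In the template added by PATCH 1/4, `severity: medium` disagrees with the `classification` block, whose vector carries `C:H` and `cvss-score: 7.5`, which is High under CVSS 3.1. The description says the file exposes a file tree with paths rather than file contents, so a Low confidentiality impact looks closer; `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` with `cvss-score: 5.3` would match the medium rating. Whichever way it is settled, the two fields should agree, because consumers that triage on the score will rank this finding differently from those that read `severity`.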
diff --git a/http/exposures/files/htdeployment.yaml b/http/exposures/files/htdeployment.yaml index ca0fe62fa5..2e36d49873 100644 --- a/http/exposures/files/htdeployment.yaml +++ b/http/exposures/files/htdeployment.yaml @@ -26,12 +26,14 @@ http: matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word part: body - negative: true words: - - " Date: Wed, 17 Apr 2024 17:54:00 +0530 Subject: [PATCH 4/4] Update and rename htdeployment.yaml to ht-deployment.yaml --- .../files/{htdeployment.yaml => ht-deployment.yaml} | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) rename http/exposures/files/{htdeployment.yaml => ht-deployment.yaml} (77%) diff --git a/http/exposures/files/htdeployment.yaml b/http/exposures/files/ht-deployment.yaml similarity index 77% rename from http/exposures/files/htdeployment.yaml rename to http/exposures/files/ht-deployment.yaml index 2e36d49873..a7d88a54b4 100644 --- a/http/exposures/files/htdeployment.yaml +++ b/http/exposures/files/ht-deployment.yaml @@ -1,10 +1,11 @@ -id: htdeployment +id: ht-deployment info: - name: .htdeployment - files tree cache file - author: Michal Mikolas (nanuqcz) + name: .htdeployment - Files Tree Cache File + author: Michal-Mikolas severity: medium - description: FTP Deployment cache file that contains whole files structure with paths to potentially sensitive files. + description: | + FTP Deployment cache file that contains whole files structure with paths to potentially sensitive files. remediation: Block access to the file using `.htaccess` on the server. The best-practise is to block all the folders/files beginning with `.` except `.well-known` folder. reference: - https://github.com/dg/ftp-deployment/tree/master @@ -16,6 +17,7 @@ info: verified: true vendor: dg product: ftp-deployment + max-request: 2 tags: files,exposure,php,deployment,cache http: @@ -30,6 +32,8 @@ http: part: body words: - "[config]" + - "1F 8B" + condition: or - type: word part: header
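Review bot: The word `"1F 8B"` added to the body matcher in the last hunk of PATCH 4/4 is compared as literal text, so it matches only a response containing the characters `1F 8B`, not a body that starts with the gzip magic bytes 0x1f 0x8b, which is presumably what was meant for a compressed `.htdeployment` file. As written, a compressed cache file would likely be missed and only the `[config]` alternative can fire. Matching raw bytes needs a `type: binary` matcher with `binary: ["1f8b"]` on `part: body`. Because the series sets `matchers-condition: and`, the text and binary alternatives then cannot simply sit side by side and would have to be OR-ed in a single `dsl` matcher. The matcher list continues outside this hunk, so the header matcher that follows should be checked against the compressed case as well.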