Add vpatch-CVE-2023-3197 rule and test#1738
Conversation
|
Hello @crowdsec-automation and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-3197 🔴 |
|
Hello @crowdsec-automation and thank you for your contribution! I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. The following items have errors: crowdsecurity/crs-exclusion-plugin-cpanel:
crowdsecurity/crs-exclusion-plugin-dokuwiki:
crowdsecurity/crs-exclusion-plugin-drupal:
crowdsecurity/crs-exclusion-plugin-nextcloud:
crowdsecurity/crs-exclusion-plugin-phpbb:
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
crowdsecurity/crs-exclusion-plugin-wordpress:
crowdsecurity/crs-exclusion-plugin-xenforo:
Mitre ATT&CKInformation about mitre attack can be found here.
Expected format is (where labels:
classification:
- attack.TXXXXCVEsIf your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it. Expected format is (where labels:
classification:
- cve.CVE-XXX-XXXBehaviorsPlease identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here. Expected format is (where labels:
behavior: <behavior>See the labels documentation for more information. |
|
@copilot please fix the search condition to look for non a-z0-9 patterns |
Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/97af246c-3508-4526-bc57-e58fdcad9fbc Co-authored-by: buixor <990714+buixor@users.noreply.github.com>
Updated in fa4c7a8 — changed the |
|
Hello @Copilot, ✅ The new VPATCH Rule is compliant, thank you for your contribution! |
|
Hello @Copilot and thank you for your contribution! I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. The following items have errors: crowdsecurity/crs-exclusion-plugin-cpanel:
crowdsecurity/crs-exclusion-plugin-dokuwiki:
crowdsecurity/crs-exclusion-plugin-drupal:
crowdsecurity/crs-exclusion-plugin-nextcloud:
crowdsecurity/crs-exclusion-plugin-phpbb:
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
crowdsecurity/crs-exclusion-plugin-wordpress:
crowdsecurity/crs-exclusion-plugin-xenforo:
Mitre ATT&CKInformation about mitre attack can be found here.
Expected format is (where labels:
classification:
- attack.TXXXXCVEsIf your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it. Expected format is (where labels:
classification:
- cve.CVE-XXX-XXXBehaviorsPlease identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here. Expected format is (where labels:
behavior: <behavior>See the labels documentation for more information. |
|
@copilot move it to the wordpress vpatch collection |
Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/a074b18e-c43e-471c-bc0d-cd618d811c83 Co-authored-by: buixor <990714+buixor@users.noreply.github.com>
|
Hello @buixor and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴 |
|
Hello @buixor and thank you for your contribution! I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. The following items have errors: crowdsecurity/crs-exclusion-plugin-cpanel:
crowdsecurity/crs-exclusion-plugin-dokuwiki:
crowdsecurity/crs-exclusion-plugin-drupal:
crowdsecurity/crs-exclusion-plugin-nextcloud:
crowdsecurity/crs-exclusion-plugin-phpbb:
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
crowdsecurity/crs-exclusion-plugin-wordpress:
crowdsecurity/crs-exclusion-plugin-xenforo:
Mitre ATT&CKInformation about mitre attack can be found here.
Expected format is (where labels:
classification:
- attack.TXXXXCVEsIf your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it. Expected format is (where labels:
classification:
- cve.CVE-XXX-XXXBehaviorsPlease identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here. Expected format is (where labels:
behavior: <behavior>See the labels documentation for more information. |
* Add vpatch-CVE-2023-3197 rule * Add vpatch-CVE-2023-3197 test config * Add CVE-2023-3197.yaml test * Add vpatch-CVE-2023-3197 rule to vpatch collection * Fix id parameter match to use regex for non a-z0-9 characters Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/97af246c-3508-4526-bc57-e58fdcad9fbc Co-authored-by: buixor <990714+buixor@users.noreply.github.com> * Move vpatch-CVE-2023-3197 to wordpress appsec collection Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/a074b18e-c43e-471c-bc0d-cd618d811c83 Co-authored-by: buixor <990714+buixor@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: buixor <990714+buixor@users.noreply.github.com> Co-authored-by: Thibault "bui" Koechlin <thibault@crowdsec.net>
Description
Adds a new AppSec rule
crowdsecurity/vpatch-CVE-2023-3197to detect unauthenticated SQL injection in the WordPress MStore API plugin, included in thecrowdsecurity/appsec-wordpresscollection.Detection logic:
/wp-json/api/flutter_multi_vendor/product-categories(case-insensitive, URL-decoded)idquery parameter contains any character outside[a-z0-9]after applyinglowercaseandurldecodetransforms (regex:[^a-z0-9])This regex-based approach is robust since a legitimate numeric category
idshould only contain alphanumeric characters. Any injected SQL characters (spaces, parentheses, quotes, operators, etc.) will trigger the rule. The rule is included in thecrowdsecurity/appsec-wordpresscollection, which is the appropriate collection for WordPress-specific virtual patching rules.A nuclei test template is included that verifies requests with a malicious
idparameter (containing a SQL injection payload) are blocked with a 403 status.Checklist