Add vpatch-CVE-2020-5847 rule and test

[crowdsec-automation]

This rule targets the UnRaid <=6.80 remote code execution vulnerability (CVE-2020-5847). The attack is performed by sending a GET request to the /webGui/images/green-on.png endpoint with a crafted site[x][text] parameter containing PHP code.

• The first rule condition matches requests to the vulnerable endpoint by checking if the URI contains /webgui/images/green-on.png (case-insensitive, URL-decoded).
• The second rule condition inspects the site[x][text] argument in the query string, looking for the presence of <?php (case-insensitive, URL-decoded), which is indicative of PHP code injection.
• The use of lowercase and urldecode in the transform ensures normalization and case-insensitive matching.
• The rule avoids false positives by targeting the specific parameter and endpoint involved in the exploit.

The test config and nuclei template are adapted to ensure the rule is triggered by the same payload as in the original nuclei template, but only checks for a 403 status code as required. All values are lowercase, and contains is used for matching as per guidelines.

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2020-5847 🔴

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.