dune73 · emphazer · Mar 30, 2017 · Mar 30, 2017 · Mar 30, 2017 · Mar 30, 2017
diff --git a/rules/REQUEST-903.9003-TYPO3-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-TYPO3-EXCLUSION-RULES.conf
@@ -132,4 +132,44 @@ SecRule REQUEST_URI "@endsWith /typo3/index.php" \
         ctl:ruleRemoveTargetById=942440;ARGS:data[sys_template][1][config]"
 
 
+# Important rule exclusion for Typo3 specific backend usage
+# ModSec Rule Exclusion: 930110 : Path Traversal Attack (/../)
+#
+SecRule &REQUEST_COOKIES_NAMES:be_typo_user "@gt 0" \
+        "id:'9003310',\
+        phase:2,\
+        nolog,\
+        noauditlog,\
+        pass,\
+        chain"
+                SecRule REQUEST_URI "/typo3/(ajax|alt_doc|alt_clickmenu|tce_file|thumbs)\.php$" \
+                        ctl:ruleRemoveTargetById=930110;REQUEST_URI
+
+
+
+SecRule &REQUEST_COOKIES_NAMES:be_typo_user "@gt 0" \
+        "id:'9003320',\
+        phase:2,\
+        nolog,\
+        noauditlog,\
+        pass,\
+        chain"
+                SecRule REQUEST_METHOD "@pm POST GET" chain
+                        SecRule REQUEST_FILENAME "@pmFromFile typo3-backend-files.data" \
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP;RESPONSE_BODY,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP;RESPONSE_BODY,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/LEAKAGE/SOURCE_CODE;RESPONSE_BODY,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/MALICIOUS_CODE;RESPONSE_BODY,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;TX,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;RESPONSE_BODY,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/PHP_INJECTION;ARGS,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/LDAP_INJECTION;ARGS,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION;ARGS,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/PROTOCOL_VIOLATION/EVASION;RESPONSE_BODY,\
+                        ctl:ruleRemoveTargetByTag=OWASP_CRS/PROTOCOL_VIOLATION/EVASION;ARGS
+
+
+
 SecMarker END-TYPO3
diff --git a/rules/typo3-backend-files.data b/rules/typo3-backend-files.data
@@ -0,0 +1,23 @@
+/typo3/ajax.php
+/typo3/alt_clickmenu.php
+/typo3/alt_doc.php
+/typo3/alt_file_navframe.php
+/typo3/browse_links.php
+/typo3/browser.php
+/typo3/dummy.php
+/typo3/file_edit.php
+/typo3/login_frameset.php
+/typo3/mod.php
+/typo3/show_rechis.php
+/typo3/sysext/cms/layout/db_layout.php
+/typo3/sysext/filelist/mod1/file_list.php
+/typo3/sysext/form/Classes/Controller/Wizard.php
+/typo3/sysext/rtehtmlarea/mod3/browse_links.php
+/typo3/sysext/tstemplate/ts/index.php
+/typo3/sysext/install/Start/Install.php
+/typo3/tce_db.php
+/typo3/tce_file.php
+/typo3/thumbs.php
+/typo3/install/index.php
+/typo3/wizard_rte.php
+/typo3/file_rename.php