
crowdsec-automation
Contributor

This rule detects path traversal (LFI) attempts in TRUfusion Enterprise's getCobrandingData endpoint. The detection is based on two conditions:

  1. The request URI must contain /trufusionportal/getcobrandingdata (case-insensitive, normalized).
  2. The cobrandingImageName argument in the query string must contain the sequence ../ (after URL decoding and lowercasing), which is a strong indicator of a path traversal attempt.

This approach minimizes false positives by:

  • Targeting only the relevant endpoint and parameter.
  • Looking for the traversal meta-characters rather than specific file paths.
  • Applying lowercase and urldecode transforms to ensure normalization and case insensitivity.

The test configuration uses the original nuclei template's request, but expects a 403 response to confirm the WAF rule is working. All value: fields are lowercase, and the rule uses contains for matching as per best practices. No regex is used where a simple substring match suffices.
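To make the two conditions concrete, here is a small Python re-implementation of the detection logic described above, run over constructed request URIs. It is an added example, not the hub rule itself or CrowdSec's AppSec engine; the endpoint and parameter names come from the description, the sample requests are made up.

```python
from urllib.parse import unquote, urlsplit

# Values taken from the rule description; compared after the same transforms the rule applies.
ENDPOINT = "/trufusionportal/getcobrandingdata"
PARAM = "cobrandingimagename"
TRAVERSAL = "../"


def normalize(value: str) -> str:
    """Apply the rule's transforms in order: urldecode once, then lowercase."""
    return unquote(value).lower()


def query_args(query: str):
    """Yield (name, raw_value) pairs without decoding, so the single urldecode
    happens in normalize() exactly as the rule's transform list does."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        yield name.lower(), raw_value


def matches_vpatch(request_uri: str) -> bool:
    """True only when both conditions hold: the normalized path contains the
    endpoint AND the cobrandingImageName argument contains '../' after normalization."""
    parts = urlsplit(request_uri)
    if ENDPOINT not in normalize(parts.path):
        return False
    for name, raw_value in query_args(parts.query):
        if name == PARAM and TRAVERSAL in normalize(raw_value):
            return True
    return False


# Constructed sample requests (not real traffic) showing what the rule does and does not flag.
SAMPLES = [
    "/TRUfusionPortal/getCobrandingData?cobrandingImageName=..%2F..%2Fconfig.txt",  # mixed case + encoded slash
    "/trufusionportal/getcobrandingdata?CobrandingImageName=%2E%2E%2Fbanner.png",   # encoded dots, uppercase hex
    "/trufusionportal/getcobrandingdata?cobrandingImageName=logo.png",              # benign request
    "/trufusionportal/getcobrandingdata?other=../logo.png",                         # traversal in a different argument
    "/api/other?cobrandingImageName=../logo.png",                                   # traversal on a different endpoint
]


def flagged(samples=SAMPLES) -> list[str]:
    """Return the subset of samples the rule would block (the first two above)."""
    return [s for s in samples if matches_vpatch(s)]


if __name__ == "__main__":
    for uri in SAMPLES:
        print("BLOCK" if matches_vpatch(uri) else "allow", uri)
```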


Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2025-27222 🔴


Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

Member

@seemanne seemanne left a comment


LGTM thanks gippity
