@crowdsec-automation
Contributor

This rule detects attempts to exploit the arbitrary file upload vulnerability in SibSoft Xfilesharing (CVE-2019-18952). The attack is characterized by a POST request to the /cgi-bin/up.cgi endpoint with a file upload, specifically targeting files with a .php extension, which could allow remote code execution if the file is later accessed.

  • The first rule condition matches requests to the vulnerable upload endpoint (/cgi-bin/up.cgi), using a case-insensitive match.
  • The second rule condition inspects the uploaded filenames (from the multipart form data) and triggers if any file ends with .php, which is a common vector for uploading web shells or executable PHP code.
  • The use of endsWith for .php ensures that only executable PHP files are flagged, reducing false positives from benign uploads.
  • All value: fields are lowercase, and the lowercase transform is applied to ensure case-insensitive detection.
  • No regex is used where a simple endsWith suffices, and the rule avoids matching on the full file content or other less relevant zones, focusing on the filename and endpoint as per best practices for file upload vulnerabilities.
  • The test nuclei template is adapted to expect a 403 response, as required for CrowdSec WAF test validation.
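An added Python re-implementation of the two conditions described in this PR (case-insensitive match on the upload endpoint, then lowercase-and-endsWith on the multipart filenames), written here to show the detection logic run over sample requests; it is not the CrowdSec rule YAML or project code, and the minimal multipart parser, `build_body` helper, boundary and filenames are constructed for illustration.

```python
import re

UPLOAD_ENDPOINT = "/cgi-bin/up.cgi"      # endpoint named in the rule description
BOUNDARY = "----constructedboundary"     # constructed for the sample requests
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

def multipart_filenames(content_type: str, body: bytes) -> list:
    """Return the filename= value of every part in a multipart/form-data body
    (the same zone the rule inspects); non-multipart bodies yield nothing."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.I)
    if not m:
        return []
    delim = b"--" + m.group(1).encode()
    names = []
    for part in body.split(delim)[1:]:           # [0] is the preamble
        if part.startswith(b"--"):               # closing delimiter reached
            break
        headers = part.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        fn = re.search(r'filename="([^"]*)"', headers, re.I)
        if fn:
            names.append(fn.group(1))
    return names

def is_vpatch_hit(uri: str, content_type: str, body: bytes) -> bool:
    """Condition 1: request path ends with the upload endpoint (case-insensitive).
    Condition 2: any uploaded filename, lowercased, ends with '.php'."""
    path = uri.split("?", 1)[0].lower()
    if not path.endswith(UPLOAD_ENDPOINT):
        return False
    return any(n.lower().endswith(".php")
               for n in multipart_filenames(content_type, body))

def build_body(*filenames: str) -> bytes:
    """Constructed multipart body with one file part per name; the part
    content is a placeholder string, not real code."""
    parts = ["--" + BOUNDARY + "\r\n"
             f'Content-Disposition: form-data; name="file"; filename="{fn}"\r\n'
             "Content-Type: application/octet-stream\r\n\r\n"
             "constructed file bytes\r\n" for fn in filenames]
    return ("".join(parts) + "--" + BOUNDARY + "--\r\n").encode()

if __name__ == "__main__":
    for fns in (("upload.PHP",), ("report.pdf", "upload.php"), ("upload.php.jpg",)):
        print(fns, is_vpatch_hit("/CGI-BIN/up.cgi", CONTENT_TYPE, build_body(*fns)))
```

Note the `upload.php.jpg` case: because the rule uses endsWith rather than a substring match, a double extension is not flagged, which is the false-positive trade-off the description accepts.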

@github-actions

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2019-18952 🔴

@github-actions

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
