From 2c56b8831b727c6c845b258dba3837c2b4f9a394 Mon Sep 17 00:00:00 2001
From: Laurence
Date: Fri, 18 Oct 2024 13:40:43 +0100
Subject: [PATCH] enhance: Create a rule to stop requests going to root of wordpress uploads directory EG: directory listings
---
 .../config.yaml | 3 ++
 .../generic-wordpress-uploads-listing.yaml | 30 ++++++++++++++++++
 .../generic-wordpress-uploads-listing.yaml | 31 +++++++++++++++++++
 .../crowdsecurity/appsec-generic-rules.yaml | 1 +
 .../crowdsecurity/appsec-wordpress.yaml | 1 +
 5 files changed, 66 insertions(+)
 create mode 100644 .appsec-tests/generic-wordpress-uploads-listing/config.yaml
 create mode 100644 .appsec-tests/generic-wordpress-uploads-listing/generic-wordpress-uploads-listing.yaml
 create mode 100644 appsec-rules/crowdsecurity/generic-wordpress-uploads-listing.yaml
diff --git a/.appsec-tests/generic-wordpress-uploads-listing/config.yaml b/.appsec-tests/generic-wordpress-uploads-listing/config.yaml
new file mode 100644
index 00000000000..d0c57cf7a85
--- /dev/null
+++ b/.appsec-tests/generic-wordpress-uploads-listing/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/generic-wordpress-uploads-listing.yaml
+nuclei_template: generic-wordpress-uploads-listing.yaml
diff --git a/.appsec-tests/generic-wordpress-uploads-listing/generic-wordpress-uploads-listing.yaml b/.appsec-tests/generic-wordpress-uploads-listing/generic-wordpress-uploads-listing.yaml
new file mode 100644
index 00000000000..b4333c91856
--- /dev/null
+++ b/.appsec-tests/generic-wordpress-uploads-listing/generic-wordpress-uploads-listing.yaml
@@ -0,0 +1,30 @@
+id: generic-wordpress-uploads-listing
+info:
+ name: generic-wordpress-uploads-listing
+ author: crowdsec
+ severity: info
+ description: generic-wordpress-uploads-listing testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ GET /wp-content/uploads/ HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/ HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/ HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/fp-check.jpg HTTP/1.1
+ Host: {{Hostname}}
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - "status_code_1 == 403"
+ - "status_code_2 == 403"
+ - "status_code_3 == 403"
+ - "status_code_4 == 404"
+
diff --git a/appsec-rules/crowdsecurity/generic-wordpress-uploads-listing.yaml b/appsec-rules/crowdsecurity/generic-wordpress-uploads-listing.yaml
new file mode 100644
index 00000000000..0c254d12c36
--- /dev/null
+++ b/appsec-rules/crowdsecurity/generic-wordpress-uploads-listing.yaml
@@ -0,0 +1,31 @@
+name: crowdsecurity/generic-wordpress-uploads-listing
+description: "Protect Wordpress uploads directory from listing files"
+rules:
+ - or:
+ - zones:
+ - URI_FULL
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: regex
+ value: '/wp-content/uploads/$'
+ - zones:
+ - URI_FULL
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: regex
+ value: '/wp-content/uploads/.*/$'
+
+labels:
+ type: exploit
+ service: http
+ confidence: 2
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Protect Wordpress uploads directory from listing files"
+ classification:
+ - attack.T1595
+ - attack.T1190
\ No newline at end of file
diff --git a/collections/crowdsecurity/appsec-generic-rules.yaml b/collections/crowdsecurity/appsec-generic-rules.yaml
index 150f3d36a01..777f087e295
--- a/collections/crowdsecurity/appsec-generic-rules.yaml
+++ b/collections/crowdsecurity/appsec-generic-rules.yaml
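Review bot: The three blocking cases in the `raw` list only send bare directory paths, so a listing request that carries a query string is never exercised, and the `matchers` at the end of the hunk would accept a rule that such a request evades — `GET /wp-content/uploads/2024/?C=M;O=D` is exactly what Apache mod_autoindex's own sort links look like. Add a fifth request `GET /wp-content/uploads/2024/?C=M;O=D HTTP/1.1` with `Host: {{Hostname}}` and the assertion `- "status_code_5 == 403"`; if the rule under test matches the query-bearing `URI_FULL` zone with a trailing `$`, as the accompanying rule file appears to, this case is expected to fail, which is the point of adding it. A second non-blocking case, a real file with a query string that happens to end in `/` (`fp-check.jpg?v=1/`, expected 404), would likewise pin down that ordinary asset fetches are not caught. The `description` field is a placeholder; `description: directory requests under wp-content/uploads are blocked, file requests are not` says what the template actually checks.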
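Review bot: Both `or` branches terminate their pattern with `$` but match the `URI_FULL` zone, which — if it carries the query string as its name suggests — lets a client bypass the rule by appending any query: `/wp-content/uploads/2024/?C=M;O=D` (Apache's own autoindex sort links) no longer ends in `/` and passes while the listing is still served, and conversely the unbounded `.*` runs across the query so a legitimate `/wp-content/uploads/2024/10/photo.jpg?v=1/` is blocked. Matching the path-only `URI` zone removes both problems and lets the two branches collapse into one pattern; the front of the pattern should stay unanchored so subdirectory installs (`/blog/wp-content/uploads/`) remain covered, as they presumably are today. The rule cannot fire without a trailing slash, which is acceptable because Apache and nginx redirect bare directory names to the slash form, but that assumption belongs in `description`. Separately, `type: exploit` and `attack.T1190` overstate a listing probe, which is reconnaissance and already tagged `attack.T1595`, and the file should end with a newline.
```yaml
rules:
  - zones:
      - URI
    transform:
      - lowercase
      - urldecode
    match:
      type: regex
      value: '/wp-content/uploads/(?:.*/)?$'
# … unchanged: labels …
```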
@@ -3,6 +3,7 @@ appsec-rules:
 - crowdsecurity/base-config
 - crowdsecurity/generic-freemarker-ssti
 - crowdsecurity/generic-wordpress-uploads-php
+ - crowdsecurity/generic-wordpress-uploads-listing
 appsec-configs:
 - crowdsecurity/generic-rules
 - crowdsecurity/appsec-default
diff --git a/collections/crowdsecurity/appsec-wordpress.yaml b/collections/crowdsecurity/appsec-wordpress.yaml
index 4ae06a6bac6..5886639741a
--- a/collections/crowdsecurity/appsec-wordpress.yaml
+++ b/collections/crowdsecurity/appsec-wordpress.yaml
@@ -13,6 +13,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-1061
 - crowdsecurity/vpatch-CVE-2024-1071
 - crowdsecurity/generic-wordpress-uploads-php
+ - crowdsecurity/generic-wordpress-uploads-listing
 appsec-configs:
 - crowdsecurity/virtual-patching
 description: "A virtual patching collection, suitable for WordPress websites"