From f33d425580d85b4c625e177e05f52c6b1cccba2a Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:59:19 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-28367 rule --- .../crowdsecurity/vpatch-CVE-2025-28367.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml new file mode 100644 index 00000000000..ff7bf9e1a28 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2025-05-09 09:59:16 +name: crowdsecurity/vpatch-CVE-2025-28367 +description: 'Detects directory traversal in mojoPortal BetterImageGallery API Controller (CVE-2025-28367)' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /api/betterimagegallery/imagehandler + - zones: + - ARGS + variables: + - path + transform: + - lowercase + - urldecode + match: + type: contains + value: ../ + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'MojoPortal - LFI' + classification: + - cve.CVE-2025-28367 + - attack.T1006 + - cwe.CWE-284 From 92d59f7aa91dc57eddca89c2719c258ba198b6ca Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:59:21 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-28367 test config --- .appsec-tests/vpatch-CVE-2025-28367/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-28367/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-28367/config.yaml b/.appsec-tests/vpatch-CVE-2025-28367/config.yaml new file mode 100644 index 00000000000..2ee2a1cf4b0 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-28367/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-05-09 09:59:16 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-28367.yaml +nuclei_template: CVE-2025-28367.yaml From d6a1638fb184099ac4bbe4221b6bf523e9b1a475 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:59:23 +0200 Subject: [PATCH 3/4] Add CVE-2025-28367 test --- .../vpatch-CVE-2025-28367/CVE-2025-28367.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml b/.appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml new file mode 100644 index 00000000000..02a3b6a074f --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-28367/CVE-2025-28367.yaml @@ -0,0 +1,17 @@ +## autogenerated on 2025-05-09 09:59:16 +id: CVE-2025-28367 +info: + name: CVE-2025-28367 + author: crowdsec + severity: info + description: CVE-2025-28367 testing + tags: appsec-testing +http: + - method: GET + path: + - "{{BaseURL}}/api/BetterImageGallery/imagehandler?path=../../../Web.Config" + cookie-reuse: true + matchers: + - type: status + status: + - 403 From c50cbf47da2913d3ba8d5f9e06024f1653801447 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:59:24 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-28367 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..d0049dd92dc 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/vpatch-CVE-2025-28367 author: crowdsecurity contexts: - crowdsecurity/appsec_base