Prevent upload of possibly dangerous file types to Windchill

We have a similar requirement  as a part of initiative to enable supplier access to Windchill. If you rename an exe file to a txt file and upload it to Windchill, the MIME type is detected as "text/plain". We are reviewing a couple of options

1. Deploy an event listener to filter out banned file extensions like exes,windows scripts and so on.
2. Enable on-access scanning on default cache vault. I realize that this is a performance killer, but we are trying to mitigate performance issues by deploying a WC cluster with independent cache vault folders.

Funny that - exactly the same reason why I am looking at this 😉

It should be possible test the file mime-type accurately on the Windchill server before the upload is approved server-side using something like the linux file command (or windows equivalent, maybe something like trid perhaps).

In the short term, I am going to look into configuring modsecurity on the reverse proxy Apache server in the DMZ that external users come through to filter these file uploads before they get to the Windchill Server - it might be a bit untidy with a nasty apache error page, but if I can get it to work it should do the job. I have yet to prove that this is do-able, though.

I somehow doubt that modsecurity will prevent uploads if the Java Upload mechanism is configured, though and this configuration on the external apache on the DMZ will do nothing to prevent my internal users uploading nasties - hence why I raised the product idea.

That is what I was worried about mod_security, it might not intercept the traffic through our upload servlets. Were you thinking about using SecUploadApproveScript to filter the uploads? I too will spend sometime testing this.

I can confirm that modsecurity can only prevent basic browser uploads and not java applet uploads in my testing - presumably if you locked the site attachments preference to basic browser upload, this might be a solution.

The simple modsecurity rule that I came up with for blocking based on extension is this one:

SecRule FILES "@rx (\.sh|\.pl|\.php)$" "phase:2,t:none,log,deny,msg:'Malicous File Attachment Identified.',id:121356"

This seems to work, but is pretty nasty - the upload page just won't upload the file (as it is blocked) and gives no error message, you just have to cancel the upload page. You get the malicious file upload error in the apache logs.

I think it is possible to use @inspectFile and a script with modsecurity (the script then does some checking and must return a 1 or a 0 to allow the file upload), but I have not had chance to test this yet:

SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/scripts/scanner.pl" "phase:2,t:none,log,deny,msg:'Malicous File Attachment Identified.',id:121314"

Again, it will only prevent a basic browser upload and the user will see no error, it will just prevent the file being attached to the add document window, so it's not really very nice/usable.

We have recently undertaken application security in depth testing on PDM by an industry accredited vendor and this was picked up and identified as a Medium Risk - It would be good if this could be addresses to remove the risk.