Add a mime type file upload inspection mechanism (rather than just file extension checking that can be subverted) that will inspect uploaded files and allow the administrator to configure either a blacklist of banned file upload mime-types or a whitelist of allowed file upload mime-types to prevent dangerous file types being uploaded to Windchill and Windchill being used as a hosting/attack mechanism against corporate networks.
We have a similar requirement as part of an initiative to enable supplier access to Windchill. If you rename an exe file to a txt file and upload it to Windchill, the MIME type is detected as "text/plain". We are reviewing a couple of options.
Funny that - exactly the same reason why I am looking at this 😉
It should be possible to test the file mime-type accurately on the Windchill server before the upload is approved server-side using something like the Linux file command (or Windows equivalent, maybe something like trid perhaps).
In the short term, I am going to look into configuring modsecurity on the reverse proxy Apache server in the DMZ that external users come through to filter these file uploads before they get to the Windchill Server - it might be a bit untidy with a nasty apache error page, but if I can get it to work it should do the job. I have yet to prove that this is do-able, though.
I somehow doubt that modsecurity will prevent uploads if the Java Upload mechanism is configured, though, and this configuration on the external apache on the DMZ will do nothing to prevent my internal users uploading nasties - hence why I raised the product idea.
That is what I was worried about with mod_security: it might not intercept the traffic through our upload servlets. Were you thinking about using SecUploadApproveScript to filter the uploads? I too will spend some time testing this.
I can confirm that modsecurity can only prevent basic browser uploads and not java applet uploads in my testing - presumably if you locked the site attachments preference to basic browser upload, this might be a solution.
The simple modsecurity rule that I came up with for blocking based on extension is this one:
SecRule FILES "@rx (\.sh|\.pl|\.php)$" "phase:2,t:none,log,deny,msg:'Malicous File Attachment Identified.',id:121356"
This seems to work, but is pretty nasty - the upload page just won't upload the file (as it is blocked) and gives no error message, you just have to cancel the upload page. You get the malicious file upload error in the apache logs.
I think it is possible to use @inspectFile and a script with modsecurity (the script then does some checking and must return a 1 or a 0 to allow the file upload), but I have not had a chance to test this yet:
SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/scripts/scanner.pl" "phase:2,t:none,log,deny,msg:'Malicous File Attachment Identified.',id:121314"
Again, it will only prevent a basic browser upload and the user will see no error, it will just prevent the file being attached to the add document window, so it's not really very nice/usable.
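Added example, not part of the original thread and not PTC or ModSecurity code: a sketch of a content-based checker that could sit behind the @inspectFile rule above, showing why the renamed exe-to-txt upload is caught when the leading bytes are inspected instead of the extension. It assumes the @inspectFile convention that output beginning with 1 allows the file and anything else triggers the rule; the allowlist and signature table are constructed for illustration.

```python
#!/usr/bin/env python3
"""Content-based upload check for ModSecurity @inspectFile (added example)."""
import codecs
import sys

# Constructed allowlist; an administrator would tune this per deployment.
ALLOWED = {"application/pdf", "text/plain", "image/png"}

# Leading "magic" bytes -> MIME type. Small illustrative subset only.
SIGNATURES = [
    (b"MZ", "application/x-dosexec"),          # Windows EXE/DLL
    (b"\x7fELF", "application/x-executable"),  # Linux ELF binary
    (b"#!", "text/x-shellscript"),             # script with interpreter line
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),        # also docx/xlsx/jar containers
]

def sniff_mime(data: bytes) -> str:
    """Classify by content; the client-supplied name and type are ignored."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    if not data:
        return "application/x-empty"
    try:
        # Incremental decoder tolerates a multi-byte character cut off
        # at the end of the sampled block, but rejects invalid bytes.
        text = codecs.getincrementaldecoder("utf-8")().decode(data)
    except UnicodeDecodeError:
        return "application/octet-stream"
    # Control characters other than tab/newline/CR mean it is not plain text.
    if any(ord(c) < 32 and c not in "\t\n\r" for c in text):
        return "application/octet-stream"
    return "text/plain"

def verdict(data: bytes, allowed=ALLOWED) -> str:
    """Return the line to print: leading '1' allows, leading '0' blocks."""
    mime = sniff_mime(data)
    return f"1 OK {mime}" if mime in allowed else f"0 blocked {mime}"

if __name__ == "__main__":
    try:
        with open(sys.argv[1], "rb") as fh:   # temp file path from ModSecurity
            print(verdict(fh.read(4096)))
    except (IndexError, OSError) as exc:
        print(f"0 cannot inspect upload: {exc}")  # fail closed
```

A file that merely starts with the letters "MZ" would also be blocked by this table, so a production check would use a fuller signature database such as the one behind the file command.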
We have recently undertaken application security in-depth testing on PDM by an industry accredited vendor and this was picked up and identified as a Medium Risk - It would be good if this could be addressed to remove the risk.