


























A vulnerability was identified in OWASP CRS where whitespace padding in filenames can bypass file upload extension checks, allowing uploads of dangerous files such as .php, .phar, .jsp, and .jspx. This issue has been assigned CVE‑2026‑33691. Impact: Attackers may evade CRS protections and upload web shells disguised with whitespace‑padded extensions. Exploitation is most practical on Windows backends that normalize whitespace in filenames before execution, In linux harder because it require a backend that use like `.strip()` and `.trim()` and other whitespace trimming methods depending on the language here vulnerable to that or the webserver strip whitespaces or the backend on general, If not they not vulnerable to that. Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes are always backported to supported branches. References: Full advisory: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w Credits: Reported by RelunSec (aka @HackingRepo on Github). _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。