Bypassing PHP Script Uploads Rules with X.Filename in OWASP ModSecurity CRS 3.0.2


CVE-2019-13464 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:N

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
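The mismatch described above, modelled as an added example (not CRS or ModSecurity code): a check keyed on the literal name X_Filename beside one that canonicalizes header names before matching. The dot/hyphen-to-underscore mapping is a simplified model of the transformation the advisory describes, and the extension list, function names and sample headers are assumptions constructed for illustration.

```python
import re

# Header the upload check is meant to cover, stored in canonical form.
WATCHED = {"x_filename"}

# Extensions treated as PHP scripts here (assumed list, not taken from the CRS).
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)


def canonical(name: str) -> str:
    """Simplified model: lower-case the name, map '.' and '-' to '_'."""
    return re.sub(r"[.\-]", "_", name.strip().lower())


def literal_match(headers):
    """Inspects only headers spelled exactly X_Filename (case-insensitive)."""
    return [(n, v) for n, v in headers
            if n.strip().lower() == "x_filename" and PHP_EXT.search(v.strip())]


def canonical_match(headers):
    """Inspects every header whose canonical name equals a watched name."""
    return [(n, v) for n, v in headers
            if canonical(n) in WATCHED and PHP_EXT.search(v.strip())]


# Constructed sample request headers (name, value).
SAMPLE = [
    ("X_Filename", "upload.php"),
    ("X.Filename", "upload.php"),     # dot variant from the advisory
    ("x.filename", "avatar.PHTML"),   # same variant, different case
    ("X-Filename", "report.pdf"),     # watched name, harmless extension
    ("Content-Type", "image/png"),
]

if __name__ == "__main__":
    print("literal  :", literal_match(SAMPLE))
    print("canonical:", canonical_match(SAMPLE))
```

Matching on the canonical name closes the gap for any spelling that the application later treats as the same header, rather than enumerating variants one by one.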
