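##### Magento 2 PolyShell Protection
#
# Three layers against the "PolyShell" technique: a GIF/PHP polyglot pushed
# through a Magento REST V1 endpoint that accepts a `file_info` JSON object
# ({"base64_encoded_data": "...", "type": "...", "name": "..."}).
#
# Prerequisites this file does NOT set:
#   * SecRequestBodyAccess On, with SecRequestBodyLimit / SecRequestBodyNoFilesLimit
#     large enough for the JSON bodies you expect. A body over the limit is
#     not seen by Rules 1-2 — check SecRequestBodyLimitAction.
#   * Rules 1-2 target STREAM_INPUT_BODY|REQUEST_BODY so they match on
#     whichever variable the server makes available, with or without
#     SecStreamInBodyInspection.
#   * Regex spelling: `\\.` is this file's convention for a PCRE `\.` inside
#     an httpd quoted argument (httpd collapses the doubled backslash). Keep
#     the doubling when editing the patterns.
#
# ── Rule 0 — Ensure the raw body is available for JSON requests ──────────
#
# With no body processor configured, ModSecurity 2.9.x leaves REQUEST_BODY
# empty for JSON requests. We deliberately do NOT set
# requestBodyProcessor=URLENCODED: that consumes the body into ARGS_POST and
# still leaves REQUEST_BODY empty.
#
# ctl:forceRequestBodyVariable=On buffers the raw body into REQUEST_BODY when
# no processor is configured. It has to run before the body is read, hence
# phase:1.
#
# Scoped to Magento REST V1 endpoints — the only paths this ruleset inspects.
# Content-Type is lower-cased before matching so "Application/JSON" and
# "application/json; charset=utf-8" both enable the variable.
SecRule REQUEST_URI "@rx /rest(?:/[^/]+)?/V1/" \
    "id:4091099,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    chain"
    SecRule REQUEST_HEADERS:Content-Type "@rx application/json" \
        "t:none,t:lowercase,\
        ctl:forceRequestBodyVariable=On"

# ── Rule 1 — Block PHP-handleable extensions in file_info uploads ─────────
#
# Catches filenames such as test.php, shell.phtml, backdoor.phar, x.php7,
# x.php8, x.phps inside a file_info JSON object sent to any REST V1 endpoint.
# The pattern is not end-anchored on purpose: "shell.php.jpg" is caught too
# (multi-extension handling with AddHandler would still execute it).
#
# Transformations, in order:
#   t:jsDecode  — a JSON string may spell the name as "shell.\u0070hp" or
#                 "shell\u002ephp"; Magento's JSON decoder turns that back
#                 into "shell.php", so the rule must see the decoded form.
#   t:lowercase — Apache AddHandler/AddType extension matching is
#                 case-insensitive, so "SHELL.PHP" would execute as well.
# Base64 never contains '.', so the encoded image data cannot trip this.
#
# Cost note: `[^}]*` scans forward across the whole file_info object, which
# includes the base64 image; keep SecRequestBodyLimit sane.
SecRule REQUEST_URI "@rx /rest(?:/[^/]+)?/V1/" \
    "id:4091101,\
    phase:2,\
    t:none,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    msg:'POLYSHELL: PHP extension in Magento API file_info upload',\
    tag:'platform-magento',\
    tag:'attack-file-upload',\
    severity:'CRITICAL',\
    chain"
    SecRule STREAM_INPUT_BODY|REQUEST_BODY "@rx file_info[^}]*\\.ph(?:p[0-9]*|ps|tml|ar)" \
        "t:none,t:jsDecode,t:lowercase"

# ── Rule 2 — Detect base64 GIF89a/GIF87a + PHP polyglots ──────────────────
#
# The attack puts a PHP open tag inside a file that still begins with a valid
# GIF header, so it passes image validation but executes as PHP. file_info
# carries the file as base64_encoded_data, so we match the base64 forms.
#
# GIF header: the 6 bytes "GIF89a" base64-encode exactly to "R0lGODlh" and
# "GIF87a" to "R0lGODdh" — no padding and no width byte are involved, so
# these are fixed strings when the file starts at offset 0 of the base64
# string (as it does for base64_encoded_data).
#
# A PHP open tag's base64 form depends on its byte offset modulo 3:
#   "<?php"  offset 0: PD9w     offset 1: w/cGhw       offset 2: 8P3Bo
#   "<?="    offset 0: PD89     offset 1: w/P[Q-Za-f]  offset 2: 8Pz[0-3]
# "<?=" (short echo tag) is always enabled in PHP >= 5.4 regardless of
# short_open_tag, so it is covered alongside "<?php".
#
# Limitation: the tag must appear within the first 300 base64 characters
# (225 bytes) after the header. An attacker can pad the GIF (e.g. with a
# large comment extension) to push the tag past that window; raise the bound
# if your body limits allow (at some regex cost) and treat Rule 3 as the
# backstop. The header proximity is what keeps false positives on genuine
# image data negligible — do not drop it.
#
# t:jsDecode undoes JSON \uXXXX escapes that Magento would decode before
# base64-decoding. No t:lowercase here: base64 is case-sensitive.
SecRule REQUEST_URI "@rx /rest(?:/[^/]+)?/V1/" \
    "id:4091102,\
    phase:2,\
    t:none,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    msg:'POLYSHELL: base64 GIF89a+PHP polyglot detected in API upload',\
    tag:'platform-magento',\
    tag:'attack-file-upload',\
    severity:'CRITICAL',\
    chain"
    SecRule STREAM_INPUT_BODY|REQUEST_BODY "@rx file_info[^}]*R0lGOD[ld]h[A-Za-z0-9+/]{0,300}(?:PD9w|w/cGhw|8P3Bo|PD89|w/P[Q-Za-f]|8Pz[0-3])" \
        "t:none,t:jsDecode"

# ── Rule 3 — Block PHP execution in /media/ directory ─────────────────────
#
# Defence-in-depth: even if a polyglot lands on disk, refuse to serve any
# PHP-handleable extension under /media/. Not end-anchored on purpose so that
# "shell.php/x.jpg" (PATH_INFO) and "shell.php.jpg" are caught too.
#
# REQUEST_FILENAME rather than REQUEST_URI: it excludes the query string, so
# "/media/x.jpg?ref=a.php" is not a false positive. ModSecurity applies no
# anti-evasion transformations to it by itself, so they are listed here:
#   t:urlDecodeUni  — "%2ephp" / "sh%65ll.php" are decoded before the
#                     filesystem lookup, so decode before matching.
#   t:normalisePath — "/media/../media/x.php", "//".
#   t:lowercase     — AddHandler/AddType matching is case-insensitive.
#
# This is a WAF-layer backstop only. The web server's own configuration for
# pub/media should refuse to execute scripts as well (Magento ships an
# .htaccess for this — confirm it is present and that AllowOverride honours it).
SecRule REQUEST_FILENAME "@rx /media/.*\\.ph(?:p[0-9]*|ps|tml|ar)" \
    "id:4091103,\
    phase:1,\
    t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    msg:'POLYSHELL: PHP execution blocked in Magento media directory',\
    tag:'platform-magento',\
    tag:'attack-file-upload',\
    severity:'CRITICAL'"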