OWASP Core Rule Set Whitespace Padding Bypass Vulnerability Allowing Dangerous File Uploads

Vulnerability

A vulnerability exists in the OWASP Core Rule Set (CRS) versions prior to 3.3.9 and 4.25.0 that allows the upload of files with dangerous extensions such as .php, .phar, .jsp, and .jspx. The bypass works by padding the filename with whitespace; the affected rules do not normalize the filename before extracting and checking its extension, so the padded extension does not match the restricted-extension list and the file is not identified as harmful. Exploitation is most effective on Windows, where trailing whitespace is stripped from a filename when the file is created, so the padded name is stored and later executed under the bare dangerous extension. It can also succeed on Linux when the application itself trims or sanitizes the filename before storing the file.

Impact

Exploitation allows the upload of web shells whose filenames carry a whitespace-padded dangerous extension. Once the platform or application strips the padding, the file is stored with the real extension (for example .php) and can be executed on the server.

Reproduction

The vulnerability can be reproduced by uploading a file through a web application protected by an affected OWASP CRS version. Pad the filename with whitespace after the extension (for example a trailing space or tab, as in "shell.php " with a trailing space) so that the extension check no longer matches the restricted list. This can be done through the file upload interface itself or by intercepting the request and editing the filename parameter of the multipart Content-Disposition header to include the padding.

Remediation

Users should upgrade to OWASP CRS versions 3.3.9, 4.25.0, or 4.8.x. Security fixes are backported to supported branches.

Added: Apr 2, 2026, 6:14 PM
Updated: Apr 2, 2026, 6:14 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 10.0
exploitability: 6.0
remediation: 8.3
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.