CVE-2026-33691: Bypassing OWASP CRS with Whitespace Padding to Achieve RCE
OWASP CRS has a vulnerability (CVE-2026-33691) in which whitespace characters bypass the file upload checks, letting attackers upload malicious files (such as .php and .jsp); Windows systems are especially affected. Unpatched WAFs are vulnerable; the fix is in CRS v3.3.9 and later.

2026-4-16 19:44:0 Author: seclists.org

oss-sec mailing list archives


From: cyber security <cs7778503 () gmail com>
Date: Thu, 16 Apr 2026 15:37:21 -0400

Deep analysis by US confirms that, using CVE-2026-33691, on any
platform, whether Windows, Linux or Mac, you can bypass unpatched CRS
and use CVE-2015-10138.

As confirmed, as we see in that line:

```
// Lines 493-498 of public/includes/UploadHandler.php
protected function trim_file_name($name, $type = null, $index = null, $content_range = null) {
    // Remove path information and dots around the filename...
    // Also remove control characters and spaces (\x00..\x20) around the filename:
    $name = trim(basename(stripslashes($name)), ".\x00..\x20");
    // ...
}
```

It unlocks the old CVE-2015-10138 and an attacker gets RCE if WAFs are
not patched; that unlocks the old vuln's power against a modern WAF.
Most people rely only on the WAF alone, and the `Work The Flow File
Upload` plugin is never patched and even runs **EOL**, which is very
common. That is the danger. After that confirmation, we see one WordPress
plugin confirmed to trim whitespace from uploaded files.

On Sun, Mar 29, 2026 at 3:33 AM cyber security <cs7778503 () gmail com> wrote:

A vulnerability was identified in OWASP CRS where whitespace padding
in filenames can bypass file upload extension checks, allowing uploads
of dangerous files such as .php, .phar, .jsp, and .jspx. This issue
has been assigned CVE-2026-33691.

Impact: Attackers may evade CRS protections and upload web shells
disguised with whitespace-padded extensions. Exploitation is most
practical on Windows backends that normalize whitespace in filenames
before execution. On Linux it is harder, because it requires a backend
that uses something like `.strip()` and `.trim()` or other
whitespace-trimming methods, depending on the language, to be
vulnerable to that, or a web server or backend in general that strips
whitespace. If not, they are not vulnerable to that.

Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes
are always backported to supported branches.

References:

Full advisory: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w

Credits: Reported by RelunSec (aka @HackingRepo on GitHub).
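
The mismatch the thread describes, as an added example (not code from the post, the plugin, or CRS): a check that inspects the raw filename disagrees with the name a trimming backend ends up storing, and validating the trimmed name closes the gap. The function names and sample filenames are assumptions constructed here, and `stored_name` only approximates the excerpt's `trim()` call.

```python
import os.path

# Extensions the advisory text names as dangerous uploads.
BLOCKED_EXTENSIONS = {".php", ".phar", ".jsp", ".jspx"}

# Characters removed by trim($name, ".\x00..\x20") in the excerpt: "." plus 0x00-0x20.
TRIM_CHARS = "." + "".join(chr(c) for c in range(0x00, 0x21))


def stored_name(raw: str) -> str:
    """Approximate the name a trimming backend stores (simplified path handling)."""
    last_component = raw.replace("\\", "/").rsplit("/", 1)[-1]
    return last_component.strip(TRIM_CHARS)


def extension_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def naive_allows(raw: str) -> bool:
    """Hypothetical filter that inspects only the raw, untrimmed filename."""
    return extension_of(raw) not in BLOCKED_EXTENSIONS


def hardened_allows(raw: str) -> bool:
    """Check the extension of the name that will actually be stored."""
    name = stored_name(raw)
    # A name that is empty after trimming is rejected outright.
    return bool(name) and extension_of(name) not in BLOCKED_EXTENSIONS


def find_mismatches(raw_names):
    """Return raw names the naive check passes but the hardened check rejects."""
    return [n for n in raw_names if naive_allows(n) and not hardened_allows(n)]


# Constructed sample of filenames as they might appear in an upload log.
SAMPLE_UPLOADS = ["photo.jpg", "notes.php", "notes.php ", "page.jsp\t", "archive.phar."]

if __name__ == "__main__":
    for name in find_mismatches(SAMPLE_UPLOADS):
        print(repr(name), "->", repr(stored_name(name)))
```

Running `find_mismatches` over logged upload filenames flags requests where the filter and the backend saw different extensions, which is useful when reviewing uploads accepted before the CRS update.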



Source: https://seclists.org/oss-sec/2026/q2/154