File: //etc/modsecurity/mod_sec3_CRS/lfi-os-files.data
# This list comes from:
# - https://github.com/lightos/Panoptic
# - https://github.com/danielmiessler/SecLists
# /proc and /sys entries should be kept in sync with restricted-files.data
# Entries in this list generally use the shortest path that suffices for identifying them as dangerous.
# .ssh/id_rsa and .ssh/id_dsa for example, are both dangerous paths but are represented in this list as .ssh.
# The same applies to different log files below /var/log/mysql: var/log/mysql is enough to tell us that the request is suspicious.
# Additionally, similar paths with different roots are represented as a single entry.
# For example, the two entries usr/local/mysql/data/mysql.err and xampp/mysql/data/mysql.err are
# represented as mysql/data, as that is enough to identify the paths as being suspicious.
# Most of the dotfile entries can be generated from the following three commands.
# Unfortunately, the output contains many more entries, including some file
# extensions. There are also some entries that were probably added by hand.
# curl -s https://raw.githubusercontent.com/lightos/Panoptic/master/home.txt | grep -E "^\." | awk '{ print tolower($0) }' | sort | uniq
# curl -s https://raw.githubusercontent.com/lightos/Panoptic/master/cases.xml | grep "file value" | cut -d'"' -f2 | grep -E "^\." | awk '{ print tolower($0) }' | sort | uniq
# curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/fuzz-Bo0oM.txt | grep -Ev '\\|\.\.|=\b|%' | grep -E "^\." | awk '{ print tolower($0) }' | sort | uniq
.addressbook
.anydesk/
.aptitude/config
.atom/
.aws/
.azure/
.bash_
.bashrc
.boto
.cache/notify-osd.log
.config/
.cshrc
.cups/
.dbus/
.docker
.drush/
.env
.eslintignore
.fbcindex
.forward
.gem/
.gitattributes
.gitconfig
.gnonme/
.gnupg/
.gsutil/
.hplip/hplip.conf
.htaccess
.htdigest
.htpasswd
.java/
.ksh_history
.kube/
.lesshst
.lftp/
.lhistory
.lighttpdpassword
.lldb-history
.local/share/mc/
.lynx_cookies
.minikube/
.my.cnf
.mysql_history
.nano_history
.netrc
.node_repl_history
.npm/
.nsconfig
.nsr
.nvm/
.oh-my-
.password-store
.pearrc
.pgpass
.php_history
.pinerc
.pki/
.proclog
.procmailrc
.profile
.psql_history
.python_history
.rediscli_history
.rhistory
.rhosts
.sh_history
.sqlite_history
.ssh/
.subversion/
.tconn/
.tcshrc
.thunderbird/
.tor/
.vidalia/
.vim/
.viminfo
.vimrc
.vmware/
.www_acl
.wwwacl
.xauthority
.zhistory
.zsh_history
.zshrc
/php.ini
/tmp/
# Apache httpd entries can be generated with the following command:
# curl -s https://raw.githubusercontent.com/lightos/Panoptic/master/cases.xml | grep "file value" | cut -d'"' -f2 | awk -F/ '{ { if (length($NF) > 0) {v1 = NF-1; v2 = NF} else {v1 = NF-2; v2 = NF-1} print tolower($v1"/"$v2) } }' | grep apache | sort | uniq
apache/access.conf
apache/apache.conf
apache/apache2.conf
apache/audit_log
apache/conf
apache/default-server.conf
apache/error_log
apache/error.log
apache/httpd.conf
apache/log
apache2/apache.conf
apache2/apache2.conf
apache2/conf
apache2/default-server.conf
apache2/envvars
apache2/httpd.conf
apache2/httpd2.conf
apache2/logs
apache2/mods
apache2/ports.conf
apache2/sites
apache2/ssl-global.conf
apache2/vhosts.d
apache22/conf
apache22/httpd.conf
apache22/logs
apache24/conf
apache24/httpd.conf
apache24/logs
app/etc/local.xml
boot.ini
boot/grub/grub.cfg
boot/grub/menu.lst
config_dev.yml
config_prod.yml
config.sample.php
config_test.yml
config.inc.php
config.php
config.yml
config/app.php
config/custom.php
config/database.php
configuration.php
cpanel/logs
data/elasticsearch
data/kafka
defaults.inc.php
etc/.java
etc/acpi
etc/adduser.conf
etc/alias
etc/alsa
etc/alternatives
etc/anacrontab
etc/ansible
etc/apache/access.conf
etc/apache/apache.conf
etc/apache/default-server.conf
etc/apache/httpd.conf
etc/apache/vhosts.conf
etc/apache2
etc/apm
etc/apparmor
etc/apport
etc/apt
etc/asciidoc
etc/at.allow
etc/at.deny
etc/avahi
etc/bash_completion.d
etc/bash.bashrc
etc/bashrc
etc/bind
etc/binfmt.d
etc/bluetooth
etc/bonobo-activation
etc/bootptab
etc/brltty
etc/ca-certificates
etc/calendar
etc/casper.conf
etc/centos-release
etc/chatscripts
etc/chkrootkit.conf
etc/chromium-browser
etc/chrootusers
etc/chttp.conf
etc/clam.d
etc/clamav
etc/cni
etc/console-setup
etc/coraza-waf
etc/cracklib
etc/cron.allow
etc/cron.d
etc/cron.hourly
etc/cron.monthly
etc/cron.weekly
etc/crontab
etc/crypttab
etc/cups
etc/cvs-cron.conf
etc/cvs-pserver.conf
etc/dbus-1
etc/dconf
etc/debconf.conf
etc/debian_version
etc/default
etc/deluser.conf
etc/depmod.d
etc/dhcp
etc/dictionaries-common
etc/dkms
etc/dns2tcpd.conf
etc/dnsmasq.d
etc/docker
etc/dpkg
etc/e2fsck.conf
etc/elasticsearch
etc/emacs
etc/environment.d
etc/esound/esd.conf
etc/etter.conf
etc/exports
etc/fail2ban
etc/fedora-release
etc/firebird
etc/firefox
etc/firewall
etc/fonts
etc/foremost.conf
etc/freshclam.conf
etc/fstab
etc/ftpaccess
etc/ftpchroot
etc/ftphosts
etc/ftpusers
etc/fuse.conf
etc/fwupd
etc/gconf
etc/gdb
etc/gdm3
etc/geoclue
etc/ghostscript
etc/gimp
etc/glvnd
etc/gnome
etc/gnucash
etc/gnustep
etc/groff
etc/group
etc/grub.conf
etc/grub.d
etc/gshadow
etc/gss
etc/gtk-2.0
etc/gtk-3.0
etc/hdparm.conf
etc/host.conf
etc/hostname
etc/hosts
etc/hp
etc/http/conf
etc/http/httpd.conf
etc/httpd
etc/ifplugd
etc/imagemagick-6
etc/inetd.conf
etc/init
etc/insserv.conf.d
etc/ipfw
etc/iproute2
etc/iptables
etc/issue
etc/java
etc/kafka
etc/kbd/config
etc/kernel
etc/kibana
etc/ld.so.conf
etc/ldap
etc/libblockdev
etc/libibverbs.d
etc/libnl-3
etc/libpaper.d
etc/libreoffice
etc/lighttpd
etc/lilo.conf
etc/logcheck
etc/login.defs
etc/logrotate.conf
etc/logrotate.d
etc/logstash
etc/lsb-release
etc/ltrace.conf
etc/lvm
etc/lynx
etc/mail
etc/mandrake-release
etc/manpath.config
etc/mc
etc/menu
etc/miredo-server.conf
etc/miredo.conf
etc/miredo/miredo-server.conf
etc/miredo/miredo.conf
etc/modprobe.d
etc/modsecurity
etc/modulesf
etc/mongod.conf
etc/monit
etc/mono
etc/motd
etc/mplayer
etc/mpv
etc/mtab
etc/mtools.conf
etc/muddleftpd
etc/muddleftpd.com
etc/muttrc.d
etc/my.cnf
etc/my.conf
etc/mysql
etc/netplan
etc/network
etc/networkmanager
etc/newsyslog.conf
etc/newt
etc/nghttpx
etc/nginx/
etc/nikto
etc/npasswd
etc/nuxeo.conf
etc/odbcdatasources
etc/openal
etc/openldap/ldap.conf
etc/openmpi
etc/opt
etc/os-release
etc/osxhttpd
etc/osync
etc/packagekit
etc/pam.conf
etc/pam.d
etc/pam.d/proftpd
etc/passwd
etc/password
etc/pcmcia
etc/perl
etc/php
etc/pki
etc/pm
etc/polkit-1
etc/postfix
etc/postgresql
etc/ppp
etc/printcap
etc/profile
etc/proftp.conf
etc/proftpd
etc/pulse
etc/pure-ftpd
etc/pureftpd
etc/python
etc/rc.conf
etc/rc.d/rc.httpd
etc/rc0.d
etc/rc1.d
etc/rc2.d
etc/rc3.d
etc/rc4.d
etc/rc5.d
etc/rc6.d
etc/rcs.d
etc/redhat-release
etc/redis-sentinel.conf
etc/redis.conf
etc/resolv.conf
etc/resolvconf
etc/rsyslog.d
etc/samba
etc/sane.d
etc/scw-release
etc/security
etc/selinux
etc/sensors.conf
etc/sensors.d
etc/sensors3.conf
etc/sgml
etc/shadow
etc/signon-ui
etc/skel
etc/slackware-release
etc/smb.conf
etc/smbpasswd
etc/smi.conf
etc/snmp
etc/sound
etc/spamassassin
etc/speech-dispatcher
etc/squid
etc/squirrelmail
etc/ssh
etc/ssl
etc/sso
etc/stunnel
etc/subgid
etc/subuid
etc/subversion
etc/sudoers
etc/suse-release
etc/sw-cp-server/applications.d
etc/sysconfig
etc/sysctl.conf
etc/sysctl.d
etc/syslog.conf
etc/sysstat
etc/system-release-cpe
etc/systemd
etc/termcap
etc/terminfo
etc/texmf
etc/thermald
etc/thnuclnt
etc/thunderbird
etc/timezone
etc/timidity
etc/tinyproxy
etc/tmpfiles.d
etc/tor/tor-tsocks.conf
etc/tsocks.conf
etc/ubuntu-advantage
etc/udev
etc/udisks2
etc/ufw
etc/update-manager
etc/update-motd.d
etc/update-notifier
etc/updatedb.conf
etc/upower
etc/urlview
etc/usb_modeswitch.d
etc/utmp
etc/vhcs2/proftpd/proftpd.conf
etc/vim
etc/vmware
etc/vsftpd.chroot_list
etc/vsftpd.conf
etc/vsftpd/vsftpd.conf
etc/vulkan
etc/w3m
etc/webmin
etc/wicd
etc/wireshark
etc/wpa_supplicant
etc/wu-ftpd
etc/x11
etc/xdg
etc/xml
gruntfile.js
home/postgres
http/httpd.conf
httpd/conf/httpd.conf
inc/config.php
includes/config.php
includes/configure.php
inetpub/wwwroot/global.asa
jakarta/dist/tomcat
jakarta/tomcat/conf
jakarta/tomcat/logs
library/webserver/documents
lighttpd/conf
lighttpd/lighttpd.conf
lighttpd/log
localsettings.php
logs/access_log
logs/access.log
logs/error_log
logs/error.log
logs/pure-ftpd.log
logs/samba.log
logs/security_debug_log
logs/security_log
lsws/conf
lsws/logs
mysql/bin/my.ini
mysql/data
mysql/my.cnf
mysql/my.ini
nginx/conf/nginx.conf
npm-debug.log
opt/apache
opt/apache2
opt/httpd/apache.conf
opt/httpd/apache2.conf
opt/httpd/conf/
opt/jboss
opt/lampp
opt/nuxeo
opt/tomcat
opt/xampp
ormconfig.json
package-lock.json
package.json
parameters.yml
pgsql/bin/pg_passwd
pgsql/data
php/apache.conf
php/apache2.conf
php/httpd.conf
php5/apache.conf
php5/apache2.conf
php5/httpd.conf
postgresql/log/
proc/0
proc/1
proc/2
proc/3
proc/4
proc/5
proc/6
proc/7
proc/8
proc/9
proc/acpi
proc/asound
proc/bootconfig
proc/buddyinfo
proc/bus
proc/cgroups
proc/cmdline
proc/config.gz
proc/consoles
proc/cpuinfo
proc/crypto
proc/devices
proc/diskstats
proc/dma
proc/docker
proc/driver
proc/dynamic_debug
proc/execdomains
proc/fb
proc/filesystems
proc/fs
proc/interrupts
proc/iomem
proc/ioports
proc/ipmi
proc/irq
proc/kallsyms
proc/kcore
proc/key-users
proc/keys
proc/kmsg
proc/kpagecgroup
proc/kpagecount
proc/kpageflags
proc/latency_stats
proc/loadavg
proc/locks
proc/mdstat
proc/meminfo
proc/misc
proc/modules
proc/mounts
proc/mpt
proc/mtd
proc/mtrr
proc/net
proc/pagetypeinfo
proc/partitions
proc/pressure
proc/sched_debug
proc/schedstat
proc/scsi
proc/self
proc/slabinfo
proc/softirqs
proc/stat
proc/swaps
proc/sys
proc/sysrq-trigger
proc/sysvipc
proc/thread-self
proc/timer_list
proc/timer_stats
proc/tty
proc/uptime
proc/version
proc/version_signature
proc/vmallocinfo
proc/vmstat
proc/zoneinfo
program files
psa/admin
pureftpd/etc
root/anaconda-ks.cfg
routing.yml
samba/lib
sb/config
security.yml
server/default/conf
server/default/deploy
server/default/log
services.yml
sftp-config.json
sites/default/default.settings.php
sites/default/settings.local.php
sites/default/settings.php
squirrelmail/config/config.php
squirrelmail/www
sys/block
sys/bus
sys/class
sys/dev
sys/devices
sys/firmware
sys/fs
sys/hypervisor
sys/kernel
sys/module
sys/power
system/library/webobjects/adaptors
system32/config
system32/inetsrv/config
tmp/access.log
tmp/kafka-logs
tsconfig.json
typo3conf/localconf.php
usr/etc/pure-ftpd.conf
usr/home/user/lighttpd
usr/lib/cron/log
usr/lib/php
usr/lib/rpm/rpm.log
usr/lib/security
usr/local/zeus/web
usr/pkg/etc/httpd
usr/pkgsrc/net/pureftpd
usr/ports/contrib/pure-ftpd
usr/ports/ftp/pure-ftpd
usr/sbin/mudlogd
usr/sbin/mudpasswd
usr/sbin/pure-config.pl
usr/share/adduser
usr/share/logs
usr/share/squirrelmail
usr/share/tomcat
usr/spool/lp
usr/spool/mqueue
var/adm
var/apache/logs
var/apache2/config.inc
var/cpanel
var/cron/log
var/data/elasticsearch
var/data/mysql-bin
var/htmp
var/lib/elasticsearch
var/lib/mysql
var/lib/pgsql
var/lib/squirrelmail
var/lighttpd
var/local/www/conf
var/log
var/lp/logs
var/mail
var/mysql-bin
var/mysql.log
var/nm2/postgresql.conf
var/postgresql
var/run/utmp
var/saf/_log
var/saf/port/log
var/spool
var/webmin
var/www/conf
var/www/html/squirrelmail
var/www/log
volumes/macintosh_hd
volumes/webbackup
wamp/bin/apache
wamp/bin/mysql
wamp/bin/php
wamp/logs
web.config
webpack.config.js
windows/comsetup.log
windows/debug/netsetup.log
windows/odbc.ini
windows/repair/setup.log
windows/setupact.log
windows/setupapi.log
windows/setuperr.log
windows/system32
windows/updspapi.log
windows/windowsupdate.log
windows/wmsetup.log
winnt/repair
winnt/system32/logfiles
wp-config.
www/conf/httpd.conf
www/logs
xampp/apache/logs
xampp/filezillaftp
xampp/htdocs
xampp/mercurymail
xampp/mysql/data
xampp/php
xampp/sendmail
xampp/webalizer/webalizer.conf
yarn.lock