Merge branch 'master' into http-technology-probing

Author: buixor

.appsec-tests/vpatch-CVE-2026-41940/CVE-2026-41940.yaml

@@ -0,0 +1,32 @@
+id: CVE-2026-41940
+info:
+  name: CVE-2026-41940
+  author: crowdsec
+  severity: info
+  description: CVE-2026-41940 testing - cPanel WHM auth bypass via stripped ob cookie
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: whostmgrsession=%3aQSJN_sFdKZtCi2o_
+        Authorization: Basic cm9vdDp4DQpoYXNyb290PTENCnRmYV92ZXJpZmllZD0xDQp1c2VyPXJvb3Q=
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: whostmgrsession=%3aQSJN_sFdKZtCi2o_%2C
+        Authorization: Basic cm9vdDp4DQpoYXNyb290PTENCnRmYV92ZXJpZmllZD0xDQp1c2VyPXJvb3Q=
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: whostmgrsession=%3aQSJN_sFdKZtCi2o_%2Ctoto
+        Authorization: Basic cm9vdDp4DQpoYXNyb290PTENCnRmYV92ZXJpZmllZD0xDQp1c2VyPXJvb3Q=
+    cookie-reuse: true
+    matchers:
+    - type: dsl
+      condition: and
+      dsl:
+        - 'status_code_1 == 403'
+        - 'status_code_2 == 403'
+        - 'status_code_3 == 200'

.appsec-tests/vpatch-CVE-2026-41940/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-41940.yaml
+nuclei_template: CVE-2026-41940.yaml

.index.json

@@ -6,3 +6,4 @@ Sep 28 10:38:41 pfSense filterlog: 6,,,1000102434,em0,match,block,out,4,0x0,,64,
 <134>1 2022-09-06T18:37:34+02:00 opnsense filterlog 69805 - [meta sequenceId="2633355"] 95,,,8a2005c53e3f5653fc9a2e2e81bde263,re0,match,pass,in,4,0x0,,117,35656,0,DF,6,tcp,52,96.235.167.197,10.0.0.200,61145,51918,0,S,349929896,,64240,,mss;nop;wscale;nop;nop;sackOK
 <134>1 2022-09-06T18:51:28+02:00 opnsense filterlog 69805 - [meta sequenceId="2654146"] 10,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,4,0x0,,47,59064,0,DF,6,tcp,60,154.6.147.87,37.120.48.198,48473,13680,0,S,3023053886,,7300,,mss;sackOK;TS;nop;wscale
 <134>1 2022-09-06T19:00:06+02:00 opnsense filterlog 57126 - [meta sequenceId="2667099"] 98,,,881dd59a3e942966c90498ac104715a0,re0,match,pass,in,6,0x00,0x0ea87,51,udp,17,73,2008:8a0:702e:ce00:acc6:c7ee:fa01:2f8a,2c02:2454:ada:d900::1738,6881,51918,73
+<134>1 2022-09-06T19:00:06+02:00 opnsense filterlog 57126 - [meta sequenceId="2667099"] 98,,,64d253df-ef65-4b56-9df4-c03fc11b8ce4,re0,match,block,in,6,0x00,0x0ea87,51,udp,17,73,2008:8a0:702e:ce00:acc6:c7ee:fa01:2f8a,2c02:2454:ada:d900::1738,6881,51918,73

.tests/pf-logs/parser.assert

@@ -0,0 +1,27 @@
+name: crowdsecurity/vpatch-CVE-2026-41940
+description: 'Detects cPanel & WHM authentication bypass (CVE-2026-41940) by identifying a whostmgrsession cookie with a stripped ob segment (no comma separator)'
+rules:
+  - and:
+      - zones:
+          - COOKIES
+        variables:
+          - whostmgrsession
+        transform:
+          - lowercase
+          - urldecode
+          - trim
+        match:
+          type: regex
+          value: '^:[a-z0-9_]+,?$'
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'cPanel WHM - Authentication Bypass'
+  classification:
+    - cve.CVE-2026-41940
+    - attack.T1190
+    - cwe.CWE-306

.tests/pf-logs/pf-logs.log

@@ -185,6 +185,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2025-24582
 - crowdsecurity/vpatch-CVE-2025-15503
 - crowdsecurity/vpatch-CVE-2025-13956
+- crowdsecurity/vpatch-CVE-2026-41940
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base

appsec-rules/crowdsecurity/vpatch-CVE-2026-41940.yaml

@@ -11,7 +11,7 @@ pattern_syntax:
   PF_WORD: '%{USERNAME}'
 
   # rulenr, subrulenr, anchorname, label | "0", interface, reason, action, dir
-  PF_BASE: '%{INT:rule},(%{INT:sub_rule})?,(%{WORD:anchorname})?,(%{WORD:tracker}| 0),%{PF_WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction}'
+  PF_BASE: '%{INT:rule},(%{INT:sub_rule})?,(%{WORD:anchorname})?,(%{DATA:tracker}| 0),%{PF_WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction}'
 
   # tos, ecn, ttl, id, offset, flags, protonum, protoname, length, src, dst
   PF_IPV4_DATA: '%{BASE16NUM:ip4_tos},(%{INT:ip4_ecn})?,%{INT:ip4_ttl},%{INT:ip4_id},%{INT:ip4_offset},%{WORD:ip4_flags},%{INT:ip4_proto_id},%{WORD:ip4_proto}'

blockers.json

@@ -5,10 +5,10 @@ whitelist:
   reason: "Plex Allowlist"
   expression:
    - evt.Meta.http_status in ['200', '206', '403', '404'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/video/:/transcode/'
-   - evt.Meta.http_status in ['200', '206'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/photo/:/transcode/'
+   - evt.Meta.http_status in ['200', '206', '403', '404'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/photo/:/transcode/'
    - evt.Meta.http_status in ['200', '400', '403'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/:/timeline'
    - evt.Meta.http_status in ['200', '403', '404'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/library/metadata/'
    - evt.Meta.http_status == '200' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path == '/status/sessions'
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/playQueues/'
    - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' && evt.Parsed.request == '/log' && evt.Parsed.http_args contains 'X-Plex-Product=Plex%20Cast&X-Plex-Version='
-   - evt.Meta.http_status in ['200', '206'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/music/:/transcode/universal/session/'
+   - evt.Meta.http_status in ['200', '206', '403', '404'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/music/:/transcode/universal/session/'