Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability

[cyber security <cs7778503 () gmail com>]

Also you can use CVE-2026-33691, to disable security headers while bypassing CRS

More info at https://unlockoldupload.hashnode.dev/turn-off-security-headers-using-cve-2026-33691

On Sat, Apr 18, 2026 at 3:00 AM cyber security <cs7778503 () gmail com> wrote:
> After deep analysis we confirm, that CVE-2026-33691 aka it alias
> UnlockOldUpload, can even disable ModSecurity WAF
>
> More info at https://unlockoldupload.hashnode.dev/disable-modsecurity-waf-using-cve-2026-33691.
>
> On Thu, Apr 16, 2026 at 3:37 PM cyber security <cs7778503 () gmail com> wrote:
> > Deep analysis by US confirm, that using CVE-2026-33691, in any
> > platform wheter windows or linux or mac, you can bypass unpatched CRS
> > and use CVE-2015-10138
> >
> > as confirmed, as we see in that line
> >
> > ```
> >    1   // Lines 493-498 of public/includes/UploadHandler.php
> >    2   protected function trim_file_name($name, $type = null, $index =
> > null, $content_range = null) {
> >    3       // Remove path information and dots around the filename...
> >    4       // Also remove control characters and spaces (\x00..\x20)
> > around the filename:
> >    5       $name = trim(basename(stripslashes($name)), ".\x00..\x20");
> >    6       // ...
> >    7   }
> > ```
> >
> > It unlocks the old CVE-2015-10138 and an attacker get RCE if WAFs are
> > not patched, that unlocks the old vuln power against a modern WAF,
> > most peoples rely only on the WAF alone and `Work The Flow File
> > Upload` plugin is never patched and even run **EOL** that is very
> > common, That is the danger, after that confirm, we see one wordpress
> > plugin confirmed trims whitespaces from uploaded files
> >
> > On Sun, Mar 29, 2026 at 3:33 AM cyber security <cs7778503 () gmail com> wrote:
> > > A vulnerability was identified in OWASP CRS where whitespace padding
> > > in filenames can bypass file upload extension checks, allowing uploads
> > > of dangerous files such as .php, .phar, .jsp, and .jspx. This issue
> > > has been assigned CVE‑2026‑33691.
> > >
> > > Impact: Attackers may evade CRS protections and upload web shells
> > > disguised with whitespace‑padded extensions. Exploitation is most
> > > practical on Windows backends that normalize whitespace in filenames
> > > before execution, In linux harder because it require a backend that
> > > use like `.strip()` and `.trim()` and other whitespace trimming
> > > methods depending on the language here vulnerable to that or the
> > > webserver strip whitespaces or the backend on general, If not they not
> > > vulnerable to that.
> > >
> > > Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes
> > > are always backported to supported branches.
> > >
> > > References:
> > >
> > > Full advisory: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
> > >
> > > Credits: Reported by RelunSec (aka @HackingRepo on Github).