[Modsecurity] New releases
Michael Shinn
mike at gotroot.com
Tue Apr 4 09:34:38 EDT 2006
Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
Diff of /etc/modsecurity/blacklist2.conf
49d48
< SecFilterSelective THE_REQUEST "cyberspiderwebdesign\.com"
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
7c7
< # Version: N-20060403-01
---
> # Version: N-20060222-01
13c13
< # Copyright 2005 and 2006 by the Prometheus Group, all rights
reserved.
---
> # Copyright 2005 and 2006, all rights reserved.
37c37,38
< SecFilterSelective REQUEST_URI "/(formmail|mailform)(\x0a|\.pl\x0a)"
---
> SecFilterSelective REQUEST_URI "/(formmail|mailform)\x0a"
> SecFilterSelective REQUEST_URI "/(formmail|mailform)\.pl\x0a"
92a94,97
> # WEB-PHP Opt-X header.php remote file include attempt
> SecFilterSelective REQUEST_URI "/header\.php" chain
> SecFilter "systempath="
>
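Review bot: The direction of this diff needs confirming before the hunk is read as an addition: the 7c7 hunk puts the newer file (N-20060403-01) on the left, which would make these `>` lines the Opt-X `/header\.php` + `systempath=` chain being dropped from the new version, with only the narrower `ImpExData\.php`/`ARG_systempath` chain in the 3854,4014 hunk left to cover that vector. If the broader coverage was meant to stay, the new side should carry an equivalent chain with identifying actions, e.g. `SecFilterSelective REQUEST_URI "/header\.php" "chain,id:<PLACEHOLDER-ID>,rev:1,severity:2,msg:'JITP: Opt-X header.php remote file include attempt'"` followed by the existing `SecFilter "systempath="`. If the diff was instead taken old-to-new, the same comment applies to this rule as written: it is the only chain in the file sections shown that carries no id or msg, so its alerts cannot be attributed or excluded by id.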
3854,4014d3858
<
< #ImpExData.php?systempath=
< SecFilterSelective REQUEST_URI "/ImpExData\.php" chain
< SecFilterSelective ARG_systempath "(http|https|ftp)\:/"
<
< #SQuery <= 4.5 Remote File Inclusion Exploit
< SecFilterSelective REQUEST_URI "lib/(armygame|ase|devi|doom3|et|
flashpoint.php|gameSpy|gameSpy2|gore|gsvari|halo|hlife|hlife2|igi2|
main.lib|netpanzer|old_hlife|pkill|q[23]a|qworlp|rene|rvbshld|savage|
simracer|sof1|sof2|unreal|ut2004|vietcong)\.php" chain
< SecFilterSelective ARG_libpath "(http|https|ftp)\:/"
<
< #MonAlbum Multiple SQL Injection Vulnerabilities
< SecFilterSelective REQUEST_URI "index\.php" chain
< SecFilterSelective ARG_pc "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "image_agrandir.php" chain
< SecFilterSelective ARG_pnom|ARG_pcourriel "((select|grant|delete|
insert|drop|alter|replace|truncate|update|create|rename|
describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|
database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|
UNION.*SELECT.*FROM)"
<
< #PHPNuke-Clan "vwar_root" File Inclusion Vulnerability
< #VWar <= 1.5.0 R12 Remote File Inclusion Exploit
< SecFilterSelective REQUEST_URI "(/includes/functions_(common|
install)|/includes/get_header)\.php" chain
< SecFilterSelective ARG_vwar_root "((http|https|ftp)\:/|\.\./\.\.)"
<
< #gtd-php Cross-Site Scripting and Script Insertion Vulnerabilities
< SecFilterSelective REQUEST_URI "new(Project|List|WaitingOn|
ChecklistContext|Category.php|Goal)\.php" chain
< SecFilterSelective ARGS "((javascript|script|about|applet|activex|
chrome)*\>|html|(http|https|ftp)\:/)"
< SecFilterSelective REQUEST_URI "listReport\.php" chain
< SecFilterSelective ARG_listTitle "((javascript|script|about|applet|
activex|chrome)*\>|html|(http|https|ftp)\:/)"
< SecFilterSelective REQUEST_URI "projectReport\.php" chain
< SecFilterSelective ARG_projectName "((javascript|script|about|applet|
activex|chrome)*\>|html|(http|https|ftp)\:/)"
< SecFilterSelective REQUEST_URI "checklistReport\.php" chain
< SecFilterSelective ARG_checklistTitle "((javascript|script|about|
applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
<
< #aWebBB Multiple Vulnerabilities
< SecFilterSelective REQUEST_URI "post\.php"
"chain,id:390001,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on
post.php'"
< SecFilterSelective ARG_tname|ARG_fpost "((javascript|script|about|
applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
< SecFilterSelective REQUEST_URI "editac\.php"
"chain,id:390002,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on
editac.php'"
< SecFilterSelective ARG_fullname|ARG_emailadd|ARG_country|ARG_sig|
ARG_otherav "((javascript|script|about|applet|activex|chrome)*\>|
html|(http|https|ftp)\:/)"
< SecFilterSelective REQUEST_URI "register\.php"
"chain,id:390003,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on
register.php'"
< SecFilterSelective ARG_fullname|ARG_emailadd|ARG_country
"((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|
ftp)\:/)"
< SecFilterSelective REQUEST_URI "(accounts|changep|editac|feedback|
fpass|login|post|reply|reply_log)\.php"
"chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB XSS attack'"
< SecFilterSelective ARG_Username "((select|grant|delete|insert|drop|
alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|
a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "dpost\.php"
"chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
< SecFilterSelective ARG_p "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "(ndis|list)\.php"
"chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
< SecFilterSelective ARG_c "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "search\.php"
"chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
< SecFilterSelective ARG_q "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #phpBB "cur_password" Cross-Site Scripting Vulnerability
< SecFilterSelective REQUEST_URI "profile\.php"
"chain,id:390006,rev:1,severity:2,msg:'JITP: phpBB cur_password XSS
attack'"
< SecFilterSelective ARG_cur_password "((javascript|script|about|applet|
activex|chrome)*\>|html|(http|https|ftp)\:/)"
<
< #PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
< SecFilterSelective REQUEST_URI
"modules/vWar_Account/includes/functions_common\.php"
"chain,id:390007,rev:1,severity:2,msg:'JITP: PHPNuke-Clan 3.0.1 Remote
File Inclusion Exploit'"
< SecFilterSelective ARG_vwar_root2 "(http|https|ftp)\:/"
<
< #Claroline <= 1.7.4 scormExport.inc.php remote command vuln
< SecFilterSelective REQUEST_URI "scormExport\.inc\.php"
"chain,id:390008,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4
scormExport.inc.php remote command vuln'"
< SecFilterSelective ARG_includePath "((http|https|ftp)\:/|\.\./\.\.)"
< SecFilterSelective REQUEST_URI "scormExport\.inc\.php\?cmd="
"id:390009,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4
scormExport.inc.php remote command vuln'"
<
< #Claroline <= 1.7.4 XSS and recursion attack
< SecFilterSelective REQUEST_URI "rqmkhtml\.php"
"chain,id:390010,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 XSS
attack'"
< SecFilterSelective ARG_cmd "(rqEdit|rwEditHtml)" chain
< SecFilterSelective ARG_file "(><|\.\./\.\.)"
<
< #aWebNews Multiple Vulnerabilities
< SecFilterSelective REQUEST_URI "visview\.php"
"chain,id:390011,rev:1,severity:2,msg:'JITP: aWebNews XSS attack'"
< SecFilterSelective ARG_yname|ARG_emailadd|ARG_subject|ARG_comment
"((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|
ftp)\:/)"
< SecFilterSelective REQUEST_URI "(login|fpass)\.php"
"chain,id:390012,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
< SecFilterSelective ARG_user123 "((select|grant|delete|insert|drop|
alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|
a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "visview\.php"
"chain,id:390013,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
< SecFilterSelective ARG_cid "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #WebAPP Cross-Site Scripting Vulnerabilities
< SecFilterSelective REQUEST_URI "index\.cgi"
"chain,id:390014,rev:1,severity:2,msg:'JITP: aWebAPP XSS attack'"
< SecFilterSelective ARG_action|ARG_id|ARG_num|ARG_board|ARG_cat|
ARG_writer|ARG_viewcat|ARG_img|ARG_curcatname|ARG_vsSD "((javascript|
script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
<
< #qliteNews "loginprocess.php" SQL Injection Vulnerability
< SecFilterSelective REQUEST_URI "loginprocess\.php"
"chain,id:390015,rev:1,severity:2,msg:'JITP: qliteNEws SQL injection
attack'"
< SecFilterSelective ARG_username "((select|grant|delete|insert|drop|
alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|
a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #RedCMS SQL Injection and Script Insertion Vulnerabilities
< SecFilterSelective REQUEST_URI "login\.php"
"chain,id:390016,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
< SecFilterSelective ARG_username "((select|grant|delete|insert|drop|
alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|
a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "profile\.php"
"chain,id:390017,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
< SecFilterSelective ARG_u "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "register\.php"
"chain,id:390018,rev:1,severity:2,msg:'JITP: RedCMS XSS attack'"
< SecFilterSelective ARG_Email|ARG_Location|ARG_Website "((javascript|
script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
<
< #Oxygen "fid" SQL Injection Vulnerability
< SecFilterSelective REQUEST_URI "post\.php"
"chain,id:390019,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
< SecFilterSelective ARG_fid "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #Mantis Cross-Site Scripting Vulnerabilities
< SecFilterSelective REQUEST_URI "view_set_all\.php"
"chain,id:390020,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
< SecFilterSelective ARG_start_day|ARG_start_year|ARG_start_month
"((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|
ftp)\:/)"
<
< #vCounter "url" SQL Injection Vulnerability
< SecFilterSelective REQUEST_URI "vCounter\.php"
"chain,id:390021,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
< SecFilterSelective ARG_url "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #PHP Classifieds "searchword" Cross-Site Scripting Vulnerability
< SecFilterSelective REQUEST_URI "search\.php"
"chain,id:390022,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
< SecFilterSelective ARG_searchword "((javascript|script|about|applet|
activex|chrome)*\>|html|(http|https|ftp)\:/)"
<
< #PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection
< SecFilterSelective REQUEST_URI "/sendpassword\.php\?action=send"
"chain,id:390023,rev:1,severity:2,msg:'JITP: PHPCollab v2.x / NetOffice
v2.x sendpassword.php SQL Injection'"
< SecFilterSelective POST_PAYLOAD "UNION SELECT.*concat.*password.*admin
\.php"
<
< #Sourceworkshop newsletter "email" SQL Injection Vulnerability
< SecFilterSelective REQUEST_URI "/newsletter\.php"
"chain,id:390024,rev:1,severity:2,msg:'JITP: Sourceworkshop newsletter
SQL Injection Vulnerability'"
< SecFilterSelective ARG_newsletteremail "((select|grant|delete|insert|
drop|alter|replace|truncate|update|create|rename|
describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|
database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|
UNION.*SELECT.*FROM)"
<
< #X-Changer SQL Injection Vulnerabilities
< SecFilterSelective REQUEST_URI "/index\.php"
"chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection
Vulnerability'"
< SecFilterSelective ARG_from|ARG_into|ARG_id "((select|grant|delete|
insert|drop|alter|replace|truncate|update|create|rename|
describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|
database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|
UNION.*SELECT.*FROM)"
<
< #Cholod Mysql based message board Script Insertion and SQL Injection
< SecFilterSelective REQUEST_URI "/mb\.cgi"
"chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection
Vulnerability'"
< SecFilterSelective ARG_topicnumber|ARG_threadnumber "((select|grant|
delete|insert|drop|alter|replace|truncate|update|create|rename|
describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|
database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|
UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "/mb\.cgi"
"chain,id:390026,rev:1,severity:2,msg:'JITP: X-Changer XSS
Vulnerability'"
< SecFilterSelective ARG_Name|ARG_Subject|ARG_Message "((javascript|
script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
<
< #Null news Multiple SQL Injection Vulnerabilities
< SecFilterSelective REQUEST_URI "/(sub|unsub)\.php"
"chain,id:390027,rev:1,severity:2,msg:'JITP: Null news Multiple SQL
Injection Vulnerabilities'"
< SecFilterSelective ARG_user_username "((select|grant|delete|insert|
drop|alter|replace|truncate|update|create|rename|
describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|
database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|
UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "/lostpass\.php"
"chain,id:390028,rev:1,severity:2,msg:'JITP: Null news Multiple SQL
Injection Vulnerabilities'"
< SecFilterSelective ARG_user_email "((select|grant|delete|insert|drop|
alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|
a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #VSNS Lemon SQL injection Vulnerabilities
< SecFilterSelective REQUEST_URI "/functions/final_functions\.php"
"chain,id:390029,rev:1,severity:2,msg:'JITP: Null news Multiple SQL
Injection Vulnerabilities'"
< SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #PHPLiveHelper 1.8 remote command execution Xploit
< SecFilterSelective REQUEST_URI "initiate\.php"
"chain,id:390030,rev:1,severity:2,msg:'JITP: PHPLiveHelper 1.8 remote
command execution Xploit'"
< SecFilterSelective ARG_abs_path "(http|https|ftp)\:/"
<
< #Pixel Motion Blog SQL Injection Vulnerabilities
< SecFilterSelective REQUEST_URI "admin/index\.php"
"chain,id:390031,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL
Injection Vulnerabilities'"
< SecFilterSelective ARG_user|ARG_pass "((select|grant|delete|insert|
drop|alter|replace|truncate|update|create|rename|
describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|
database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|
UNION.*SELECT.*FROM)"
< SecFilterSelective REQUEST_URI "index\.php"
"chain,id:390032,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL
Injection Vulnerabilities'"
< SecFilterSelective ARG_date "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #Nuked-Klan "m" SQL Injection Vulnerability
< SecFilterSelective REQUEST_URI "index\.php"
"chain,id:390033,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection
Vulnerability'"
< SecFilterSelective ARG_m "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #TFT Gallery "passwd" Exposure of User Credentials
< SecFilterSelective REQUEST_URI "admin/passwd$"
"id:390035,rev:1,severity:2,msg:'JITP: TFT Gallery passwd Exposure of
User Credentials'"
<
< #PHP Ticket "frm_search_in" SQL Injection Vulnerability
< SecFilterSelective REQUEST_URI "search\.php"
"chain,id:390036,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection
Vulnerability'"
< SecFilterSelective ARG_frm_search_in "((select|grant|delete|insert|
drop|alter|replace|truncate|update|create|rename|
describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|
database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|
UNION.*SELECT.*FROM)"
<
< #WEBalbum Local File Inclusion Vulnerability
< SecFilterSelective COOKIE_skin2 "\.\."
"id:390037,rev:1,severity:2,msg:'JITP: WEBalbum Local File Inclusion
Vulnerability'"
<
< #G-Book "g_message" Script Insertion Vulnerability
< SecFilterSelective REQUEST_URI "/guestbook\.php"
"chain,id:390038,rev:1,severity:2,msg:'JITP: G-Book g_message Script
Insertion Vulnerability'"
< SecFilterSelective ARG_g_message "((javascript|script|about|applet|
activex|chrome)*\>|html|(http|https|ftp)\:/)"
<
< #
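Review bot: Taking the `<` side as the new content (the 7c7 hunk puts the newer version on the left), several rule ids in this hunk are reused, which makes alerts non-attributable and breaks any id-based reporting or exclusion: id:390004 covers both the aWebBB `(accounts|changep|...)\.php` XSS chain and the `dpost\.php` SQL chain, id:390005 both `(ndis|list)\.php` and `search\.php`, and id:390025 both the X-Changer `/index\.php` rule and the Cholod `/mb\.cgi` rule, while 390034 is skipped and could absorb one of them. Several msg strings are copy-paste leftovers that would mislabel the alert: the vCounter rule says 'Oxygen SQL Injection', PHP Classifieds says 'Mantis XSS attack', both Cholod rules say 'X-Changer', VSNS Lemon says 'Null news', PHP Ticket says 'Nuked-Klan', and the WebAPP and aWebNews rules read 'aWebAPP' and 'aWebBBNewsSQL'. The gtd-php URI pattern `new(Project|List|WaitingOn|ChecklistContext|Category.php|Goal)\.php` can only match that alternative as `newCategory.php.php`, so `Category.php` should read `Category`. The recurring XSS pattern `((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)` makes the keyword group optional, so it reduces to any value containing `>` or the substring `html` and will fire on ordinary input such as a link ending in `.html`; dropping the `*` so the keyword is required, and giving the first five chains (ImpExData through gtd-php) the id/rev/severity/msg actions the rest of the hunk uses, would make the block consistent and the alerts usable. The hunk lines are also wrapped by the mail client, so the text as posted cannot be applied as-is.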
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com