[Modsecurity] PNphpBB2 rule fix
Who Knows
quien-sabe at metaorg.com
Wed Jul 19 10:30:30 EDT 2006
Attempting to email a link to a friend in PNphpBB2, the following error
is generated:
==4ef6f40a==============================
Request: www.aidant.net 67.135.233.237 - - [19/Jul/2006:07:09:43 --0700]
"GET
/index.php?name=PNphpBB2&file=http://www.aidant.net/index&name=PNphpBB2&file=viewtopic&t=4
HTTP/1.1" 406 382 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.0.4) Gecko/20060614 Fedora/1.5.0.4-1.2.fc5 Firefox/1.5.0.4
pango-text" - "-"
----------------------------------------
GET
/index.php?name=PNphpBB2&file=http://www.aidant.net/index&name=PNphpBB2&file=viewtopic&t=4
HTTP/1.1
Host: www.aidant.net
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4)
Gecko/20060614 Fedora/1.5.0.4-1.2.fc5 Firefox/1.5.0.4 pango-text
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie:
pnphpbb2mysql_data=a%3A1%3A%7Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D;
POSTNUKESID=0012264c999d035237289bec299e408e;
pnphpbb2mysql_sid=e75f1de11e611e1360f393782a00fa94;
pnphpbb2mysql_t=a%3A1%3A%7Bi%3A4%3Bi%3A1153316928%3B%7D
mod_security-action: 406
mod_security-message: Access denied with code 406. Pattern match
"\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id
"300018"] [rev "1"] [msg "Generic PHP code injection protection"]
[severity "CRITICAL"]
HTTP/1.1 406 Not Acceptable
Content-Length: 382
Connection: close
Content-Type: text/html; charset=iso-8859-1
--4ef6f40a--
I was unable to create a local exclusion that would work, but the
following patch to rules.conf did the trick.
--- rules.orig 2006-07-19 07:21:46.000000000 -0700
+++ rules.conf 2006-07-19 07:25:35.000000000 -0700
@@ -176,7 +176,7 @@
#really broad furl_fopen attack sig
#tune this for your system
#MTS
-SecFilterSelective REQUEST_URI
"!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-server/adjs)"
"chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection
protection'"
+SecFilterSelective REQUEST_URI
"!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-server/adjs|PNphpBB2&file=http)"
"chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection
protection'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"
#Genenric PHP body attack
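Review bot: The new alternative `PNphpBB2&file=http` in the negated exclusion list on the `+SecFilterSelective REQUEST_URI` line is an unanchored substring, so chained rule 300018 is skipped for every request whose URI contains it, whatever URL follows `file=` and whatever script is requested. The logged false positive only needs the site's own host after `file=`, so consider narrowing the alternative to something like `index\.php\?name=PNphpBB2&file=http://www\.aidant\.net/` (host taken from the audit log entry above, dots escaped). The action list also still says `rev:1` although the rule text changed; bumping it would make the local modification visible in later audit log entries.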