[Modsecurity] new Horde rule
Ryan E. Helfter
rhelfter at datapipe.com
Mon Jun 5 17:06:11 EDT 2006
I have been noticing a lot of passthru injections to Horde.
(unfortunately, we cannot disable all passthru functions by default,
i.e. via php.ini)
So if you are like me.
Get line from apache logs
[28/May/2006:03:09:25 -0700] "GET
//horde//services/help/?show=about&module=;%22.passthru(%22w%22);'.
HTTP/1.1" 200 735 "-" "Nozilla/P.N (Just for IDS woring)"
Mod_security rule:
SecFilterSelective THE_REQUEST "GET
.*/services/help(/)?\?show=about\&modules=.*passthru.*"
Regards,
Ryan E. Helfter
UNIX Security Engineer
DataPipe Managed Hosting Services
- What It Means To Be Sure -
rhelfter at datapipe.com | http://www.datapipe.com
Tel: 201.792.1918 x300 | Fax: 201-792-3090
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20060605/9c09de53/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2357 bytes
Desc: image001.gif
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20060605/9c09de53/attachment.gif
More information about the Modsecurity
mailing list