[Modsecurity] new Horde rule
Ryan E. Helfter
rhelfter at datapipe.com
Mon Jun 5 17:13:51 EDT 2006
Whoops: the rule should be:
SecFilterSelective THE_REQUEST "GET
.*/services/help(/)?\?(.*)?\&modules=.*passthru.*"
Regards,
Ryan E. Helfter
UNIX Security Engineer
DataPipe Managed Hosting Services
- What It Means To Be Sure -
rhelfter at datapipe.com | http://www.datapipe.com
Tel: 201.792.1918 x300 | Fax: 201-792-3090
________________________________
From: modsecurity-bounces at gotroot.com
[mailto:modsecurity-bounces at gotroot.com] On Behalf Of Ryan E. Helfter
Sent: Monday, June 05, 2006 5:06 PM
To: modsecurity at gotroot.com
Subject: [Modsecurity] new Horde rule
I have been noticing a lot of passthru injections to Horde.
(unfortunately, we cannot disable all passthru functions by default,
i.e. via php.ini)
So if you are like me.
Get line from apache logs
[28/May/2006:03:09:25 -0700] "GET
//horde//services/help/?show=about&module=;%22.passthru(%22w%22);'.
HTTP/1.1" 200 735 "-" "Nozilla/P.N (Just for IDS woring)"
Mod_security rule:
SecFilterSelective THE_REQUEST "GET
.*/services/help(/)?\?show=about\&modules=.*passthru.*"
Regards,
Ryan E. Helfter
UNIX Security Engineer
DataPipe Managed Hosting Services
- What It Means To Be Sure -
rhelfter at datapipe.com | http://www.datapipe.com
Tel: 201.792.1918 x300 | Fax: 201-792-3090
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20060605/e406ccb7/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2357 bytes
Desc: image001.gif
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20060605/e406ccb7/attachment.gif
More information about the Modsecurity
mailing list