[Modsecurity] new Horde rule

Michael Shinn mike at gotroot.com
Mon Jun 5 18:03:08 EDT 2006


Thanks for the rule, Ryan.  How about this one, would it work as well:

SecFilterSelective REQUEST_URI \
    "/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)" \
    "id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'"


On Mon, 2006-06-05 at 17:13 -0400, Ryan E. Helfter wrote:
> Whoops:  the rule should be:
> 
> SecFilterSelective THE_REQUEST "GET .*/services/help(/)?\?(.*)?\&modules=.*passthru.*"
> 
> Regards,
> 
> Ryan E. Helfter
> UNIX Security Engineer
> 
> 
> DataPipe Managed Hosting Services
> 
> - What It Means To Be Sure - 
> 
> rhelfter at datapipe.com  |  http://www.datapipe.com
> Tel: 201.792.1918 x300  |  Fax: 201-792-3090
> 
> From: modsecurity-bounces at gotroot.com
> [mailto:modsecurity-bounces at gotroot.com] On Behalf Of Ryan E. Helfter
> Sent: Monday, June 05, 2006 5:06 PM
> To: modsecurity at gotroot.com
> Subject: [Modsecurity] new Horde rule
> 
> I have been noticing a lot of passthru injections to Horde.
> (unfortunately, we cannot disable all passthru functions by default,
> i.e. via php.ini)
> 
> So if you are like me.
> 
> Get line from apache logs
> 
> [28/May/2006:03:09:25 -0700] "GET //horde//services/help/?show=about&module=;%22.passthru(%22w%22);'. HTTP/1.1" 200 735 "-" "Nozilla/P.N (Just for IDS woring)"
> 
> Mod_security rule:
> 
> SecFilterSelective THE_REQUEST "GET .*/services/help(/)?\?show=about
> \&modules=.*passthru.*"
> 
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
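
Added example, not part of either message: a Python check of the three patterns posted in this thread against the request line from the quoted Apache log entry. It shows that the two THE_REQUEST patterns look for `modules=` while the logged request carries `module=`, so only the REQUEST_URI rule matches it. Assumptions: Python's `re` stands in for the regex engine ModSecurity uses, the wrapped first rule is joined without a space, and the rule labels, the benign request and the helper names are constructed here.

```python
import re
from urllib.parse import unquote

# (variable inspected, pattern) copied from the thread; e-mail line wraps are
# joined without inserting a space (assumption for the wrapped first rule).
RULES = {
    "helfter_first": ("THE_REQUEST",
        r"GET .*/services/help(/)?\?show=about\&modules=.*passthru.*"),
    "helfter_corrected": ("THE_REQUEST",
        r"GET .*/services/help(/)?\?(.*)?\&modules=.*passthru.*"),
    "shinn_390066": ("REQUEST_URI",
        r"/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)"),
}

# Request line from the Apache log entry quoted in the thread (wrap joined).
LOGGED = ("GET //horde//services/help/?show=about&module=;"
          "%22.passthru(%22w%22);'. HTTP/1.1")
# Constructed benign help request, used as a false-positive check.
BENIGN = "GET /horde/services/help/?show=about&module=horde HTTP/1.1"


def variables(request_line, decode=False):
    """Split a request line into the two variables the rules inspect."""
    method, uri, proto = request_line.split(" ", 2)
    if decode:  # assumption: the engine may percent-decode before matching
        uri = unquote(uri)
    return {"THE_REQUEST": f"{method} {uri} {proto}", "REQUEST_URI": uri}


def evaluate(request_line, decode=False):
    """Return {rule name: True if the rule's pattern is found}."""
    seen = variables(request_line, decode)
    return {name: re.search(pattern, seen[var]) is not None
            for name, (var, pattern) in RULES.items()}


def parameter_names(request_line):
    """Query-string parameter names, to compare with what a rule expects."""
    query = request_line.split(" ", 2)[1].partition("?")[2]
    return [pair.partition("=")[0] for pair in query.split("&")]


if __name__ == "__main__":
    for label, line in (("logged", LOGGED), ("benign", BENIGN)):
        for decode in (False, True):
            print(label, "decoded" if decode else "raw", evaluate(line, decode))
    print("parameters in logged request:", parameter_names(LOGGED))
```
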


