[Modsecurity] new Horde rule
Michael Shinn
mike at gotroot.com
Mon Jun 5 20:50:21 EDT 2006
The change was deliberate. You can even see it in his audit_log entry
that the attack called module= and not modules=.
On Mon, 2006-06-05 at 18:09 -0400, Kevin Bonner wrote:
> On Monday 05 June 2006 18:03, Michael Shinn wrote:
> > Thanks for the Rule Ryan. How about this one, would it work for as
> > well:
> >
> > SecFilterSelective REQUEST_URI
> > "/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)"
> > "id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'"
> >
> > On Mon, 2006-06-05 at 17:13 -0400, Ryan E. Helfter wrote:
> > > SecFilterSelective THE_REQUEST
> > > "GET .*/services/help(/)?\?(.*)?\&modules=.*passthru.*"
>
> Check your plurality please.
>
> modules != module
>
> Ryan's original post had "module=" in the GET string, but "modules=" in the
> rule. Which is correct?
>
> Thanks,
> Kevin Bonner
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
More information about the Modsecurity
mailing list