[Modsecurity] new Horde rule

Ryan E. Helfter rhelfter at datapipe.com
Wed Jun 14 15:34:07 EDT 2006


I apologize for not getting back to this sooner.

I mistakenly put "modules" into my original rule, which was incorrect.

I have verified that the following:

SecFilterSelective REQUEST_URI
"/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)"
"id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'"

(obviously in one line, damn text wrap)

... does work.

Regards,

--
Ryan E. Helfter
UNIX Security Engineer

DataPipe Managed Hosting Services

- What It Means To Be Sure -

rhelfter at datapipe.com  | http://www.datapipe.com
Tel: 201.792.1918 x300 | Fax: 201-792-3090



-----Original Message-----
From: modsecurity-bounces at gotroot.com
[mailto:modsecurity-bounces at gotroot.com] On Behalf Of Michael Shinn
Sent: Monday, June 05, 2006 8:50 PM
To: Kevin Bonner
Cc: modsecurity at gotroot.com
Subject: Re: [Modsecurity] new Horde rule

The change was deliberate.  You can even see it in his audit_log entry
that the attack called module= and not modules=.

On Mon, 2006-06-05 at 18:09 -0400, Kevin Bonner wrote:
> On Monday 05 June 2006 18:03, Michael Shinn wrote:
> > Thanks for the Rule Ryan.  How about this one, would it work for as
> > well:
> >
> > SecFilterSelective REQUEST_URI
> > "/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)"
> > "id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'"
> >
> > On Mon, 2006-06-05 at 17:13 -0400, Ryan E. Helfter wrote:
> > > SecFilterSelective THE_REQUEST
> > > "GET .*/services/help(/)?\?(.*)?\&modules=.*passthru.*"
> 
> Check your plurality please.
> 
> modules != module
> 
> Ryan's original post had "module=" in the GET string, but "modules=" in the
> rule.  Which is correct?
> 
> Thanks,
> Kevin Bonner
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
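
Added example, not part of the original thread: a small Python check that runs the two patterns quoted above against constructed request lines, showing why the "modules=" version stays silent on a request that the "module=" version flags. Python's re.search stands in for mod_security's matcher (an assumption), and the sample request lines and helper names are made up for illustration.

```python
import re

# Patterns copied from the thread, re-joined onto one line each.
# Assumption: Python's re.search stands in for mod_security's unanchored regex
# match; none of the module's input normalisation is emulated here.
RULES = {
    "original": ("THE_REQUEST",
                 r"GET .*/services/help(/)?\?(.*)?\&modules=.*passthru.*"),
    "corrected": ("REQUEST_URI",
                  r"/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)"),
}

# Constructed request lines (not taken from any audit log).
SAMPLES = {
    "module_param": "GET /horde/services/help/?show=about&module=x;passthru(CMD) HTTP/1.0",
    "modules_param": "GET /horde/services/help/?show=about&modules=x;passthru(CMD) HTTP/1.0",
    "benign_help": "GET /horde/services/help/?module=horde&show=menu HTTP/1.0",
}


def variables(request_line):
    """Split a request line into the two variables the rules inspect."""
    _method, uri, _proto = request_line.split(" ", 2)
    return {"THE_REQUEST": request_line, "REQUEST_URI": uri}


def evaluate(request_line):
    """Return {rule name: True/False} for one request line."""
    values = variables(request_line)
    return {name: re.search(pattern, values[var]) is not None
            for name, (var, pattern) in RULES.items()}


def report():
    """Evaluate every sample and return the results keyed by sample name."""
    return {label: evaluate(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        fired = [name for name, hit in hits.items() if hit] or ["none"]
        print(f"{label:14} -> {', '.join(fired)}")
```

Keeping request lines like these next to a rule file gives a quick regression check whenever a pattern is edited.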
