[Modsecurity] another rule based exclusion for postnuke
Who Knows
quien-sabe at metaorg.com
Sun May 7 17:25:00 EDT 2006
The patch below provides an exclusion to allow posting javascript in
postnuke admin messages.
I could not get it any better for matching than admin.php.
You can see my audit record at: http://www.wtfo-guru.com/pub/auditentry1.bz2
Please note the entry may contain mature content by your standards.
My patch is:
--- rules.conf.orig 2006-05-07 12:18:26.000000000 -0700
+++ rules.conf 2006-05-07 14:04:25.000000000 -0700
@@ -445,7 +445,7 @@
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
-SecFilterSelective REQUEST_URI
"!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)"
chain
+SecFilterSelective REQUEST_URI
"!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=|/admin\.php)"
chain
SecFilter
"(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
#cross site scripting HTML Image tag set to javascript attempt
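Review bot: The new `/admin\.php` alternative on the added `SecFilterSelective REQUEST_URI` line is unanchored. The two existing alternatives show that REQUEST_URI is matched together with its query string, so the exclusion applies to any request whose URI contains that substring anywhere, not only to the postnuke admin script. Suggest anchoring it to the start of the path (for example `^/admin\.php\?`) and, as the existing alternatives do with `module=Blocks&type=admin&func=update`, narrowing it with the query parameters of the admin messages form, so the javascript filter stays active for every other admin.php function. A comment above the rule naming which postnuke function each exclusion covers would also help later maintenance.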