From michal at sabren.com Wed Sep 6 23:54:21 2006
From: michal at sabren.com (Michal Wallace)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] why 403 errors on some rules?
Message-ID:

Hey all,

I must be missing something here. Take this url:

x.php?delete+from+table+where+x+is+null

It matches rule 300013 in rules.conf, and gives a 406 error. No problem, but say I don't want this. So I add this line to an .htaccess file:

SecFilterRemove 300013

And I get:

Forbidden
You don't have permission to access x.php on this server.

Why? A look in the audit_log shows I'm now matching rule 300015. No problem... But why is it giving me a 403 error instead of a 406 error? I have:

SecFilterDefaultAction "deny,log,status:406"

And I can't see *anything* that's calling for a 403 error or even an instance of the number "403" anywhere in my config files.

Can someone else try this and see if you get the same problem? Or tell me what I'm doing wrong?

Sincerely,

Michal J Wallace
Sabren Enterprises, Inc.
-------------------------------------
contact: michal@sabren.com
hosting: http://www.cornerhost.com/
my site: http://www.withoutane.com/
-------------------------------------

From James.Kratzer at ngc.com Thu Sep 7 11:30:23 2006
From: James.Kratzer at ngc.com (Kratzer, James (Xetron))
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Strip object tags
Message-ID: <85A664F2F3F2D1409EE003C7D3D52EE43C3CFF@xcgoh901.northgrum.com>

Hi,

Is there a mod_security rule I can use to strip tags from html responses? I want to allow the page through and only strip the blocks from the response so that activex controls are blocked.

Thanks
JK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20060907/a5d6b395/attachment.html

From mike at gotroot.com Thu Sep 7 12:03:09 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Strip object tags
In-Reply-To: <85A664F2F3F2D1409EE003C7D3D52EE43C3CFF@xcgoh901.northgrum.com>
References: <85A664F2F3F2D1409EE003C7D3D52EE43C3CFF@xcgoh901.northgrum.com>
Message-ID: <1157644989.3740.26.camel@localhost.localdomain>

No, mod_security cannot strip or scrub data (no search and replace, for example).

On Thu, 2006-09-07 at 11:30 -0400, Kratzer, James (Xetron) wrote:
> Hi,
> 
> Is there a mod_security rule I can use to strip
> tags from html responses? I want to allow the page through and only
> strip the blocks from the response so that activex
> controls are blocked.
> 
> Thanks
> JK
> 
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
-- 
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From johan at sege.nu Mon Sep 11 05:27:53 2006
From: johan at sege.nu (Johan Segernäs)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Problems with VulnScan v6
Message-ID: <200609111127.53416.johan@sege.nu>

I have huge problems with a worm or something penetrating thru our system running VulnScan v6, I have jitp.conf and rules.conf on our system and some other rules made by us.

We have around ~6000 web sites on our servers and probably a lot of old phpBB/Joomla/Mambo. Are there any new worms or something running around which isn't in jitp.conf/rules.conf?
- Johan

From johan at sege.nu Mon Sep 11 08:44:24 2006
From: johan at sege.nu (Johan Segernäs)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Problems with VulnScan v6
In-Reply-To: <1157978104.26701.5.camel@localhost>
References: <200609111127.53416.johan@sege.nu> <1157978104.26701.5.camel@localhost>
Message-ID: <200609111444.25113.johan@sege.nu>

On Monday 11 September 2006 14:35, steven collins wrote:
> I've seen a ton of this too. I added this to our config since we've seen
> it come through 2 different ways:

Hmm, won't that stop pretty much? Feels very general? I think our customers will kill me then.. =)

/Johan

From scollins at liquidweb.com Mon Sep 11 08:35:04 2006
From: scollins at liquidweb.com (steven collins)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Problems with VulnScan v6
In-Reply-To: <200609111127.53416.johan@sege.nu>
References: <200609111127.53416.johan@sege.nu>
Message-ID: <1157978104.26701.5.camel@localhost>

On Mon, 2006-09-11 at 11:27 +0200, Johan Segernäs wrote:
> I have huge problems with a worm or something penetrating thru our system
> running VulnScan v6, I have jitp.conf and rules.conf on our system and some
> other rules made by us.
> 
> We have around ~6000 web sites on our servers and probably a lot of old
> phpBB/Joomla/Mambo. Are there any new worms or something running around which
> isn't in jitp.conf/rules.conf?
> 
> - Johan

I've seen a ton of this too. I added this to our config since we've seen it come through 2 different ways:

# Remote file inclusion attempts: a URL supplied in CONFIG_EXT[LANGUAGES_DIR] or dir[inc]
SecFilterSelective REQUEST_URI "\.php\?.*CONFIG_EXT\[LANGUAGES_DIR\]=(http|https|ftp)\:\/"
SecFilterSelective REQUEST_URI "\.php\?.*dir\[inc\]=(http|https|ftp)\:\/"

Hope that helps :)

-steven

From scollins at liquidweb.com Mon Sep 11 09:25:46 2006
From: scollins at liquidweb.com (scollins)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Problems with VulnScan v6
In-Reply-To: <200609111444.25113.johan@sege.nu>
References: <200609111127.53416.johan@sege.nu> <200609111444.25113.johan@sege.nu>
Message-ID: <1157981146.6101.5.camel@snowcrash>

On Mon, 2006-09-11 at 14:44 +0200, Johan Segernäs wrote:
> On Monday 11 September 2006 14:35, steven collins wrote:
> > I've seen a ton of this too. I added this to our config since we've seen
> > it come through 2 different ways:
> 
> Hmm, won't that stop pretty much? Feels very general? I think our customers
> will kill me then.. =)
> 
> /Johan

We have a script installed on about 100~ of our high traffic servers that parses the log and reports back to a central database so we can track what rules are getting hit and how often. To be honest I have not yet seen these rules get flagged erroneously. Not yet at least :) no one is perfect. But they are working to block the injections we've seen.

-steven

From johan at sege.nu Mon Sep 11 10:40:34 2006
From: johan at sege.nu (Johan Segernäs)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Problems with VulnScan v6
In-Reply-To: <1157981146.6101.5.camel@snowcrash>
References: <200609111127.53416.johan@sege.nu> <200609111444.25113.johan@sege.nu> <1157981146.6101.5.camel@snowcrash>
Message-ID: <200609111640.34569.johan@sege.nu>

On Monday 11 September 2006 15:25, you wrote:
> We have a script installed on about 100~ of our high traffic servers
> that parses the log and reports back to a central database so we can
> track what rules are getting hit and how often.
> To be honest I have not
> yet seen these rules get flagged erroneously. Not yet at least :) no one
> is perfect. But they are working to block the injections we've seen.

Well then, I trust you. :-)

Thanks!

From mike at gotroot.com Mon Sep 11 11:13:59 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Rules update
Message-ID: <1157987639.10415.231.camel@localhost.localdomain>

Diff of /etc/modsecurity/jitp.conf 5c5 < # Version: N-20060911-01 --- > # Version: N-20060905-03 9,10c9 < # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com) < # Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved. --- > # Created by The Prometheus Group (http://www.prometheus-group.com) 11a11 > # Copyright 2005 and 2006 by the Prometheus Group, all rights reserved. 197,199d196 < #General phpbb_root_path vulnerabilities < SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)" "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'" < 4121a4119,4121 > #General phpbb_root_path vulnerabilities > SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)" "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'" > 4227,4338d4226 < < #new pattern < SecFilterSelective REQUEST_URI "\.php\?" 
"chain,id:390101,rev:1,severity:2,msg:'JITP: possible vulnscan6 exploit'" < SecFilterSelective REQUEST_URI "(CONFIG_EXT\[LANGUAGES_DIR\]|dir\[inc \])=((ht|f)tps?:/|\.\./\.\.)" < < #Socketwiz Bookmarks "root_dir" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "smarty_config\.php" "chain,id:390102,rev:1,severity:2,msg:'JITP: Socketwiz Bookmarks root_dir File Inclusion Vulnerability'" < SecFilterSelective ARG_root_dir "((ht|f)tps?:/|\.\./\.\.)" < < #MyABraCaDaWeb "base" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "(index|pop)\.php" "chain,id:390103,rev:1,severity:2,msg:'JITP: MyABraCaDaWeb base File Inclusion Vulnerabilities'" < SecFilterSelective ARG_base "((ht|f)tps?:/|\.\./\.\.)" < < #Vivvo Article Management CMS SQL Injection and File Inclusion < SecFilterSelective REQUEST_URI "pdf_version\.php" "chain,id:390104,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS SQL Injection'" < SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter| replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9| \*| |\,]+[[:space:]]+(from|into|table|database|index| view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)" < < #Vivvo Article Management classified_path file inclusion < SecFilterSelective ARG_classified_path "((ht|f)tps?:/|\.\./\.\.)" "id:390105,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS File Inclusion'" < < #RaidenHTTPD "SoftParserFileXml" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "raidenhttpd-admin/slice/check\.php" "chain,id:390106,rev:1,severity:2,msg:'JITP: RaidenHTTPD SoftParserFileXml File Inclusion Vulnerability'" < SecFilterSelective ARG_SoftParserFileXml "((ht|f)tps?:/|\.\./\.\.)" < < #mcGalleryPRO "path_to_folder" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "random2\.php" "chain,id:390107,rev:1,severity:2,msg:'JITP: mcGalleryPRO path_to_folder File Inclusion Vulnerability'" < SecFilterSelective ARG_path_to_folder 
"((ht|f)tps?:/|\.\./\.\.)" < < #Timesheet PHP "username" Parameter SQL Injection < SecFilterSelective REQUEST_URI "username\.php" "chain,id:390108,rev:1,severity:2,msg:'JITP: Timesheet PHP username Parameter SQL Injection'" < SecFilterSelective ARG_username "((select|grant|delete|insert|drop| alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z| a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index| view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)" < < #CCleague Pro "language" Parameter Local File Inclusion < SecFilterSelective ARG_language "((ht|f)tps?:/|\.\./\.\.)" "id:390109,rev:1,severity:2,msg:'JITP: CCleague Pro language Parameter Local File Inclusion'" < < #TWiki "filename" Parameter Disclosure of Sensitive Information < SecFilterSelective REQUEST_URI "/TWiki/" "chain,id:390110,rev:1,severity:2,msg:'JITP: TWiki filename Parameter Disclosure of Sensitive Information'" < SecFilterSelective ARG_filename "\.\./\.\." < < #photokorn "dir_path" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "(includes/cart\.inc\.php| extras/ext_cat\.php)" "chain,id:390111,rev:1,severity:2,msg:'JITP: photokorn dir_path File Inclusion Vulnerabilities'" < SecFilterSelective ARG_dir_path "((ht|f)tps?:/|\.\./\.\.)" < < #Somery "skindir" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "admin/system/include\.php" "chain,id:390112,rev:1,severity:2,msg:'JITP: Somery skindir File Inclusion Vulnerability'" < SecFilterSelective ARG_skindir "((ht|f)tps?:/|\.\./\.\.)" < < #DokuWiki "TARGET_FN" Directory Traversal Vulnerability < SecFilterSelective REQUEST_URI "bin/dwpage\.php" "chain,id:390113,rev:1,severity:2,msg:'JITP: DokuWiki TARGET_FN Directory Traversal Vulnerability'" < SecFilterSelective ARG_TARGET_FN "((ht|f)tps?:/|\.\./\.\.)" < < #Fantastic News "CONFIG[script_path]" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "(archive|headlines)\.php" "chain,id:390114,rev:1,severity:2,msg:'JITP: Fantastic News 
CONFIG[script_path] File Inclusion Vulnerabilities'" < SecFilterSelective REQUEST_URI "CONFIG\[script_path\]=((ht|f)tps?:/| \.\./\.\.)" < < #BP News "bnrep" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "bp_ncom\.php" "chain,id:390115,rev:1,severity:2,msg:'JITP: BP News bnrep File Inclusion Vulnerability'" < SecFilterSelective ARG_bnrep "((ht|f)tps?:/|\.\./\.\.)" < < #Akarru Social BookMarking Engine "bm_content" File Inclusion < SecFilterSelective REQUEST_URI "akarru\.gui/main_content\.php" "chain,id:390116,rev:1,severity:2,msg:'JITP: Akarru Social BookMarking Engine bm_content File Inclusion'" < SecFilterSelective ARG_bm_content "((ht|f)tps?:/|\.\./\.\.)" < < #Beautifier "BEAUT_PATH" Parameter File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "Beautifier/Core\.php" "chain,id:390117,rev:1,severity:2,msg:'JITP: Beautifier BEAUT_PATH Parameter File Inclusion Vulnerability'" < SecFilterSelective ARG_BEAUT_PATH "((ht|f)tps?:/|\.\./\.\.)" < < #phpFullAnnu "repmod" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "modules/home\.module\.php" "chain,id:390118,rev:1,severity:2,msg:'JITP: phpFullAnnu repmod File Inclusion Vulnerability'" < SecFilterSelective ARG_repmod "((ht|f)tps?:/|\.\./\.\.)" < < #Sponge News "sndir" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "news\.php" "chain,id:390119,rev:1,severity:2,msg:'JITP: Sponge News sndir File Inclusion Vulnerability'" < SecFilterSelective ARG_sndir "((ht|f)tps?:/|\.\./\.\.)" < < #ACGV News "PathNews" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "\.php\?" "chain,id:390120,rev:1,severity:2,msg:'JITP: ACGV News PathNews File Inclusion Vulnerabilities'" < SecFilterSelective ARG_PathNews "((ht|f)tps?:/|\.\./\.\.)" < < #MySpeach "my_ms[root]" Parameter File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "jscript\.php\?" 
"chain,id:390121,rev:1,severity:2,msg:'JITP: MySpeach my_ms[root] Parameter File Inclusion Vulnerability'" < SecFilterSelective REQUEST_URI "my_ms\[root\]=((ht|f)tps?:/| \.\./\.\.)" < < #annoncesV "page" Parameter File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "annonce\.php\?" "chain,id:390122,rev:1,severity:2,msg:'JITP: annoncesV page Parameter File Inclusion Vulnerability'" < SecFilterSelective ARG_page "((ht|f)tps?:/|\.\./\.\.)" < < #GrapAgenda "page" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "index\.php\?" "chain,id:390123,rev:1,severity:2,msg:'JITP: GrapAgenda page File Inclusion Vulnerability'" < SecFilterSelective ARG_page "((ht|f)tps?:/|\.\./\.\.)" < < #C-News "path" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "/affichage/.*\.php\?" "chain,id:390124,rev:1,severity:2,msg:'JITP: C-News path File Inclusion Vulnerabilities'" < SecFilterSelective ARG_path "((ht|f)tps?:/|\.\./\.\.)" < < #PhpCommander "Directory" Local File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "download\.php\?" 
"chain,id:390125,rev:1,severity:2,msg:'JITP: PhpCommander Directory Local File Inclusion Vulnerability'" < SecFilterSelective ARG_Directory "((ht|f)tps?:/|\.\./\.\.)" < < #dyncms "x_admindir" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "0_admin/modules/Wochenkarte/frontend/index\.php" "chain,id:390126,rev:1,severity:2,msg:'JITP: dyncms x_admindir File Inclusion Vulnerability'" < SecFilterSelective ARG_x_admindir "((ht|f)tps?:/|\.\./\.\.)" < < #MyBace Light Skript File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "includes/login_check\.php" "chain,id:390127,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'" < SecFilterSelective ARG_hauptverzeichniss "((ht|f)tps?:/|\.\./\.\.)" < SecFilterSelective REQUEST_URI "dmin/login/content/user_daten\.php" "chain,id:390128,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'" < SecFilterSelective ARG_template_back "((ht|f)tps?:/|\.\./\.\.)" < < #YACS "context[path_to_root]" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "\.php\?" "chain,id:390129,rev:1,severity:2,msg:'JITP: YACS context[path_to_root] File Inclusion Vulnerabilities'" < SecFilterSelective REQUEST_URI "context\[path_to_root\]=((ht|f)tps?:/| \.\./\.\.)" -- Michael T. Shinn KeyID:0xDAE2EC86 Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86 Got Root? 
http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From mike at gotroot.com Mon Sep 11 12:06:41 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Problems with VulnScan v6
In-Reply-To: <200609111640.34569.johan@sege.nu>
References: <200609111127.53416.johan@sege.nu> <1157981146.6101.5.camel@snowcrash> <200609111640.34569.johan@sege.nu>
Message-ID: <1157990801.10415.236.camel@localhost.localdomain>

I've just put out a slew of new signatures, with more to come tonight, please let me know how they work for you. If you have any log entries for these new attacks, please send them to me and I'll work up some new signatures.

On Mon, 2006-09-11 at 16:40 +0200, Johan Segernäs wrote:
> On Monday 11 September 2006 15:25, you wrote:
> > We have a script installed on about 100~ of our high traffic servers
> > that parses the log and reports back to a central database so we can
> > track what rules are getting hit and how often. To be honest I have not
> > yet seen these rules get flagged erroneously. Not yet at least :) no one
> > is perfect. But they are working to block the injections we've seen.
> 
> Well then, I trust you. :-)
> 
> Thanks!
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
-- 
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root?
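Review bot: in the 4227,4338d4226 hunk of the jitp.conf diff in the "Rules update" message above (the `<` side is the new N-20060911-01 file), the second pattern of chain 390101 reads `(CONFIG_EXT\[LANGUAGES_DIR\]|dir\[inc \])=...` with a space inside `dir\[inc \]`, so as shown it cannot match a `dir[inc]=` query string; if that space is only mail wrapping the shipped file is fine, otherwise it needs removing (the N-20060911-02 diff below spells the same target `dir\[inc\]=` in rule 390139). Two smaller points in the same hunk: the SQL patterns of 390104 and 390108 put `|` inside bracket expressions (`[A-Z|a-z|0-9|\*| |\,]`), where it is a literal pipe rather than alternation, so the class also admits `|` and `[A-Za-z0-9* ,]` would state the intent; and 390120 and 390129 chain on a bare `\.php\?`, so any PHP URL carrying a `PathNews=` or `context[path_to_root]=` argument that looks like a URL or `../..` is denied, which on a host the size of Johan's is worth a false-positive check before the rules go live.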
http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From mike at gotroot.com Mon Sep 11 19:01:44 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] New release
Message-ID: <1158015704.17014.100.camel@localhost.localdomain>

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
Diff of /etc/modsecurity/blacklist2.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf 5c5 < # Version: N-20060911-02 --- > # Version: N-20060911-01 4291d4290 < #phpCodeGenie "BEAUT_PATH" File Inclusion Vulnerability 4338c4337 < SecFilterSelective REQUEST_URI "\.php" "chain,id:390129,rev:1,severity:2,msg:'JITP: YACS context[path_to_root] File Inclusion Vulnerabilities'" --- > SecFilterSelective REQUEST_URI "\.php\?" 
"chain,id:390129,rev:1,severity:2,msg:'JITP: YACS context[path_to_root] File Inclusion Vulnerabilities'" 4340,4395d4338 < < #Pheap "lpref" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "lib/config\.php" "chain,id:390130,rev:1,severity:2,msg:'JITP: Pheap lpref File Inclusion Vulnerability'" < SecFilterSelective ARG_lpref "((ht|f)tps?:/|\.\./\.\.)" < < #phpECard "include_path" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "functions\.php" "chain,id:390131,rev:1,severity:2,msg:'JITP: phpECard include_path File Inclusion Vulnerabilities'" < SecFilterSelective ARG_include_path "((ht|f)tps?:/|\.\./\.\.)" < < #MiniBill "config[include_dir]" Parameter File Inclusion < SecFilterSelective REQUEST_URI "actions/ipn\.php" "chain,id:390132,rev:1,severity:2,msg:'JITP: MiniBill config[include_dir] File Inclusion Vulnerabilities'" < SecFilterSelective REQUEST_URI "config\[include_dir\]=((ht|f)tps?:/| \.\./\.\.)" < < #phpGroupWare Local File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "alendar/inc/class.holidaycalc\.inc \.php" "chain,id:390133,rev:1,severity:2,msg:'JITP: phpGroupWare Local File Inclusion Vulnerabilities'" < SecFilterSelective REQUEST_URI "phpgw_info\[user\]\[preferences \]\[common\]\[country\]=\.\./\.\." < < #ExBB Italia "exbb[home_path]" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "modules/userstop/userstop\.php" "chain,id:390134,rev:1,severity:2,msg:'JITP: ExBB Italia exbb[home_path] File Inclusion Vulnerability'" < SecFilterSelective REQUEST_URI "exbb\[home_path\]=((ht|f)tps?:/| \.\./\.\.)" < < #Web3news "PHPSECURITYADMIN_PATH" File Inclusion < SecFilterSelective REQUEST_URI "security/include/_class\.security \.php" "chain,id:390135,rev:1,severity:2,msg:'JITP: Web3news PHPSECURITYADMIN_PATH File Inclusion Vulnerabilities'" < SecFilterSelective ARG_PHPSECURITYADMIN_PATH "((ht|f)tps?:/| \.\./\.\.)" < < #phpCOIN "_CCFG[_PKG_PATH_INCL]" File Inclusion < SecFilterSelective REQUEST_URI "\.php\?" 
"chain,id:390136,rev:1,severity:2,msg:'JITP: phpCOIN _CCFG[_PKG_PATH_INCL] File Inclusion'" < SecFilterSelective REQUEST_URI "_CCFG\[_PKG_PATH_INCL\]=((ht|f)tps?:/| \.\./\.\.)" < < #Wikepage "lng" Local File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "index\.php" "chain,id:390137,rev:1,severity:2,msg:'JITP: Wikepage lng Local File Inclusion Vulnerability'" < SecFilterSelective ARG_lng "((ht|f)tps?:/|\.\./\.\.)" < < #Empire CMS "check_path" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "e/class/CheckLevel\.php" "chain,id:390138,rev:1,severity:2,msg:'JITP: Empire CMS check_path File Inclusion Vulnerability'" < SecFilterSelective ARG_check_path "((ht|f)tps?:/|\.\./\.\.)" < < #Dolphin "dir[inc]" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "templates/tmpl_dfl/scripts/index.php" "chain,id:390139,rev:1,severity:2,msg:'JITP: Dolphin dir[inc] File Inclusion Vulnerability'" < SecFilterSelective REQUEST_URI "dir\[inc\]=((ht|f)tps?:/|\.\./\.\.)" < < #SportsPHool "mainnav" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "includes/layout/plain\.footer\.php" "chain,id:390140,rev:1,severity:2,msg:'JITP: SportsPHool mainnav File Inclusion Vulnerability'" < SecFilterSelective ARG_mainnav "((ht|f)tps?:/|\.\./\.\.)" < < #NES Game & NES System "phphtmllib" File Inclusion < SecFilterSelective REQUEST_URI "\.php\?" 
"chain,id:390141,rev:1,severity:2,msg:'JITP: NES Game & NES System phphtmllib File Inclusion'" < SecFilterSelective ARG_phphtmllib "((ht|f)tps?:/|\.\./\.\.)" < < #PHlyMail Lite "_PM_[path][handler]" File Inclusion Vulnerability < SecFilterSelective REQUEST_URI "handlers/email/mod.listmail.php" "chain,id:390142,rev:1,severity:2,msg:'JITP: PHlyMail Lite _PM_[path][handler] File Inclusion Vulnerability'" < SecFilterSelective REQUEST_URI "_PM_\[path\]\[handler\]=((ht|f)tps?:/| \.\./\.\.)" < < #Sonium Enterprise Adressbook "folder" File Inclusion Vulnerabilities < SecFilterSelective REQUEST_URI "/plugins/(1_Adressbuch/new| 2_Branchen/edit|3_Typ/delete)\.php\?" "chain,id:390143,rev:1,severity:2,msg:'JITP: Sonium Enterprise Adressbook folder File Inclusion Vulnerabilities'" < SecFilterSelective ARG_folder "((ht|f)tps?:/|\.\./\.\.)"
-- 
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From keb at pa.net Tue Sep 12 12:03:31 2006
From: keb at pa.net (Kevin Bonner)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Minor typo in rules.conf (N-20060419-01)
In-Reply-To: <200604241725.27912.keb@pa.net>
References: <200604241725.27912.keb@pa.net>
Message-ID: <200609121203.31911.keb@pa.net>

On Monday 24 April 2006 17:25, Kevin Bonner wrote:
> Attached is a short patch for rules.conf to fix a typo discovered.
> 
> Kevin Bonner

This typo still exists in the latest N-20060803-01 version. Is there a better spot to report this and/or submit patches? The typo can be seen in the rule below.
== rules.conf N-20060803-01 ==
#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(http|http|ftp)\:/.*(cmd|command)="
== end rules.conf ==

The following should be an acceptable change:

SecFilterSelective REQUEST_URI "\.php\?.*=(ht|f)tps?\:/.*(cmd|command)="

Kevin Bonner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20060912/2dd33307/attachment.bin

From gerard at whitecurve.com Wed Sep 13 06:12:58 2006
From: gerard at whitecurve.com (Gerard Earley)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] permissions error
Message-ID:

The permissions on my Webserver got a little messed up and modsecurity is now not logging. The following is a typical error:

[Wed Sep 13 10:21:59 2006] [error] [client xx.xx.xx.xx] mod_security: Access denied with code 500. Pattern match "!^127\\\\.0\\\\.0\\\\.1$" at REMOTE_ADDR [severity "EMERGENCY"] [hostname "www.DOMAINNAME.com"] [uri "/server-info/"] [unique_id "Urg@ctmgTNIAACDdX7kAAAAH"]
[Wed Sep 13 10:21:59 2006] [error] [client xx.xx.xx.xx] mod_security: Audit log: Failed to create subdirectories: /var/log/httpd/audit_logs/20060913/20060913-1021 (Permission denied) [hostname "www.DOMAINNAME.com"] [uri "/server-info/"] [unique_id "Urg@ctmgTNIAACDdX7kAAAAH"]

I thought I'd reset the permission by running the following

#this resets all individual reports files in one go
chmod -R 640 /var/log/httpd/audit_logs/20060*
#then set the permissions of the day and minute folders
chmod 750 /var/log/httpd/audit_logs/20060*
chmod 750 /var/log/httpd/audit_logs/20060*/*
#then set permission for the audit log
chmod 777 /var/log/httpd/audit_logs/audit_log*

Can anyone give me a pointer on what else could be wrong?
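The two error lines Gerard posted carry everything needed to localise this kind of failure, so here is an added Python example (written for this digest, not code from the thread or from mod_security) that parses mod_security 1.x error-log entries of both kinds shown above, plus the audit-log form of the same "Access denied" message that appears later in Mario's post. For a denial it pulls out the status code, the pattern, the target and, when the entry carries an `[id "..."]` attribute, the rule id (the first thing to check in a case like Michal's 403-versus-406 question). For an "Audit log: Failed to create subdirectories" entry it finds the deepest existing directory on the way to the failed path, which is where mod_security's first mkdir happens, and decides from the mode bits alone whether a given uid and group set could create the next component there. The sample lines are constructed copies of the posted ones; the demo builds a throwaway tree under the system temp directory, and the uid 65534 standing in for the Apache user is an assumption of the demo.

```python
import os
import re
import stat
import tempfile

# Constructed sample lines: the two posted above (client IP masked as in the post)
# plus the audit-log form of the same "Access denied" message seen later in the thread.
SAMPLE_ERRORS = [
    r'[Wed Sep 13 10:21:59 2006] [error] [client xx.xx.xx.xx] mod_security: '
    r'Access denied with code 500. Pattern match "!^127\\\\.0\\\\.0\\\\.1$" at REMOTE_ADDR '
    r'[severity "EMERGENCY"] [hostname "www.DOMAINNAME.com"] [uri "/server-info/"] '
    r'[unique_id "Urg@ctmgTNIAACDdX7kAAAAH"]',
    r'[Wed Sep 13 10:21:59 2006] [error] [client xx.xx.xx.xx] mod_security: '
    r'Audit log: Failed to create subdirectories: '
    r'/var/log/httpd/audit_logs/20060913/20060913-1021 (Permission denied) '
    r'[hostname "www.DOMAINNAME.com"] [uri "/server-info/"] '
    r'[unique_id "Urg@ctmgTNIAACDdX7kAAAAH"]',
    r'mod_security-message: Access denied with code 403. Pattern match "^$" at HEADER("Accept")',
]

DENY_RE = re.compile(r'mod_security(?:-message)?: Access denied with code (?P<code>\d+)\. '
                     r'Pattern match "(?P<pattern>.*?)" at (?P<target>\S+)')
AUDIT_RE = re.compile(r'mod_security: Audit log: Failed to create subdirectories: '
                      r'(?P<path>\S+) \((?P<reason>[^)]*)\)')
ATTR_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')   # [uri "..."], [id "..."], ...


def parse_line(line):
    """Classify one mod_security 1.x error-log line.  Returns a dict describing a
    denial or an audit-log failure, or None for lines mod_security did not write."""
    attrs = {m.group('key'): m.group('value') for m in ATTR_RE.finditer(line)}
    m = DENY_RE.search(line)
    if m:
        return {'kind': 'deny', 'code': int(m.group('code')),
                'pattern': m.group('pattern'), 'target': m.group('target'),
                'rule_id': attrs.get('id'), 'uri': attrs.get('uri')}
    m = AUDIT_RE.search(line)
    if m:
        return {'kind': 'audit_failure', 'path': m.group('path'),
                'reason': m.group('reason'), 'uri': attrs.get('uri')}
    return None


def can_create_in(st, uid, gids):
    """Whether a process running as uid (member of gids) may create an entry in a
    directory with stat result st: it needs write and search (x) permission on it.
    Root bypasses the mode bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def diagnose_audit_path(path, uid, gids):
    """Return (deepest existing directory on the way to `path`, whether uid/gids could
    create the next path component inside it)."""
    cur = os.path.abspath(path)
    while not os.path.isdir(cur):
        parent = os.path.dirname(cur)
        if parent == cur:              # reached the filesystem root
            break
        cur = parent
    return cur, can_create_in(os.stat(cur), uid, gids)


def demo(apache_uid=65534):
    """Recreate the post's situation in a temp dir: audit_logs is mode 0750 and owned by
    the current user, so a different (assumed) Apache uid cannot create the day
    directory under it.  Returns the parsed failure record and both diagnoses."""
    root = tempfile.mkdtemp()
    audit = os.path.join(root, 'audit_logs')
    os.mkdir(audit)
    os.chmod(audit, 0o750)             # same mode as the post's chmod 750
    failure = parse_line(SAMPLE_ERRORS[1])
    # map the posted path onto the temp tree: .../audit_logs/20060913/20060913-1021
    relative = failure['path'].split('/audit_logs/')[1].split('/')
    target = os.path.join(audit, *relative)
    me = os.getuid()
    other = apache_uid if apache_uid != me else apache_uid + 1
    as_owner = diagnose_audit_path(target, me, {os.getgid()})
    as_apache = diagnose_audit_path(target, other, set())
    return failure, as_owner, as_apache


if __name__ == '__main__':
    for line in SAMPLE_ERRORS:
        print(parse_line(line))
    print(demo())
```

Run against a real server the same `diagnose_audit_path` call, given the uid and groups of the Apache worker, points at the directory whose owner or mode has to change; note that Gerard's `chmod 750` on the day and minute directories only helps if their owner (or group) is the Apache user, and that the directory named in the log, not just the audit_log file he set to 777, has to be creatable.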
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4491 bytes
Desc: not available
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20060913/84a33ad3/smime.bin

From James.Kratzer at ngc.com Fri Sep 22 12:53:53 2006
From: James.Kratzer at ngc.com (Kratzer, James (Xetron))
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] How to access response data from script
Message-ID: <85A664F2F3F2D1409EE003C7D3D52EE43C3D08@xcgoh901.northgrum.com>

Hi,

Can I have a script execute on output match such as in the line below?

SecFilterSelective OUTPUT "my search phrase" log,exec:myscript.pl

Mod_security and my script will be running on a reverse proxy. I want myscript.pl to validate the response data before sending the response on to the client browser. How would myscript.pl access the response data? CGI.pm seems only good for requests.

Browser <--------- reverse proxy <------ server
                   mod-security
                   myscript.pl

Thanks
James Kratzer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20060922/aa19bcdd/attachment.html

From mario at linux-netwerk.be Tue Sep 26 15:22:22 2006
From: mario at linux-netwerk.be (Mario)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] 403 google bot rejected
Message-ID: <1159298542.4361.11.camel@leo>

Hi,

This was a google bot request for google.com/analytics. I have disabled the rule below to accept this request

#SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"

==0808ae2f==============================
Request: www.site. 66.249.65.111 - - [26/Sep/2006:20:34:25 +0200] "GET / HTTP/1.1" 403 4071 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" jk408s8s2kcAAF13GksAAAAs "-"
----------------------------------------
GET / HTTP/1.1
Host: www.site.
Connection: Keep-alive
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip
mod_security-message: Access denied with code 403. Pattern match "^$" at HEADER("Accept")
mod_security-action: 403

HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 4071
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html

--0808ae2f--
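The rule Mario commented out lists three header locations, and the audit entry shows why the Googlebot request tripped it: the request carries no Accept header at all, and mod_security 1.x evaluated `"^$"` against HEADER("Accept") as an empty string, so one empty location out of three was enough for the 403. The following added Python example (written for this digest, not code from the thread or from mod_security) reproduces that evaluation on a constructed copy of the captured request and on a second constructed request with a present-but-empty User-Agent, then shows the same check narrowed to Host and User-Agent, which the captured request passes; the narrowed target list is an assumption offered as an alternative to disabling the rule outright.

```python
# Constructed copy of the request captured in the post (request line and headers only).
CAPTURED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.site.\r\n"
    "Connection: Keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

# Constructed: a client that sends the header name but leaves the value empty,
# which "^$" matches just like an absent header.
EMPTY_UA_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.site.\r\n"
    "User-Agent:\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# The locations from the rule Mario disabled, and an assumed narrower variant that no
# longer insists on Accept, a header well-behaved crawlers may legitimately omit.
POSTED_RULE_TARGETS = ["HTTP_Host", "HTTP_User-Agent", "HTTP_Accept"]
NARROWED_TARGETS = ["HTTP_Host", "HTTP_User-Agent"]


def parse_request(raw):
    """Return (request_line, headers) for a raw HTTP/1.x request head; header names
    are case-insensitive, so they are folded to lower case."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")     # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def empty_header_targets(raw, targets):
    """Evaluate `SecFilterSelective HTTP_A|HTTP_B|... "^$"` the way the captured log
    shows mod_security 1.x doing it: each HTTP_<Name> location is that header's
    value, an absent header counts as the empty string, and the rule fires when any
    listed location matches.  Returns the locations that matched."""
    _, headers = parse_request(raw)
    return [t for t in targets if headers.get(t[len("HTTP_"):].lower(), "") == ""]


def decide(raw, targets, status=403):
    """Status code the rule would produce for this request, or None when it passes."""
    return status if empty_header_targets(raw, targets) else None


if __name__ == "__main__":
    print(empty_header_targets(CAPTURED_REQUEST, POSTED_RULE_TARGETS), decide(CAPTURED_REQUEST, POSTED_RULE_TARGETS))
    print(empty_header_targets(CAPTURED_REQUEST, NARROWED_TARGETS), decide(CAPTURED_REQUEST, NARROWED_TARGETS))
    print(empty_header_targets(EMPTY_UA_REQUEST, POSTED_RULE_TARGETS))
```

The point of keeping the check rather than deleting the rule is that an empty or missing User-Agent and Host still flags the crude scanners the rule was written for, while a missing Accept header on its own no longer costs a search engine's visits.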