[Modsecurity] Rules update
Michael Shinn
mike at gotroot.com
Mon Sep 11 11:13:59 EDT 2006
Diff of /etc/modsecurity/jitp.conf
5c5
< # Version: N-20060911-01
---
> # Version: N-20060905-03
9,10c9
< # Created by Michael Shinn of the Prometheus Group
(http://www.prometheus-group.com)
< # Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group,
all rights reserved.
---
> # Created by The Prometheus Group (http://www.prometheus-group.com)
11a11
> # Copyright 2005 and 2006 by the Prometheus Group, all rights
reserved.
197,199d196
< #General phpbb_root_path vulnerabilities
< SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)"
"id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"
<
4121a4119,4121
> #General phpbb_root_path vulnerabilities
> SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)"
"id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"
>
4227,4338d4226
<
< #new pattern
< SecFilterSelective REQUEST_URI "\.php\?"
"chain,id:390101,rev:1,severity:2,msg:'JITP: possible vulnscan6
exploit'"
< SecFilterSelective REQUEST_URI "(CONFIG_EXT\[LANGUAGES_DIR\]|dir\[inc
\])=((ht|f)tps?:/|\.\./\.\.)"
<
< #Socketwiz Bookmarks "root_dir" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "smarty_config\.php"
"chain,id:390102,rev:1,severity:2,msg:'JITP: Socketwiz Bookmarks
root_dir File Inclusion Vulnerability'"
< SecFilterSelective ARG_root_dir "((ht|f)tps?:/|\.\./\.\.)"
<
< #MyABraCaDaWeb "base" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "(index|pop)\.php"
"chain,id:390103,rev:1,severity:2,msg:'JITP: MyABraCaDaWeb base File
Inclusion Vulnerabilities'"
< SecFilterSelective ARG_base "((ht|f)tps?:/|\.\./\.\.)"
<
< #Vivvo Article Management CMS SQL Injection and File Inclusion
< SecFilterSelective REQUEST_URI "pdf_version\.php"
"chain,id:390104,rev:1,severity:2,msg:'JITP: Vivvo Article Management
CMS SQL Injection'"
< SecFilterSelective ARG_id "((select|grant|delete|insert|drop|alter|
replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|
\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #Vivvo Article Management classified_path file inclusion
< SecFilterSelective ARG_classified_path "((ht|f)tps?:/|\.\./\.\.)"
"id:390105,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS File
Inclusion'"
<
< #RaidenHTTPD "SoftParserFileXml" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "raidenhttpd-admin/slice/check\.php"
"chain,id:390106,rev:1,severity:2,msg:'JITP: RaidenHTTPD
SoftParserFileXml File Inclusion Vulnerability'"
< SecFilterSelective ARG_SoftParserFileXml "((ht|f)tps?:/|\.\./\.\.)"
<
< #mcGalleryPRO "path_to_folder" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "random2\.php"
"chain,id:390107,rev:1,severity:2,msg:'JITP: mcGalleryPRO path_to_folder
File Inclusion Vulnerability'"
< SecFilterSelective ARG_path_to_folder "((ht|f)tps?:/|\.\./\.\.)"
<
< #Timesheet PHP "username" Parameter SQL Injection
< SecFilterSelective REQUEST_URI "username\.php"
"chain,id:390108,rev:1,severity:2,msg:'JITP: Timesheet PHP username
Parameter SQL Injection'"
< SecFilterSelective ARG_username "((select|grant|delete|insert|drop|
alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|
a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|
view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
<
< #CCleague Pro "language" Parameter Local File Inclusion
< SecFilterSelective ARG_language "((ht|f)tps?:/|\.\./\.\.)"
"id:390109,rev:1,severity:2,msg:'JITP: CCleague Pro language Parameter
Local File Inclusion'"
<
< #TWiki "filename" Parameter Disclosure of Sensitive Information
< SecFilterSelective REQUEST_URI "/TWiki/"
"chain,id:390110,rev:1,severity:2,msg:'JITP: TWiki filename Parameter
Disclosure of Sensitive Information'"
< SecFilterSelective ARG_filename "\.\./\.\."
<
< #photokorn "dir_path" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "(includes/cart\.inc\.php|
extras/ext_cat\.php)" "chain,id:390111,rev:1,severity:2,msg:'JITP:
photokorn dir_path File Inclusion Vulnerabilities'"
< SecFilterSelective ARG_dir_path "((ht|f)tps?:/|\.\./\.\.)"
<
< #Somery "skindir" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "admin/system/include\.php"
"chain,id:390112,rev:1,severity:2,msg:'JITP: Somery skindir File
Inclusion Vulnerability'"
< SecFilterSelective ARG_skindir "((ht|f)tps?:/|\.\./\.\.)"
<
< #DokuWiki "TARGET_FN" Directory Traversal Vulnerability
< SecFilterSelective REQUEST_URI "bin/dwpage\.php"
"chain,id:390113,rev:1,severity:2,msg:'JITP: DokuWiki TARGET_FN
Directory Traversal Vulnerability'"
< SecFilterSelective ARG_TARGET_FN "((ht|f)tps?:/|\.\./\.\.)"
<
< #Fantastic News "CONFIG[script_path]" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "(archive|headlines)\.php"
"chain,id:390114,rev:1,severity:2,msg:'JITP: Fantastic News
CONFIG[script_path] File Inclusion Vulnerabilities'"
< SecFilterSelective REQUEST_URI "CONFIG\[script_path\]=((ht|f)tps?:/|
\.\./\.\.)"
<
< #BP News "bnrep" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "bp_ncom\.php"
"chain,id:390115,rev:1,severity:2,msg:'JITP: BP News bnrep File
Inclusion Vulnerability'"
< SecFilterSelective ARG_bnrep "((ht|f)tps?:/|\.\./\.\.)"
<
< #Akarru Social BookMarking Engine "bm_content" File Inclusion
< SecFilterSelective REQUEST_URI "akarru\.gui/main_content\.php"
"chain,id:390116,rev:1,severity:2,msg:'JITP: Akarru Social BookMarking
Engine bm_content File Inclusion'"
< SecFilterSelective ARG_bm_content "((ht|f)tps?:/|\.\./\.\.)"
<
< #Beautifier "BEAUT_PATH" Parameter File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "Beautifier/Core\.php"
"chain,id:390117,rev:1,severity:2,msg:'JITP: Beautifier BEAUT_PATH
Parameter File Inclusion Vulnerability'"
< SecFilterSelective ARG_BEAUT_PATH "((ht|f)tps?:/|\.\./\.\.)"
<
< #phpFullAnnu "repmod" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "modules/home\.module\.php"
"chain,id:390118,rev:1,severity:2,msg:'JITP: phpFullAnnu repmod File
Inclusion Vulnerability'"
< SecFilterSelective ARG_repmod "((ht|f)tps?:/|\.\./\.\.)"
<
< #Sponge News "sndir" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "news\.php"
"chain,id:390119,rev:1,severity:2,msg:'JITP: Sponge News sndir File
Inclusion Vulnerability'"
< SecFilterSelective ARG_sndir "((ht|f)tps?:/|\.\./\.\.)"
<
< #ACGV News "PathNews" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "\.php\?"
"chain,id:390120,rev:1,severity:2,msg:'JITP: ACGV News PathNews File
Inclusion Vulnerabilities'"
< SecFilterSelective ARG_PathNews "((ht|f)tps?:/|\.\./\.\.)"
<
< #MySpeach "my_ms[root]" Parameter File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "jscript\.php\?"
"chain,id:390121,rev:1,severity:2,msg:'JITP: MySpeach my_ms[root]
Parameter File Inclusion Vulnerability'"
< SecFilterSelective REQUEST_URI "my_ms\[root\]=((ht|f)tps?:/|
\.\./\.\.)"
<
< #annoncesV "page" Parameter File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "annonce\.php\?"
"chain,id:390122,rev:1,severity:2,msg:'JITP: annoncesV page Parameter
File Inclusion Vulnerability'"
< SecFilterSelective ARG_page "((ht|f)tps?:/|\.\./\.\.)"
<
< #GrapAgenda "page" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "index\.php\?"
"chain,id:390123,rev:1,severity:2,msg:'JITP: GrapAgenda page File
Inclusion Vulnerability'"
< SecFilterSelective ARG_page "((ht|f)tps?:/|\.\./\.\.)"
<
< #C-News "path" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "/affichage/.*\.php\?"
"chain,id:390124,rev:1,severity:2,msg:'JITP: C-News path File Inclusion
Vulnerabilities'"
< SecFilterSelective ARG_path "((ht|f)tps?:/|\.\./\.\.)"
<
< #PhpCommander "Directory" Local File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI "download\.php\?"
"chain,id:390125,rev:1,severity:2,msg:'JITP: PhpCommander Directory
Local File Inclusion Vulnerability'"
< SecFilterSelective ARG_Directory "((ht|f)tps?:/|\.\./\.\.)"
<
< #dyncms "x_admindir" File Inclusion Vulnerability
< SecFilterSelective REQUEST_URI
"0_admin/modules/Wochenkarte/frontend/index\.php"
"chain,id:390126,rev:1,severity:2,msg:'JITP: dyncms x_admindir File
Inclusion Vulnerability'"
< SecFilterSelective ARG_x_admindir "((ht|f)tps?:/|\.\./\.\.)"
<
< #MyBace Light Skript File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "includes/login_check\.php"
"chain,id:390127,rev:1,severity:2,msg:'JITP: MyBace Light Skript File
Inclusion Vulnerabilities'"
< SecFilterSelective ARG_hauptverzeichniss "((ht|f)tps?:/|\.\./\.\.)"
< SecFilterSelective REQUEST_URI "dmin/login/content/user_daten\.php"
"chain,id:390128,rev:1,severity:2,msg:'JITP: MyBace Light Skript File
Inclusion Vulnerabilities'"
< SecFilterSelective ARG_template_back "((ht|f)tps?:/|\.\./\.\.)"
<
< #YACS "context[path_to_root]" File Inclusion Vulnerabilities
< SecFilterSelective REQUEST_URI "\.php\?"
"chain,id:390129,rev:1,severity:2,msg:'JITP: YACS context[path_to_root]
File Inclusion Vulnerabilities'"
< SecFilterSelective REQUEST_URI "context\[path_to_root\]=((ht|f)tps?:/|
\.\./\.\.)"
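Review bot: The inclusion pattern `((ht|f)tps?:/|\.\./\.\.)` shared by the chained rules 390102–390129 only matches an http/https/ftp/ftps prefix or a double `../..`, so a PHP stream wrapper (`php://`, `expect://`, `zlib://`) or a single `../` in a parameter such as ARG_root_dir, ARG_skindir or ARG_page is not caught by any of these rules. Since `http://` is already blocked in those arguments, widening the alternation to `([a-z]+://|\.\./\.\.)` covers the wrappers at little extra false-positive cost; whether a single `../` can be blocked without breaking legitimate relative paths has to be checked per site. The SQL pattern in 390104 and 390108 needs literal whitespace between the verb, the operand list and `from|into|...`, so comment-separated forms like `select/**/1/**/from` are not matched, and the `|` characters inside `[A-Z|a-z|0-9|\*| |\,]` are literals rather than alternation, so `[A-Za-z0-9*, ]` is what was intended. Note also that the `5c5` hunk shows the `<` side as N-20060911-01, i.e. the newer file, so this `d` hunk is actually the set of rules being added and the file should not be fed to patch(1) in this orientation.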
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com