From admin at efastservers.com  Mon Oct  8 12:48:33 2007
From: admin at efastservers.com (admin@efastservers.com)
Date: Mon Jan  7 18:22:33 2008
Subject: [Modsecurity] Some type of file injection vuln going around

One of my resellers contacted me today stating that one of his websites was hacked and possibly the server. He wanted to know what we were going to do about it.

I checked the server but no other website is affected except for two of his own websites.

There seems to be some type of javascript file injection vuln going around. I searched the logs but could not find anything obvious in his logs. I checked all sites and they are clean.

Here is what was injected into his index.html file after the
tag.

There is a small discussion about this at
http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23

Is there a mod_sec rule that can stop this?

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071008/1741261e/attachment.html

From Crazy_Canucks at rogers.com  Mon Oct  8 19:13:15 2007
From: Crazy_Canucks at rogers.com (Crazy Canucks)
Date: Mon Jan  7 18:22:33 2008
Subject: [Modsecurity] Some type of file injection vuln going around
Message-ID: <470AB98B.3010407@rogers.com>

An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071008/9278a60d/attachment.html

From mike at gotroot.com  Tue Oct  9 10:05:17 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan  7 18:22:34 2008
Subject: [Modsecurity] Some type of file injection vuln going around
Message-ID: <1191938717.17235.10.camel@shrike.gotroot.com>

Can you send me that index.html file? Also, if you can send me your user's access_log, we might be able to find out the vector for the attack.

On Mon, 2007-10-08 at 12:48 -0400, admin@efastservers.com wrote:
> One of my resellers contacted me today stating that one of his
> websites was hacked and possibly the server. He wanted to know what we
> were going to do about it.
>
> I checked the server but no other website is affected except for two
> of his own websites.
>
> There seems to be some type of javascript file injection vuln going
> around. I searched the logs but could not find anything obvious in his
> logs. I checked all sites and they are clean.
>
> Here is what was injected into his index.html file after the
> tag.
>
> There is a small discussion about this at
> http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23
>
> Is there a mod_sec rule that can stop this?
>
> Thanks
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity

-- 
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From rcbarnett at gmail.com  Tue Oct  9 10:18:57 2007
From: rcbarnett at gmail.com (Ryan Barnett)
Date: Mon Jan  7 18:22:34 2008
Subject: [Modsecurity] Some type of file injection vuln going around
In-Reply-To: <470a5f6b.0313360a.2f7b.ffffd99aSMTPIN_ADDED@mx.google.com>
References: <470a5f6b.0313360a.2f7b.ffffd99aSMTPIN_ADDED@mx.google.com>

This malicious JS is attempting to have the client's browser make multiple requests to loop through a few systems and eventually tries to exploit the MS06-005 vulnerability (http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx) by downloading a specially crafted WMV file.

Now, to answer your questions -

1) You need to try and identify how this JS code was added to the html page. Was it uploaded through the website in a comment form/blog post, etc.? Or was it added by a local user who could have uploaded a new html page or edited the file locally from a command shell on the web server? In the former case, if you have the ModSecurity SecAuditEngine turned On, then you can do some quick grepping through the audit logs to identify any transactions that have this data present.
2) As for ModSecurity rules, the Core Rules (http://www.modsecurity.org/projects/rules/index.html) have numerous rules that will identify clients who are attempting to upload this type of malicious code. Identifying/blocking this type of data going OUTBOUND in the html sent to clients is a bit more difficult. See this recent OWASP presentation on Crimeware: http://www.owasp.org/images/8/83/OWASP_IL_8_Evasive_Crimeware_attacks_Business_drivers_and_Proposed.pdf. Breach is working on rules to help identify this type of malicious code to help hosting environments. Check out the www.modsecurity.org site for details.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

---------- Forwarded message ----------
From: admin@efastservers.com <admin@efastservers.com>
Date: Oct 8, 2007 12:48 PM
Subject: [Modsecurity] Some type of file injection vuln going around
To: modsecurity@gotroot.com

One of my resellers contacted me today stating that one of his websites was hacked and possibly the server. He wanted to know what we were going to do about it.

I checked the server but no other website is affected except for two of his own websites.

There seems to be some type of javascript file injection vuln going around. I searched the logs but could not find anything obvious in his logs. I checked all sites and they are clean.

Here is what was injected into his index.html file after the
tag.

There is a small discussion about this at
http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23

Is there a mod_sec rule that can stop this?

Thanks

_______________________________________________
Modsecurity mailing list
Modsecurity@gotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071009/f584f38c/attachment.html

From mike at gotroot.com  Tue Oct  9 10:31:42 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan  7 18:22:34 2008
Subject: [Modsecurity] Some type of file injection vuln going around
References: <470a5f6b.0313360a.2f7b.ffffd99aSMTPIN_ADDED@mx.google.com>
Message-ID: <1191940302.17235.21.camel@shrike.gotroot.com>

On Tue, 2007-10-09 at 10:18 -0400, Ryan Barnett wrote:
> Now, to answer your questions -
> 1) You need to try and identify how this JS code was added to the html page. Was it uploaded through the website in a comment form/blog post, etc.? Or was it added by a local user who could have uploaded a new html page or edited the file locally from a command shell on the web server? In the former case, if you have the ModSecurity SecAuditEngine turned On, then you can do some quick grepping through the audit logs to identify any transactions that have this data present.

This really is the key. It's not likely this happened any other way than through either an upload, or an injection that allowed an upload or modification of the code. To that end, is the JS in the index.html file itself, or just in the content rendered by the page? If the latter, how does the site dynamically generate any of its content?

-- 
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root?
http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From cristian at livadaru.net  Thu Oct 11 05:28:54 2007
From: cristian at livadaru.net (Cristian Livadaru)
Date: Mon Jan  7 18:22:34 2008
Subject: [Modsecurity] A little problem with excludes
Message-ID: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net>

Hi modsecurity list,

I seem to have a little problem with the excludes.

I have this in my audit log:

==6d394431==============================
Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1" 403 285 "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7" - "-"
----------------------------------------
POST /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1
Host: www.foo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/
Content-Type: application/x-www-form-urlencoded
Content-Length: 510
mod_security-action: 403
mod_security-message: Access denied with code 403.
  Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

510
action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%5D=4&featured=no&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wien&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette+Kleine+Zimmer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&Zimmer=2&Badezimmer=1&year_built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%FCche&home_features%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift

HTTP/1.1 403 Forbidden
Content-Length: 285
Keep-Alive: timeout=15, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--6d394431--

but in excludes.conf I have added:

# cms_realty
SecFilterRemove 300015

I don't understand why this is still blocking. What am I doing wrong?

Regards, Cristian

-- 
Cristian Livadaru
http://livadaru.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071011/d84d8b88/attachment.html

From thomas.ammermann at digicol.de  Thu Oct 11 05:48:29 2007
From: thomas.ammermann at digicol.de (Thomas Ammermann)
Date: Mon Jan  7 18:22:34 2008
Subject: ****SPAM**** LOW * AW: [Modsecurity] A little problem with excludes
In-Reply-To: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net>
Message-ID: <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de>

Hi Christian,

I usually exclude rules like this:

SecRuleRemoveById 300018

Maybe this helps ...

Kind regards,
Thomas

-----Original Message-----
From: modsecurity-bounces@gotroot.com [mailto:modsecurity-bounces@gotroot.com] On Behalf Of Cristian Livadaru
Sent: Thursday, 11 October 2007 11:29
To: modsecurity@gotroot.com
Subject: [Modsecurity] A little problem with excludes

Hi modsecurity list,

I seem to have a little problem with the excludes

I have this in my Audit log:

==6d394431==============================

Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST
/index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1"
403 285
"http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,61637
4696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d7
4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
Gecko/20070914 Firefox/2.0.0.7" - "-"
----------------------------------------
POST
/index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1
Host: www.foo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
Gecko/20070914 Firefox/2.0.0.7
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374
696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74
727565/
Content-Type: application/x-www-form-urlencoded
Content-Length: 510
mod_security-action: 403
mod_security-message: Access denied with code 403.
Pattern match
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

510
action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%5D=4&featured=no
&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wie
n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette+Kleine+Zim
mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2
C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&Zimmer=2&Badezimmer=1&year_
built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%FCche&home_fe
atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift

HTTP/1.1 403 Forbidden
Content-Length: 285
Keep-Alive: timeout=15, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--6d394431--

but in excludes.conf I have added:

# cms_realty
SecFilterRemove 300015

I don't understand why this is still blocking. What am I doing wrong?

Regards, Cristian

-- 
Cristian Livadaru
http://livadaru.net

From cristian at livadaru.net  Thu Oct 11 05:55:23 2007
From: cristian at livadaru.net (Cristian Livadaru)
Date: Mon Jan  7 18:22:34 2008
Subject: ****SPAM**** MEDIUM * Re: LOW * AW: [Modsecurity] A little problem with excludes
In-Reply-To: <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de>
Message-ID: <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net>

Hi, this doesn't seem to work with Version 1.9.4:

Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by a module not included in the server configuration

It's the same way the original excludes.conf is configured. I somehow think my Location doesn't quite match but I don't see why.
Cris

On Oct 11, 2007, at 11:48 , Thomas Ammermann wrote:

> Hi Christian,
>
> I usually exclude rules like this:
>
> SecRuleRemoveById 300018
>
> Maybe this helps ...
>
> Kind regards,
> Thomas
>
> -----Original Message-----
> From: modsecurity-bounces@gotroot.com
> [mailto:modsecurity-bounces@gotroot.com] On Behalf Of Cristian
> Livadaru
> Sent: Thursday, 11 October 2007 11:29
> To: modsecurity@gotroot.com
> Subject: [Modsecurity] A little problem with excludes
>
> Hi modsecurity list,
>
> I seem to have a little problem with the excludes
>
> I have this in my Audit log:
>
> ==6d394431==============================
>
> Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST
> /index.php?
> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
> HTTP/1.1"
> 403 285
> "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/
> openrealty,61637
> 4696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d6
> 96e3d7
> 4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> Gecko/20070914 Firefox/2.0.0.7" - "-"
> ----------------------------------------
> POST
> /index.php?
> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
> HTTP/1.1
> Host: www.foo.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> Gecko/20070914 Firefox/2.0.0.7
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/
> plain;q=
> 0.8,image/png,*/*;q=0.5
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer:
> http://www.foo.com/component/option,com_cmsrealty/Itemid,4/
> openrealty,616374
> 696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d69
> 6e3d74
> 727565/
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 510
> mod_security-action: 403
> mod_security-message: Access denied with code 403. Pattern match
> "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|
> delete[[:
> space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev
> "1"] [msg
> "Generic SQL injection protection"] [severity "CRITICAL"]
>
> 510
> action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%
> 5D=4&featured=no
> &edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Sta
> dt=Wie
> n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette
> +Kleine+Zim
> mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C
> +Fliesenbad%2
> C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%
> E4he&Zimmer=2&Badezimmer=1&year_
> built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%
> FCche&home_fe
> atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift
>
> HTTP/1.1 403 Forbidden
> Content-Length: 285
> Keep-Alive: timeout=15, max=89
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
> --6d394431--
>
> but in excludes.conf I have added:
>
> # cms_realty
>
> SecFilterRemove 300015
>
> I don't understand why this is still blocking.
> What am I doing wrong?
>
> Regards, Cristian
>
> --
> Cristian Livadaru
> http://livadaru.net
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity

-- 
Cristian Livadaru
http://livadaru.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071011/c07c2b42/attachment.html

From mike at gotroot.com  Thu Oct 11 10:08:40 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan  7 18:22:34 2008
Subject: ****SPAM**** MEDIUM * Re: LOW * AW: [Modsecurity] A little problem with excludes
In-Reply-To: <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de> <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net>
Message-ID: <1192111721.4203.95.camel@shrike.gotroot.com>

Unfortunately, the exclude support is a little lacking in modsec right now. You can't exclude via Location matches with regexps, only literals (index.php will work, index.php?foo=.*bar=.*). What you have to do is write a chained rule to exclude, like this:

Say you have a rule (it sounds like you are using 1.9.x, so I'll stick to that syntax):

SecFilterSelective ARGS "foo+bar"

To exclude your case for this, you need to add this:

SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" chain
SecFilterSelective ARGS "foo+bar"

On Thu, 2007-10-11 at 11:55 +0200, Cristian Livadaru wrote:
> Hi, this doesn't seem to work with Version 1.9.4
>
> Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by
> a module not included in the server configuration
> It's the same way the original excludes.conf is configured.
> I somehow think my Location doesn't quite match but I don't see why.
>
> Cris
>
> On Oct 11, 2007, at 11:48 , Thomas Ammermann wrote:
>
> > Hi Christian,
> >
> > I usually exclude rules like this:
> >
> > SecRuleRemoveById 300018
> >
> > Maybe this helps ...
> >
> > Kind regards,
> > Thomas
> >
> > -----Original Message-----
> > From: modsecurity-bounces@gotroot.com
> > [mailto:modsecurity-bounces@gotroot.com] On Behalf Of Cristian
> > Livadaru
> > Sent: Thursday, 11 October 2007 11:29
> > To: modsecurity@gotroot.com
> > Subject: [Modsecurity] A little problem with excludes
> >
> > Hi modsecurity list,
> >
> > I seem to have a little problem with the excludes
> >
> > I have this in my Audit log:
> >
> > ==6d394431==============================
> >
> > Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200]
> > "POST
> > /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> > 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
> > HTTP/1.1"
> > 403 285
> > "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,61637
> > 4696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d7
> > 4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> > Gecko/20070914 Firefox/2.0.0.7" - "-"
> > ----------------------------------------
> > POST
> > /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> > 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
> > HTTP/1.1
> > Host: www.foo.com
> > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> > Gecko/20070914 Firefox/2.0.0.7
> > Accept:
> > text/xml,application/xml,application/xhtml
> > +xml,text/html;q=0.9,text/plain;q=
> > 0.8,image/png,*/*;q=0.5
> > Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Connection: keep-alive
> > Referer:
> > http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374
> > 696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74
> > 727565/
> > Content-Type: application/x-www-form-urlencoded
> > Content-Length: 510
> > mod_security-action: 403
> > mod_security-message: Access denied with code 403. Pattern match
> > "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|
> > delete[[:
> > space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev
> > "1"] [msg
> > "Generic SQL injection protection"] [severity "CRITICAL"]
> >
> > 510
> > action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%
> > 5D=4&featured=no
> > &edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wie
> > n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette
> > +Kleine+Zim
> > mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C
> > +Fliesenbad%2
> > C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%
> > E4he&Zimmer=2&Badezimmer=1&year_
> > built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%
> > FCche&home_fe
> > atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift
> >
> > HTTP/1.1 403 Forbidden
> > Content-Length: 285
> > Keep-Alive: timeout=15, max=89
> > Connection: Keep-Alive
> > Content-Type: text/html; charset=iso-8859-1
> > --6d394431--
> >
> > but in excludes.conf I have added:
> >
> > # cms_realty
> >
> > SecFilterRemove 300015
> >
> > I don't understand why this is still blocking. What am I doing
> > wrong?
> >
> > Regards, Cristian
> >
> > --
> > Cristian Livadaru
> > http://livadaru.net
> >
> > _______________________________________________
> > Modsecurity mailing list
> > Modsecurity@gotroot.com
> > http://lists.gotroot.com/mailman/listinfo/modsecurity
>
> --
> Cristian Livadaru
> http://livadaru.net
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity

-- 
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From mike at gotroot.com  Thu Oct 11 10:30:36 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan  7 18:22:34 2008
Subject: ****SPAM**** MEDIUM * Re: LOW * AW: [Modsecurity] A little problem with excludes
In-Reply-To: <1192111721.4203.95.camel@shrike.gotroot.com>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de> <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net> <1192111721.4203.95.camel@shrike.gotroot.com>
Message-ID: <1192113036.4203.113.camel@shrike.gotroot.com>

On Thu, 2007-10-11 at 14:08 +0000, Michael Shinn wrote:
> Unfortunately, the exclude support is a little lacking in modsec right
> now. You can't exclude via Location matches with regexps, only literals
> (index.php will work, index.php?foo=.*bar=.*)

This should say: index.php will work, index.php?foo=.*bar=.* will not.
> What you have to do is
> write a chained rule to exclude, like this:
>
> Say you have a rule (it sounds like you are using 1.9.x, so I'll stick to
> that syntax):
>
> SecFilterSelective ARGS "foo+bar"
>
> To exclude your case for this, you need to add this:
>
> SecFilterSelective REQUEST_URI "!(^/index\.php
> \?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" chain
> SecFilterSelective ARGS "foo+bar"
>
> On Thu, 2007-10-11 at 11:55 +0200, Cristian Livadaru wrote:
> > Hi, this doesn't seem to work with Version 1.9.4
> >
> > Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by
> > a module not included in the server configuration
> > It's the same way the original excludes.conf is configured.
> > I somehow think my Location doesn't quite match but I don't see why.
> >
> > Cris
> >
> > On Oct 11, 2007, at 11:48 , Thomas Ammermann wrote:
> >
> > > Hi Christian,
> > >
> > > I usually exclude rules like this:
> > >
> > > SecRuleRemoveById 300018
> > >
> > > Maybe this helps ...
> > >
> > > Kind regards,
> > > Thomas
> > >
> > > -----Original Message-----
> > > From: modsecurity-bounces@gotroot.com
> > > [mailto:modsecurity-bounces@gotroot.com] On Behalf Of Cristian
> > > Livadaru
> > > Sent: Thursday, 11 October 2007 11:29
> > > To: modsecurity@gotroot.com
> > > Subject: [Modsecurity] A little problem with excludes
> > >
> > > Hi modsecurity list,
> > >
> > > I seem to have a little problem with the excludes
> > >
> > > I have this in my Audit log:
> > >
> > > ==6d394431==============================
> > >
> > > Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200]
> > > "POST
> > > /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> > > 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
> > > HTTP/1.1"
> > > 403 285
> > > "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,61637
> > > 4696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d7
> > > 4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> > > Gecko/20070914 Firefox/2.0.0.7" - "-"
> > > ----------------------------------------
> > > POST
> > > /index.php?option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f
> > > 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565
> > > HTTP/1.1
> > > Host: www.foo.com
> > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)
> > > Gecko/20070914 Firefox/2.0.0.7
> > > Accept:
> > > text/xml,application/xml,application/xhtml
> > > +xml,text/html;q=0.9,text/plain;q=
> > > 0.8,image/png,*/*;q=0.5
> > > Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> > > Accept-Encoding: gzip,deflate
> > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > > Keep-Alive: 300
> > > Connection: keep-alive
> > > Referer:
> > > http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374
> > > 696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74
> > > 727565/
> > > Content-Type: application/x-www-form-urlencoded
> > > Content-Length: 510
> > > mod_security-action: 403
> > > mod_security-message: Access denied with code 403.
> > > Pattern match
> > > "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|
> > > delete[[:
> > > space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev
> > > "1"] [msg
> > > "Generic SQL injection protection"] [severity "CRITICAL"]
> > >
> > > 510
> > > action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%
> > > 5D=4&featured=no
> > > &edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wie
> > > n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette
> > > +Kleine+Zim
> > > mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C
> > > +Fliesenbad%2
> > > C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%
> > > E4he&Zimmer=2&Badezimmer=1&year_
> > > built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%
> > > FCche&home_fe
> > > atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift
> > >
> > > HTTP/1.1 403 Forbidden
> > > Content-Length: 285
> > > Keep-Alive: timeout=15, max=89
> > > Connection: Keep-Alive
> > > Content-Type: text/html; charset=iso-8859-1
> > > --6d394431--
> > >
> > > but in excludes.conf I have added:
> > >
> > > # cms_realty
> > >
> > > SecFilterRemove 300015
> > >
> > > I don't understand why this is still blocking. What am I doing
> > > wrong?
> > >
> > > Regards, Cristian
> > >
> > > --
> > > Cristian Livadaru
> > > http://livadaru.net
> > >
> > > _______________________________________________
> > > Modsecurity mailing list
> > > Modsecurity@gotroot.com
> > > http://lists.gotroot.com/mailman/listinfo/modsecurity
> >
> > --
> > Cristian Livadaru
> > http://livadaru.net
> >
> > _______________________________________________
> > Modsecurity mailing list
> > Modsecurity@gotroot.com
> > http://lists.gotroot.com/mailman/listinfo/modsecurity

-- 
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From cristian at livadaru.net  Thu Oct 11 10:33:37 2007
From: cristian at livadaru.net (Cristian Livadaru)
Date: Mon Jan  7 18:22:34 2008
Subject: ****SPAM**** HIGH * Re: ****SPAM**** MEDIUM * Re: LOW * AW: [Modsecurity] A little problem with excludes
In-Reply-To: <1192111721.4203.95.camel@shrike.gotroot.com>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de> <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net> <1192111721.4203.95.camel@shrike.gotroot.com>
Message-ID: <15EEA406-BE0F-4CBB-81A4-272E851D2BA6@livadaru.net>

aahhhh! it's like I can see again now after being blind :) now a lot of confusion has just gone.
Thanks a lot! I will play around and see if I can get it running.

Cris

On Oct 11, 2007, at 16:08 , Michael Shinn wrote:
> Unfortunately, the exclude support is a little lacking in modsec right
> now.
You can't exclude via Location matches with regexps, only > literals > (index.php will work, index.php?foo=.*bar=.*) What you have to do is > write a chained rule to exclude, like this: > > Say you have a rule (it sounds like you using 1.9.x, so I'll stick to > that syntax): > > SecFilterSelective ARGS "foo+bar" > > To exclude your case for this, you need to add this: > > SecFilterSelective REQUEST_URI "!(^/index\.php > \?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" chain > SecFilterSelective ARGS "foo+bar" > > On Thu, 2007-10-11 at 11:55 +0200, Cristian Livadaru wrote: >> Hi, this doesn't seem to work with Version 1.9.4 >> >> >> Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by >> a module not included in the server configuration >> It's the same way the original excludes.conf is configured. >> I somehow think my Location doesn't quite match but I don't see why. >> >> >> Cris >> >> On Oct 11, 2007, at 11:48 , Thomas Ammermann wrote: >> >>> Hi Christian, >>> >>> >>> I usually exclude rules like this: >>> >>> >>> >>> SecRuleRemoveById 300018 >>> >>> >>> >>> Maybe this helps ... >>> >>> >>> Kind regards, >>> Thomas >>> >>> >>> >>> >>> -----Urspr?ngliche Nachricht----- >>> Von: modsecurity-bounces@gotroot.com >>> [mailto:modsecurity-bounces@gotroot.com] Im Auftrag von Cristian >>> Livadaru >>> Gesendet: Donnerstag, 11. Oktober 2007 11:29 >>> An: modsecurity@gotroot.com >>> Betreff: [Modsecurity] A little problem with excludes >>> >>> >>> Hi modsecurity list, >>> >>> >>> I seem to have a little problem with the excludes >>> >>> >>> I have this in my Audit log: >>> >>> >>> >>> >>> ==6d394431============================== >>> >>> >>> Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] >>> "POST >>> /index.php? 
>>> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f >>> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 >>> HTTP/1.1" >>> 403 285 >>> "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ >>> openrealty,61637 >>> 4696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646 >>> d696e3d7 >>> 4727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) >>> Gecko/20070914 Firefox/2.0.0.7" - "-" >>> ---------------------------------------- >>> POST >>> /index.php? >>> option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f >>> 6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 >>> HTTP/1.1 >>> Host: www.foo.com >>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) >>> Gecko/20070914 Firefox/2.0.0.7 >>> Accept: >>> text/xml,application/xml,application/xhtml >>> +xml,text/html;q=0.9,text/plain;q= >>> 0.8,image/png,*/*;q=0.5 >>> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 >>> Accept-Encoding: gzip,deflate >>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 >>> Keep-Alive: 300 >>> Connection: keep-alive >>> Referer: >>> http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ >>> openrealty,616374 >>> 696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d >>> 696e3d74 >>> 727565/ >>> Content-Type: application/x-www-form-urlencoded >>> Content-Length: 510 >>> mod_security-action: 403 >>> mod_security-message: Access denied with code 403. 
Pattern match >>> "((alter|create|drop)[[:space:]]+(column|database|procedure|table)| >>> delete[[: >>> space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev >>> "1"] [msg >>> "Generic SQL injection protection"] [severity "CRITICAL"] >>> >>> >>> 510 >>> action=update_listing&edit=369&title=Altbau-Miete&pclass%5B% >>> 5D=4&featured=no >>> &edit_active=yes&mlsexport=no&or_owner=9¬es=&Adresse=Staudgasse&S >>> tadt=Wie >>> n&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette >>> +Kleine+Zim >>> mer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C >>> +Fliesenbad%2 >>> C+Toilette+Etagenheizung.Ruhelage+und+AKH+N% >>> E4he&Zimmer=2&Badezimmer=1&year_ >>> built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk% >>> FCche&home_fe >>> atures%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift >>> >>> >>> HTTP/1.1 403 Forbidden >>> Content-Length: 285 >>> Keep-Alive: timeout=15, max=89 >>> Connection: Keep-Alive >>> Content-Type: text/html; charset=iso-8859-1 >>> --6d394431-- >>> >>> >>> >>> >>> but in excludes.conf I have added: >>> >>> >>> # cms_realty >>> >>> SecFilterRemove 300015 >>> >>> >>> >>> I don't understand why this is still blocking. What am I doing >>> wrong? >>> >>> >>> Regards, Cristian >>> >>> >>> >>> >>> -- >>> Cristian Livadaru >>> http://livadaru.net >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Modsecurity mailing list >>> Modsecurity@gotroot.com >>> http://lists.gotroot.com/mailman/listinfo/modsecurity >>> >>> >> >> -- >> Cristian Livadaru >> http://livadaru.net >> >> >> >> >> >> >> >> >> _______________________________________________ >> Modsecurity mailing list >> Modsecurity@gotroot.com >> http://lists.gotroot.com/mailman/listinfo/modsecurity > -- > Michael T. Shinn KeyID:0xDAE2EC86 > Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86 > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86 > SANS Advisory Board Member > > Got Root? 
> http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls: http://troubleshootingfirewalls.com

--
Cristian Livadaru
http://livadaru.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071011/b92089c6/attachment.html

From cristian at livadaru.net Thu Oct 11 11:01:04 2007
From: cristian at livadaru.net (Cristian Livadaru)
Date: Mon Jan 7 18:22:34 2008
Subject: ****SPAM**** HIGH * Re: ****SPAM**** MEDIUM * Re: LOW * AW: [Modsecurity] A little problem with excludes
In-Reply-To: <1192113036.4203.113.camel@shrike.gotroot.com>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de> <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net> <1192111721.4203.95.camel@shrike.gotroot.com> <1192113036.4203.113.camel@shrike.gotroot.com>
Message-ID: <59DF9787-D9D1-41A6-853E-C9F80E8DCEDB@livadaru.net>

So, if I got everything right, my rules.conf has to be modified like this:

#Generic SQL sigs
SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" "chain,id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"

But by this I am not able to use automatic updates anymore :( Oh well, I will have to do them manually by doing a diff over everything.

Cris

On Oct 11, 2007, at 16:30 , Michael Shinn wrote:

> On Thu, 2007-10-11 at 14:08 +0000, Michael Shinn wrote:
>> Unfortunately, the exclude support is a little lacking in modsec right
>> now. You can't exclude via Location matches with regexps, only literals
>> (index.php will work, index.php?foo=.*bar=.*)
>
> This should say:
>
> index.php will work, index.php?foo=.*bar=.* will not.

--
Cristian Livadaru
http://livadaru.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071011/6256aa49/attachment.html

From mike at gotroot.com Thu Oct 11 13:09:30 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:34 2008
Subject: [Modsecurity] A little problem with excludes
In-Reply-To: <59DF9787-D9D1-41A6-853E-C9F80E8DCEDB@livadaru.net>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de> <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net> <1192111721.4203.95.camel@shrike.gotroot.com> <1192113036.4203.113.camel@shrike.gotroot.com> <59DF9787-D9D1-41A6-853E-C9F80E8DCEDB@livadaru.net>
Message-ID: <1192122570.4203.118.camel@shrike.gotroot.com>

Yes, assuming that's the way your app works. I can't tell you for sure
if the regexp is perfect, as I'm not sure what the variables do. You may
have to tweak the regexp a little, for example, if Itemid is something
other than 0-9, or if option is something other than com_cmsrealty.
On Thu, 2007-10-11 at 17:01 +0200, Cristian Livadaru wrote:
> So, if I got everything right, my rules.conf has to be modified like
> this:
>
> #Generic SQL sigs
> SecFilterSelective REQUEST_URI "!(^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=)" "chain,id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
> SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
>
> But by this I am not able to use automatic updates anymore :( Oh well,
> I will have to do them manually by doing a diff over everything.
>
> Cris

--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member

Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From cristian at livadaru.net Thu Oct 11 13:57:37 2007
From: cristian at livadaru.net (Cristian Livadaru)
Date: Mon Jan 7 18:22:34 2008
Subject: ****SPAM**** MEDIUM * Re: [Modsecurity] A little problem with excludes
In-Reply-To: <1192122570.4203.118.camel@shrike.gotroot.com>
References: <6A11C504-5A94-4FCF-8AE9-C19DB6D17227@livadaru.net> <002801c80beb$e0b3a9b0$a21afd10$@ammermann@digicol.de> <5EE46D7B-1FAD-4A89-AF23-64053BC973B8@livadaru.net> <1192111721.4203.95.camel@shrike.gotroot.com> <1192113036.4203.113.camel@shrike.gotroot.com> <59DF9787-D9D1-41A6-853E-C9F80E8DCEDB@livadaru.net> <1192122570.4203.118.camel@shrike.gotroot.com>
Message-ID: <7E3B8A1A-7A6A-423A-9396-09BB0CD13F46@livadaru.net>

Thanks. I will keep an eye on the audit log and tweak it as needed. Just
needed a hint what I was doing wrong.

Would it work if I create a separate rules file and load it AFTER the
original rules.conf, and by that overwrite the original rule? I want to
be able to do automated updates but also overwrite rules that don't work
for me.

Cris

On Oct 11, 2007, at 7:09 PM, Michael Shinn wrote:

> Yes, assuming that's the way your app works. I can't tell you for sure
> if the regexp is perfect, as I'm not sure what the variables do.
> You may have to tweak the regexp a little, for example, if Itemid is
> something other than 0-9, or if option is something other than
> com_cmsrealty.

--
Cristian Livadaru
http://livadaru.net
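As an added Python example (not code from the thread, from ModSecurity, or from the gotroot rule set), the following reproduces why rule 300015 fired on the form post in the audit log above and how the chained exclude Michael describes changes the decision. The request URI and POST body are taken from the thread's audit log (the mail-wrapped body rejoined into the 510 bytes the logged Content-Length announces) and both patterns are used verbatim, with POSIX `[[:space:]]` written as `\s` for Python's `re`. It assumes what the alert itself indicates, that 1.x runs the filter over the whole POST payload as one string, and that 1.x matching is case-insensitive (this particular match would fire case-sensitively too). The second path and the benign body at the end are constructed.

```python
import re
from urllib.parse import parse_qsl

# Rule 300015's pattern as quoted in the thread; POSIX [[:space:]] is written as \s.
# IGNORECASE models 1.x's case-insensitive filters (assumption, see lead-in).
RULE_300015 = re.compile(
    r"((alter|create|drop)\s+(column|database|procedure|table)"
    r"|delete\s+from|update.+set.+=)",
    re.IGNORECASE,
)

# The negated REQUEST_URI pattern from the chained exclude in the thread, verbatim.
EXCLUDE_URI = re.compile(r"^/index\.php\?option=com_cmsrealty&Itemid=[0-9]&openrealty=")

# Request URI and POST body from the audit log quoted in the thread.
PAGE_URI = (
    "/index.php?option=com_cmsrealty&Itemid=4&openrealty="
    "616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565"
)
PAGE_BODY = (
    "action=update_listing&edit=369&title=Altbau-Miete&pclass%5B%5D=4&featured=no"
    "&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse=Staudgasse&Stadt=Wien"
    "&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&full_desc=Nette+Kleine+Zimmer"
    "+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2C"
    "+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&Zimmer=2&Badezimmer=1"
    "&year_built=1970&sq_feet=45&status=Aktiv&home_features%5B%5D=Einbauk%FCche"
    "&home_features%5B%5D=Gasetagenheizung&home_features%5B%5D=Lift"
)


def payload_match(body):
    """Run rule 300015 over the whole body, as the POST_PAYLOAD alert did.

    Returns the matched text or None. For the page's body the span runs from
    'update' in update_listing, through the 'set' inside Gasetagenheizung, to
    the last '=' of the body: three fragments of ordinary form data joined by
    a greedy '.+', not a SQL statement.
    """
    m = RULE_300015.search(body)
    return m.group(0) if m else None


def straddled_params(body):
    """Names of the raw form fields that the rule's match span touches, in order."""
    m = RULE_300015.search(body)
    if not m:
        return []
    start, end = m.span()
    names, pos = [], 0
    for pair in body.split("&"):
        pair_end = pos + len(pair)
        if pair_end > start and pos < end:
            names.append(pair.split("=", 1)[0])
        pos = pair_end + 1  # skip the '&' separator
    return names


def per_value_matches(body):
    """The same pattern evaluated against each decoded value on its own."""
    return [
        name
        for name, value in parse_qsl(body, keep_blank_values=True, encoding="iso-8859-1")
        if RULE_300015.search(value)
    ]


def chained_decision(request_uri, body):
    """Mimic the chained pair from the thread for a single request.

    First link: SecFilterSelective REQUEST_URI "!(...)" chain. A negated filter
    only 'matches' when its pattern does not, and the chain continues only on a
    match, so an excluded URI never reaches the second link, rule 300015.
    """
    if EXCLUDE_URI.search(request_uri):
        return "allow"  # first link fails: rule 300015 is skipped for this path
    return "block" if RULE_300015.search(body) else "allow"


if __name__ == "__main__":
    print("matched:", payload_match(PAGE_BODY)[:40], "...")
    print("fields crossed:", straddled_params(PAGE_BODY))
    print("per-value hits:", per_value_matches(PAGE_BODY))
    print("page request:", chained_decision(PAGE_URI, PAGE_BODY))
    # Constructed: the same body on a path outside the exclude still blocks, and
    # a two-digit Itemid falls outside [0-9], which is the caveat Michael raises.
    print("other path:", chained_decision("/index.php?option=com_content", PAGE_BODY))
    print("Itemid=12:", chained_decision(PAGE_URI.replace("Itemid=4", "Itemid=12"), PAGE_BODY))
```

Run as a script it shows that the "SQL injection" is `update` from `action=update_listing`, `set` from the middle of `Gasetagenheizung` and `=` from the last field, matched across every field of the form; evaluated per value nothing matches, which is why a whole-payload pattern like `update.+set.+=` is prone to this kind of false positive on free-text forms. The exclude is scoped to the negated REQUEST_URI pattern only, so the same body posted to another path, or with an Itemid outside `[0-9]`, is still blocked.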