
ModSecurity Rules

Note: if your scripts use curl or wget, ModSecurity will filter those requests out; comment out the corresponding rules if this applies to you. Note: use these rules with caution; you will need to monitor the error_log and adjust the rules as necessary to fit your configuration and site needs.

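####################################
# GENERAL CONFIG
####################################

# Turn the filtering engine On or Off
SecFilterEngine On

# URL-encoding validation.  The original comment says "make sure that
# URL encoding is valid", but the directive is Off, so that check is
# NOT performed and malformed percent-encoding reaches the rules below
# unvalidated.  Re-enable once the site is known to send valid encoding.
SecFilterCheckURLEncoding Off

# Unicode encoding check, also disabled (same caveat as above)
SecFilterCheckUnicodeEncoding Off

# Byte-range restriction.  0-255 is the whole byte range, so as written
# this directive rejects nothing; narrow it (e.g. 32 126 for printable
# ASCII) only after checking the site's real traffic.
SecFilterForceByteRange 0 255

# Only log requests that triggered a rule
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Debug log, level set to a minimum
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests with HTTP status 403
# (the original comment said 500; the action string below is what applies)
SecFilterDefaultAction "deny,log,status:403"

# Never block localhost.  The dots are escaped so only the literal
# address matches; REMOTE_ADDR is set by the server, so the unescaped
# form was a correctness nit rather than a bypass.
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow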

####################################
# Frontpage Compatibility Rules
####################################
# NOTE(review): a plain SecFilter has no location, so "_vti_bin" is
# matched wherever it occurs in the request, and "allow" ends rule
# processing for that request.  Consider limiting it to the request
# URI (SecFilterSelective REQUEST_URI ... allow) so a match elsewhere
# in the request does not skip the rules that follow.
SecFilter "_vti_bin" allow
# "pass": the rule matches but the request is not denied; processing
# continues with the next rule.
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
SecFilterSelective THE_REQUEST "/authors\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
SecFilterSelective THE_REQUEST "/service\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_bin/" pass

####################################
# GENERAL WEB AND SPAM ATTACKS
####################################
# Plain SecFilter (no location) searches the request as a whole rather
# than one named variable; \x20 is a literal space.
SecFilter "tftp\x20"
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilter "g\+\+\x20"
SecFilter "gcc\x20-o"
SecFilter "nmap\x20"
SecFilter "/etc/shadow"
SecFilter "/etc/passwd"
Secfilter "bcc: "
# all eight case variants of "bcc:" in the request line (mail-header injection)
SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
# Allow added to fix blocking problem with the To: filter in squirrelmail
# NOTE(review): "allow" on a plain SecFilter ends rule processing for any
# request containing this string anywhere, not only squirrelmail's compose
# URL; a REQUEST_URI-scoped allow would be narrower.
Secfilter "/src/compose.php" allow
Secfilter "To: "

# system binaries named in the request line
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "/bin/sh"
SecFilterSelective THE_REQUEST "/tmp/sh"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilterSelective THE_REQUEST "/bin/kill"
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
SecFilterSelective THE_REQUEST "/usr/bin/cc"
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
SecFilterSelective THE_REQUEST "/bin/ping"
SecFilterSelective THE_REQUEST "/bin/mail"
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective THE_REQUEST "/usr/sbin/httpd"

# chain: both rules must match for the request to be denied.
# NOTE(review): in 1.x syntax a leading "!" on a location excludes that
# location rather than negating the pattern; the intent looks like
# "lsof " present but not in the POST body" -- confirm the chain behaves
# as intended.
SecFilterSelective THE_REQUEST "lsof\x20" chain
SecFilterSelective !POST_PAYLOAD "lsof\x20"

SecFilterSelective THE_REQUEST "perl\x20" chain
SecFilterSelective !POST_PAYLOAD "perl\x20"

# disabled Content-Type chain (kept for reference)
#SecFilter "Content-Type\:" chain
#SecFilter "Content-Type\:"

####################################
# Formmail - allows cPanel formmail
####################################
# The four "allow" rules whitelist cPanel's own formmail.  A plain
# SecFilter matches the string anywhere in the request and "allow" ends
# rule processing, so any request carrying one of these paths skips the
# rules that follow.
SecFilter "/cgi-sys/formmail.cgi" allow
SecFilter "/cgi-sys/formmail.pl" allow
SecFilter "/cgi-sys/FormMail.cgi" allow
SecFilter "/cgi-sys/FormMail.pl" allow
# deny other formmail scripts (dots are unescaped, so they match any
# single character)
SecFilter "formmail.php$|formmail.php*/$"
SecFilter "formmail.cgi$|formmail.cgi*/$"
SecFilter "formmail.pl$|formmail.pl*/$"

####################################
# GENERAL BAD STUFF
####################################

# *%0a.pl access (\x0a is a literal newline byte)
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"

####################################
# SYSTEM FILE/COMMAND PROTECTION
####################################

# download tools named in request arguments
SecFilterSelective ARGS "wget "
SecFilterSelective ARGS "lynx "

# Disabled due to too many complaints
#SecFilterSelective ARGS "curl "

# .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

####################################
# SYSTEM USER PROTECTION
####################################
# ~user URLs for system accounts

# /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# /~root access
SecFilterSelective THE_REQUEST "/~root"

# /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# /~cpanel access
SecFilterSelective THE_REQUEST "/~cpanel"

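####################################
# RootKits and /tmp, /dev/shm hacks
####################################
# Extension lists below were split by line wrapping in the page copy
# ("tm p", "b mp", "htm| html", "j pg"); restored to the forms used
# elsewhere in this file.

# chain: a URL-valued parameter ending in one of the listed extensions,
# except on horde's go.php redirector ("!(...)" negates the pattern).
# The second pair is the same rule without the optional space and is
# already covered by the first.
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?"
SecFilterSelective REQUEST_URI "/\.it/viewde"
SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
# NOTE(review): "[09]" matches only the digits 0 and 9; "[0-9]" is
# probably intended (compare tool[12][0-9]? below) -- confirm before widening.
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[09]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[09]?\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/(gif|jpg|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl and .txt extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecFilterSelective REQUEST_URI "perl .*\.txt(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.txt"

#Known rootkit Defacing Tool 2.0 (same "[09]" caveat as above)
SecFilterSelective REQUEST_URI "/tool(12)?[09]?\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="

#other known tools
SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php"
SecFilter "/tmp/sh"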

####################################
# PHPFanBase v2.0
####################################
# URL passed in the siteurl parameter
SecFilterSelective REQUEST_URI "protection.php\?action=logout&siteurl=(http|https|ftp)\:/"

####################################
# Advanced Guestbook
####################################
# http://securitydot.net/xpl/exploits/vulnerabilities/articles/856/exploit.html
SecFilterSelective THE_REQUEST "/admin/addentry\.php\?"
SecFilterSelective THE_REQUEST "/addentry\.php\?"

####################################
# eSupport
####################################
# chain: denied only when autoclose.php is requested AND the subd
# argument carries a URL
SecFilterSelective THE_REQUEST "autoclose.php" chain
SecFilterSelective ARG_subd ".*(http|https|ftp)\:/"

####################################
# FlashChat
####################################
# URL passed in dir[inc]
SecFilterSelective THE_REQUEST "aedating4CMS.php\?dir\[inc\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "aedatingCMS.php\?dir\[inc\]=(http|https|ftp)\:/"

# URL passed in eqdkp_root_path
SecFilterSelective THE_REQUEST "dbal.php\?eqdkp_root_path=(http|https|ftp)\:/"

###################################
#EXTCALENDAR
###################################
# URL passed in CONFIG_EXT[LANGUAGES_DIR]
SecFilterSelective THE_REQUEST "admin_events.php\?CONFIG_EXT\[LANGUAGES_DIR\]=(http|https|ftp)\:/"

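#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"

#new kit
SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)="

#suntzu (request line or Content-Disposition header)
SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt|asp|png)\?"

#phpbackdoor
SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

#new unknown kit
SecFilterSelective REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any loose threads, honeypotting, etc.
# NOTE(review): the location/pattern pairing of the next four rules was
# reconstructed in print order from a column-split page copy; verify it
# against the original file.
SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpg|lala)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/phpterm"
SecFilterSelective REQUEST_URI "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"

#Fantastico worm
SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#new unknown kits (all on REQUEST_URI, so the column split is unambiguous)
SecFilterSelective REQUEST_URI "/iblis\.htm\?"
SecFilterSelective REQUEST_URI "/gif\.gif\?"
SecFilterSelective REQUEST_URI "/go\.php\.txt\?"
SecFilterSelective REQUEST_URI "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/iys\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/zehir\.asp"
SecFilterSelective REQUEST_URI "/aflast\.txt\?"
SecFilterSelective REQUEST_URI "/sikat\.txt\?&cmd"
SecFilterSelective REQUEST_URI "/t\.gif\?"
SecFilterSelective REQUEST_URI "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI "/lukka\?&"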


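#new kit
SecFilterSelective REQUEST_URI "/c99shell\.txt"
SecFilterSelective REQUEST_URI "/c99\.txt\?"

#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
# NOTE(review): location/pattern pairing reconstructed in print order
# from a column-split page copy; verify against the original file.
SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu="

#25dec new one
SecFilterSelective REQUEST_URI "anggands\.(gif|jpg|txt|bmp|png)\?"

#26dec new kit (the second rule was separated from its location by a
# page break in the copy)
SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/vsf\.vsf\?&"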

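#27dec
SecFilterSelective REQUEST_URI "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI "test\.txt\?&"

# NOTE(review): which of the next two patterns belongs to 30dec and
# which to 31dec was reconstructed in print order from the page copy.
#30dec
SecFilterSelective REQUEST_URI "/php\.txt\?"
#31dec
SecFilterSelective REQUEST_URI "\.k4ka\.txt\?"

#1 jan
SecFilterSelective REQUEST_URI "/sql\.txt\?"
SecFilterSelective REQUEST_URI "bind\.(gif|jpg|txt|bmp|png)\?"

#22feb
SecFilterSelective REQUEST_URI "/juax\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/linuxdaybot/\.(gif|jpg|txt|bmp|png)\?"

#24mar
SecFilterSelective REQUEST_URI "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI "\.asp\?.*theAct=inject&thePath="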


#some broken attack program
SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@"
SecFilterSelective THE_REQUEST "trojan\.htm"

SecFilterSelective REQUEST_URI "/r57en\.php"

#c99 rootshell
SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

#generic shell
SecFilterSelective REQUEST_URI "shell\.txt"

#wormsign (inspects the POST body; \$ is a literal dollar sign)
SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"

#dm mass mailer
SecFilter "dm.pl\x20"
SecFilter "dm.cgi\x20"
SecFilter "unziper.pl\x20"
SecFilter "unziper.cgi\x20"
Secfilter "cmd.txt"
Secfilter "miro$"

#mdarui (URL passed in the incl parameter)
SecFilterSelective THE_REQUEST ".php\?incl=(http|https|ftp)"

######################################################################## ## CMS and other PHP-based script patches ########################################################################

####################################
# Bingo News
####################################
# URL passed in the bnrep parameter
SecFilterSelective THE_REQUEST "bp_ncom.php\?bnrep=(http|https|ftp)"

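####################################
# Coppermine Photo Gallery
####################################
# script tags or a URL in the lang parameter ("h ttps" in the page copy
# restored to "https")
SecFilterSelective THE_REQUEST "/index.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
# URL in THEME_DIR.  The page copy had "(http|https|ftp)/:/", which only
# matches the literal text "http/:/"; aligned with the "\:/" form used
# by every other URL rule in this file.
SecFilterSelective THE_REQUEST "/theme.php\?THEME_DIR=(http|https|ftp)\:/"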

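####################################
# e107
####################################
# chain: SQL keywords in the "list" argument of news.php.  The
# "[[:spa ce:]]" split in the page copy is restored to [[:space:]].
# (The "|" characters inside the bracket expression are literal pipes,
# as in the parallel rules elsewhere in this file.)
SecFilterSelective SCRIPT_FILENAME "news.php$" chain
SecFilterSelective ARG_list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"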

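####################################
# eGroupWare
####################################
# Keyword and extension lists below were broken by line wrapping in the
# page copy (e.g. "drop |do", "se lect", "h ttps", "ch rome", "apple t");
# restored to the contiguous forms used by the parallel rules in this file.
SecFilterSelective THE_REQUEST "/index.php?menuaction=preferences.uicategories.index&cats_app=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/tts/index.php?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/sitemgr/sitemgrsite/?category_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php?action=history&page=.*=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php?menuaction=manual.uimanual.view&page=ManualAddressbook.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php?menuaction=forum.uiforum.post&type=new.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php?menuaction=wiki.uiwiki.edit&page=setup.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"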

####################################
# Exhibit Engine
####################################
#http://securitydot.net/xpl/exploits/vulnerabilities/articles/1974/exploit.html
# URL passed in the toroot parameter
SecFilterSelective THE_REQUEST "styles.php\?toroot=(http|https|ftp)"

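####################################
# Invision Power Board
####################################
# chain: ad_member.php in the request line together with emailer.php
# anywhere in the request
SecFilterSelective THE_REQUEST "/ad_member.php" chain
SecFilter "emailer.php"
SecFilterSelective THE_REQUEST "/ipchat.php*root_path*conf_global.php"
# SQL keywords in the st parameter ("DELET E" and "( UNION" in the page
# copy restored)
SecFilterSelective THE_REQUEST "/forums/index.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"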

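####################################
#Mambo
####################################
# URL passed in mosConfig_absolute_path
SecFilterSelective THE_REQUEST "mosConfig_absolute_path=(http|https|ftp):/"
#SecFilterSelective REQUEST_URI "/modules/mod_mainmenu.php\?mosConfig_absolute_path=(http|https|ftp):/"
# "activ ex" and "(http |https" in the page copy restored
SecFilterSelective THE_REQUEST "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/).*/pos=.*.html"
# chain: facileforms frame with a URL in ff_compath
SecFilterSelective THE_REQUEST "/components/com_facileforms/facileforms.frame.php" chain
SecFilterSelective ARG_ff_compath ".*(http|https|ftp)\:/"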

####################################
# ModernBill Remote File Include Vulnerability patch
# http://archives.neohapsis.com/archives/bugtraq/2005-04/0129.html
####################################
# plain SecFilter: the sample scripts are denied wherever the path appears
SecFilter "samples/news.php"
SecFilter "samples/domain_search.php"
SecFilter "samples/faq.php"
SecFilter "samples/login.sample.php"


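####################################
# OpenBB
####################################
# chain: SQL keywords in the FID / TID / UID argument of board|read|member.php.
# "de scribe" and "[AZ|" in the page copy restored to "describe" and the
# "[A-Z|" range used by the parallel rules in this file.
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"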

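####################################
# OSCommerce
####################################
# script tags or a URL in error_message / info_message ("activ ex" and
# "(http |https" in the page copy restored)
SecFilterSelective THE_REQUEST "/default.php?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"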

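####################################
# osTicket
####################################
# "../.." in the file argument
SecFilterSelective THE_REQUEST "/attachments.php\?file=../.."
# URL passed in include_dir
SecFilterSelective THE_REQUEST "include/main.php\?config.*=.*\&include_dir=(http|https|ftp):/"
# SQL keywords in id / cat / t.  Keyword lists split by line wrapping
# in the page copy ("create |rename", "s elect", "descr ibe", "[AZ|")
# restored to the contiguous forms used elsewhere in this file.
SecFilterSelective THE_REQUEST "/admin.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view.php?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view.php" chain
SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"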

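####################################
# Owl
####################################
# SQL keywords after the parent parameter ("trun cate" and "create |rename"
# in the page copy restored)
SecFilterSelective THE_REQUEST "/browse.php?sess=.*parent=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"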


####################################
# phpAds
####################################
# URL passed in phpAds_path
SecFilterSelective THE_REQUEST "view.inc.php\?phpAds_path=(http|https|ftp)"

####################################
# PHP-Wiki
####################################
# any "<script" in the request line (not specific to PHP-Wiki)
SecFilterSelective THE_REQUEST "<script"

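####################################
# phpCOIN
####################################
# _CCFG passed in the query string of the include files
SecFilterSelective THE_REQUEST "api.php?_CCFG"
SecFilterSelective THE_REQUEST "common.php?_CCFG"
SecFilterSelective THE_REQUEST "constants.php?_CCFG"
SecFilterSelective THE_REQUEST "core.php?_CCFG"
SecFilterSelective THE_REQUEST "custom.php?_CCFG"
SecFilterSelective THE_REQUEST "db.php?_CCFG"

# The rest of this page is a second copy of the same file, captured from
# a terminal session (the file name had been displaced from the command
# by the page extraction and is restored here).
root@claire [/usr/local/apache/conf]# cat modsec.conf
# Last Updated 12/19/2006
####################################
# GENERAL CONFIG
####################################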


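# Turn the filtering engine On or Off
SecFilterEngine On

# URL-encoding validation.  The original comment says "make sure that
# URL encoding is valid", but the directive is Off, so that check is
# NOT performed and malformed percent-encoding reaches the rules below
# unvalidated.  Re-enable once the site is known to send valid encoding.
SecFilterCheckURLEncoding Off

# Unicode encoding check, also disabled (same caveat as above)
SecFilterCheckUnicodeEncoding Off

# Byte-range restriction.  0-255 is the whole byte range, so as written
# this directive rejects nothing; narrow it (e.g. 32 126 for printable
# ASCII) only after checking the site's real traffic.
SecFilterForceByteRange 0 255

# Only log requests that triggered a rule
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Debug log, level set to a minimum
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests with HTTP status 403
# (the original comment said 500; the action string below is what applies)
SecFilterDefaultAction "deny,log,status:403"

# Never block localhost.  The dots are escaped so only the literal
# address matches; REMOTE_ADDR is set by the server, so the unescaped
# form was a correctness nit rather than a bypass.
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow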

####################################
# Frontpage Compatibility Rules
####################################
# NOTE(review): a plain SecFilter has no location, so "_vti_bin" is
# matched wherever it occurs in the request, and "allow" ends rule
# processing for that request.  Consider limiting it to the request
# URI (SecFilterSelective REQUEST_URI ... allow) so a match elsewhere
# in the request does not skip the rules that follow.
SecFilter "_vti_bin" allow
# "pass": the rule matches but the request is not denied; processing
# continues with the next rule.
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
SecFilterSelective THE_REQUEST "/authors\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
SecFilterSelective THE_REQUEST "/service\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_bin/" pass

####################################
# GENERAL WEB AND SPAM ATTACKS
####################################
# Plain SecFilter (no location) searches the request as a whole rather
# than one named variable; \x20 is a literal space.
SecFilter "tftp\x20"
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilter "g\+\+\x20"
SecFilter "gcc\x20-o"
SecFilter "nmap\x20"
SecFilter "/etc/shadow"
SecFilter "/etc/passwd"
Secfilter "bcc: "
# all eight case variants of "bcc:" in the request line (mail-header injection)
SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
# Allow added to fix blocking problem with the To: filter in squirrelmail
# NOTE(review): "allow" on a plain SecFilter ends rule processing for any
# request containing this string anywhere, not only squirrelmail's compose
# URL; a REQUEST_URI-scoped allow would be narrower.
Secfilter "/src/compose.php" allow
Secfilter "To: "

# system binaries named in the request line
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "/bin/sh"
SecFilterSelective THE_REQUEST "/tmp/sh"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilterSelective THE_REQUEST "/bin/kill"
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
SecFilterSelective THE_REQUEST "/usr/bin/cc"
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
SecFilterSelective THE_REQUEST "/bin/ping"
SecFilterSelective THE_REQUEST "/bin/mail"
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective THE_REQUEST "/usr/sbin/httpd"

# chain: both rules must match for the request to be denied.
# NOTE(review): in 1.x syntax a leading "!" on a location excludes that
# location rather than negating the pattern; the intent looks like
# "lsof " present but not in the POST body" -- confirm the chain behaves
# as intended.
SecFilterSelective THE_REQUEST "lsof\x20" chain
SecFilterSelective !POST_PAYLOAD "lsof\x20"

SecFilterSelective THE_REQUEST "perl\x20" chain
SecFilterSelective !POST_PAYLOAD "perl\x20"

# disabled Content-Type chain (kept for reference)
#SecFilter "Content-Type\:" chain
#SecFilter "Content-Type\:"

####################################
# Formmail - allows cPanel formmail
####################################
# The four "allow" rules whitelist cPanel's own formmail.  A plain
# SecFilter matches the string anywhere in the request and "allow" ends
# rule processing, so any request carrying one of these paths skips the
# rules that follow.
SecFilter "/cgi-sys/formmail.cgi" allow
SecFilter "/cgi-sys/formmail.pl" allow
SecFilter "/cgi-sys/FormMail.cgi" allow
SecFilter "/cgi-sys/FormMail.pl" allow
# deny other formmail scripts (dots are unescaped, so they match any
# single character)
SecFilter "formmail.php$|formmail.php*/$"
SecFilter "formmail.cgi$|formmail.cgi*/$"
SecFilter "formmail.pl$|formmail.pl*/$"

####################################
# GENERAL BAD STUFF
####################################

# *%0a.pl access (\x0a is a literal newline byte)
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"

####################################
# SYSTEM FILE/COMMAND PROTECTION
####################################

# download tools named in request arguments
SecFilterSelective ARGS "wget "
SecFilterSelective ARGS "lynx "

# Disabled due to too many complaints
#SecFilterSelective ARGS "curl "

# .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

####################################
# SYSTEM USER PROTECTION
####################################
# ~user URLs for system accounts

# /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# /~root access
SecFilterSelective THE_REQUEST "/~root"

# /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# /~cpanel access
SecFilterSelective THE_REQUEST "/~cpanel"

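####################################
# RootKits and /tmp, /dev/shm hacks
####################################
# Extension lists below were split by line wrapping in the page copy
# ("tm p", "b mp", "txt |bmp"); restored to the forms used elsewhere
# in this file.

# chain: a URL-valued parameter ending in one of the listed extensions,
# except on horde's go.php redirector ("!(...)" negates the pattern).
# The second pair is the same rule without the optional space and is
# already covered by the first.
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?"
SecFilterSelective REQUEST_URI "/\.it/viewde"
SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
# NOTE(review): "[09]" matches only the digits 0 and 9; "[0-9]" is
# probably intended (compare tool[12][0-9]? below) -- confirm before widening.
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[09]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[09]?\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/(gif|jpg|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl and .txt extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecFilterSelective REQUEST_URI "perl .*\.txt(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.txt"

#Known rootkit Defacing Tool 2.0 (same "[09]" caveat as above)
SecFilterSelective REQUEST_URI "/tool(12)?[09]?\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="

#other known tools
SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php"
SecFilter "/tmp/sh"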

####################################
# PHPFanBase v2.0
####################################
# URL passed in the siteurl parameter
SecFilterSelective REQUEST_URI "protection.php\?action=logout&siteurl=(http|https|ftp)\:/"

####################################
# Advanced Guestbook
####################################
# http://securitydot.net/xpl/exploits/vulnerabilities/articles/856/exploit.html
SecFilterSelective THE_REQUEST "/admin/addentry\.php\?"
SecFilterSelective THE_REQUEST "/addentry\.php\?"

####################################
# eSupport
####################################
# chain: denied only when autoclose.php is requested AND the subd
# argument carries a URL
SecFilterSelective THE_REQUEST "autoclose.php" chain
SecFilterSelective ARG_subd ".*(http|https|ftp)\:/"

####################################
# FlashChat
####################################
# URL passed in dir[inc]
SecFilterSelective THE_REQUEST "aedating4CMS.php\?dir\[inc\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "aedatingCMS.php\?dir\[inc\]=(http|https|ftp)\:/"

# URL passed in eqdkp_root_path
SecFilterSelective THE_REQUEST "dbal.php\?eqdkp_root_path=(http|https|ftp)\:/"

###################################
#EXTCALENDAR
###################################
# URL passed in CONFIG_EXT[LANGUAGES_DIR]
SecFilterSelective THE_REQUEST "admin_events.php\?CONFIG_EXT\[LANGUAGES_DIR\]=(http|https|ftp)\:/"

#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"

#new kit
SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)="

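#suntzu (request line or Content-Disposition header)
SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt|asp|png)\?"

#phpbackdoor
SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

#new unknown kit
SecFilterSelective REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any loose threads, honeypotting, etc.
# NOTE(review): the location/pattern pairing of the next four rules was
# reconstructed in print order from a column-split page copy; verify it
# against the original file.
SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpg|lala)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/phpterm"
SecFilterSelective REQUEST_URI "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"

#Fantastico worm
SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"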

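#new unknown kits (all on REQUEST_URI, so the column split in the page
# copy is unambiguous)
SecFilterSelective REQUEST_URI "/iblis\.htm\?"
SecFilterSelective REQUEST_URI "/gif\.gif\?"
SecFilterSelective REQUEST_URI "/go\.php\.txt\?"
SecFilterSelective REQUEST_URI "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/iys\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/zehir\.asp"
SecFilterSelective REQUEST_URI "/aflast\.txt\?"
SecFilterSelective REQUEST_URI "/sikat\.txt\?&cmd"
SecFilterSelective REQUEST_URI "/t\.gif\?"
SecFilterSelective REQUEST_URI "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI "/lukka\?&"

#new kit
SecFilterSelective REQUEST_URI "/c99shell\.txt"
SecFilterSelective REQUEST_URI "/c99\.txt\?"

#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="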


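# New pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"

# Generic suntzu payload.
# FIX: the listing had separated the three directives from their patterns;
# re-paired in listing order (two THE_REQUEST rules, one REQUEST_URI rule).
SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu="

# 25 Dec: new one
SecFilterSelective REQUEST_URI "anggands\.(gif|jpg|txt|bmp|png)\?"

# 26 Dec: new kit
SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/vsf\.vsf\?&"

# 27 Dec
SecFilterSelective REQUEST_URI "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI "test\.txt\?&"

# 30 Dec
SecFilterSelective REQUEST_URI "/php\.txt\?"

# 31 Dec
SecFilterSelective REQUEST_URI "\.k4ka\.txt\?"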


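# 1 Jan (directive/pattern pairs restored from the garbled listing, in order)
SecFilterSelective REQUEST_URI "/sql\.txt\?"
SecFilterSelective REQUEST_URI "bind\.(gif|jpg|txt|bmp|png)\?"

# 22 Feb
SecFilterSelective REQUEST_URI "/juax\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/linuxdaybot/\.(gif|jpg|txt|bmp|png)\?"

# 24 Mar: ASP file-manager / upload backdoors
SecFilterSelective REQUEST_URI "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI "\.asp\?.*theAct=inject&thePath="

# Some broken attack program: PUT with an unexpanded "@@RNDSTR@@" placeholder
SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@"
SecFilterSelective THE_REQUEST "trojan\.htm"

# r57 shell
SecFilterSelective REQUEST_URI "/r57en\.php"

# c99 rootshell: its act= verbs
SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

# Generic shell.
# NOTE(review): unanchored, so any path containing "shell.txt" is denied
# (e.g. /docs/powershell.txt) — monitor for false positives.
SecFilterSelective REQUEST_URI "shell\.txt"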


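# Wormsign: PHP shell source POSTed straight in the body
SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"

# dm mass mailer.
# FIX: dots escaped (an unescaped "." matched any character) and the directive
# name case normalised ("Secfilter" -> "SecFilter"; Apache accepts both).
# NOTE(review): "cmd.txt" and "miro$" are short unanchored literals applied to
# the whole request (SecFilter scans URI, arguments and body) — expect false
# positives on ordinary uploads and page content.
SecFilter "dm\.pl\x20"
SecFilter "dm\.cgi\x20"
SecFilter "unziper\.pl\x20"
SecFilter "unziper\.cgi\x20"
SecFilter "cmd\.txt"
SecFilter "miro$"

# mdarui: remote include through incl=
SecFilterSelective THE_REQUEST "\.php\?incl=(http|https|ftp)"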

######################################################################## ## CMS and other PHP-based script patches ########################################################################

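####################################
# Bingo News
####################################
# Remote include via bnrep= (dot escaped)
SecFilterSelective THE_REQUEST "bp_ncom\.php\?bnrep=(http|https|ftp)"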


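####################################
# Coppermine Photo Gallery
####################################
# lang= reflected XSS / remote URL (line-wrap space in "h ttps" rejoined).
# NOTE(review): "(keyword)*>" reduces to "any >" and the bare "html"
# alternative fires on any value containing "html" — broad; watch the log.
SecFilterSelective THE_REQUEST "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
# FIX: the original "(http|https|ftp)/:/" required a literal "http/:/" and so
# could never match a remote-include URL.
SecFilterSelective THE_REQUEST "/theme\.php\?THEME_DIR=(http|https|ftp):/"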

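####################################
# e107
####################################
# SQL keyword shape in the list= argument of news.php.
# FIX: line-wrap debris "[[:spa ce:]]" rejoined; the bracket class is written
# without the stray "|" separators (same character set as the original).
SecFilterSelective SCRIPT_FILENAME "news\.php$" chain
SecFilterSelective ARG_list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"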

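####################################
# eGroupWare
####################################
# FIX: every pattern below had an unescaped "?" after "index.php", which PCRE
# reads as "optional p", so the rules could never match a real query string.
# Line-wrap debris inside tokens (h ttps, ab out, sc ript, ...) is rejoined and
# glob-style "=*" (zero or more "=") is read as "=.*".
# SQL keyword shapes on cats_app= / filter=
SecFilterSelective THE_REQUEST "/index\.php\?menuaction=preferences\.uicategories\.index&cats_app=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/tts/index\.php\?filter=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view|select)"
# Reflected XSS / remote URL shapes.
# NOTE(review): the bare "html" alternative fires on any value containing
# "html" (e.g. page=foo.html) — expect false positives.
SecFilterSelective THE_REQUEST "/sitemgr/sitemgrsite/\?category_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index\.php\?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index\.php\?action=history&page=.*=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index\.php\?menuaction=addressbook\.uiaddressbook\.edit&ab_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index\.php\?menuaction=manual\.uimanual\.view&page=ManualAddressbook.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index\.php\?menuaction=forum\.uiforum\.post&type=new.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index\.php\?menuaction=wiki\.uiwiki\.edit&page=setup.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"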

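####################################
# Exhibit Engine
####################################
#http://securitydot.net/xpl/exploits/vulnerabilities/articles/1974/exploit.html
# Remote include via toroot= (dot escaped)
SecFilterSelective THE_REQUEST "styles\.php\?toroot=(http|https|ftp)"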

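####################################
# Invision Power Board
####################################
# FIX: "/ipchat.php*root_path*conf_global.php" used "*" as a glob; as a regex
# it means "zero or more p" and could only match "ipchat.phroot_path...", so it
# is rewritten with ".*". The st= rule had "=*" (zero or more "=") and a
# line-wrap space inside "( UNION".
SecFilterSelective THE_REQUEST "/ad_member\.php" chain
SecFilter "emailer\.php"
SecFilterSelective THE_REQUEST "/ipchat\.php.*root_path.*conf_global\.php"
SecFilterSelective THE_REQUEST "/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=.*(UNION|SELECT|DELETE|INSERT)"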

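####################################
# Mambo
####################################
# Remote include via mosConfig_absolute_path= (any script)
SecFilterSelective THE_REQUEST "mosConfig_absolute_path=(http|https|ftp):/"
#SecFilterSelective REQUEST_URI "/modules/mod_mainmenu.php\?mosConfig_absolute_path=(http|https|ftp):/"
# Coppermine-in-Mambo XSS (line-wrap space in "activ ex" rejoined, ".html" dot escaped)
SecFilterSelective THE_REQUEST "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/).*/pos=.*\.html"
# FacileForms remote include via ff_compath=
SecFilterSelective THE_REQUEST "/components/com_facileforms/facileforms\.frame\.php" chain
SecFilterSelective ARG_ff_compath "(http|https|ftp)\:/"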

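####################################
# ModernBill Remote File Include Vulnerability patch
# http://archives.neohapsis.com/archives/bugtraq/2005-04/0129.html
####################################
# Deny any request naming one of the vulnerable sample scripts. The four
# original rules are folded into one; dots are escaped (unescaped "." matched
# any character). SecFilter scans the whole request, not just the URI.
SecFilter "samples/(news|domain_search|faq|login\.sample)\.php"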

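####################################
# OpenBB
####################################
# SQL keyword shape in FID / TID / UID. One chain per argument: ModSecurity 1.x
# SecFilterSelective has no documented wildcard ARG_ selector.
# FIX: line-wrap debris "de scribe" rejoined; ".php" dot escaped.
SecFilterSelective THE_REQUEST "/(board|read|member)\.php" chain
SecFilterSelective ARG_FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member)\.php" chain
SecFilterSelective ARG_TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member)\.php" chain
SecFilterSelective ARG_UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"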

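####################################
# OSCommerce
####################################
# Reflected XSS / remote URL in error_message= / info_message=.
# FIX: unescaped "?" after "default.php" (PCRE "optional p") meant the rule
# never matched a real query string; line-wrap space in "activ ex" rejoined.
SecFilterSelective THE_REQUEST "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"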

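####################################
# osTicket
####################################
# FIX: "file=../.." with unescaped dots matched almost any value; "view.php?"
# had an unescaped "?" (PCRE "optional p"); glob-style "=*" read as "=.*";
# line-wrap debris rejoined.
# Directory traversal in attachments.php
SecFilterSelective THE_REQUEST "/attachments\.php\?file=\.\./\.\."
# Remote include via include_dir=
SecFilterSelective THE_REQUEST "include/main\.php\?config.*=.*\&include_dir=(http|https|ftp):/"
# SQL keyword shapes
SecFilterSelective THE_REQUEST "/admin\.php\?a=view&id=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view\.php\?s=.*&query=.*&cat=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view\.php" chain
SecFilterSelective ARG_t "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"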

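####################################
# Owl
####################################
# SQL keyword shape after parent= in browse.php.
# FIX: unescaped "?" after "browse.php" (PCRE "optional p") meant the rule
# never matched a real query string; line-wrap debris "trun cate" rejoined.
SecFilterSelective THE_REQUEST "/browse\.php\?sess=.*parent=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"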

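####################################
# phpAds
####################################
# Remote include via phpAds_path= (dots escaped)
SecFilterSelective THE_REQUEST "view\.inc\.php\?phpAds_path=(http|https|ftp)"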


####################################
# PHP-Wiki
####################################
# Generic: deny any request line containing "<script". Not PHP-Wiki specific;
# it also denies legitimate requests that carry that text in a URL parameter.
SecFilterSelective THE_REQUEST "<script"

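####################################
# phpCOIN
####################################
# _CCFG configuration override on the query string.
# FIX: each of the eight original rules was "<script>.php?_CCFG" with the "?"
# unescaped (PCRE "optional p"), so none could match a real "?_CCFG" query
# string. The eight scripts are folded into one rule, still unanchored at the
# left like the originals.
SecFilterSelective THE_REQUEST "(api|common|constants|core|custom|db|redirect|session_set)\.php\?_CCFG"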

####################################
# PHPLIB
####################################
# PHPLIB remote include: _PHPLIB[libdir] supplied from the request.
# SecFilter scans the whole request (URI, arguments and body).
SecFilter "_PHPLIB\[libdir\]"

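####################################
# PHPNuke
####################################
# FIX: unescaped "?" after "modules.php" (PCRE "optional p", never matches a
# real query string), line-wrap debris inside tokens rejoined, glob-style "=*"
# and "',*" read as ".*", and the ARG_min keyword list had the typo
# "dselect|grant|elete" which left "delete" unmatched.
SecFilter "/modules/My_eGallery/"
# Remote include of the gallery base dir during setup
SecFilterSelective THE_REQUEST "/setup/" chain
SecFilter "GALLERY_BASEDIR=(http|https|ftp):/"
# Reflected XSS / remote URL shapes.
# NOTE(review): the name=.* rule fires on any modules.php request carrying ">"
# or "http:/" anywhere after name= — broad; watch the audit log.
SecFilterSelective THE_REQUEST "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
# SQL keyword shapes
SecFilterSelective THE_REQUEST "/modules\.php\?name=Top&querylang=.*(UNION|SELECT|DELETE|INSERT).*,"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_ratenum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_min "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_orderby "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain
SecFilterSelective ARG_category "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "modules\.php\?name=Surveys&pollID=.*&forwarder=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules\.php\?name=Downloads&d_op=.*&title=.*&url=.*&description=.*&email='.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/modules\.php\?name=Downloads&d_op=.*&url='.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
# NOTE(review): the viewsdownload rule read "[A-Z|a-z|09|*]+(from" in the
# listing — a dropped "0-9" hyphen and missing [[:space:]] at a line wrap is
# assumed, and it is aligned with its sibling rules; confirm upstream.
SecFilterSelective THE_REQUEST "/modules\.php\?name=Downloads&d_op=viewsdownload&min=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/modules\.php\?name=Downloads&d_op=search&min=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
# phpBB-style root path remote include (listed under PHPNuke in the original)
SecFilterSelective THE_REQUEST "/admin_styles\.php\?phpbb_root_path=(http|https|ftp):/"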

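####################################
# PHPBB Vulnerabilities
####################################
# FIX: unescaped "?" after ".php" (PCRE "optional p", never matches a real
# query string), glob-style "=*" / "&*" read as ".*", line-wrap debris
# rejoined (a token was even split across a page break: "pos|ix_kill").
# The two rules at the end of the section carried a trailing "chain" with no
# partner rule in this listing; a dangling chain ANDs itself into the first
# rule of whatever section follows and silently disables it, so they are
# commented out rather than un-chained (on their own they would deny every
# request to those scripts).
SecFilterSelective QUERY_STRING|POST_PAYLOAD|ARGS "echr\("
# Generic PHP execution primitives anywhere on the request line. Broad: expect
# false positives on sites whose URLs or parameters legitimately contain them.
SecFilterSelective THE_REQUEST "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("
SecFilter "&highlight=\x2527\x252Esystem\("
SecFilter "/tmp/php"
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
# highlight= carrying a (double-encoded) quote.
# NOTE(review): ARG_ values are URL-decoded before matching in ModSecurity 1.x,
# so "%27" here presumably only hits a double-encoded quote, and "x27" is the
# literal three-character string — confirm the intent.
SecFilterSelective ARG_highlight "(x27|%27|x2527|%2527)"
SecFilterSelective THE_REQUEST "/viewtopic\.php\?" chain
# NOTE(review): "[0-9a-fAFx]" is restored to "[0-9a-fA-Fx]" on the assumption
# that a hyphen was dropped at a line wrap — confirm upstream.
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)(([0-9a-fA-Fx]{1,3}))"
SecFilterSelective REQUEST_URI "admin/admin_styles\.php\?mode=addnew&install_to=\.\./\.\./"
SecFilterSelective THE_REQUEST "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
SecFilterSelective THE_REQUEST "/cal_view_month\.php\?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)"
# Single-quote injection on id-style parameters
SecFilterSelective THE_REQUEST "/links\.php\?func=show&id='"
SecFilterSelective THE_REQUEST "/dlman\.php\?func=file_info&file_id='"
SecFilterSelective THE_REQUEST "/groupcp\.php\?g=.*sid='"
SecFilterSelective THE_REQUEST "/index\.php\?(c|mark)=.*'"
SecFilterSelective THE_REQUEST "/portal\.php\?article=.*'"
SecFilterSelective THE_REQUEST "/viewforum\.php\?f=.*sid='"
SecFilterSelective THE_REQUEST "/viewtopic\.php\?p=.*sid='"
SecFilterSelective THE_REQUEST "/album_search\.php\?mode='"
SecFilterSelective THE_REQUEST "/album_cat\.php\?cat_id=.*sid='"
SecFilterSelective THE_REQUEST "/album_comment\.php\?pic_id=.*sid='"
SecFilterSelective THE_REQUEST "/moddb/mod\.php\?id='"
SecFilterSelective THE_REQUEST "/auction_rating\.php\?mode=.*&u=.*'"
SecFilterSelective THE_REQUEST "/auction_offer\.php\?mode=.*&ar=.*'"
# Reflected XSS / remote URL
SecFilterSelective THE_REQUEST "/profile\.php\?mode=viewprofile&u=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/viewtopic\.php\?p=.*&highlight=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/posting_notes\.php\?mode=editpost&.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view|select)"
# Incomplete chains (partner rule missing from this listing) — disabled, see above.
#SecFilterSelective THE_REQUEST "/(viewtopic|privmsg|bbcode)\.php\?" chain
#SecFilterSelective THE_REQUEST "/admin_forums\.php\?" chain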

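####################################
# pmachine
####################################
# Remote include via pm_path= (dots escaped).
# NOTE(review): in the listing the section before this one ends with rules
# carrying a trailing "chain" and no partner; as written they chain into this
# first rule, which then can never fire on its own. Fix or disable those first.
SecFilterSelective THE_REQUEST "lib\.inc\.php" chain
SecFilter "pm_path=(http|https|ftp):/"
SecFilterSelective THE_REQUEST "lib\.inc\.php.*pm_path.*(http|https|ftp):/"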

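####################################
# Phorum
####################################
# Direct request to support/common.php (dot escaped)
SecFilterSelective THE_REQUEST "/support/common\.php"

####################################
# Phorm
####################################
# Remote URL in any PHORM_* argument of phorm.php.
# NOTE(review): "ARG_PHORM_*" relies on a wildcard argument selector that the
# ModSecurity 1.x SecFilterSelective documentation does not list; verify the
# rule loads and matches rather than silently looking for a literal "PHORM_*".
SecFilterSelective THE_REQUEST "/phorm\.php" chain
SecFilterSelective ARG_PHORM_* "(http|https|ftp):/"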

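####################################
# phpSysInfo
####################################
# Script / remote URL in sensor_program=.
# FIX: unescaped "?" after "index.php" (PCRE "optional p") meant the rule
# never matched a real query string.
SecFilterSelective THE_REQUEST "/index\.php\?sensor_program=.*(script|(http|https|ftp):/)"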

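####################################
# PunBB
####################################
# SQL keyword shape in temp= of profile.php (line-wrap "de scribe" rejoined)
SecFilterSelective THE_REQUEST "/profile\.php" chain
SecFilterSelective ARG_temp "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
# redirect_url pointing at a remote shell that takes cmd=
SecFilterSelective THE_REQUEST "redirect_url.*(http|https|ftp):/.*cmd="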

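####################################
# phpWebSite
####################################
# Traversal or SQL keyword shape in mod= / module= of index.php.
# FIX: "../" in ARG_mod had unescaped dots (matched any two characters and a
# slash); line-wrap debris "rena me" / "de scribe" rejoined.
SecFilterSelective THE_REQUEST "index\.php" chain
SecFilterSelective ARG_mod "(\.\./|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view))"
SecFilterSelective THE_REQUEST "index\.php" chain
SecFilterSelective ARG_module "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"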

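####################################
# PHP Surveyor
####################################
# SQL keyword shape in sid= / start= / id= / lid= under /admin/ (one chain per
# argument; line-wrap debris "de scribe" rejoined).
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_sid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_start "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_lid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"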

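####################################
# PHPlist
####################################
# SQL keyword shape in id= of the admin page.
# FIX: unescaped "?" after "admin/" (PCRE "optional /") and glob-style "=*"
# (zero or more "=") meant the rule only matched keywords glued straight onto
# "id"; line-wrap debris "trun cate" rejoined.
SecFilterSelective THE_REQUEST "lists/admin/\?page=admin&id=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"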

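####################################
# PHP-Fusion
####################################
# Single-quote injection in msg_view=.
# FIX: unescaped "?" after "messages.php" (PCRE "optional p") meant the rule
# never matched a real query string.
SecFilterSelective THE_REQUEST "/messages\.php\?msg_view='"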

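####################################
# Santy.e Worm Patch
####################################
# Payload host used by the worm, and its highlight= injection
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("

####################################
# Squirrel Mail
####################################
# left_main.php with a cmdd= parameter
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

####################################
# Soholaunch
####################################
#http://www.milw0rm.com/exploits/2724
# Remote include via _SESSION[docroot_path] (dots escaped)
SecFilterSelective THE_REQUEST "shared_functions\.php\?_SESSION\[docroot_path\]=(http|https|ftp)"
SecFilterSelective THE_REQUEST "pgmshopping_css\.inc\.php\?_SESSION\[docroot_path\]=(http|https|ftp)"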

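####################################
# TikiWiki
####################################
# FIX: "tiki-map.phtml?mapfile=../../" had an unescaped "?" (PCRE "optional l")
# and unescaped dots, so it never matched the traversal it describes; the
# tiki-list_faqs rule had the same "?" problem.
SecFilter "/tiki-map\.phtml\?mapfile=\.\./\.\./"
SecFilterSelective THE_REQUEST "/tiki-list_faqs\.php\?offset=(http|https|ftp):/"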

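####################################
# Typo3
####################################
# Directory traversal through translations.php?ONLY=
# NOTE(review): the listing shows "x2e" / "x00" with no backslash, which as a
# regex only matches the literal text "x2e"; assumed to be \x2e / \x00, i.e.
# "../" sequences with a trailing NUL — confirm upstream. THE_REQUEST is the
# raw request line, so a NUL normally arrives as "%00" (matched here as well)
# and "%2e"-encoded dots will not be decoded before this pattern is applied.
SecFilterSelective THE_REQUEST "/translations\.php" chain
SecFilter "ONLY=\x2e\x2e"
SecFilterSelective THE_REQUEST "/dev/translations\.php\?ONLY=(\x2e\x2e/){5}.*(%00|\x00)"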

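####################################
# UBB
####################################
# SQL keyword shapes on UBB script parameters.
# FIX: unescaped "?" after ".php" (PCRE "optional p"), glob-style "=*" and
# ".php*" read as ".*", "/modifypost.phpCat=" was missing its "?", the "az"
# class is restored to "a-z", and line-wrap debris rejoined.
SecFilterSelective THE_REQUEST "/printthread\.php.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Za-z0-9*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/download\.php\?Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar\.php\?Cat=.*&month=.*&year=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar\.php\?Cat=&month=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view).*year=.*"
SecFilterSelective THE_REQUEST "/modifypost\.php\?Cat=.*&Username=.*&Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view).*&Board=UBB8"
SecFilterSelective THE_REQUEST "/mailthread\.php\?Cat=.*&Board=.*&Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/viewmessage\.php\?Cat=&message=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(addfav|notifymod|grabnext)\.php\?Cat=.*&Board=.*&main=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"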

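####################################
# vBulletin
####################################
# calendar.php comma= injection.
# FIX: unescaped "?" after "calendar.php" (PCRE "optional p") meant the rule
# never matched a real query string.
# NOTE(review): the listing shows "x22" with no backslash (literal text);
# assumed to be \x22, a double quote — confirm upstream.
SecFilterSelective THE_REQUEST "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;"
# Remote include via step=
SecFilterSelective THE_REQUEST "\.php\?step=(http|https|ftp)"

####################################
# WebChat
####################################
# defines.php used to include db_mysql.php / english.php (dots escaped)
SecFilterSelective THE_REQUEST "/defines\.php" chain
SecFilter "db_mysql\.php"
SecFilterSelective THE_REQUEST "/defines\.php" chain
SecFilter "english\.php"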


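####################################
# WordPress
####################################
# cat= must be numeric (empty is accepted by the pattern).
# NOTE(review): the "/wordpress/" prefix is deployment-specific; unless the
# blog really lives under that path the chain never fires.
SecFilterSelective REQUEST_URI "/wordpress/" chain
SecFilterSelective ARG_cat "!^[0-9]*$"

####################################
# XMB
####################################
# SQL keyword shape in in= of xmb.php and u2u_select= of u2u.inc.php
# (dots escaped, line-wrap debris "de scribe" rejoined)
SecFilterSelective THE_REQUEST "/xmb\.php" chain
SecFilterSelective ARG_in "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "include/u2u\.inc\.php" chain
SecFilterSelective ARG_u2u_select "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Za-z0-9*| ,]+[[:space:]](from|into|table|database|index|view)"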

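####################################
# Xoops
####################################
# FIX: unescaped "?" after ".php" (PCRE "optional p", never matches a real
# query string) and line-wrap debris ("javascr ipt", "chrome )") rejoined.
# The xmlrpc.php rule pair ended in a trailing "chain" with no third rule in
# this listing; a dangling chain ANDs itself into the first rule of the section
# that follows and silently disables it. It is commented out rather than
# un-chained, because without the missing link it would deny every
# blogger.getUsersBlogs call; re-enable once the missing rule is recovered.
SecFilterSelective THE_REQUEST "/modules/newbb/index\.php\?viewcat='"
# NOTE(review): "9x2c+9x2c+9" as written is literal text; assumed \x2c (","),
# so the pattern reads "9, one or more commas, 9, ..." — confirm upstream.
SecFilterSelective THE_REQUEST "/modules/sections/index\.php\?op=viewarticle&artid=9\x2c+9\x2c+9"
SecFilterSelective THE_REQUEST "modules/newbb/viewforum\.php\?sortname=p\.post_time&sortorder=.*&sortdays=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules/newbb/index\.php\?viewcat=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
# Incomplete chain (third rule missing from this listing) — disabled, see above.
#SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
#SecFilterSelective POST_PAYLOAD "blogger\.getUsersBlogs" chain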

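####################################
# YaBB SE
####################################
# packages.php used to reach packer.php (dots escaped).
# NOTE(review): in the listing the Xoops section just before this one ends
# with a rule carrying a trailing "chain" and no partner; as written it chains
# into this rule, which then needs xmlrpc.php AND packages.php in one request
# and never fires. Fix or disable that dangling chain first.
SecFilterSelective THE_REQUEST "/packages\.php" chain
SecFilter "packer\.php"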

