Note: if your own scripts use curl or wget, ModSecurity will block those requests. Comment out the corresponding rules if this is the case. Note: use these rules with caution. You will need to monitor the error_log for false positives and adjust the rules as necessary to fit your configuration and site needs.
# By default, log and deny suspicious requests
# with HTTP status 403 (the status: value in the action list below).
SecFilterDefaultAction "deny,log,status:403"
####################################
# Frontpage Compatibility Rules
####################################
# NOTE(review): `allow` ends rule processing for a matching request, and a
# plain SecFilter is not limited to the request path. Any request that
# contains the string "_vti_bin" is therefore exempt from every filter that
# follows in this file. Remove this section where FrontPage extensions are
# not installed; where they are, consider scoping the exemption with
# SecFilterSelective REQUEST_URI and an anchored path.
SecFilter "_vti_bin" allow
# The rules below use `pass`: a match lets the request continue to the next
# rule instead of applying the default deny. Several of the listed paths are
# FrontPage password and configuration files (*.pwd, _vti_pvt/*.cnf), so
# access to them has to be denied by the web server's own configuration.
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
SecFilterSelective THE_REQUEST "/authors\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
SecFilterSelective THE_REQUEST "/service\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_bin/" pass
####################################
# Command names and system file paths that should not appear in a normal
# request; a match triggers the default action. \x20 is the hex escape for
# a space, so "wget\x20" requires the command name followed by a space.
SecFilter "tftp\x20"
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilter "g\+\+\x20"
SecFilter "gcc\x20-o"
SecFilter "nmap\x20"
SecFilter "/etc/shadow"
SecFilter "/etc/passwd"
# bcc: headers in request data (presumably spam relaying through web forms).
Secfilter "bcc: "
SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
# Allow added to fix blocking problem with the To: filter in squirrelmail
# NOTE(review): `allow` stops all further rule processing and the pattern is
# matched anywhere in the request, so a request containing "/src/compose.php"
# skips every rule after this point, not only the To: filter.
Secfilter "/src/compose.php" allow
# NOTE(review): "To: " is a very broad pattern that ordinary form text can
# contain; expect false positives and watch the error_log.
Secfilter "To: "
# Paths of system binaries appearing in the request line.
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "/bin/sh"
SecFilterSelective THE_REQUEST "/tmp/sh"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilterSelective THE_REQUEST "/bin/kill"
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
SecFilterSelective THE_REQUEST "/usr/bin/cc"
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
SecFilterSelective THE_REQUEST "/bin/ping"
SecFilterSelective THE_REQUEST "/bin/mail"
####################################
# Formmail - allows cPanel formmail
####################################
# NOTE(review): each `allow` below exempts any request that contains the
# path from all later rules in this file, not only from the formmail denies.
SecFilter "/cgi-sys/formmail.cgi" allow
SecFilter "/cgi-sys/formmail.pl" allow
SecFilter "/cgi-sys/FormMail.cgi" allow
SecFilter "/cgi-sys/FormMail.pl" allow
# Any other formmail script falls through to the default action.
# NOTE(review): the dots are unescaped (they match any character) and `*`
# applies to the preceding letter only, so "formmail.php*/$" reads as
# "formmail.ph", zero or more "p", "/", end of input - confirm the intent.
SecFilter "formmail.php$|formmail.php*/$"
SecFilter "formmail.cgi$|formmail.cgi*/$"
SecFilter "formmail.pl$|formmail.pl*/$"
####################################
####################################
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tm p|asp)\x20?\?" SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tm p|asp)\?"
SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?" SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) " SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?" SecFilterSelective REQUEST_URI "/\.it/viewde" SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpg|jpeg|png|sh|txt|b mp|dat|txt|js|htm| html|tmp|php|asp).\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[09]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|j pg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?" SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[09]?\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/(gif|jpg|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?" SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)" SecFilterSelective THE_REQUEST "\./xkernel\;" SecFilterSelective THE_REQUEST "/kaiten\.c" SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl and .txt extension SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl" SecFilterSelective REQUEST_URI "perl .*\.txt(\s|\t)*\;" SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.txt"
#Known rootkit Defacing Tool 2.0 SecFilterSelective REQUEST_URI "/tool(12)?[09]?\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php" SecFilter "/tmp/sh"
#################################### # Advanced Guestbook #################################### # http://securitydot.net/xpl/exploits/vulnerabilities/articles/856/exploit.html SecFilterSelective THE_REQUEST "/admin/addentry\.php\?" SecFilterSelective THE_REQUEST "/addentry\.php\?"
#################################### # eSupport #################################### SecFilterSelective THE_REQUEST "autoclose.php" chain SecFilterSelective ARG_subd ".*(http|https|ftp)\:/"
# known PHP attack shells #value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc. SecFilterSelective THE_REQUEST SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpg|lala)\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST SecFilterSelective REQUEST_URI "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" "/phpterm" "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
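#new unknown kits
# NOTE(review): the published listing printed the directives and the
# patterns as two separate runs (13 of each); they are paired here in
# listed order. Verify against the original file.
SecFilterSelective REQUEST_URI "/iblis\.htm\?"
SecFilterSelective REQUEST_URI "/gif\.gif\?"
SecFilterSelective REQUEST_URI "/go\.php\.txt\?"
SecFilterSelective REQUEST_URI "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/iys\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/zehir\.asp"
SecFilterSelective REQUEST_URI "/aflast\.txt\?"
SecFilterSelective REQUEST_URI "/sikat\.txt\?&cmd"
SecFilterSelective REQUEST_URI "/t\.gif\?"
SecFilterSelective REQUEST_URI "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI "/lukka\?&"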
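#generic suntzu payload
# NOTE(review): directives and patterns were printed as separate runs in the
# published listing; paired here in listed order. Verify against the
# original file.
SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu="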
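# Directive and pattern rejoined on one line, as the directive requires.
SecFilterSelective REQUEST_URI "/vsf\.vsf\?&"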
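#24mar
# NOTE(review): directives and patterns were printed as separate runs in the
# published listing; paired here in listed order. Verify against the
# original file.
SecFilterSelective REQUEST_URI "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI "\.asp\?.*theAct=inject&thePath="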
#some broken attack program SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@" SecFilterSelective THE_REQUEST "trojan\.htm"
#dm mass mailer SecFilter "dm.pl\x20" SecFilter "dm.cgi\x20" SecFilter "unziper.pl\x20" SecFilter "unziper.cgi\x20" Secfilter "cmd.txt" Secfilter "miro$"
#mdarui
#################################### # Coppermine Photo Gallery #################################### SecFilterSelective THE_REQUEST "/index.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|h ttps|ftp):/)" SecFilterSelective THE_REQUEST "/theme.php\?THEME_DIR=(http|https|ftp)/:/"
#################################### # eGroupWare #################################### SecFilterSelective THE_REQUEST "/index.php?menuaction=preferences.uicategories.index&cats_app=*(delete|insert|drop |do|alter|replace| truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|se lect)" SecFilterSelective THE_REQUEST "/tts/index.php?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create |rename|describe|s elect|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)" SecFilterSelective THE_REQUEST "/sitemgr/sitemgrsite/?category_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|h ttps|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*>| html|(http|https|f tp):/)" SecFilterSelective THE_REQUEST "/index.php?action=history&page=.*=.*((javascript|script|about|applet|activex|ch rome)*>|html|(http|h ttps|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=.*((javascript|script|a bout|applet|active x|chrome)*>|html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?menuaction=manual.uimanual.view&page=ManualAddressbook.*((javascript|sc ript|about|applet| activex|chrome)*>|html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?menuaction=forum.uiforum.post&type=new.*((javascript|script|about|apple t|activex|chrome)* >|html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?menuaction=wiki.uiwiki.edit&page=setup.*((javascript|script|about|apple t|activex|chrome)* >|html|(http|https|ftp):/)"
#################################### # Invision Power Board #################################### SecFilterSelective THE_REQUEST "/ad_member.php" chain SecFilter "emailer.php" SecFilterSelective THE_REQUEST "/ipchat.php*root_path*conf_global.php"
#################################### #Mambo #################################### SecFilterSelective THE_REQUEST "mosConfig_absolute_path=(http|https|ftp):/" #SecFilterSelective REQUEST_URI "/modules/mod_mainmenu.php\?mosConfig_absolute_path=(http|https|ftp):/" SecFilterSelective THE_REQUEST "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activ ex|chrome)*>|(http |https|ftp):/).*/pos=.*.html" SecFilterSelective THE_REQUEST "/components/com_facileforms/facileforms.frame.php" chain SecFilterSelective ARG_ff_compath ".*(http|https|ftp)\:/"
#################################### # ModernBill Remote File Include Vulnerability patch # http://archives.neohapsis.com/archives/bugtraq/2005-04/0129.html #################################### SecFilter "samples/news.php" SecFilter "samples/domain_search.php" SecFilter "samples/faq.php" SecFilter "samples/login.sample.php"
#################################### # OpenBB #################################### SecFilterSelective THE_REQUEST "/(board|read|member).php" chain SecFilterSelective ARG_FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[AZ|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/(board|read|member).php" chain SecFilterSelective ARG_TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[AZ|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/(board|read|member).php" chain SecFilterSelective ARG_UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[AZ|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
####################################
# osTicket #################################### SecFilterSelective THE_REQUEST "/attachments.php\?file=../.." SecFilterSelective THE_REQUEST "include/main.php\?config.*=.*\&include_dir=(http|https|ftp):/" SecFilterSelective THE_REQUEST "/admin.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create |rename|describe|s elect|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]]+(from|into|table|database|index|view|select)" SecFilterSelective THE_REQUEST "/view.php?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|c reate|rename|descr ibe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)" SecFilterSelective THE_REQUEST "/view.php" chain SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename| describe)[[:space:]]+[AZ|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
#################################### # phpCOIN #################################### SecFilterSelective THE_REQUEST "api.php?_CCFG" SecFilterSelective THE_REQUEST "common.php?_CCFG" SecFilterSelective THE_REQUEST "constants.php?_CCFG" SecFilterSelective THE_REQUEST "core.php?_CCFG" SecFilterSelective THE_REQUEST "custom.php?_CCFG" SecFilterSelective THE_REQUEST "db.php?_CCFG" root@claire [/usr/local/apache/conf]# cat # Last Updated 12/19/2006 #################################### # GENERAL CONFIG #################################### modsec.conf
# By default, log and deny suspicious requests
# with HTTP status 403 (the status: value in the action list below).
SecFilterDefaultAction "deny,log,status:403"
####################################
# Frontpage Compatibility Rules
####################################
# NOTE(review): `allow` ends rule processing for a matching request, and a
# plain SecFilter is not limited to the request path. Any request that
# contains the string "_vti_bin" is therefore exempt from every filter that
# follows in this file. Remove this section where FrontPage extensions are
# not installed; where they are, consider scoping the exemption with
# SecFilterSelective REQUEST_URI and an anchored path.
SecFilter "_vti_bin" allow
# The rules below use `pass`: a match lets the request continue to the next
# rule instead of applying the default deny. Several of the listed paths are
# FrontPage password and configuration files (*.pwd, _vti_pvt/*.cnf), so
# access to them has to be denied by the web server's own configuration.
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
SecFilterSelective THE_REQUEST "/authors\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
SecFilterSelective THE_REQUEST "/service\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_bin/" pass
####################################
# GENERAL WEB AND SPAM ATTACKS
####################################
# Command names and system file paths that should not appear in a normal
# request; a match triggers the default action. \x20 is the hex escape for
# a space, so "wget\x20" requires the command name followed by a space.
SecFilter "tftp\x20"
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilter "g\+\+\x20"
SecFilter "gcc\x20-o"
SecFilter "nmap\x20"
SecFilter "/etc/shadow"
SecFilter "/etc/passwd"
# bcc: headers in request data (the spam part of this section).
Secfilter "bcc: "
SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
# Allow added to fix blocking problem with the To: filter in squirrelmail
# NOTE(review): `allow` stops all further rule processing and the pattern is
# matched anywhere in the request, so a request containing "/src/compose.php"
# skips every rule after this point, not only the To: filter.
Secfilter "/src/compose.php" allow
# NOTE(review): "To: " is a very broad pattern that ordinary form text can
# contain; expect false positives and watch the error_log.
Secfilter "To: "
# Paths of system binaries appearing in the request line.
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "/bin/sh"
SecFilterSelective THE_REQUEST "/tmp/sh"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilterSelective THE_REQUEST "/bin/kill"
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
SecFilterSelective THE_REQUEST "/usr/bin/cc"
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
SecFilterSelective THE_REQUEST "/bin/ping"
SecFilterSelective THE_REQUEST "/bin/mail"
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective THE_REQUEST "/usr/sbin/httpd"
#SecFilter "Content-Type\:"
####################################
# Formmail - allows cPanel formmail
####################################
# NOTE(review): each `allow` below exempts any request that contains the
# path from all later rules in this file, not only from the formmail denies.
SecFilter "/cgi-sys/formmail.cgi" allow
SecFilter "/cgi-sys/formmail.pl" allow
SecFilter "/cgi-sys/FormMail.cgi" allow
SecFilter "/cgi-sys/FormMail.pl" allow
# Any other formmail script falls through to the default action.
# NOTE(review): the dots are unescaped (they match any character) and `*`
# applies to the preceding letter only, so "formmail.php*/$" reads as
# "formmail.ph", zero or more "p", "/", end of input - confirm the intent.
SecFilter "formmail.php$|formmail.php*/$"
SecFilter "formmail.cgi$|formmail.cgi*/$"
SecFilter "formmail.pl$|formmail.pl*/$"
####################################
# /~ftp access
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tm p|asp)\x20?\?" SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tm p|asp)\?" SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?" SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) " SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?" SecFilterSelective REQUEST_URI "/\.it/viewde" SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)=" SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpg|jpeg|png|sh|txt|b mp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[09]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpg|jpeg|png|sh|txt |bmp|dat|txt|js|htm|html|tmp|php|asp)\?" SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[09]?\.(gif|jpg|txt|bmp|png)\?" SecFilterSelective REQUEST_URI "/(gif|jpg|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?" SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)" SecFilterSelective THE_REQUEST "\./xkernel\;" SecFilterSelective THE_REQUEST "/kaiten\.c" SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl and .txt extension SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;" SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl" SecFilterSelective REQUEST_URI "perl .*\.txt(\s|\t)*\;" SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.txt"
#Known rootkit Defacing Tool 2.0 SecFilterSelective REQUEST_URI "/tool(12)?[09]?\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)=" SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)=" SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php" SecFilter "/tmp/sh"
#################################### # Advanced Guestbook #################################### # http://securitydot.net/xpl/exploits/vulnerabilities/articles/856/exploit.html SecFilterSelective THE_REQUEST "/admin/addentry\.php\?" SecFilterSelective THE_REQUEST "/addentry\.php\?"
#suntzu
# known PHP attack shells #value of these sigs, pretty low, but here to catch # any lose threads, honeypoting, etc. SecFilterSelective THE_REQUEST SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpg|lala)\.ph(p(3|4)?|tml)" SecFilterSelective THE_REQUEST SecFilterSelective REQUEST_URI "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)" "/phpterm" "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
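# NOTE(review): the published listing printed the directives and the
# patterns as two separate runs (13 of each); they are paired here in
# listed order. Verify against the original file.
SecFilterSelective REQUEST_URI "/iblis\.htm\?"
SecFilterSelective REQUEST_URI "/gif\.gif\?"
SecFilterSelective REQUEST_URI "/go\.php\.txt\?"
SecFilterSelective REQUEST_URI "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/iys\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/zehir\.asp"
SecFilterSelective REQUEST_URI "/aflast\.txt\?"
SecFilterSelective REQUEST_URI "/sikat\.txt\?&cmd"
SecFilterSelective REQUEST_URI "/t\.gif\?"
SecFilterSelective REQUEST_URI "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI "/lukka\?&"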
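#generic suntzu payload
# NOTE(review): directives and patterns were printed as separate runs in the
# published listing; paired here in listed order. Verify against the
# original file.
SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu="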
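#24mar
# NOTE(review): directives and patterns were printed as separate runs in the
# published listing; paired here in listed order. Verify against the
# original file.
SecFilterSelective REQUEST_URI "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI "\.asp\?.*theAct=inject&thePath="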
#some broken attack program SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@" SecFilterSelective THE_REQUEST "trojan\.htm"
#dm mass mailer SecFilter "dm.pl\x20" SecFilter "dm.cgi\x20" SecFilter "unziper.pl\x20" SecFilter "unziper.cgi\x20" Secfilter "cmd.txt" Secfilter "miro$"
#################################### # Coppermine Photo Gallery #################################### SecFilterSelective THE_REQUEST "/index.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|h ttps|ftp):/)" SecFilterSelective THE_REQUEST "/theme.php\?THEME_DIR=(http|https|ftp)/:/"
#################################### # e107 #################################### SecFilterSelective SCRIPT_FILENAME "news.php$" chain SecFilterSelective ARG_list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:spa ce:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
#################################### # eGroupWare #################################### SecFilterSelective THE_REQUEST "/index.php?menuaction=preferences.uicategories.index&cats_app=*(delete|insert|drop |do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[ A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)" SecFilterSelective THE_REQUEST "/tts/index.php?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create |rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/sitemgr/sitemgrsite/?category_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|h ttps|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*>| html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?action=history&page=.*=.*((javascript|script|about|applet|activex|ch rome)*>|html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=.*((javascript|script|a bout|applet|activex|chrome)*>|html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?menuaction=manual.uimanual.view&page=ManualAddressbook.*((javascript|sc ript|about|applet|activex|chrome)*>|html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?menuaction=forum.uiforum.post&type=new.*((javascript|script|about|apple t|activex|chrome)*>|html|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/index.php?menuaction=wiki.uiwiki.edit&page=setup.*((javascript|script|about|apple t|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/ad_member.php" chain SecFilter "emailer.php" SecFilterSelective THE_REQUEST "/ipchat.php*root_path*conf_global.php" SecFilterSelective THE_REQUEST "/forums/index.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*( UNION|SELECT|DELETE|INSERT)"
#################################### #Mambo #################################### SecFilterSelective THE_REQUEST "mosConfig_absolute_path=(http|https|ftp):/" #SecFilterSelective REQUEST_URI "/modules/mod_mainmenu.php\?mosConfig_absolute_path=(http|https|ftp):/" SecFilterSelective THE_REQUEST "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activ ex|chrome)*>|(http|https|ftp):/).*/pos=.*.html" SecFilterSelective THE_REQUEST "/components/com_facileforms/facileforms.frame.php" chain SecFilterSelective ARG_ff_compath ".*(http|https|ftp)\:/"
#################################### # ModernBill Remote File Include Vulnerability patch # http://archives.neohapsis.com/archives/bugtraq/2005-04/0129.html #################################### SecFilter "samples/news.php" SecFilter "samples/domain_search.php" SecFilter "samples/faq.php"
SecFilter "samples/login.sample.php"
#################################### # OpenBB #################################### SecFilterSelective THE_REQUEST "/(board|read|member).php" chain SecFilterSelective ARG_FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/(board|read|member).php" chain SecFilterSelective ARG_TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/(board|read|member).php" chain SecFilterSelective ARG_UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
#################################### # osTicket
#################################### SecFilterSelective THE_REQUEST "/attachments.php\?file=../.." SecFilterSelective THE_REQUEST "include/main.php\?config.*=.*\&include_dir=(http|https|ftp):/" SecFilterSelective THE_REQUEST "/admin.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create |rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]]+(from|into|table|database|index|view|select)" SecFilterSelective THE_REQUEST "/view.php?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|c reate|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)" SecFilterSelective THE_REQUEST "/view.php" chain SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename| describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
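####################################
# phpCOIN
####################################
# Deny requests that pass _CCFG in the query string of the listed phpCOIN
# scripts. The "." and "?" are escaped so they match literally: unescaped,
# "php?" means "ph" plus an optional "p", and the pattern cannot match a
# request that actually contains "api.php?_CCFG".
SecFilterSelective THE_REQUEST "api\.php\?_CCFG"
SecFilterSelective THE_REQUEST "common\.php\?_CCFG"
SecFilterSelective THE_REQUEST "constants\.php\?_CCFG"
SecFilterSelective THE_REQUEST "core\.php\?_CCFG"
SecFilterSelective THE_REQUEST "custom\.php\?_CCFG"
SecFilterSelective THE_REQUEST "db\.php\?_CCFG"
SecFilterSelective THE_REQUEST "redirect\.php\?_CCFG"
SecFilterSelective THE_REQUEST "session_set\.php\?_CCFG"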
SecFilter "/modules/My_eGallery/" SecFilterSelective THE_REQUEST "/setup/" chain SecFilter "GALLERY_BASEDIR=(http|https|ftp):/" SecFilterSelective THE_REQUEST "/banners.php?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex| chrome)*>|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/modules.php?name=.*((javascript|script|about|applet|activex|chrome)*>|(http|https |ftp):/)" SecFilterSelective THE_REQUEST "/modules.php?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet| activex|chrome)*>|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/modules.php?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|apple t|activex|chrome)*>|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/modules.php?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet| activex|chrome)*>|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/modules.php?name=Encyclopedia&file=.*&op=.*&eid.*1<r=.*((javascript|script|abou t|applet|activex|chrome)*>|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/modules.php?name=Top&querylang=.*(UNION|SELECT|DELETE|INSERT).*," SecFilterSelective SCRIPT_FILENAME "modules.php$" chain SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules.php$" chain SecFilterSelective ARG_ratenum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|de scribe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
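# SQL keyword checks on individual modules.php arguments. Each pair is a
# chain: the second rule is evaluated only when SCRIPT_FILENAME ends in
# modules.php, and the request is denied only when both match.
# The ARG_min keyword list is kept identical to the ARG_show, ARG_orderby
# and ARG_url rules; a misplaced letter here (dselect / elete) would leave
# SELECT unmatched.
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_min "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_orderby "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
# NOTE(review): this list has no "select" or "grant", unlike the four rules
# above - confirm whether that is deliberate.
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_category "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
# Whole-request patterns for the Surveys and Downloads modules.
# NOTE(review): the "?" after modules.php is unescaped in these three
# patterns, so "php?" is read as "ph" plus an optional "p" and the rules
# cannot match a literal query string as written. Escape it as \? (and the
# dot as \.) after testing against legitimate traffic.
SecFilterSelective THE_REQUEST "modules.php?name=Surveys&pollID=.*&forwarder=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=.*&title=.*&url=.*&description=.*&email=',*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=.*&url=',*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"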
SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=viewsdownload&min=*(delete|insert|drop|do|alter|r eplace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|09|*]+(from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=search&min=*(delete|insert|drop|do|alter|replace| truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/admin_styles.php?phpbb_root_path=(http|https|ftp):/"
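####################################
# PHPBB Vulnerabilities
####################################
# NOTE(review): in the listing this whole section sat on one physical line that
# begins with "#", which Apache would read as a single comment, so none of the
# rules would load. Directives are restored one per line, the rules split by
# page breaks are rejoined, and line-wrap spaces inside the patterns
# ("p roc_terminate", "chrome) *>") are removed.

# PHP function-call syntax appearing in request data.
SecFilterSelective QUERY_STRING|POST_PAYLOAD|ARGS "echr\("
SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
# Chain: chr(NNN) is only checked on requests for viewtopic.php.
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("
SecFilter "&highlight=\x2527\x252Esystem\("
SecFilter "/tmp/php"
SecFilterSelective THE_REQUEST "/quick-reply.php" chain
SecFilter "phpbb_root_path="
# NOTE(review): "x27" and "x2527" match those literal characters as written;
# check whether a leading "\" or "%" was lost from the original.
SecFilterSelective ARG_highlight "(x27|%27|x2527|%2527)"
# NOTE(review): the class read "[0-9a-fAFx]"; the hyphen in "A-F" appears to
# have been lost at a line wrap and is restored. The doubled parentheses are
# kept as found - unlike the chr rule above they are not escaped, so they group
# rather than match literal "(" and ")". Confirm against the original.
SecFilterSelective THE_REQUEST "/viewtopic.php?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)(([0-9a-fA-Fx]{1,3}))"

# Per-script signatures: directory traversal, SQL keywords and stray quotes in
# specific parameters.
# NOTE(review): most of these leave "?" and "." unescaped. An unescaped "?"
# makes the preceding character optional instead of matching the literal "?"
# that separates path and query string, so a pattern such as
# "/links.php?func=" does not match a request for "/links.php?func=...".
# Test each rule against sample requests before relying on it.
SecFilterSelective REQUEST_URI "admin/admin_styles.php?mode=addnew&install_to=../../"
SecFilterSelective THE_REQUEST "/downloads.php?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
SecFilterSelective THE_REQUEST "/cal_view_month.php?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)"
SecFilterSelective THE_REQUEST "/links.php?func=show&id='"
SecFilterSelective THE_REQUEST "/dlman.php?func=file_info&file_id='"
SecFilterSelective THE_REQUEST "/groupcp.php?g=.*sid='"
SecFilterSelective THE_REQUEST "/index.php?(c|mark)=*'"
SecFilterSelective THE_REQUEST "/portal.php?article=*'"
SecFilterSelective THE_REQUEST "/viewforum.php?f=.*sid='"
SecFilterSelective THE_REQUEST "/viewtopic.php?p=.*sid='"
SecFilterSelective THE_REQUEST "/album_search.php?mode='"
SecFilterSelective THE_REQUEST "/album_cat.php?cat_id=.*sid='"
SecFilterSelective THE_REQUEST "/album_comment.php?pic_id=.*sid='"
SecFilterSelective THE_REQUEST "/moddb/mod.php?id='"
SecFilterSelective THE_REQUEST "/auction_rating.php?mode=.*&u=.*'"
SecFilterSelective THE_REQUEST "/auction_offer.php?mode=.*&ar=.*'"
SecFilterSelective THE_REQUEST "/profile.php?mode=viewprofile&u=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/viewtopic.php?p=.*&highlight=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/posting_notes.php?mode=editpost&*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
# NOTE(review): the two rules below end in "chain", but the rule that should
# complete each chain is not on this page. Left as-is, "chain" links a rule to
# whichever filter follows it in the file, so restore the missing rule or
# remove these lines before deploying.
SecFilterSelective THE_REQUEST "/(viewtopic|privmsg|bbcode).php?" chain
SecFilterSelective THE_REQUEST "/admin_forums.php?" chain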
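####################################
# pmachine
####################################
# Block requests that point lib.inc.php's pm_path parameter at a remote URL
# (remote file inclusion). The first two lines form a chain; the third is a
# single-pattern form of the same check against the request line.
# NOTE(review): the listing had the header and rules on one line beginning with
# "#", which Apache would treat as a comment; they are restored one per line.
# These filters are a stop-gap - the durable fix is on the PHP side (patch the
# application, and disable remote includes if they are not needed).
SecFilterSelective THE_REQUEST "lib.inc.php" chain
SecFilter "pm_path=(http|https|ftp):/"
SecFilterSelective THE_REQUEST "lib.inc.php.*pm_path.*(http|https|ftp):/"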
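####################################
# Phorm
####################################
# Chain: on requests for /phorm.php, reject PHORM_* parameters whose value
# contains an http/https/ftp URL (remote file inclusion).
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line.
# NOTE(review): ARG_<name> normally selects one named parameter. Confirm that
# your ModSecurity version treats the "*" in ARG_PHORM_* as a wildcard;
# otherwise this chain never matches and gives no protection.
SecFilterSelective THE_REQUEST "/phorm.php" chain
SecFilterSelective ARG_PHORM_* "(http|https|ftp):/"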
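####################################
# PunBB
####################################
# Chain: on /profile.php, reject SQL statement fragments in the "temp"
# parameter. The last rule rejects a redirect_url that carries a remote URL
# together with a "cmd=" parameter.
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line and the line-wrap space inside
# "describe" is removed.
# NOTE(review): "/profile.php" is a common script name; the chain applies to
# any application on the server that serves that path, not only PunBB.
SecFilterSelective THE_REQUEST "/profile.php" chain
SecFilterSelective ARG_temp "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "redirect_url.*(http|https|ftp):/.*cmd="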
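####################################
# phpWebSite
####################################
# Chains: on requests containing "index.php", reject directory traversal or SQL
# statement fragments in the "mod" parameter, and SQL fragments in "module".
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line and line-wrap spaces inside "rename" and
# "describe" are removed.
# NOTE(review): in "../" the dots are unescaped, so the pattern matches any two
# characters followed by "/" (for example "ab/"). Expect false positives on
# "mod" values containing a slash; "\.\./" is the literal form.
# NOTE(review): "index.php" is not anchored to an application path, so these
# chains apply to every index.php on the server.
SecFilterSelective THE_REQUEST "index.php" chain
SecFilterSelective ARG_mod "(../|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view))"
SecFilterSelective THE_REQUEST "index.php" chain
SecFilterSelective ARG_module "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"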
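####################################
# NOTE(review): the title of this section is not visible on this page; the bar
# above is the closing line of its header.
# Chains: on requests containing "/admin/", reject SQL statement fragments in
# the sid, start, id and lid parameters.
# NOTE(review): the listing had these rules on one line beginning with "#",
# which Apache would treat as a comment; they are restored one per line and the
# line-wrap space inside "describe" is removed.
# NOTE(review): "/admin/" matches any application's admin path on the server.
# If these parameters are numeric in the target application, an allow-list
# check on the value is tighter than a keyword list - confirm before changing.
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_sid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_start "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_lid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"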
#################################### # PHP-Fusion
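####################################
# Santy.e Worm Patch
####################################
# Two signatures for this worm's requests: the hostname and path it references
# with a "cmd" parameter, and a "highlight" parameter carrying PHP
# fwrite(fopen( call syntax.
# NOTE(review): the listing had the header and rules on one line beginning with
# "#", which Apache would treat as a comment; they are restored one per line.
# Signatures tied to one hostname only catch that variant; keep the generic
# "highlight" checks in the phpBB section enabled as well.
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("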
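####################################
# Squirrel Mail
####################################
# Chain: on requests for /left_main.php, reject any request containing "cmdd=".
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line. The second filter is a plain SecFilter,
# so it is not limited to a single parameter.
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="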
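####################################
# Soholaunch
####################################
#http://www.milw0rm.com/exploits/2724
# Reject requests that set _SESSION[docroot_path] to an http/https/ftp URL on
# the two named include files (remote file inclusion).
# NOTE(review): the listing had the header, reference and rules on one line
# beginning with "#"; they are restored one per line. The "." characters in the
# script names are unescaped and match any character, which only makes the
# match slightly broader than intended.
SecFilterSelective THE_REQUEST "shared_functions.php\?_SESSION\[docroot_path\]=(http|https|ftp)"
SecFilterSelective THE_REQUEST "pgmshopping_css.inc.php\?_SESSION\[docroot_path\]=(http|https|ftp)"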
#################################### # TikiWiki
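####################################
# Typo3
####################################
# Chain: on /translations.php, reject an ONLY parameter that starts with an
# encoded dot; the last rule is a request-line signature for an encoded
# directory-traversal sequence ending in an encoded NUL.
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line.
# NOTE(review): "x2e" and "x00" match those literal characters as written.
# Check whether a leading "\" or "%" was lost from the original, and note that
# the unescaped "?" after ".php" in the last rule makes the "p" optional rather
# than matching a literal "?". Test with sample requests before relying on it.
SecFilterSelective THE_REQUEST "/translations.php" chain
SecFilter "ONLY=x2e"
SecFilterSelective THE_REQUEST "/dev/translations.php?ONLY=x2ex2e/x2ex2e/x2ex2e/x2ex2e/x2ex2e/.*x00"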
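####################################
# UBB
####################################
# Request-line signatures rejecting SQL statement fragments in the query
# strings of specific UBB scripts.
# NOTE(review): the listing had the header and rules run together on lines
# beginning with "#" and split by a page break; they are restored one per line.
# Line-wrap spaces inside keywords ("renam e", "rep lace", "trunc ate",
# "alte r", "t runcate", "inser t") are removed. The last rule's class read
# "[A-Z|az|0-9|...]"; the hyphen in "a-z" appears to have been lost at a line
# wrap and is restored.
# NOTE(review): an unescaped "?" after ".php" makes the "p" optional instead of
# matching the literal "?", and "=*" / "php*" mean "zero or more" of the
# preceding character. The modifypost rule has no "?" at all between ".php"
# and "Cat=" - kept as found. Test every rule against sample requests.
SecFilterSelective THE_REQUEST "/printthread.php*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/download.php?Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar.php?Cat=.*&month=.*&year=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar.php?Cat=&month=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view).*year=.*"
SecFilterSelective THE_REQUEST "/modifypost.phpCat=.*&Username=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view).*&Board=UBB8"
SecFilterSelective THE_REQUEST "/mailthread.php?Cat=.*&Board=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/viewmessage.php?Cat=&message=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(addfav|notifymod|grabnext).php?Cat=.*&Board=.*&main=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"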
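####################################
# WebChat
####################################
# Chains: on requests for /defines.php, reject any request that also contains
# "db_mysql.php" or "english.php".
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line. The "." in each pattern is unescaped and
# matches any character.
SecFilterSelective THE_REQUEST "/defines.php" chain
SecFilter "db_mysql.php"
SecFilterSelective THE_REQUEST "/defines.php" chain
SecFilter "english.php"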
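####################################
# WordPress
####################################
# Chain: on URIs containing "/wordpress/", reject a "cat" parameter that is not
# made up entirely of digits. The leading "!" inverts the match, so this is an
# allow-list check (digits only) rather than a keyword list.
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line. The rule only applies when the blog is
# served under a path containing "/wordpress/"; adjust the first pattern for
# installs at another path.
SecFilterSelective REQUEST_URI "/wordpress/" chain
SecFilterSelective ARG_cat "!^[0-9]*$"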
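####################################
# XMB
####################################
# Chains: reject SQL statement fragments in the "in" parameter of /xmb.php and
# in the "u2u_select" parameter of include/u2u.inc.php.
# NOTE(review): the listing had the header and rules on one line beginning with
# "#"; they are restored one per line and the line-wrap space inside
# "describe" is removed.
# NOTE(review): inside [...] the "|" is a literal character, not alternation,
# so "[A-Z|a-z|0-9|*| |,]" also accepts a pipe.
SecFilterSelective THE_REQUEST "/xmb.php" chain
SecFilterSelective ARG_in "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "include/u2u.inc.php" chain
SecFilterSelective ARG_u2u_select "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"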
SecFilterSelective THE_REQUEST "modules/newbb/viewforum.php?sortname=p.post_time&sortorder=.*&sortdays=.*((javascr ipt|script|about|applet|activex|chrome)*>|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/modules/newbb/index.php?viewcat=.*((javascript|script|about|applet|activex|chrome )*>|(http|https|ftp):/)" SecFilterSelective THE_REQUEST "/xmlrpc.php" chain SecFilterSelective POST_PAYLOAD "blogger.getUsersBlogs" chain