diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_35_bad_robots.data modsecurity-crs-2.2.0/base_rules/modsecurity_35_bad_robots.data --- modsecurity-crs-2.1.2/base_rules/modsecurity_35_bad_robots.data 2010-02-05 17:37:07.000000000 +0000 +++ modsecurity-crs-2.2.0/base_rules/modsecurity_35_bad_robots.data 2011-03-02 19:38:02.000000000 +0000 @@ -4,6 +4,7 @@ prowebwalker hanzoweb email +toata dragostea mea pentru diavola gameBoy, powered by nintendo missigua poe-component-client diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_20_protocol_violations.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_20_protocol_violations.conf --- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_20_protocol_violations.conf 2011-01-27 16:35:58.000000000 +0000 +++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_20_protocol_violations.conf 2011-05-26 18:18:01.000000000 +0000 @@ -1,8 +1,9 @@ # --------------------------------------------------------------- -# Core ModSecurity Rule Set ver.2.1.2 +# Core ModSecurity Rule Set ver.2.2.0 # Copyright (C) 2006-2011 Trustwave All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2 +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- @@ -20,6 +21,7 @@ # Validate request line against the format specified in the HTTP RFC # # -=[ Rule Logic ]=- +# # Uses rule negation against the regex for positive security. The regex specifies the proper # construction of URI request lines such as: # 
@@ -28,13 +30,31 @@ # It also outlines proper construction for CONNECT, OPTIONS and GET requests. # # -=[ References ]=- +# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 # SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ - "t:none,t:lowercase,phase:1,rev:'2.1.2',block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'" + "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',rev:'2.2.0',logdata:'%{request_line}',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_MATURITY/8',tag:'RULE_ACCURACY/8',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'" + + +# +# Identify Invalid URIs Blocked by Apache +# +# -=[ Rule Logic ]=- +# +# There are some request violations that Apache will handle internally, prior to the +# ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get +# visibility by running a check in phase:5 logging to look for the Apache error msg. 
+# +# -=[ References ]=- +# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227 +# +SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',logdata:'%{matched_var}',severity:'4',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_MATURITY/0',tag:'RULE_ACCURACY/9',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'" + # # Identify multipart/form-data name evasion attempts +# # There are possible impedance mismatches between how # ModSecurity interprets multipart file names and how # a destination app server such as PHP might parse the 
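Review bot: Rule 981227 runs in `phase:5` yet still increments `tx.anomaly_score` and `tx.protocol_violation_score`. By the logging phase the request has already been handled, so these increments cannot feed a blocking decision taken in an earlier phase (the blocking evaluation is not visible in this hunk, so this is inferred). The comment block above the rule describes it as a visibility aid, and the rule should say so explicitly, e.g. `# NOTE: phase:5 is log-only; the score set here is for reporting and cannot trigger blocking.` If the score is not meant to be reported, the two score `setvar` actions can be dropped from this rule.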
@@ -47,9 +67,69 @@ # either the file or file name variables. # # -=[ References ]=- +# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000 # http://www.ietf.org/rfc/rfc2183.txt # -SecRule FILES_NAMES|FILES "['\";=]" "phase:2,id:'960000',rev:'2.1.2',pass,t:none,nolog,auditlog,capture,msg:'Attempted multipart/form-data bypass',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}" +SecRule FILES_NAMES|FILES "['\";=]" "phase:2,t:none,id:'960000',rev:'2.2.0',block,capture,msg:'Attempted multipart/form-data bypass',logdata:'%{matched_var}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}" + + +# +# Verify that we've correctly processed the request body. +# +# As a rule of thumb, when failing to process a request body +# you should reject the request (when deployed in blocking mode) +# or log a high-severity alert (when deployed in detection-only mode). +# +# -=[ Rule Logic ]=- +# Checks for the existence of the REQBODY_ERROR variable that is created +# by the request body processor if it encounters errors. 
+# +# -=[ References ]=- +# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#REQBODY_ERROR +# +SecRule REQBODY_ERROR "!@eq 0" \ + "phase:2,t:none,block,msg:'Failed to parse request body.',id:'960912',logdata:'%{reqbody_error_msg}',severity:2,setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" + + +# +# Strict Multipart Parsing Checks +# +# -=[ Rule Logic ]=- +# By default be strict with what we accept in the multipart/form-data +# request body. If the rule below proves to be too strict for your +# environment consider changing it to detection-only. You are encouraged +# _not_ to remove it altogether. +# +# -=[ References ]=- +# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_STRICT_ERROR +# +SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + "phase:2,t:none,block,msg:'Multipart request body failed strict validation: \ +PE %{REQBODY_PROCESSOR_ERROR}, \ +BQ %{MULTIPART_BOUNDARY_QUOTED}, \ +BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ +DB %{MULTIPART_DATA_BEFORE}, \ +DA %{MULTIPART_DATA_AFTER}, \ +HF %{MULTIPART_HEADER_FOLDING}, \ +LF %{MULTIPART_LF_LINE}, \ +SM %{MULTIPART_SEMICOLON_MISSING}, \ +IQ %{MULTIPART_INVALID_QUOTING}, \ +IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ +IH 
%{MULTIPART_FILE_LIMIT_EXCEEDED}',id:'960914',severity:2,setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" + + +# +# Multipart Unmatched Boundary Check +# +# -=[ Rule Logic ]=- +# Check for the MULTIPART_UNMATCHED_BOUNDARY flag and alert +# +# -=[ References ]=- +# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_UNMATCHED_BOUNDARY +# +SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "phase:2,t:none,block,msg:'Multipart parser detected a possible unmatched boundary.',id:'960915',severity:2,setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}" + # # Accept only digits in content length 
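Review bot: In the new rule 960914 the `msg` text labels two different variables with the same prefix: `IH %{MULTIPART_INVALID_HEADER_FOLDING}` is followed by `IH %{MULTIPART_FILE_LIMIT_EXCEEDED}`, so an analyst reading the alert cannot tell which flag was set. Give the last one its own label, e.g. `FL %{MULTIPART_FILE_LIMIT_EXCEEDED}`. Separately, rule 960000 in the same hunk moves from `pass,nolog,auditlog` to `block` while still matching `['\";=]` in `FILES_NAMES|FILES`. Upload names containing an apostrophe or `=` now become subject to the configured default disruptive action, so this should be tested against legitimate uploads before blocking mode is enabled.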
@@ -61,7 +141,7 @@ # -=[ References ]=- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13 # -SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:1,rev:'2.1.2',t:none,block,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}" +SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:1,rev:'2.2.0',t:none,block,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{matched_var}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}" # # Do not accept GET or HEAD requests with bodies 
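Review bot: Rule 960016 is tagged `PROTOCOL_VIOLATION/INVALID_HREQ`, but the new line still adds to `tx.policy_score` and stores the match under `tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}`, so a non-numeric Content-Length is counted as a policy hit rather than a protocol violation. The neighbouring rules in this file use `tx.protocol_violation_score` and a `PROTOCOL_VIOLATION/INVALID_HREQ` key, and this rule should be aligned with them: `setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score}` and `setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}`. Anything that correlates on the per-category score or on the stored key name would presumably miss this event otherwise.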
@@ -78,8 +158,8 @@ # -=[ References ]=- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3 # -SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:1,rev:'2.1.2',t:none,block,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3'" - SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" +SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:1,rev:'2.2.0',t:none,block,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3'" + SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" # # Require Content-Length to be provided with every POST request. 
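Review bot: The chain starter's new `tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}'` expands a transaction variable that is only assigned by `setvar:tx.id=%{rule.id}` in the last rule of the chain, so the logged reference depends on action evaluation order. I have not verified when the tag is expanded; if that happens before the `setvar` runs, it would carry the id left by an earlier matching rule or nothing at all. `%{rule.id}` is already used in the `setvar` keys of these rules, so the tag can reference it directly: `tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{rule.id}'`. The same pattern appears in the hunks for the chained rules 960012, 960022 and 960020, and for the single rules 960902 and 958291.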
@@ -91,8 +171,8 @@ # -=[ References ]=- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5 # -SecRule REQUEST_METHOD "^POST$" "chain,phase:1,rev:'2.1.2',t:none,block,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5'" - SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" +SecRule REQUEST_METHOD "^POST$" "chain,phase:1,rev:'2.2.0',t:none,block,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5'" + SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" # # Deny inbound compressed content 
@@ -107,7 +187,7 @@ # -=[ References ]=- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html # -SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:1,rev:'2.1.2',t:none,block,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.5',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}" +SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" "phase:1,rev:'2.2.0',t:none,block,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.id=%{rule.id},tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.5',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}" # # Expect header is an HTTP/1.1 protocol feature 
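Review bot: The operator for rule 960902 changed from `"!^Identity$"` to `"^Identity$"`, which inverts the check. The rule now matches only when Content-Encoding is exactly `Identity` and no longer matches any compressed encoding, although the `msg` is still 'ModSecurity does not support content encodings' and the section heading just above the hunk reads 'Deny inbound compressed content'. A request declaring a compressed body would pass this rule without scoring, and the later body-inspection rules would presumably be looking at data they cannot decode. Unless the inversion is intentional, restore the negation: `SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$"`. The comment block describing the rule starts outside this hunk.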
@@ -121,8 +201,8 @@ # -=[ References ]=- # http://www.bad-behavior.ioerror.us/documentation/how-it-works/ # -SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,rev:'2.1.2',t:none,nolog,pass,auditlog,msg:'Expect Header Not Allowed.',severity:'5',id:'960022',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'" - SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" +SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Expect Header Not Allowed for HTTP 1.0.',severity:'5',id:'960022',tag:'RULE_MATURITY/4',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'" + SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" # # Pragma Header requires a Cache-Control Header 
@@ -137,9 +217,9 @@ # -=[ References ]=- # http://www.bad-behavior.ioerror.us/documentation/how-it-works/ # -SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'" +SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'" SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain" - SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" + SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" # # Range Header exists and begins with 0 - normal browsers don't do this. 
@@ -151,7 +231,7 @@ # -=[ References ]=- # http://www.bad-behavior.ioerror.us/documentation/how-it-works/ # -SecRule REQUEST_HEADERS:Range "@contains =0-" "phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,msg:'Range: field exists and begins with 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" +SecRule REQUEST_HEADERS:Range "@streq bytes=0-" "phase:2,rev:'2.2.0',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}'severity:'5',id:'958291',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" # # Broken/Malicous clients often have duplicate or conflicting headers 
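Review bot: The new action list for rule 958291 is missing a comma between two actions: `logdata:'%{matched_var}'severity:'5'`. It should read `logdata:'%{matched_var}',severity:'5'`; as written the parser may reject the rule or misread the severity. The operator was also narrowed from `@contains =0-` to `@streq bytes=0-`, so a header such as `bytes=0-499` no longer matches while the `msg` still says 'Range: field exists and begins with 0.'. If only the open-ended range is meant, the message and the comment above the rule should say so.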
@@ -164,7 +244,7 @@ # -=[ References ]=- # http://www.bad-behavior.ioerror.us/documentation/how-it-works/ # -SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" +SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2.2.0',t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" # # Check URL encodings 
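Review bot: The pattern `\b(keep-alive|close),\s?(keep-alive|close)\b` in rule 958295 is applied with `t:none` only, so it is case-sensitive and a header value such as `Keep-Alive, close` does not match. Connection tokens are case-insensitive, so the rule should normalise first by adding `t:lowercase` after `t:none`, as rule 960911 in this file already does: `t:none,t:lowercase,block`. The hunk also replaces `pass,nolog,auditlog,status:400` with `block`, which makes the outcome depend on the configured default action. That is worth stating in the comment block above the rule, which starts outside this hunk.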
@@ -178,16 +258,17 @@ # http://www.ietf.org/rfc/rfc1738.txt # SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \ - "chain,phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'" + "chain,phase:2,rev:'2.2.0',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'" SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \ - "phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'Multiple URL Encoding Detected',id:'950109',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + "phase:2,rev:'2.2.0',t:none,block,msg:'Multiple URL Encoding Detected',id:'950109',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + +SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \ + "chain,phase:2,rev:'2.2.0',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'" + SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain" + SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" 
"setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" -SecRule REQUEST_HEADERS:Content-Type "^application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \ - "chain,phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'" - SecRule REQUEST_BODY "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain" - SecRule REQUEST_BODY "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" # # Check UTF enconding @@ -198,7 +279,7 @@ # This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING # variable in the modsecurity_crs_10_config.conf file. # -SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',severity:'5'" +SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',severity:'5'" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" 
@@ -213,7 +294,7 @@ # http://www.kb.cert.org/vuls/id/739224 # SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \ - "t:none,phase:2,rev:'2.1.2',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',tag:'http://www.kb.cert.org/vuls/id/739224',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + "t:none,phase:2,rev:'2.2.0',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',tag:'http://www.kb.cert.org/vuls/id/739224',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" # # Proxy access attempt 
@@ -221,15 +302,15 @@ # included in case Apache proxy is misconfigured. # NOTE There are some clients (mobile devices) that will send a full URI even when connecting to # your local application and this rule allows it. -# NOTE Need to have UseCononicalName On in Apache config to properly set the SERVER_NAME variable. -# If you have set UseCononicalName, the you can uncomment this rule. +# NOTE Need to have UseCanonicalName On in Apache config to properly set the SERVER_NAME variable. +# If you have set UseCanonicalName, the you can uncomment this rule. # # -=[ Rule Logic ]=- # This chained rule first inspects the URI to see if a full domain name is specified. # If it is, then this data is compared against the Cononical SERVER_NAME. If it does # not match, then the client is making a request for an off-site location. # -#SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,rev:'2.1.2',t:none,block,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS',tag:'WASCTC/WASC-14',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10'" +#SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS',tag:'WASCTC/WASC-14',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10'" # SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}" # 
@@ -249,10 +330,10 @@ # SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \ - "phase:2,rev:'2.1.2',block,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',tag:'http://i-technica.com/whitestuff/asciichart.html',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + "phase:2,rev:'2.2.0',block,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',tag:'http://i-technica.com/whitestuff/asciichart.html',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" -SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',block,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,tag:'http://i-technica.com/whitestuff/asciichart.html'" +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',block,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,tag:'http://i-technica.com/whitestuff/asciichart.html'" SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA \ "@validateByteRange 32-126" \ - 
"setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + "t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_21_protocol_anomalies.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_21_protocol_anomalies.conf --- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_21_protocol_anomalies.conf 2011-01-27 16:35:58.000000000 +0000 +++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_21_protocol_anomalies.conf 2011-05-03 19:01:25.000000000 +0000 @@ -1,8 +1,9 @@ # --------------------------------------------------------------- -# Core ModSecurity Rule Set ver.2.1.2 +# Core ModSecurity Rule Set ver.2.2.0 # Copyright (C) 2006-2011 Trustwave All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2 +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- 
@@ -25,9 +26,9 @@ SecMarker BEGIN_HOST_CHECK SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + "skipAfter:END_HOST_CHECK,phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_HEADERS:Host "^$" \ - "phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + "phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" SecMarker END_HOST_CHECK 
@@ -43,10 +44,10 @@ SecMarker BEGIN_ACCEPT_CHECK SecRule REQUEST_METHOD "!^OPTIONS$" \ - "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'" + "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'" SecRule &REQUEST_HEADERS:Accept "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_METHOD "!^OPTIONS$" \ - "chain,phase:2,rev:'2.1.2',t:none,block,msg:'Request Has an Empty Accept Header', severity:'2',id:'960021',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'" + "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Request Has an Empty Accept Header', severity:'2',id:'960021',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'" SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" SecMarker END_ACCEPT_CHECK 
@@ -62,7 +63,7 @@
 SecMarker BEGIN_UA_CHECK
 SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
- "skipAfter:END_UA_CHECK,phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+ "skipAfter:END_UA_CHECK,phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
 SecRule REQUEST_HEADERS:User-Agent "^$" \
 "t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
@@ -80,7 +81,7 @@
 #
 SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
- "chain,phase:2,rev:'2.1.2',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
+ "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
 SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
 # Check that the host header is not an IP address
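Review bot: Rule 960904 can only fire when a Content-Length header is present, because the chained test `REQUEST_HEADERS:Content-Length "!^0$"` has no variable to evaluate when that header is absent. As far as I can tell, a request body sent with chunked transfer encoding and no Content-Type would therefore pass unflagged. Consider a companion chain keyed on `&REQUEST_HEADERS:Transfer-Encoding "!@eq 0"`, or at least state the limitation in the rule's comment block, e.g. `# NOTE: only covers requests that carry a Content-Length header`. That comment block starts outside this hunk.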
@@ -94,7 +95,7 @@
 # http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
 #
-SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.1.2',t:none,block,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
+SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.2.0',t:none,block,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
 # Log a security event when the request is rejected by apache
 #
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_23_request_limits.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_23_request_limits.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_23_request_limits.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_23_request_limits.conf 2011-05-03 19:01:25.000000000 +0000
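Review bot: The action list of rule 960017 still ends with `=%{matched_var}'"`, so the last `setvar` carries a closing single quote with no opening one; the rev bump copies this unbalanced quote onto the new line. Quote the whole action, `setvar:'tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'`, or drop the stray quote. The rule is also tagged `PROTOCOL_VIOLATION/IP_HOST` while it scores into `tx.policy_score` and stores its match under `POLICY/IP_HOST`; using one category for both would keep alert filtering by tag and by TX variable in agreement.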
@@ -1,8 +1,9 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
 # Copyright (C) 2006-2011 Trustwave All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
 # Please see the enclosed LICENCE file for full details.
 # ---------------------------------------------------------------
@@ -19,29 +20,29 @@
 ## -- Arguments limits --
 # Limit argument name length
-SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.1.2'"
+SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.2.0'"
 SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
 # Limit value name length
-SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2.1.2'"
+SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2.2.0'"
 SecRule &ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
 # Maximum number of arguments in request limited
-SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.1.2'"
+SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.2.0'"
 SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
 # Limit arguments total length
-SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2.1.2'"
+SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2.2.0'"
 SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
 ## -- File upload limits --
 # Individual file size is limited
-SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:2,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2.1.2'"
+SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:2,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2.2.0'"
 SecRule FILES_SIZES "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
 # Combined file size is limited
-SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2.1.2'"
+SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2.2.0'"
 SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_30_http_policy.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_30_http_policy.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_30_http_policy.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_30_http_policy.conf 2011-05-03 19:01:25.000000000 +0000
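Review bot: The chained rules of 960209 and 960208 test `&ARGS_NAMES` and `&ARGS` with `t:length`, but the `&` prefix yields the number of items in the collection, so `t:length` measures the length of that count rather than of any argument name or value. With realistic limits these two size checks are unlikely to ever trigger. Drop the `&` in both, `SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,...` and `SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,...`; rule 960335 is right to keep `&ARGS` because it limits the argument count. The comment `# Limit value name length` would read better as `# Limit argument value length`.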
@@ -1,8 +1,9 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
 # Copyright (C) 2006-2011 Trustwave All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
 # Please see the enclosed LICENCE file for full details.
 # ---------------------------------------------------------------
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_35_bad_robots.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_35_bad_robots.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_35_bad_robots.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_35_bad_robots.conf 2011-05-03 19:01:25.000000000 +0000
@@ -1,8 +1,9 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
 # Copyright (C) 2006-2011 Trustwave All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
 # Please see the enclosed LICENCE file for full details.
 # ---------------------------------------------------------------
@@ -16,14 +17,14 @@
 # site.
 SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
- "phase:2,rev:'2.1.2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
 SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
- "phase:2,rev:'2.1.2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
 SecRule REQUEST_FILENAME "^/nessustest" \
- "phase:2,rev:'2.1.2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
 SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
- "phase:2,rev:'2.1.2',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
 SecMarker END_ROBOT_CHECK
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_40_generic_attacks.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_40_generic_attacks.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_40_generic_attacks.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_40_generic_attacks.conf 2011-05-26 18:18:01.000000000 +0000
@@ -1,8 +1,9 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
 # Copyright (C) 2006-2011 Trustwave All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
 # Please see the enclosed LICENCE file for full details.
 # ---------------------------------------------------------------
@@ -21,9 +22,9 @@
 # http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 #
 SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
- "phase:2,rev:'2.1.2',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
+ "phase:2,rev:'2.2.0',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
 SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
 "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
 "t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
@@ -40,9 +41,9 @@
 # http://www.adobe.com/devnet/security/security_zone/asb99-10.html
 #
 SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
- "phase:2,rev:'2.1.2',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
+ "phase:2,rev:'2.2.0',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
 SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
 "capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0}"
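Review bot: Rule 950009 matches undocumented ColdFusion tag names but is still labelled `msg:'Session Fixation'` with `tag:'WEB_ATTACK/SESSION_FIXATION'`, `WASCTC/WASC-37`, `OWASP_TOP_10/A3` and `PCI/6.5.7`, while it scores into `tx.cf_injection_score` and skips to `END_CF_INJECTION`. Alerts from this rule will be triaged and counted under the wrong attack class. Its metadata should match the paranoid-mode sibling 950008 in the same hunk: `msg:'Injection of Undocumented ColdFusion Tags'`, `tag:'WEB_ATTACK/CF_INJECTION'`, `tag:'WASCTC/WASC-15'`, `tag:'OWASP_TOP_10/A6'`, `tag:'PCI/6.5.2'`.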
@@ -58,9 +59,9 @@
 # http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
 #
 SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
- "phase:2,rev:'2.1.2',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
+ "phase:2,rev:'2.2.0',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,id:'950912',severity:'4',msg:'LDAP Injection Attack',logdata:'%{TX.0}',tag:WEB_ATTACK/LDAP_INJECTION,ctl:auditLogParts=+E,pass,nolog,auditlog"
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,id:'950912',severity:'4',msg:'LDAP Injection Attack',logdata:'%{TX.0}',tag:WEB_ATTACK/LDAP_INJECTION,ctl:auditLogParts=+E,pass,nolog,auditlog"
 SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
 "capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0}"
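Review bot: The paranoid-mode chain 950912 is declared with `severity:'4'` and `pass,nolog,auditlog`, yet its chained rule adds `tx.critical_anomaly_score`, and the paranoid siblings 959907 and 950008 in this file use `block` with `severity:'2'`. A match therefore raises the anomaly score at critical weight while the alert is recorded as a low-severity, non-blocking event, which is easy to misread during triage. If alert-only behaviour is intended here, add a comment above the rule saying so; otherwise align it with the siblings using `block` and `severity:'2'`. The tag should also be quoted like the others, `tag:'WEB_ATTACK/LDAP_INJECTION'`.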
@@ -76,9 +77,9 @@ # http://projects.webappsec.org/SSI-Injection # SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* ")|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:--[^\n]*$)|(?:\)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:%c0%ae\/)|(?:(?:\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\))|(?:(?:\/|\\\\)inetpub|localstart\.asp|boot\.ini)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects specific directory and path 
traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%c0%ae\/)|(?:(?:\/|\\\\\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\\\\\))|(?:(?:\/|\\\\\\\\)inetpub|localstart\.asp|boot\.ini)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" 
"chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" 
"capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\\\\\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional 
queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW 
"(?:\\\\\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 
1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects conditional SQL injection 
attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:etc\/\W*passwd)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:etc\/\W*passwd)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' 
"([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' 
"(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 
3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' 
"(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' 
"([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' 
"(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown 
attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge 
detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:[\s\/\"]+[-\w\/\\\\\*]+\s*=.+(?:\/\s*>))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated 
attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s\/\"]+[-\w\/\\\\\\\\\*]+\s*=.+(?:\/\s*>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" 
"capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" 
"capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common XSS concatenation patterns 
1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects obfuscated JavaScript script 
injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" 
"chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" 
"capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" 
"capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 
2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" 
"chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" 
"capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" 
"phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\"\s*or\s*\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 
3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" 
"chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' 
"(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:^>[\w\s]*<\/?\w{2,}>)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW 
"(?:^>[\w\s]*<\/?\w{2,}>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\d{2,3})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\\\\\\\\u00[a-f0-9]{2})|(?:\\\\\\\\x0*[a-f0-9]{2})|(?:\\\\\\\\\d{2,3})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation 
attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects 
concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" 
"capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\%+-][\w-]+[^\w\s]+\"[^,])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects classic SQL injection probings 
2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'" + SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'" + +SecRule TX:'/_normalized/' "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?" "phase:2,id:'981146',t:none,nolog,pass,nolog,setvar:tx.restricted_char_payload=%{matched_var}" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ~" "phase:2,id:'981147',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,id:'981148',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" 
"phase:2,id:'981149',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains @" "phase:2,id:'981150',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains #" "phase:2,id:'981151',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains $" "phase:2,id:'981152',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains %" "phase:2,id:'981153',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ^" "phase:2,id:'981154',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains &" "phase:2,id:'981155',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains *" "phase:2,id:'981156',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains (" "phase:2,id:'981157',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains )" "phase:2,id:'981158',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,id:'981159',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains +" "phase:2,id:'981160',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains =" "phase:2,id:'981161',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains {" "phase:2,id:'981162',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains }" "phase:2,id:'981163',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains [" "phase:2,id:'981164',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ]" 
"phase:2,id:'981165',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains |" "phase:2,id:'981166',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains :" "phase:2,id:'981167',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ;" "phase:2,id:'981168',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains \"" "phase:2,id:'981169',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains '" "phase:2,id:'981170',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains <" "phase:2,id:'981171',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains >" "phase:2,id:'981172',t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,block,nolog,auditlog,id:'960023',rev:'2.2.0',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}" + +# +# This rule attempts to identify when multiple (3 or more) speciail, non-word characters are repeated +# +SecRule ARGS "\W{4,}" "phase:2,capture,t:none,block,nolog,auditlog,id:'960024',rev:'2.2.0',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{tx.0}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}" + diff -Nru modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf --- modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf 
2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,27 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+SecRuleScript profile_page_scripts.lua "phase:4,id:'981187',t:none,nolog,pass"
+
+SecRule &RESOURCE:'/(niframes|nscripts|nlinks|nimages)/' "@eq 0" "skipAfter:END_PAGE_PROFILE,phase:4,id:'981188',t:none,nolog,pass,setvar:resource.niframes=%{tx.niframes},setvar:resource.nscripts=%{tx.nscripts},setvar:resource.nlinks=%{tx.nlinks},setvar:resource.nimages=%{tx.nimages}"
+
+SecRule TX:NIFRAMES "@eq %{resource.niframes}" "phase:4,id:'981189',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+SecRule TX:NSCRIPTS "@eq %{resource.nscripts}" "phase:4,id:'981190',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+SecRule TX:NLINKS "@eq %{resource.nlinks}" "phase:4,id:'981191',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+SecRule TX:NIMAGES "@eq %{resource.nimages}" "phase:4,id:'981192',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+
+SecRule RESOURCE:PROFILE_CONFIDENCE_COUNTER "@lt 40" "phase:4,id:'981193',t:none,nolog,pass,skipAfter:END_PAGE_PROFILE"
+
+SecRule TX:NIFRAMES "!@eq %{resource.niframes}" "phase:4,id:'981194',t:none,block,msg:'Number of IFrames in Page Have Changed.',logdata:'Previous #: %{resource.niframes} and Current #: %{tx.niframes}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+SecRule TX:NSCRIPTS "!@eq %{resource.nscripts}" "phase:4,id:'981195',t:none,block,msg:'Number of Scripts in Page Have Changed.',logdata:'Previous #: %{resource.nscripts} and Current #: %{tx.nscripts}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+SecRule TX:NLINKS "!@eq %{resource.nlinks}" "phase:4,id:'981196',t:none,block,msg:'Number of Links in Page Have Changed.',logdata:'Previous #: %{resource.nlinks} and Current #: %{tx.nlinks}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+SecRule TX:NIMAGES "!@eq %{resource.nimages}" "phase:4,id:'981197',t:none,block,msg:'Number of Images in Page Have Changed.',logdata:'Previous #: %{resource.nimages} and Current #: %{tx.nimages}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+
+SecMarker END_PAGE_PROFILE
diff -Nru modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf
--- modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf 2011-05-03 19:01:25.000000000 +0000
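Review bot: Rules 981194 through 981197 write `setvar:tx.anomaly_score=+{tx.error_anomaly_score}` without the `%` that marks a macro, so the inbound anomaly score is presumably not raised by the configured error score the way `tx.outbound_anomaly_score` on the same lines is. Each of the four should read `setvar:tx.anomaly_score=+%{tx.error_anomaly_score}`. The same rules store `%{tx.0}` in the `PROFILE/ANOMALY` variable although none of them uses `capture`, so the recorded value is likely empty or left over from an earlier rule; `%{matched_var}` looks like what was intended. No `initcol` for the `resource` collection is visible in this file, so a header comment saying where that collection must be initialised would help operators.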
@@ -0,0 +1,13 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+SecRule &RESOURCE:OSVDB_CHECK "@eq 0" "chain,phase:5,id:'981198',t:none,nolog,pass"
+ SecRule RESPONSE_STATUS "@streq 200" "exec:/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua"
+SecRule TX:OSVDB_MSG "!^$" "phase:5,id:'981199',t:none,log,pass,msg:'Passive Vulnerabilty Check with OSVDB - %{matched_var}'"
diff -Nru modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf
--- modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf 2011-05-03 19:01:25.000000000 +0000
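Review bot: The chained rule 981198 in modsecurity_crs_56_pvs_checks.conf runs `exec:/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua` from a hard-coded absolute path, and nothing in the file tells the operator to adjust it. The ip_forensics file added in this same diff carries that notice, so I would add `# You must update the local path for the exec action to point to the lua script.` above the rule. The comment should also say that the script runs with the web server's privileges, so the file and its directory must not be writable by that account, and that the rule relies on the RESOURCE collection being initialised elsewhere (not visible in this hunk). The `msg` of 981199 misspells "Vulnerabilty"; alert text is often matched by log tooling, so it is worth fixing now to `msg:'Passive Vulnerability Check with OSVDB - %{matched_var}'`.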
@@ -0,0 +1,41 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Gather IP/Host Data for Audit Logging
+#
+# - http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
+#
+
+#
+# Execute the IP Lookup/Whois Check when anomaly scores are not 0
+#
+# You must update the local path for the exec action to point to the lua script.
+#
+SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,nolog,id:'960004',exec:/usr/local/apache/conf/crs/lua/gather_ip_data.lua"
+SecRule TX:HOSTNAME ".*" "phase:5,t:none,pass,log,id;'960005',msg:'Client Nslookup/WHOIS Abuse Info.',logdata:'Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',setvar:'ip.hostname=Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',expirevar:ip.hostname=86400,skip:1"
+SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,log,id:'960006',msg:'Client Nslookup/WHOIS Abust Info.',logdata:'%{ip.hostname}'"
+
+
+#
+# Download the GeoIP DB from MaxMind
+#
+# GeoLite City - http://www.maxmind.com/app/geolitecity
+# GeoLite Country - http://www.maxmind.com/app/geoip_country
+#
+# Define the proper path to the GeoIP DB
+SecGeoLookupDb /usr/local/apache/conf/modsec_current/base_rules/GeoLiteCity.dat
+
+#
+# Check the Transactional Anomaly Score - if it is not 0 then record the GeoIP data
+# for the client in the audit log.
+#
+SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:5,pass,t:none,log,id:'960007',severity:'5',msg:'Logging GeoIP Data due to anomaly score.',logdata:'Country Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country Name=%{geo.country_name}, Country Continent=%{geo.country_continent}, City=%{geo.city}'"
+ SecRule REMOTE_ADDR "@geoLookup"
diff -Nru modsecurity-crs-2.1.2/trunk/INSTALL modsecurity-crs-2.2.0/trunk/INSTALL
--- modsecurity-crs-2.1.2/trunk/INSTALL 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/INSTALL 2011-05-26 18:18:01.000000000 +0000
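Review bot: Rule 960005 in modsecurity_crs_61_ip_forensics.conf has `id;'960005'` with a semicolon where the other rules use a colon, so the action list is likely rejected when the configuration loads, or the rule is left without the intended id. It should be `id:'960005'`. The message in 960006 reads `Abust` where 960005 has `Abuse`; using `msg:'Client Nslookup/WHOIS Abuse Info.'` in both lets one log search cover them. `tx.hostname` and `tx.abuse_contact` come from reverse DNS and WHOIS, which are controlled by whoever owns the client address, so they are untrusted when written to `logdata` and the `ip` collection. Presumably gather_ip_data.lua sanitises them, but that script is not visible in this hunk, so a comment above 960005 should state the expectation.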
@@ -0,0 +1,93 @@ +Core Rule Set Quick Setup +========================= + +To activate the rules for your web server installation: + + 1) Copy the modsecurity_crs_10_config.conf.example file to modsecurity_crs_10_config.conf + and customize the settings for your local environment. + + The modsecurity_crs_10_config.conf file includes management rules and directives + that can control important CRS functions. Pay attention to + the SecRuleEngine setting (On by default) and that the SecDefaultAction + directive is set to "pass". The 49 inbound blocking and 59 outbound blocking + rules files use the "block" action which + inherits this setting. The effectively means that you can toggle the + SecDefaultAction setting to decide if you would like to deny on an + anomaly scoring/correlation match. + + Update the PARANOID_MODE variable setting if you want to become more + aggressive in your detection. Caution - this will cause more false positives. + + Should also update the appropriate anomaly scoring levels that will be propagated + to the inbound/outbound blocking files. + + Update the TX policy settings for allowed Request Methods, File Extensions, etc... + + 2) Enable the CRS rules files you want to use by creating symlinks under the + "activated_rules" directory location. You will want to create symlinks for the + following: + + 1) The main modsecurity_crs_10_config.conf file + 2) Any rules from the base_rules directory + 3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories. 
+ + $ pwd + /usr/local/apache/conf/crs + $ ls + CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules + LICENSE base_rules modsecurity_crs_10_config.conf.example util + README experimental_rules modsecurity_crs_15_customrules.conf + activated_rules lua optional_rules + $ sudo ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf + $ for f in `ls base_rules/` ; do sudo ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done + $ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done + $ ls -l activated_rules + total 216 + lrwxr-xr-x 1 root wheel 52 May 17 14:01 GsbMalware.dat -> /usr/local/apache/conf/crs/base_rules/GsbMalware.dat + lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data + lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data + lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data + lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data + lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data + lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data + lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data + lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> 
/usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf + lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_config.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf + lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf + lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf + lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf + lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf + lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf + lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf + lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf + lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf + lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf + lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf + lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf + lrwxr-xr-x 1 root 
wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf + lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example + lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf + lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf + lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf + lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf + lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf + + + 3) Add the following line to your httpd.conf (assuming + you've placed the rule files into conf/crs/): + + + Include conf/crs/modsecurity_crs_10_config.conf + Include conf/crs/activated_rules/*.conf + + + 3) Restart web server. + + 4) Make sure your web sites are still running fine. + + 5) Simulate an attack against the web server. Then check + the attack was correctly logged in the Apache error log, + ModSecurity debug log (if you enabled it) and ModSecurity + audit log (if you enabled it). + + diff -Nru modsecurity-crs-2.1.2/trunk/LICENSE modsecurity-crs-2.2.0/trunk/LICENSE --- modsecurity-crs-2.1.2/trunk/LICENSE 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/LICENSE 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff -Nru modsecurity-crs-2.1.2/trunk/lua/advanced_filter_converter.lua modsecurity-crs-2.2.0/trunk/lua/advanced_filter_converter.lua --- modsecurity-crs-2.1.2/trunk/lua/advanced_filter_converter.lua 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/lua/advanced_filter_converter.lua 2010-12-29 16:46:58.000000000 +0000 
@@ -0,0 +1,795 @@ +#!/opt/local/bin/lua +local rex = require "rex_pcre" +local B = require "bit" + +function main() + +function dec2hex(nValue) + if type(nValue) == "string" then + nValue = String.ToNumber(nValue); + end + nHexVal = string.format("%X", nValue); + sHexVal = nHexVal..""; + return sHexVal; +end + +function hex2dec (arg) + local dec = {} + for str in string.gfind(arg, "%w%w") do + local str = '0X'..str + table.insert(dec, tonumber(str)) + end + + return unpack(dec) +end + +function explode ( seperator, str ) + local pos, arr = 0, {} + for st, sp in function() return string.find( str, seperator, pos, true ) end + do + table.insert( arr, string.sub( str, pos, st-1 ) ); + pos = sp + 1; + end + table.insert( arr, string.sub( str, pos ) ); + return arr +end + + +function oct2dec(octstr) + local i, len, num; + + num = 0; + i = 0; + octstr = string.reverse(octstr); + len = string.len(octstr); + + if (len > 11) then + return 1; + end + + for str in string.gfind(octstr, "%w") do + number = tonumber(str); + if((number < 0) or (number > 7)) then + num = 0; + return 0; + end + + i = tonumber(i); + num_shr = B.lshift(number ,(i*3)); + num = B.bor(num,num_shr); + i = i + 1; + end + return num; +end + + +function str_split_unique(data) + a = {} + b = {} + -- use table to eliminate duplicates + for i=1,string.len(data) do + v = string.sub(data,i,i) + a[v] = v + end + -- insert into ordered array and sort + for k,v in pairs(a) do + table.insert(b,k) + end + table.sort(b) + return b +end + +function str_split(data) + a = {} + for i=1,string.len(data) do + a[i] = string.sub(data,i,i) + end + return a +end + +-- character table string +local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' + +-- base64 decoding +function base64decode(data) + data = string.gsub(data, '[^'..b..'=]', '') + return (data:gsub('.', function(x) + if (x == '=') then return '' end + local r,f='',(b:find(x)-1) + for i=6,1,-1 do r=r..(f%2^i-f%2^(i-1)>0 and '1' or '0') end + 
return r; + end):gsub('%d%d%d?%d?%d?%d?%d?%d?', function(x) + if (#x ~= 8) then return '' end + local c=0 + for i=1,8 do c=c+(x:sub(i,i)=='1' and 2^(8-i) or 0) end + return string.char(c) + end)) +end + +function urldecode(s) + return (string.gsub (string.gsub (s, "+", " "), + "%%(%x%x)", + function (str) + return string.char (tonumber (str, 16)) + end )) +end + +function urlencode(s) + return (string.gsub (s, "%W", + function (str) + return string.format ("%%%02X", string.byte (str)) + end )) +end + +function strip_tags(h) + local newstr = rex.gsub(h, "<(\/?)(\\w+)[^\>]*>", "%2", nil, 0, 0); + return newstr +end + +function hexdecode(s) + s = string.gsub(s, "%%(%x%x)", function (h) + return string.char(tonumber(h, 16)) + end) + return s +end + +function sql_hexdecode(s) + s = string.gsub(s, "(%x%x)", function (h) + return string.char(tonumber(h, 16)) + end) + return s +end + + +--[[ Retrieve all ARGS parameters from ModSec + + urlDecodeUni, htmlEntityDecode and jsDecode can be used here with the initial + extraction of data since they are able to decode any inline value vs. + other transformation functions which will attempt to decode the entire + string value. For those situations, we must create our own Lua functions +]] + +local args = {}; +args = m.getvars("ARGS", {"none"}); + +-- Only run checks if ARGS are present +if (#args == "0") then + m.log(4, "# of ARGS: " ..#args.. "."); + return nil; +end + + +-- Place ARGS data into key/value pairs for inspection +for k,v in pairs(args) do + name = v["name"]; + value = v["value"]; + original_value = value; + m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. "."); + +--[[ Start Converter code ]] + +--[[ Make sure the value to normalize and monitor doesn't contain + possibilities for a regex DoS.]] + -- remove obvious repetition patterns + value = rex.gsub(value, "(?:(.{2,})\\1{32,})|(?:[\-+=|@\\s]{128,})", "x", nil, 0, 0); + m.log(4, "Remove repetition patterns: " .. value .. 
""); + +--[[ Check for comments and erases them if available ]] + -- check for existing comments + if rex.match(value, "(?ms:(?:\\|\\/\\*|\\*\\/|\\/\\/\\W*\\w+\\s*$)|(?:\-\-[^\\-]*\-))", 1) then + converted = rex.gsub(value, "(?ms:(?:(?:))|(?:(?:\\/\\*\\/*[^\\/\\*]*)+\\*\\/)|(?:\-\-[^\\-]*\-))", ";", nil, 0, 0); + value = (value .. "\n" .. converted); + m.log(4, "Check for Existing Comments: " .. value .. ""); + end + + -- make sure inline comments are detected and converted correctly + value = rex.gsub(value, "(?m:(<\\w+)\\/+(\\w+=?))", "%1/%2", nil, 0, 0); + m.log(4, "Remove Inline Comments1: " .. value .. ""); + value = rex.gsub(value, "(?m:[^\\\\:]\\/\\/(.*)$)", "/**/%1", nil, 0, 0); + m.log(4, "Remove Inline Comments2: " .. value .. ""); + +--[[ Strip newlines ]] + -- check for inline linebreaks + value = rex.gsub(value, "\\\\(r|n|f|t|v)", ";", nil, 0, 0); + m.log(4, "Check for inline linebreaks: " .. value .. ""); + -- replace replacement characters regular spaces + value = string.gsub(value, "�", ' ', nil, 0, 0); + m.log(4, "Replace replacement chars: " .. value .. ""); + -- convert real linebreaks + value = rex.gsub(value, "(?m:[\\r\\n\\f\\t\\v])", " ", nil, 0, 0); + m.log(4, "Convert real linebreaks: " .. value .. ""); + +--[[ Checks for common charcode pattern and decodes them ]] +function convertFromJSCharcode(value) + + local matches, matches2, matches3; + local changed = 0; + local sum = 0; + local chr = 0; + local converted = ""; + local tmp_value = value; + + -- check if value matches typical charCode pattern + + for line in rex.gmatch(tmp_value, "(?ms:(?:[\\d+-=\/\* ]+(?:\\s?,\\s?[\\d+-=\/\* ]+)){4,})", 0, 0) + do + if(matches ~= nil) then + matches = matches .. "," .. 
line; + else + matches = line; + end + end + + if(matches ~= nil) then + + matches = rex.gsub(matches,"(\\s)", ""); + matches = rex.gsub(matches,"(\\w+=)", ""); + + str = explode(",",matches); + + for i=1, table.getn(str) do + + chr = str[i]; + + if(string.len(str[i]) > 0) then + + chr = rex.gsub(chr,"(?s:\\W0)", ""); + + if(chr ~= nil) then + + for line2 in rex.gmatch(chr, "(\\d*[+-\/\* ]\\d+)",0, 0) + do + if(matches2 ~= nil) then + matches2 = matches2 .. "" .. line2; + else + matches2 = line2; + end + end + + if( matches2 ~= nil )then + for line3 in rex.split(matches2, "((\\W?\\d+))",0, 0) + do + if(line ~= nil) then + changed = 1; + sum = sum + tonumber(line3); + end + + if(matches3 ~= nil) then + matches3 = matches3 .. line3; + else + matches3 = line3; + end + end + end + + if(changed == 1) then + if(sum >= 20) then + if(sum <= 127) then + converted = converted .. string.char(sum); + end + end + end + + if(changed == 0) then + local num = 0; + if(string.len(chr) > 0) then + num = tonumber(chr); + end + converted = converted .. string.char(num); + end + end + + value = tmp_value .. "\n" .. converted; + end + end + end +end + +function convertFromJSCharcode_hex(value) + -- check for hexadecimal charcode pattern + local matches_hex = ""; + local converted = ""; + local tmp_value = value; + + for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\w+\\s*){8,}))", 0, 0) + do + if(matches_hex ~= nil) then + matches_hex = matches_hex .. "," .. line; + else + matches_hex = line; + end + end + + if(matches_hex ~= nil) then + + matches_hex = rex.gsub(matches_hex,"([ux])", ""); + + converted = ""; + + str = explode(",",matches_hex); + + for i=1, table.getn(str) do + + chr = str[i]; + + if(tonumber(chr) ~= 0) then + converted = converted .. string.char(hex2dec(chr)); + end + end + + value = tmp_value .. "\n" .. 
converted; + end + + print(value); + return value; +end + +function convertFromJSCharcode_oct(value) + + local matches_oct = ""; + local converted_oct = ""; + local tmp_value = value; + + -- check for octal charcode pattern + + for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\d+){8,}))", 0, 0) + do + if(matches_oct ~= nil) then + matches_oct = matches_oct .. "," .. line; + else + matches_oct = line; + end + end + + if(matches_oct ~= nil) then + + matches_oct = rex.gsub(matches_oct,"(\\s)", ""); + + str = explode(",",matches_oct); + + print(str); + + for i=1, table.getn(str) do + + chr = str[i]; + + if (tonumber(str[i]) ~= 0) then + + n = oct2dec(chr); + + n = dec2hex(n); + + if(n ~= 0)then + str2 = string.char(hex2dec(n)); + + if(converted_oct ~= nil) then + converted_oct = converted_oct .. str2; + else + converted_oct = str2; + end + end + end + end + + if(converted_oct ~= nil) then + value = tmp_value .. "\n" .. converted_oct; + else + value = tmp_value; + end + end + + print(value); + + return value; +end + +convertFromJSCharcode(value); + m.log(4, "convertFromJSCharcode: " .. value .. ""); +convertFromJSCharcode_hex(value); +m.log(4, "convertFromJSCharcode_hex: " .. value .. ""); +convertFromJSCharcode_oct(value); +m.log(4, "convertFromJSCharcode_oct: " .. value .. ""); + +--[[ Eliminate JS regex modifiers ]] + value = rex.gsub(value, "\/[gim]+", "\/", nil, 0, 0); + m.log(4, "Eliminate JS regex modifiers: " .. value .. "."); + +--[[ Converts from hex/dec entities ]] + + -- deal with double encoded payload +function htmlEntityDecode(value) + value = rex.gsub(value, "&", "&", nil, 0, 0); + local result; + local tmp_value = value; + + for line in rex.gmatch(tmp_value, "(?ms:&#x?([\\w]{2}\\d?);?)", 0, 0) + do + if(line ~= nil) then + if(result ~= nil) then + result = result .. line; + else + result = line; + end + end + end + + + if(result ~= nil) then + result = sql_hexdecode(result); + value = tmp_value .. "\n" .. 
result; + result = rex.gsub(result, ";;", ";", nil, 0, 0); + else + value = tmp_value; + end + + + print(result); + + return result; + +end + +htmlEntityDecode(value); + m.log(4, "Converts from hex/dex entities: " .. value .. "."); + + -- normalize obfuscated protocol handlers + value = rex.gsub(value, "(?ms:(?:j\\s*a\\s*v\\s*a\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\s*)|(d\\s*a\\s*t\\s*a\\s*))", "javascript", nil, 0, 0); + +--[[ Normalize Quotes ]] + -- normalize different quotes to " + value = rex.gsub(value, "[\'\`\´\’\‘]", "\"", nil, 0, 0); + m.log(4, "Normalize Quotes: " .. value .. "."); + + -- make sure harmless quoted strings don't generate false alerts + value = rex.gsub(value, "^\"([^\"=\\!><~]+)\"$", "%1", nil, 0, 0); + m.log(4, "Harmless Quotes: " .. value .. "."); + + +--[[ Converts SQLHEX to plain text ]] + local tmp_value = value; + while true do + sql_hex_value = rex.match(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)"); + if (sql_hex_value == nil) then break end + m.log(4, "SQL Hex Data: " .. sql_hex_value .. "."); + local sql_hex_decoded = sql_hexdecode(sql_hex_value); + m.log(4, "SQL Hex Data Decoded: " .. sql_hex_decoded .. "."); + tmp_value = rex.gsub(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)", sql_hex_decoded, 1, 0, 0); + m.log(4, "SQL Hex Data Normalized: " .. tmp_value .. 
"."); + end + value = rex.gsub(tmp_value, "(?m:0x\\d+)", "1", nil, 0, 0); + +--[[ Converts basic SQL keywords and obfuscations ]] + value = rex.gsub(value, "(?ims:(?:IS\\s+null)|(LIKE\\s+null)|(?:(?:^|\\W)IN[\+\\s]*\([\\s\\d\"]+[^\(\)]*\)))", "\"=0", nil, 0, 0); + value = rex.gsub(value, "(?ims:\\W+\\s*like\\s*\\W+)", "1\" OR \"1\"", nil, 0, 0); + value = rex.gsub(value, "(?ims:null[,\"\\s])", ",0", nil, 0, 0); + value = rex.gsub(value, "(?ims:\\d+\\.)", " 1", nil, 0, 0); + value = rex.gsub(value, "(?ims:,null)", ",0", nil, 0, 0); + value = rex.gsub(value, "(?ims:between|mod)", "or", nil, 0, 0); + value = rex.gsub(value, "(?ims:and\\s+\\d+\.?\\d*)", "", nil, 0, 0); + value = rex.gsub(value, "(?ims:\\s+and\\s+)", " or ", nil, 0, 0); + value = rex.gsub(value, "(?ims:[^\\w,\(]NULL|\\\\N|TRUE|FALSE|UTC_TIME|LOCALTIME(?:STAMP)?|CURRENT_\\w+|BINARY|(?:(?:ASCII|SOUNDEX|FIND_IN_SET|MD5|R?LIKE)[\+\\s]*\\([^\(\)]+\\))|(?:\-+\\d))", "0", nil, 0, 0); + value = rex.gsub(value, "(?ims:(?:NOT\\s+BETWEEN)|(?:IS\\s+NOT)|(?:NOT\\s+IN)|(?:XOR|\\WDIV\\W|\\WNOT\\W|<>|RLIKE(?:\\s+BINARY)?)|(?:REGEXP\\s+BINARY)|(?:SOUNDS\\s+LIKE))", "!", nil, 0, 0); + value = rex.gsub(value, "\"\\s+\\d", "\"", nil, 0, 0); + value = rex.gsub(value, "\\/(?i:\\d+|null)", "", nil, 0, 0); + + m.log(4, "Convert SQL Keywords and Obfuscations: " .. value .. "."); + +--[[ Detects nullbytes and controls chars via ord() ]] + -- critical ctrl values + value = rex.gsub(value, "(?i:cha?r\\((0|1|2|3|4|5|6|7|8|11|12|14|15|16|17|18|19|24|25|192|193|238|255)\\))", "%%00", nil, 0, 0); + m.log(4, "Convert nullbytes and control chars via ord(): " .. value .. 
"."); + + -- take care for malicious unicode characters + value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%E(?:2|3)\%8(?:0|1)\%(?:A|8|9)\\w|\%EF\%BB\%BF|\%EF\%BF\%BD)|(?:&#(?:65|8)\\d{3};?))", "", nil, 0, 0)); + + value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BE))", ">", nil, 0, 0)); + value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BC))", "<", nil, 0, 0)); + value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A2))", "\"", nil, 0, 0)); + value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A7))", "\'", nil, 0, 0)); + value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%ff1c))", "<", nil, 0, 0)); + + value = rex.gsub(value, "(?i:(?:&[#x]*(200|820|200|820|zwn?j|lrm|rlm)\\w?;?))", "", nil, 0, 0); + value = rex.gsub(value, "(?i:(?:&#(?:65|8)\\d{3};?)|(?:&#(?:56|7)3\\d{2};?)|(?:&#x(?:fe|20)\\w{2};?)|(?:&#x(?:d[c-f])\\w{2};?))", "", nil, 0, 0); + value = rex.gsub(value, "(«|〈|<|‹|〈|⟨)", "<", nil, 0, 0); + value = rex.gsub(value, "(»|〉|>|›|〉|⟩)", ">", nil, 0, 0); + m.log(4, "Malicious unicode characters: " .. value .. ""); + + +--[[ This method matches and translates base64 strings and fragments + used in data URIs ]] + + tmp_value = value; + while true do + base64_value = rex.match(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", 1, 0, 0); + if (base64_value == nil) then break end + m.log(4, "Base64 Data is: " .. base64_value .. "."); + base64_value_decoded = base64decode(base64_value); + m.log(4, "Base64 Data Decoded is: " .. base64_value_decoded .. "."); + tmp_value = rex.gsub(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", base64_value_decoded, 1, 0, 0); + m.log(4, "Base64 Data Normalized: " .. tmp_value .. 
"."); + end + value = tmp_value; + + +--[[ Detects nullbytes and controls chars via ord() ]] + local mytable = {}; + mytable = str_split(value); + j = 1 + while mytable[j] do + if (string.byte(mytable[j]) >= 127) then + mytable[j] = rex.gsub(mytable[j], ".*", " ", nil, 0, 0); + end + j = j + 1 + end + + value = table.concat(mytable); + m.log(4, "Detect nullbytes and control chars via ord(): " .. value .. "."); + + +--[[ Strip XML patterns ]] + converted = strip_tags(value); + if (converted ~= value) then + value = (value .. "\n" .. converted); + m.log(4, "Strip XML patterns: " .. value .. "."); + end + +--[[ This method converts JS unicode code points to regular characters ]] + +function convertFromJSUnicode(args) + local new_value = ""; + + for line in rex.gmatch(args, "(?ims:\\\\u[0-9a-f]{4})", 0, 0) + do + hex = print(string.sub(line,3,6)) + chr = string.char(hex2dec(string.sub(line,5,7))); + if ( new_value == nil ) then + new_value = chr; + else + new_value = new_value .. chr; + end + end + + if ( string.len(new_value) > 0 ) then + value = new_value .. "\n\\u0001"; + end +end + + convertFromJSUnicode(value); + m.log(4, "Convert JS unicode code points to regular chars: " .. value .. 
""); + + +--[[ Converts relevant UTF-7 tags to UTF-8 ]] + value = string.gsub(value,"+ACI-","\""); + value = string.gsub(value,"+ADw-","<"); + value = string.gsub(value,"+AD4-",">"); + value = string.gsub(value,"+AFs-","%["); + value = string.gsub(value,"+AF0-","]"); + value = string.gsub(value,"+AHs-","{"); + value = string.gsub(value,"+AH0-","}"); + value = string.gsub(value,"+AFw-","\\"); + value = string.gsub(value,"+ADs-",";"); + value = string.gsub(value,"+ACM-","#"); + value = string.gsub(value,"+ACY-","&"); + value = string.gsub(value,"+ACU-","%%"); + value = string.gsub(value,"+ACQ-","$"); + value = string.gsub(value,"+AD0-","="); + value = string.gsub(value,"+AGA-","`"); + value = string.gsub(value,"+ALQ-","\""); + value = string.gsub(value,"+IBg-","\""); + value = string.gsub(value,"+IBk-","\""); + value = string.gsub(value,"+AHw-","|"); + value = string.gsub(value,"+ACo-","*"); + value = string.gsub(value,"+AF4-","%^"); + value = string.gsub(value,"+ACIAPg-","\">"); + value = string.gsub(value,"+ACIAPgA8-","\">"); + m.log(4, "Convert relevant UTF-7 tags to UTF-8: " .. value .. ""); + + +--[[ Converts basic concatenations ]] +function stripslashes(args) + + local value = rex.gsub(args,"(\\\\(.?))",""); + + return value; +end + +function convertFromConcatenated(value) + + --normalize remaining backslashes + if (value ~= rex.gsub(value,"((\\w)\\\\)", "%1")) then + value = value .. 
rex.gsub(value,"((\\w)\\\\)", "%1"); + end + + local compare = stripslashes(value); + + pattern = { "(?s:(?:<\/\\w+>\+<\\w+>))", + "(?s:(?:\":\\d+[^\"\[]+\"))", + "(?s:(?:\"?\"\+\\w+\+\"))", + "(?s:(?:\"\\s*;[^\"]+\")|(?:\";[^\"]+:\\s*\"))", + "(?s:(?:\"\\s*(?:\;|\\+).{8,18}:\\s*\"))", + "(?s:(?:\";\\w+=)|(?:!\"\"&&\")|(?:~))", + "(?s:(?:\"?\"\\+\"\"?\\+?\"?)|(?:;\\w+=\")|(?:\"[|&]{2,}))", + "(?s:(?:\"\\s*\\W+\"))", + "(?s:(?:\";\\w\\s*\\+=\\s*\\w?\\s*\"))", + "(?s:(?:\"[|&;]+\\s*[^\|\&\\n]*[\|\&]+\\s*\"?))", + "(?s:(?:\";\\s*\\w+\\W+\\w*\\s*[\|\&]*\"))", + "(?s:(?:\"\\s*\"\\s*\.))", + "((?:\\s*new\\s+\\w+\\s*[\\+\\\"\,]))", + "((?:(?:^|\\s+)(?:do|else)\\s+))", + "((?:(?:^|\\s+)(?:do|else)\\s+))", + "((?:[{(]\\s*new\\s+\\w+\\s*[\)\}]))", + "((?:(this|self)\.))", + "((?:undefined))", + "((?:in\\s+))" }; + + for i=1, table.getn(pattern) do + -- strip out concatenations + converted = rex.gsub(compare,pattern[i],""); + end + + -- strip object traversal + converted = rex.gsub(converted,"(\\w(\.\\w\()))", "%1"); + + -- normalize obfuscated method calls + converted = rex.gsub(converted,"(\\)\\s*\+)", ")"); + + --convert JS special numbers + converted = rex.gsub(converted,"(?ims:(?:\\(*[.\\d]e[\+\-]*[^a-z\\W]+\\)*)|(?:NaN|Infinity)\\W)", "1"); + + if (converted ~= nil) then + if (compare ~= converted) then + value = value .. "\n" .. converted; + end + end + + -- return value; +end + + convertFromConcatenated(value); + m.log(4, "Convert basic concatenations: " .. value .. 
""); + + +--[[ This method collects and decodes proprietary encoding types ]] + +function convertFromProprietaryEncodings(args) + + local value = args; + + --Xajax error reportings + value = rex.gsub(value,"(?im:)","%1", nil, 0, 0); + + --strip false alert triggering apostrophes + value = rex.gsub(value,"(?m:(\\w)\"(s))", "%1%2"); + + --strip quotes within typical search patterns + value = rex.gsub(value,"(^\"([^\"=\\!><~]+)\"/$)", "%1"); + + --OpenID login tokens + value = rex.gsub(value,"({[\\w-]{8,9}\}(?:\{[\w=]{8}\}){2})", ""); + + --convert Content and \sdo\s to null + value = rex.gsub(value,"(?s:Content|\\Wdo)", ""); + + --strip emoticons + value = rex.gsub(value, + "(?m:(?:\\s[:;]-[)\/PD]+)|(?:\\s;[)PD]+)|(?:\\s:[)PD]+)|-\.-|\^\^)", + ""); + + --normalize separation char repetion + value = rex.gsub(value,"(?m:([.+~=*_;\-])\1{2,})", "%1"); + + --normalize multiple single quotes + value = rex.gsub(value,"(?m:/\"{2,})", "\""); + + --normalize quoted numerical values and asterisks + value = rex.gsub(value,"(?m:\"(\\d+)\")", "%1"); + + --normalize pipe separated request parameters + value = rex.gsub(value,"(?m:\|(\\w+=\\w+))", "&%1"); + + --normalize ampersand listings + value = rex.gsub(value,"((\\w\\s)&\\s(\\w))", "%1%2"); + + --normalize escaped RegExp modifiers + value = rex.gsub(value,"(\/\\\\(\\w))", "/%1"); + +end + + convertFromProprietaryEncodings(value); + m.log(4, "convertFromProprietaryEncodings: " .. value .. ""); + + + + + + normalized_name = rex.gsub(name, "^(.*)$", "tx.%1_normalized"); + m.setvar(normalized_name, value); + + +--[[ This method is the centrifuge prototype ]] + m.log(4, "Starting Centrifuge.. Arg Name = " ..name.. " and Arg Value = " ..value.. "."); + + threshold = 3.49; + + -- Examine each value + if string.len(value) > 25 then + local name = name; + -- strip padding + tmp_value = rex.gsub(value, "\\s{4}|==$", "", nil, 0, 0); + m.log(4, "Strip Padding1 - name is: " .. name .. " and value is: " .. 
tmp_value .."."); + tmp_value = rex.gsub(tmp_value, "\\s{4}|[\\p{L}\\d\+\-\=\,\.\%\(\)]{8,}", "aaa", nil, 0, 0); + m.log(4, "Strip Padding2 - name is: " .. name .. " and value is: " .. tmp_value .."."); + + -- Check for the attack char ratio + tmp_value = rex.gsub(tmp_value, "([\*\.\!\?\+\-])\\1{1,}", "%1", nil, 0, 0); + tmp_value = rex.gsub(tmp_value, "\"[\\p{L}\\d\\s]+\"", "", nil, 0, 0); + + stripped_length = string.len(rex.gsub(tmp_value, "[\\d\\s\\p{L}\.\:\,\%\&\/\>\<\\-)\!\|]+", "", nil, 0, 0)); + m.log(4, "stripped_length is: " .. stripped_length .. "."); + overall_value = rex.gsub(tmp_value, "([\\d\\s\\p{L}\:\,\.]{3,})+", "aaa", nil, 0, 0); + m.log(4, "overall_value is: " .. overall_value .. "."); + overall_length = string.len(rex.gsub(overall_value, "\\s{2,}", "", nil, 0, 0)); + m.log(4, "overall_length is: " .. overall_length .. "."); + + if ((stripped_length ~= 0) and (overall_length/stripped_length <= threshold)) then + ratio_value = (overall_length/stripped_length); + ratio_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_ratio"); + m.setvar(ratio_name, ratio_value); + m.log(4, "Threshold is: " .. threshold .. " and Ratio Value is: " .. ratio_value .. "."); + end + end + + -- Examine each value + if string.len(value) > 40 then + + converted = value; + + mytable = str_split_unique(converted) + + j = 1 + while mytable[j] do + print(mytable[j]) + j = j + 1 + end + + converted = table.concat(mytable); + m.log(4, "Unique/Sorted: " .. converted .. "."); + + -- Replace all non-special chars + converted = rex.gsub(converted, "[\\w\\s\\p{L},\.:!]", ""); + m.log(4, "Replace non-special chars: " .. converted .. "."); + + + -- Normalize certain tokens + converted = rex.gsub(converted, "(\\~|\\^|\\||\\*|\\%|\\&|\\/)", "+"); + m.log(4, "Normalize certain tokens: " .. converted .. "."); + converted = rex.gsub(converted, "(\\+|\\-)\\s*\\d+", "+"); + m.log(4, "Normalize certain tokens: " .. converted .. 
"."); + converted = rex.gsub(converted, "(\\(|\\)|\\[|\\]|\\{|\\})", "("); + m.log(4, "Normalize certain tokens: " .. converted .. "."); + converted = rex.gsub(converted, "(\\!|\\?|\\:|\=)", ":"); + m.log(4, "Normalize certain tokens: " .. converted .. "."); + converted = rex.gsub(converted, "[^:(+]", ""); + m.log(4, "Normalize certain tokens: " .. converted .. "."); + converted = string.gsub(converted, "\\", ""); + m.log(4, "Normalize certain tokens: " .. converted .. "."); + + mytable = str_split(converted) + table.sort(mytable); + converted = table.concat(mytable); + m.log(4, "Sorted: " .. converted .. "."); + stripped_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_converted"); + m.setvar(stripped_name, converted); + + end + + + if value ~= "." then + + return ("Normalized Payload: " .. name .. " = " .. value .. ""); + else + -- Nothing wrong found. + return nil; + end +end +end diff -Nru modsecurity-crs-2.1.2/trunk/lua/gather_ip_data.lua modsecurity-crs-2.2.0/trunk/lua/gather_ip_data.lua --- modsecurity-crs-2.1.2/trunk/lua/gather_ip_data.lua 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/lua/gather_ip_data.lua 2011-04-15 18:25:15.000000000 +0000 
@@ -0,0 +1,37 @@
+#!/opt/local/bin/lua
+require("io");
+
+function main()
+local anomaly_score = m.getvar("TX.ANOMALY_SCORE", "none");
+ m.log(4, "Anomaly Score is: " .. anomaly_score .. ".");
+local remote_addr = m.getvar("ARGS.REMOTE_ADDR", "none");
+ m.log(4, "Remote IP is: " .. remote_addr .. ".");
+local ip_hostname = m.getvar("IP.HOSTNAME", "none");
+
+if ((anomaly_score ~= nil) and (ip_hostname == nil)) then
+local hostname = "NONE";
+local abuse_contact = "NONE";
+ n = os.tmpname ()
+ os.execute ("nslookup '" .. remote_addr .. "' > " .. n)
+ os.execute ("whois '" .. remote_addr .. "' >> " .. n)
+ for line in io.lines (n) do
+ if string.match(line, "name = ") then
+ hostname = line
+ end
+
+ if string.match(line, "abuse") then
+ abuse_contact = line
+ end
+ end
+ m.log(4, "Hostname is: " .. hostname .. ".");
+ m.setvar("tx.hostname", hostname);
+
+ m.log(4, "Abuse Contact is: " .. abuse_contact .. ".");
+ m.setvar("tx.abuse_contact", abuse_contact);
+
+ os.remove (n)
+return("Nslookup: " .. hostname .. " and WHOIS Abuse Info: " .. abuse_contact .. "");
+
+end
+return nil;
+end
diff -Nru modsecurity-crs-2.1.2/trunk/lua/osvdb.lua modsecurity-crs-2.2.0/trunk/lua/osvdb.lua
--- modsecurity-crs-2.1.2/trunk/lua/osvdb.lua 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/lua/osvdb.lua 2011-02-23 14:19:26.000000000 +0000
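Review bot: `remote_addr` is read with `m.getvar("ARGS.REMOTE_ADDR", ...)`, which appears to be a request parameter named REMOTE_ADDR rather than the connection address, and it is concatenated into both `os.execute` command lines with only single quotes around it, so the value is interpreted by the shell. Read the server-side variable and validate it before use: `local remote_addr = m.getvar("REMOTE_ADDR", "none");` followed by `if not remote_addr or not string.match(remote_addr, "^[%x%.:]+$") then return nil end`. The two `m.log` calls also concatenate `anomaly_score` and `remote_addr` before the `~= nil` test, which raises an error when either variable is unset, so the nil check should come first.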
@@ -0,0 +1,25 @@
+#!/opt/local/bin/lua
+
+local request_filename = m.getvar("REQUEST_FILENAME", "none")
+local args = {};
+args = m.getvars("ARGS_NAMES", "none")
+
+function main ()
+for line in io.lines("/usr/local/apache/conf/modsec_current/base_rules/vulnerabilities.txt") do
+ if line:find(request_filename) then
+ if string.find(line, "^%d+\,") then
+ for k,v in pairs(args) do
+ local arg_name = v["value"] .. "=";
+ if string.find(line, arg_name) then
+ m.setvar("resource.osvdb_check", "1")
+ m.setvar("resource.osvdb_vulnerable", "1")
+ m.setvar("tx.osvdb_msg", line)
+ return(line)
+ end
+ end
+ end
+ end
+end
+ m.setvar("resource.osvdb_check", "1")
+ return nil
+end
diff -Nru modsecurity-crs-2.1.2/trunk/lua/profile_page_scripts.lua modsecurity-crs-2.2.0/trunk/lua/profile_page_scripts.lua
--- modsecurity-crs-2.1.2/trunk/lua/profile_page_scripts.lua 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/lua/profile_page_scripts.lua 2011-01-07 20:29:52.000000000 +0000
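Review bot: `line:find(request_filename)` and `string.find(line, arg_name)` pass request-derived strings as Lua patterns, so characters such as `.`, `-` and `%` in the path or parameter name change what matches, and a malformed pattern raises an error inside the rule. Use plain-text matching instead: `if line:find(request_filename, 1, true) then` and `if string.find(line, arg_name, 1, true) then`. `main` should also return early when `request_filename` is nil, since `find` would otherwise fail on every line of the file.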
@@ -0,0 +1,40 @@ +#!/opt/local/bin/lua + +function main() + + local rex = require "rex_pcre" + + local response_body = m.getvar("RESPONSE_BODY", "none"); + + if response_body ~= "" then + + local _, nscripts = string.gsub(response_body, " +# +# Identify/Set the UserID name and collection +# Must correctly specify the parameter name that holds the username data (example ARGS:username) +# +#SecRule ARGS:username ".*" "phase:2,id:'981075',t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}" + +# +# Password Complexity Check +# Must correctly specify the parameter name that holds the password data (example ARGS:password) +# The regex below requires 8 length, one upper, one lower, and one number. +# +#SecRule ARGS:password "^(?=[a-zA-Z0-9]*?[A-Z])(?=[a-zA-Z0-9]*?[a-z])(?=[a-zA-Z0-9]*?[0-9])[a-zA-Z0-9]{8,}$" "phase:2,id:'981076',t:none,block,log,msg:'Password does meet complexity requirements.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-POLICY-%{matched_var_name}=%{matched_var}" + +# +# Sanitize the user's password data in the audit logs +# Set the appropriate password parameter name +#SecAction "phase:5,id:'981077',t:none,pass,nolog,sanitiseArg:password" + +# + diff -Nru modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_25_cc_known.conf modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_25_cc_known.conf --- modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_25_cc_known.conf 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_25_cc_known.conf 2011-05-16 17:13:56.000000000 +0000 
@@ -0,0 +1,110 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.0 +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# Detect CC# in input, log transaction and sanitize +SecRule ARGS "@verifyCC (?:^|[^\d])(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \ + "phase:2,id:'981078',t:none,pass,nolog,skip:1" + +SecAction "phase:2,id:'981079',t:none,pass,nolog,skipAfter:END_KNOWN_CC_INBOUND_CHECK" + + +# GSA SmartPay +SecRule ARGS "@verifyCC (?:^|[^\d])((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ + "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'GSA SmartPay Credit Card Number detected in user input',id:'920019',tag:'PCI/10.2',severity:'5'" + +# MasterCard +SecRule ARGS "@verifyCC (?:^|[^\d])(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \ + "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'MasterCard Credit Card Number detected in user input',id:'920005',tag:'PCI/10.2',severity:'5'" + +# Visa +SecRule ARGS "@verifyCC (?:^|[^\d])(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \ + "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Visa Credit Card Number detected in user input',id:'920007',tag:'PCI/10.2',severity:'5'" + +# American Express +SecRule ARGS "@verifyCC (?:^|[^\d])(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ + "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'American Express Credit Card Number detected in user input',id:'920009',tag:'PCI/10.2',severity:'5'" + +# Diners Club +SecRule ARGS "@verifyCC (?:^|[^\d])((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \ + "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Diners 
Club Credit Card Number detected in user input',id:'920011',tag:'PCI/10.2',severity:'5'" + +# enRoute +#SecRule ARGS "(?:^|[^\d])(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ +# "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'enRoute Credit Card Number detected in user input',id:'920013',tag:'PCI/10.2',severity:'5'" + +# Discover +SecRule ARGS "@verifyCC (?:^|[^\d])(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \ + "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Discover Credit Card Number detected in user input',id:'920015',tag:'PCI/10.2',severity:'5'" + +# JCB +SecRule ARGS "@verifyCC (?:^|[^\d])(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ + "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'JCB Credit Card Number detected in user input',id:'920017',tag:'PCI/10.2',severity:'5'" + + +SecMarker END_KNOWN_CC_INBOUND_CHECK + +# Detect CC# in output and block transaction +SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?" "phase:2,t:none,nolog,pass,nolog,setvar:tx.restricted_char_payload=%{matched_var}" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ~" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" 
"phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains @" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains #" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains $" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains %" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ^" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains &" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains *" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains (" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains )" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains +" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains =" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains {" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains }" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains [" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ]" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains |" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule 
TX:RESTRICTED_CHAR_PAYLOAD "@contains :" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ;" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains \"" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains '" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains <" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains >" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1" +SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,block,nolog,auditlog,id:'960023',rev:'2.0.10',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}" + +# +# This rule attempts to identify when multiple (3 or more) speciail, non-word characters are repeated +# +SecRule ARGS "\W{4,}" "phase:2,capture,t:none,block,nolog,auditlog,id:'960024',rev:'2.0.10',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{tx.0}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}" + +# +# HTTP Parameter Pollution (HPP) +# +# One HPP attack vector is to try evade signature filters by distributing the attack payload +# across multiple parameters with the same name. This works as many security devices only +# apply signatures to individual parameter payloads, however the back-end web application +# may (in the case of ASP.NET) consolidate all of the payloads into one thus making the +# attack payload active. +# +# -=[ Rules Logic }=- +# The ruleset below is not looking for attacks directly, but rather is a crude normalization +# function that mimics ASP.NET with regards to joining the payloads of parameters with the +# same name. 
These rules will create a new TX:HPP_DATA variable that will hold this data. +# If you have enabled PARANOID_MODE, then this variable data will also be searched against +# attack filters. +# +# -=[ References ]=- +# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html +# + +SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'960022',rev:'2.0.10',setvar:tx.%{matched_var_name}=+1" + SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none" + SecRule MATCHED_VAR_NAME "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}" + SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'" + SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}" + SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'" + diff -Nru modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_42_comment_spam.conf modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_42_comment_spam.conf --- modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_42_comment_spam.conf 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_42_comment_spam.conf 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,47 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.0 +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# Comment spam is an attack against blogs, guestbooks, wikis and other types of +# interactive web sites that accept and display hyperlinks submitted by +# visitors. The spammers automatically post specially crafted random comments +# which include links that point to the spammer's web site. The links +# artificially increas the site's search engine ranking and may make the site +# more noticable in search results. +# + +SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP" + SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK" + + SecAction "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400" +SecMarker END_RBL_LOOKUP + +SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL 
Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" + +SecMarker END_RBL_CHECK + +SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_42_comment_spam.data" \ + "chain,phase:2,rev:'2.2.0',t:none,t:lowercase,pass,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'" + SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla\/4\.0\+?\(|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy| first +SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,rev:'2.2.0',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'" + +SecAction phase:2,rev:'2.2.0',pass,nolog,skipAfter:END_COMMENT_SPAM + + # Look for 2 ways of posting a link + SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,rev:'2.2.0',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,msg:'Comment Spam',id:'950923',severity:'2'" + SecRule ARGS|ARGS_NAMES "\ +SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'" + SecRule &ARGS:CSRF_TOKEN "!@eq 1" 
"setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}" + +SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'" + SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}" + + + +# +# This rule will use Content Injection to append the CSRF Token +# +SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:''" + + diff -Nru modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_46_av_scanning.conf modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_46_av_scanning.conf --- modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_46_av_scanning.conf 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_46_av_scanning.conf 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,17 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Modify the operator to use the correct AV scanning script/tool
+# Example tools are in the util directory.
+#
+
+SecRule FILES_TMPNAMES "@inspectFile /bin/runAV" \
+ "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
diff -Nru modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_46_av_scanning.conf modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
--- modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf 2011-05-03 19:01:25.000000000 +0000
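Review bot: The last `setvar` stores `%{tx.0}`, but the rule has no `capture` action and `@inspectFile` is not a regex operator, so `tx.0` is likely empty or left over from an earlier rule. The other scoring rules in this release store `%{matched_var}` in that slot, so the tail should read `setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{matched_var}`. The rule also omits `setvar:'tx.msg=%{rule.msg}'`, which the scoring rules elsewhere in the diff set. The header comment could state explicitly that `/bin/runAV` is a placeholder to be replaced with the installed script's path.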
@@ -0,0 +1,21 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset is a complementary to ruleset 34 - Ignore Static. By default,
+# ruleset 34 doesn't skip inspection for leakages in html/documents.
+# Adding this ruleset to your configuration will cause ModSecurity to also
+# skip the rules in files
+#
+
+
+# Skip outbound inspection on requests for text content which have no parameters
+SecRule TX:text_file_extension "@eq 1" "chain,phase:3,allow,nolog,id:'999008',severity:'6'"
+SecRule TX:no_parameters "@eq 1"
diff -Nru modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_49_header_tagging.conf modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_49_header_tagging.conf
--- modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_49_header_tagging.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_49_header_tagging.conf 2011-05-26 18:18:01.000000000 +0000
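Review bot: The header comment does not say where `tx.text_file_extension` and `tx.no_parameters` are set or what `allow` does at this point; neither variable is assigned in this file, so the rule presumably relies on ruleset 34 being loaded first. A bare `allow` in phase 3 ends rule processing for the rest of the transaction apart from logging, so every response to a parameterless request with a text extension leaves without outbound leakage inspection. I would add a comment such as `# Requires ruleset 34 (sets tx.text_file_extension and tx.no_parameters); 'allow' skips all remaining phases except logging.` and complete the sentence that currently ends at "skip the rules in files".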
@@ -0,0 +1,52 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file will add Request Header Tagging which allows ModSecurity to communicate
+# any event/rule matches it finds with the downstream application server. The concept
+# is similar to that of Anti-SPAM apps for Email (such as SpamAssassin).
+#
+# The idea is that if the WAF is in a DetectionOnly mode, it can still share data
+# with the destination app server and then the app server may choose to inspect
+# the new WAF request headers and factor in this data into a possible blocking
+# decision.
+#
+# This concept is tremendously useful in a distributed architecture and/or when
+# there are Fraud Detection Systems at the app server layer that can correlate
+# the WAF data into the overall Fraud Score. This is also useful in Hosting
+# Environments where the decision to block may not be as clear.
+#
+
+SecRule TX:ANOMALY_SCORE "@eq 0" "phase:2,id:'981173',t:none,nolog,pass,skipAfter:END_HEADER_TAGGING"
+
+SecRule TX:/^\d/ "." "phase:2,id:'981174',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"
+
+RequestHeader append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
+RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
+RequestHeader append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
+RequestHeader append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
+RequestHeader append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
+RequestHeader append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
+RequestHeader append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
+RequestHeader append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
+RequestHeader append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
+RequestHeader append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
+RequestHeader append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
+RequestHeader append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
+RequestHeader append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
+RequestHeader append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
+RequestHeader append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
+RequestHeader append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
+RequestHeader append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
+RequestHeader append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
+RequestHeader append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
+RequestHeader append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
+RequestHeader set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score
+
+SecMarker END_HEADER_TAGGING
diff -Nru modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_55_application_defects.conf modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_55_application_defects.conf
--- modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_55_application_defects.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_55_application_defects.conf 2011-05-03 19:01:25.000000000 +0000
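Review bot: modsecurity_crs_49_header_tagging.conf never removes `X-WAF-Events` or `X-WAF-Score` headers that arrive with the request. Every `RequestHeader` line is conditional on an environment variable, the events header uses `append`, and rule 981173 skips the tagging rule entirely when the anomaly score is 0. A request that already carries these headers therefore reaches the application server with values ModSecurity did not write, which undermines the blocking decision the file's comment expects the app server to make. Adding unconditional `RequestHeader unset X-WAF-Events` and `RequestHeader unset X-WAF-Score` ahead of the `append` lines would let the app server trust what it receives. The fixed list of 20 `matched_rule-N` slots also drops any further matches without notice, which deserves a comment.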
@@ -0,0 +1,82 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.0 +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# -=[ Watcher Checks ]=- +# +# Charset Checks: +# http://websecuritytool.codeplex.com/wikipage?title=Checks#charset +# +SecRule &GLOBAL:MISSING_CHARSET "@eq 0" "phase:4,t:none,nolog,pass,id:'981219',setvar:global.missing_charset=0" +SecRule GLOBAL:MISSING_CHARSET "@le 10" "chain,phase:4,t:none,pass,id:'981220',log,msg:'Character Set (Charset) Not Specified for Response Content.',logdata:'%{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Markup_Language'" + SecRule RESPONSE_STATUS "@rx ^2" "chain" + SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain" + SecRule RESPONSE_BODY "!@rx #])" "chain,t:none" + SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}" + SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E" + +# +# Check to see if TX XSS Data is already in the GLOBAL list. If it is - expire it. +SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,id:'981180',t:none,nolog,pass,skip:1" +SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,id:'981181',t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}" + +# +# Identifies Stored XSS +# If malicious input (with Meta-Characters) is echoed back on any page non-encoded. 
+SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,id:'981182',t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'" + +# +# Identifies SessiondIDs without HTTPOnly flag +# + +SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,id:'981183',t:none,pass,nolog,setvar:tx.sessionid=%{matched_var}" + +SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,id:'981184',t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'" + +SecRule SERVER_PORT "@streq 443" "chain,phase:3,id:'981185',t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag.'" + SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_cookie=%{matched_var}" + +SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "chain,phase:3,id:'981186',t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly and Secure Cookie Flag.'" + SecRule SERVER_PORT "@streq 443" "chain,t:none" + SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_httponly_cookie=%{matched_var}" + +Header set Set-Cookie "%{httponly_cookie}e; HTTPOnly" env=httponly_cookie +Header set Set-Cookie "%{secure_cookie}e; Secure" env=secure_cookie +Header set Set-Cookie "%{secure_httponly_cookie}e; Secure; HTTPOnly" env=secure_httponly_cookie diff -Nru modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_55_marketing.conf modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_55_marketing.conf --- modsecurity-crs-2.1.2/trunk/optional_rules/modsecurity_crs_55_marketing.conf 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/optional_rules/modsecurity_crs_55_marketing.conf 2011-05-03 19:01:25.000000000 +0000 
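Review bot: The three `Header set Set-Cookie ...` lines at the end of modsecurity_crs_55_application_defects.conf replace the Set-Cookie response header outright, and `tx.sessionid` from rule 981183 holds a single matched value, so a response that sets several cookies would presumably lose all but the rewritten one. `Header edit` adds the flag to the existing headers instead, for example `Header edit Set-Cookie "^(.*)$" "$1; HttpOnly" env=httponly_cookie`, with the equivalent line for `Secure`; this form touches every cookie in the response, which should be stated in a comment. The negated patterns `!(?i:\;? ?secure;?)` and `!(?i:\;? ?httponly;?)` are also unanchored, so a cookie whose value or path merely contains the word is treated as already flagged and goes unreported. The charset and stored-XSS rules earlier in this hunk appear damaged in this rendering and are not covered by this note.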
@@ -0,0 +1,22 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# These rules do not have a security importance, but shows other benefits of
+# monitoring and logging HTTP transactions.
+# --
+
+SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'MSN robot activity',id:'910008',severity:'6'"
+
+SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Yahoo robot activity',id:'910007',severity:'6'"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Google robot activity',id:'910006',severity:'6'"
diff -Nru modsecurity-crs-2.1.2/trunk/README modsecurity-crs-2.2.0/trunk/README
--- modsecurity-crs-2.1.2/trunk/README 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/README 2011-05-26 18:18:01.000000000 +0000
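Review bot: The three rules in modsecurity_crs_55_marketing.conf use the disruptive `block` action although the file's own comment says they have no security importance. `block` defers to `SecDefaultAction`, so on a deployment whose default is `deny` these rules would reject MSN, Yahoo and Google crawlers. For pure monitoring I would write `pass,log` in place of `block` in 910006, 910007 and 910008. The User-Agent header is client-controlled, so a comment such as `# A match identifies a claimed crawler, not a verified one.` would help whoever reads the resulting logs.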
@@ -0,0 +1,341 @@ + +=============================== +ModSecurity Core Rule Set (CRS) +=============================== + +(c) 2006-2011 Trustwave + +The ModSecurity Core Rule Set is provided to you under the terms and +conditions of Apache Software License Version 2 (ASLv2) + +http://www.apache.org/licenses/LICENSE-2.0.txt + +This directory contains the files for Core ModSecurity Rule Set +The rules are compatible with ModSecurity 2.5 (as of version 1.4.3) + +Downloading +=========== + +You can manually download the latest CRS from the OWASP Project site - +http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download + +You can optionally automatically download the latest rules by using the +rules-updater.pl script in the /util directory. Refer to the README file in the +/util dir. + +ModSecurity Blog Posts +====================== + +http://blog.spiderlabs.com/modsecurity/ + +ModSecurity Advanced Topic of the Week: Traditional vs. Anomaly Scoring Detection Modes +http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html + +ModSecurity Advanced Topic of the Week: Exception Handling +http://blog.spiderlabs.com/2010/11/modsecurity-advanced-topic-of-the-week-exception-handling.html + +Overview +======== + +Using ModSecurity requires rules. In order to enable users to take full +advantage of ModSecurity immediately, Trustwave is providing a free +Core rule set. Unlike intrusion detection and prevention systems which +rely on signature specific to known vulnerabilities, the Core Rule Set +provides generic protection from unknown vulnerabilities often found in web +application that are in most cases custom coded. This is what we call "Attack +Payload Detection." + +Keep in mind that a predefined rule set is only part of the work required to +protect your web site. 
We strongly urge you to consult Ivan Ristic's book, +"ModSecurity Handbook" http://store.feistyduck.com/products/modsecurity-handbook +and the ModSecurity Reference Manual - http://www.modsecurity.org/documentation/. +The CRS is heavily commented to allow it to be used as a step-by-step +deployment guide for ModSecurity. + +For more information refer to the OWASP Core Rule Set Project page at +http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project + +Core Rules Mail-list - +Suscribe here: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set +Archive: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/ + + +CRS 2.0 Design Concepts +======================= + +-=[ CRS < 2.0 - Self-Contained Rules ]=- +Older (<2.0) CRS used individual, “self-contained†actions in rules + - If a rule triggered, it would either deny or pass and log + - No intelligence was shared between rules +Not optimal from a rules management perspective (handling false positives/exceptions) + - Editing the regex could blow it up + - Typical method was to copy/paste rules into custom rules files and then edit rule logic + and disable core rule ID. + - Heavily customized rules were less likely to be updated by the user +Not optimal from a security perspective + - Not every site had the same risk tolerance + - Lower severity alerts were largely ignored + - Individual low severity alerts are not important but several low severity events + in the same transaction are. 
+ +-=[ CRS 2.0 - Collaborative Detection ]=- +== Rules - Detection and Management == +Rules logic has changed by decoupling the inspection/detection from the blocking functionality + - Rules log.pass and set transactional variables (tx) to track anomaly scores and to + store meta-data about the rule match + - This TX rule match data can be used by other 3rd party rules (converter Emerging Threats + Snort web attack rules) to more accurately correlate identified attacks with their + attack vector locations. + - TX data of previous strong rule matches can also be used to conditionally apply weaker signatures + that normally would have a high fasle positive rate. + - Rules also increase anomaly scores for both the attack category and global score which allows + users to set a threshold that is appropriate for them. + - This also allows several low severity events to trigger alerts while individual ones are suppressed. + - Exceptions may be handled by either increasing the overall anomaly score threshold, or + by adding rules to a local custom exceptions file where TX data of previous rule matches + may be inspected and anomaly scores re-adjusted based on the false positive criteria. + +User can now globally update which variables to inspect and the anomaly score settings in the +modsecurity_crs_10_config.conf file. + - PARANOID_MODE setting which will apply rules to locations that have a higher false positive rate + - INBOUND_ANOMALY_SCORE setting will be populated in the inbound blocking file and if a transaction + score at the end of phase:2 is equal to or greater than this number, it will be denied. + - OUTBOUND_ANOMALY_SCORE setting will be populated in the outbound blocking file and it a transaction + score at the end of phase:4 is equal to or greater than this number, it will be denied. 
+ +== Inbound/Outbound Blocking == +The CRS rules themselves are configured with the pass action, which allows all the rules to be processed +and for the proposed anomaly scoring/collaborative detection concept to work. The inbound/outbound anomaly +score levels may be set in the modsecurity_crs_10_config.conf file. These scores will be evaluated in the +modsecurity_crs_49_inbound_blocking.conf and modsecurity_crs_59_outbound_blocking.conf files. + +== Alert Management - Correlated Event Creation == +One of the top feedback items we have heard is that the CRS events in the Apache error_log file +were very chatty. This was due to each rule triggering its own error_log entry. What most people +wanted was for 1 correlated event to be generated that would give the user a higher level +determination as to what the event category was. + +To that end- each CRS rule will generate an audit log event Message entry but they will not log +to the error_log on their own. These rules are now considered basic or reference events and +may be reviewed in the audit log if the user wants to see what individual events contributed +to the overall anomaly score and event designation. + +== Inbound/Outbound Correlation == +After the transaction has completed (in the logging phase), the rules in the +base_rules/modsecurity_crs_60_correlation.conf file will conduct further post-processing by +analyzing any inbound events with any outbound events in order to provide a more +intelligent/priority correlated event. + + - Was there an inbound attack? + - Was there an HTTP Status Code Error (4xx/5xx level)? + - Was there an application information leak? + +If an inbound attack was detected +and either an outbound application status code error or infolead was detected, then the overall +event severity is raised - + + - 0: Emergency - is generated from correlation where there is an inbound attack and + an outbound leakage. 
+ - 1: Alert - is generated from correlation where there is an inbound attack and an + outbound application level error. + + +Core Rule Set Content +===================== + +In order to provide generic web applications protection, the Core Rule Set +uses the following techniques: + +-=[ HTTP Protocol Validation and Protection ]=- +Detecting violations of the HTTP protocol and a locally +defined usage policy. This first line of protection ensures that all abnormal HTTP +requests are detected. This line of defense eliminates a large number of +automated and non targeted attacks as well as protects the web server itself. + +== base_rules/modsecurity_crs_20_protocol_violations.conf == +Protocol vulnerabilities such as Response Splitting, Request Smuggling, Premature URL ending + - Content length only for non GET/HEAD methods + - Non ASCII characters or encoding in headers + - Valid use of headers (for example, content length is numerical) + - Proxy Access + +== base_rules/modsecurity_crs_21_protocol_anomalies.conf == +Attack requests are different due to automation + - Missing headers such as Host, Accept, User-Agent + - Host is an IP address (common worm propagation method) + +== base_rules/modsecurity_crs_23_request_limits.conf == +Policy is usually application specific + - Some restrictions can usually be applied generically + - White lists can be build for specific environments +Limitations on Sizes + - Request size, Upload size + - # of parameters, length of parameter + +== base_rules/modsecurity_crs_30_http_policy.conf == +Items that can be allowed or restricted + - Methods - Allow or restrict WebDAV, block abused methods such as CONNECT, TRACE or DEBUG + - File extensions – backup files, database files, ini files + - Content-Types (and to some extent other headers) + +-=[ Automation Detection ]=- +Automated clients are both a security risk and a +commercial risk. 
Automated crawlers collect information from your site, consume +bandwidth and might also search for vulnerabilities on the web site. Automation +detection is especially useful for generic detection of comments spam. + +Detecting bots, crawlers, scanners and other surface malicious activity. +Not aimed against targeted attacks, but against general malicious internet activity + - Offloads a lot of cyberspace junk & noise + - Effective against comment spam + - Reduce event count + +== base_rules/modsecurity_crs_35_bad_robots.conf == +Detection of Malicious Robots + - Unique request attributes: User-Agent header, URL, Headers + - RBL Check of IP addresses + - Detection of security scanners + - Blocking can confuse security testing software (WAFW00f) + +== optional_rules/modsecurity_crs_42_comment_spam.conf == +This rules file is only relevant if you are concerned about comment SPAM attacks. +The rules file will run an RBL check against the source IP address at SPAMHAUS and will +cache the response for 1 day. If the client sends subsequent requests, it will be denied +without having to re-run an RBL check. + +This file will also look for comment SPAM posting attacks which submit URL links. + + +-=[ Common Web Attacks Protection ]=- +Common Web Attacks Protection Rules on the second level address the common web +application security attack methods. These are the issues that can appear in +any web application. Some of the issues addressed are: + +- SQL Injection +- Cross-Site Scripting (XSS) +- OS Command execution +- Remote code inclusion +- LDAP Injection +- SSI Injection +- Information leak +- Buffer overflows +- File disclosure + +== base_rules/modsecurity_crs_40_generic_attacks.conf == + - OS command injection and remote command access + - Remote file inclusion + - Session Fixation + +== optional_rules/modsecurity_crs_40_experimental.conf == +The rules in this file are considered BETA quality as they have not been rigorously tested. 
+They attempt to address advanced attacks such as HTTP Parameter Pollution or use new rule +features or techniques. + +== base_rules/modsecurity_crs_42_tight_security.conf == +This rules file attempts to identify all directory traversal variations. It is prone to a high +level of false positives so set PARANOID_MODE if you want to run these rules. + +== base_rules/modsecurity_crs_41_sql_injection.conf == + - SQL injection and blind SQL injection + +== base_rules/modsecurity_crs_41_xss.conf == + - Cross site scripting (XSS) + +== base_rules/modsecurity_crs_41_phpids_converter.conf == +== base_rules/modsecurity_crs_41_phpids_filters.conf == +Trustwave's SpiderLabs received authorization from PHPIDS (http://phpids.net/) to convert their +rules and include them in the CRS + - Thanks to Mario Heiderich + +Converted version of PHPIDS Converter.php functionality. +https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php +These rules look for common evasion tactics. + +Converted version of PHPIDS default_filters.xml data. +https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml + - Filters are heavily tested by the community and updated frequently + - ~70 regular expression rules to detect common attack payloads + - XSS + - SQL Injection + - RFI + +== optional_rules/modsecurity_crs_46_et_sql_injection.conf == +== optional_rules/modsecurity_crs_46_et_web_rules.conf == +Due to the high number of rules and the possible impact on performance, these rules +have been placed in the optional_rules directory. 
+ +Trustwave's SpiderLabs received authorization from ET to convert their Snort rules and include them in the CRS +http://www.emergingthreats.net/ + +Converted the following ET Snort rule files + - emerging-web_server.rules + - emerging-web_specific_apps.rules + +Identifying attacks against known web vulnerabilities does have value + - Raised threat level + - If done correctly, lessens false positives + +The issue to overcome is that the PCRE RegExs used in the rules are pretty poor. What we want +to do is to combine the *what* of our generic attack payload detection (attack payloads) with +the *where* (attack vector - URL + Parameter Name) of the ET known vuln data. The approach we +took was to have most of the ET rules look for the attack vector data and then simply check all +saved TX data for a corresponding attack vector match. + + +-=[ Trojan Protection ]=- +ModSecurity Core Rule Set detects access to back doors +installed on a web server. This feature is very important in a hosting +environment when some of this backdoors may be uploaded in a legitimate way and +used maliciously. In addition the Core Rule Set includes a hook for adding +an Anti-Virus program such as ClamAV for checking file uploads. + +== base_rules/modsecurity_crs_45_trojans.conf == + - Check uploading of http backdoor page + - Access detection + - Known signatures (x_key header) + - Generic file management output (gid, uid, drwx, c:\) + +-=[ InfoLeakages ]=- +If all fails, the Core Rule Set will detect errors sent by +the web server. Detecting and blocking errors prevents attackers from +collecting reconnaissance information about the web application and also server +as a last line of defense in case an attack was not detected eariler. 
+ +== base_rules/modsecurity_crs_50_outbound.conf == + - HTTP Error Response Status Codes + - SQL Information Leakage + - Stack Dumps + - Source Code Leakage + + +-=[ Request Header Tagging ]=- +This concept is similar to anti-SPAM SMTP apps that will add additional mime headers +to emails providing the SPAM detection analysis information. The CRS is attempting +to mimic this concept at the HTTP layer by adding additional request headers that +provide insight into any ModSecurity events that may have triggered during processing. +The advantage of this approach is that it allows a WAF to be in a detection-only mode +while still providing attack data to the destination application server. The recieving +app server may then inspect the WAF request headers and make a determination whether +or not to process the transaction. This concept is valuable in distributed web environments +and hosting architectures where a determination to block may only be appropriate at the +destination app server. + +== optional_rules/modsecurity_crs_49_header_tagging.conf == +This rules file will take all of the TX attack variable data and populate Apache ENV +variables that Apache can then use to add X-WAF-Event request header data to the +request. 
+ +Example showing the consolidated X-WAF-Events and X-WAF-Score data - + +GET /path/to/foo.php?test=1%27%20or%20%272%27=%272%27;-- HTTP/1.1 +Host: www.example.com +User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-us,en;q=0.5 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 +X-WAF-Events: TX: / 999935-Detects common comment types-WEB_ATTACK/INJECTION-ARGS:test, TX:999923-Detects JavaScript location/document property access and window access obfuscation-WEB_ATTACK/INJECTION-REQUEST_URI_RAW, TX:950001-WEB_ATTACK/SQL_INJECTION-ARGS:test +X-WAF-Score: Total=48; sqli=2; xss= +Connection: Keep-Alive + + diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_joomla.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_joomla.data --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_joomla.data 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_joomla.data 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,44 @@
+/acomponents/com_mamboleto/mamboleto.php
+/admin.rssreader.php
+/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php
+/administrator/components/com_jwmmxtd/admin.jwmmxtd.php
+/administrator/components/com_sqlreport/ajax/print.php
+/administrator/components/com_universal/includes/config/config.html.php
+/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
+/administrator/components/com_xcloner-backupandrestore/index2.php
+/com_koesubmit/koesubmit.php
+/com_ongumatimesheet20/lib/onguma.class.php
+/com_rwcards/rwcards.advancedate.php
+/com_swmenupro/ImageManager/Classes/ImageManager.php
+/com_xmovie/helpers/img.php
+/components/com_ajaxchat/tests/ajcuser.php
+/components/com_banners/banners.class.php
+/components/com_ezine/class/php/d4m_ajax_pagenav.php
+/components/com_intuit/models/intuit.php
+/components/com_jcalpro/cal_popup.php
+/components/com_mediaslide/viewer.php
+/components/com_mojo/wp-comments-post.php
+/components/com_mojo/wp-trackback.php
+/components/com_moofaq/includes/file_includer.php
+/components/com_morfeoshow/morfeoshow.html.php
+/components/com_smartformer/smartformer.php
+/components/com_xgallery/helpers/img.php
+/config.dadamail.php
+/database/table/user.php
+/example.php
+/gmail.php
+/index.php
+/letterman.class.php
+/models/category.php
+/modules/mod_mainmenu/menu.php
+/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php
+/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php
+/plugins/authentication/ldap.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/real_estate/index.php
+admin.ponygallery.html.php
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_lfi.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_lfi.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_lfi.data 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_lfi.data 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,154 @@ +/123flashchat.php +/ADM_Pagina.php +/ST_browsers.php +/ST_countries.php +/ST_platforms.php +/_conf/core/common-tpl-vars.php +/_footer.php +/_functions.php +/acopia/manager/DiagCaptureFileListActionBody.do +/acopia/manager/DiagLogListActionBody.do +/acopia/sat/ViewInventoryErrorReport.do +/acopia/sat/ViewSatReport.do +/active_auctions.php +/addedit-render.php +/admin/admin_groups_reapir.php +/admin/admin_smilies.php +/admin/admin_words.php +/admin/loadplugin.php +/admin/thumbnailformpost.inc.php +/admin/upgrade_unattended.php +/administrator/components/com_xcloner-backupandrestore/cloner.cron.php +/api/download_launch.php +/arch.php +/artmedic_print.php +/baconmap/admin/updatelist.php +/bin/qte_init.php +/block_center_down.php +/block_center_top.php +/block_left.php +/block_right.php +/body_default.php +/books/getConfig.php +/centre.php +/chat/dac.php +/classes/BxDolGzip.php +/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php +/classes/flash_mp3_player/extras/external_feeds/getfeed.php +/cms_detect.php +/com_xmovie/helpers/img.php +/components/com_intuit/models/intuit.php +/components/com_mediaslide/viewer.php +/components/com_moofaq/includes/file_includer.php +/components/com_xgallery/helpers/img.php +/config.dadamail.php +/config.php +/container.php +/content/dynpage_load.php +/cron.php +/cuenta/cuerpo.php +/cultbooking.php +/debugger/debug_php.php +/detail.php +/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php +/dm-albums/template/album.php +/doku.php +/download.php +/examples/tbs_us_examples_0view.php +/export.php +/footer.inc.php +/forum.php +/gradebook/open_document.php +/header.inc.php +/header.php +/include/global.php +/include/timesheet.php +/include/unverified.inc.php +/includes/esqueletos/skel_null.php +/includes/function_core.php +/includes/header.php +/includes/initsystem.php +/includes/startmodules.inc.php +/index.php +/index_inc.php +/infusions/last_seen_users_panel/last_seen_users_panel.php 
+/init.php +/latestposts.php +/lib/function.php +/lib/lcUser.php +/library/setup/rpc.php +/locales.php +/locms/smarty.php +/login.tpl.php +/main.inc.php +/maincore.php +/message_class.php +/mini.php +/module.php +/modules/3rdparty/adminpart/add3rdparty.php +/modules/articles/adminpart/addarticles.php +/modules/brandnews/adminpart/addbrandnews.php +/modules/comments.php +/modules/contact/adminpart/addcontact.php +/modules/core/security/init.php +/modules/game/adminpart/addgame.php +/modules/login.php +/modules/maticmarket/bleu/blanc/bas.php +/modules/maticmarket/bleu/blanc/haut.php +/modules/maticmarket/bleu/default/bas.php +/modules/maticmarket/bleu/default/haut.php +/modules/maticmarket/bleu/gold/bas.php +/modules/maticmarket/bleu/gold/haut.php +/modules/maticmarket/deco/blanc/bas.php +/modules/maticmarket/deco/blanc/haut.php +/modules/newsletter/adminpart/addnewsletter.php +/modules/plain/adminpart/addplain.php +/modules/polling/adminpart/addpolling.php +/modules/product/adminpart/addproduct.php +/modules/profile/user.php +/modules/tour/adminpart/addtour.php +/news/search.php3 +/news_show.php +/oldnews_reader.php +/op/op.Login.php +/passwiki.php +/pcltar.lib.php +/plog-includes/lib/phpthumb/phpThumb.php +/plugin/gateway/gnokii/init.php +/plugin/themes/default/init.php +/plugins/templateie/lib/templateie_install.class.php +/pmscript.php +/portfolio/css.php +/preview.php +/qlib/smarty.inc.php +/qte_web.php +/resource_categories_view.php +/section.php +/server_request.php +/show_joined.php +/sitemap.xml.php +/snippet.reflect.php +/spaw_control.class.php +/stage1.php +/stage4.php +/stage6.php +/templater.php +/templates/layout_lyrics.php +/threadstop/threadstop.php +/tiki-jsplugin.php +/update_trailer.php +/urheber.php +/util/barcode.php +/vars.inc.php +/viewsource.php +/website.php +/windetail.php +/window_down.php +/window_top.php +/wp-content/plugins/jquery-mega-menu/skin.php +/wp-content/plugins/wp-publication-archive/includes/openfile.php 
+/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php +app=urchin.cgi +functions_navlinks.php +profile_send.php +viewtopic_PM-link.php \ No newline at end of file diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_phpbb.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_phpbb.data --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_phpbb.data 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_phpbb.data 2011-05-03 19:01:25.000000000 +0000 @@ -0,0 +1,10 @@ +.php +/acp_lcxbbportal.php +/admin/admin_acronyms.php +/admin/admin_groups_reapir.php +/admin/admin_smilies.php +/admin/admin_words.php +/admin_hacks_list.php +/include/global.php +/index.php +/portal_block.php \ No newline at end of file diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_rfi.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_rfi.data --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_rfi.data 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_rfi.data 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,461 @@ +.php +/123flashchat.php +/2checkout_return.inc.php +/ADM_Pagina.php +/Admin/ResellersManager.class.php +/Base/example_1.php +/Clickheat/Cache.php +/Clickheat_Heatmap.php +/CoupleDB.php +/Customers/PDPEmailReplaceConstants.class.php +/DB_adodb.class.php +/Framework/EmailTemplates.class.php +/GlobalVariables.php +/HTMLSax3.php +/LSTable.php +/OpenSiteAdmin/pages/pageHeader.php +/ST_browsers.php +/ST_countries.php +/ST_platforms.php +/SezHooTabsAndActions.php +/Thumbnail.php +/_conf/core/common-tpl-vars.php +/_footer.php +/_functions.php +/acomponents/com_mamboleto/mamboleto.php +/acopia/manager/DiagCaptureFileListActionBody.do +/acopia/manager/DiagLogListActionBody.do +/acopia/sat/ViewInventoryErrorReport.do +/acopia/sat/ViewSatReport.do +/acp_lcxbbportal.php +/action.php +/active_auctions.php +/activities/workflow-activities.php +/add_comments.php +/addedit-render.php +/adm/krgourl.php +/admin.googlebase.php +/admin.rssreader.php +/admin/admin_groups_reapir.php +/admin/admin_smilies.php +/admin/admin_words.php +/admin/frontpage_right.php +/admin/global.php +/admin/loadplugin.php +/admin/thumbnailformpost.inc.php +/admin/upgrade_unattended.php +/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php +/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php +/administrator/components/com_jwmmxtd/admin.jwmmxtd.php +/administrator/components/com_universal/includes/config/config.html.php +/administrator/components/com_xcloner-backupandrestore/cloner.cron.php +/application/views/public/commentform.php +/arch.php +/archive.php +/ardeaCore/lib/core/ardeaBlog.php +/ardeaCore/lib/core/ardeaInit.php +/ardeaCore/lib/core/mvc/ardeaMVC.php +/artmedic_print.php +/assets/plugins/mp3_id/mp3_id.php +/awcm/control/common.php +/awcm/header.php +/awcm/includes/window_top.php +/baconmap/admin/updatelist.php +/base/Archive.php +/base/Comments.php +/base/News.php +/base/SendFriend.php +/base_qry_common.php +/base_stat_common.php 
+/basicfogfactory.class.php +/bazar/picturelib.php +/berylium-classes.php +/bin/qte_init.php +/block.php +/block_center_down.php +/block_center_top.php +/block_left.php +/block_right.php +/blocks/file/controller.php +/blocks/headerfile.php +/body_comm.inc.php +/body_default.php +/centre.php +/ch_readalso.php +/chat/dac.php +/checkout.php +/class.csv.php +/class.phpmailer.php +/class_yapbbcooker.php +/classes/excel/class.writeexcel_workbook.inc.php +/classes/excel/class.writeexcel_worksheet.inc.php +/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php +/classes/flash_mp3_player/extras/external_feeds/getfeed.php +/cms/modules/form.lib.php +/cms_detect.php +/com_del.php +/com_koesubmit/koesubmit.php +/com_ongumatimesheet20/lib/onguma.class.php +/com_rwcards/rwcards.advancedate.php +/com_swmenupro/ImageManager/Classes/ImageManager.php +/com_xmovie/helpers/img.php +/comments.php +/common.php +/common/errormsg.php +/common/func.php +/components/com_ajaxchat/tests/ajcuser.php +/components/com_banners/banners.class.php +/components/com_ezine/class/php/d4m_ajax_pagenav.php +/components/com_intuit/models/intuit.php +/components/com_jcalpro/cal_popup.php +/components/com_mediaslide/viewer.php +/components/com_mojo/wp-comments-post.php +/components/com_mojo/wp-trackback.php +/components/com_moofaq/includes/file_includer.php +/components/com_morfeoshow/morfeoshow.html.php +/components/com_smartformer/smartformer.php +/components/com_smf/smf.php +/components/com_xgallery/helpers/img.php +/config.dadamail.php +/config.php +/container.php +/content/dynpage_load.php +/content/themes/softsaurus_default/pages/subHeader.php +/content/themes/softsaurus_stretched/pages/subHeader.php +/core/includes/gfw_smarty.php +/cron.php +/cuenta/cuerpo.php +/cultbooking.php +/customer_ftp.php +/datumscalc.php +/debugger.php +/debugger/debug_php.php +/define.php +/detail.php +/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php +/display.php +/dm-albums/template/album.php 
+/doku.php +/dompdf.php +/don3_requiem.php +/dosearch.php +/download.php +/downloads.php +/dp_logs.php +/e-pay/src/a_affil.php +/editor/edit_htmlarea.php +/emailsender.php +/embedforum.php +/engine/api/api.class.php +/example_clientside_javascript.php +/examples/tbs_us_examples_0view.php +/examples/widget8.php +/export.php +/export_batch.inc.php +/familynews.php +/faq.php +/filepool.php +/files/blocks/latest_files.php +/filters/headerfile.php +/fonctions_racine.php +/footer.inc.php +/footer.php +/forum.php +/forums/blocks/latest_posts.php +/frontpage.php +/ftp.php +/functionen/ref_kd_rubrik.php +/functions.php +/functions_install.php +/gallery2/lib/adodb/adodb-error.inc.php +/gbookmx/gbook.php +/get_header.php +/global.php +/groups/headerfile.php +/gunaysoft.php +/handle/proxy.php +/handlers/page/show.php +/header.inc.php +/header.php +/heatmap/_main.php +/heatmap/main.php +/help.php +/hg_referenz_jobgalerie.php +/html.php +/html2.php +/iframe.php +/inc/articles.inc.php +/inc/content.inc.php +/inc/logingecon.php +/include/_bot.php +/include/addons/version/pages/index.inc.php +/include/admin.lib.inc.php +/include/admin/device_admin.php +/include/engine/content/elements/menu.php +/include/global.php +/include/header.php +/include/libs/internals/core.process_compiled_include.php +/include/libs/internals/core.write_compiled_include.php +/include/libs/plugins/function.config_load.php +/include/logout.php +/include/pages/specials.inc.php +/include/payment/payflow_pro.php +/include/prodler.class.php +/include/timesheet.php +/include/top_graph_header.php +/include/unverified.inc.php +/includes/Cache/Lite/Output.php +/includes/ajax_listado.php +/includes/classes/pctemplate.php +/includes/common.php +/includes/competitions/add.php +/includes/competitions/competitions.php +/includes/converter.inc.php +/includes/esqueletos/skel_null.php +/includes/file_manager/special.php +/includes/footer.php +/includes/function_core.php +/includes/header.inc.php +/includes/header.php 
+/includes/hnmain.inc.php3 +/includes/include.php +/includes/includes.php +/includes/init.php +/includes/initsystem.php +/includes/language.php +/includes/messages.inc.php +/includes/settings.inc.php +/includes/settings/settings.php +/includes/startmodules.inc.php +/includes/workspace.php +/index.php +/index_inc.php +/index_logged.php +/infusions/last_seen_users_panel/last_seen_users_panel.php +/init.php +/install.clickheat.php +/install/di.php +/js/wptable-button.php +/js/wptable-tinymce.php +/language/1/splash.lang.php +/last_gallery.php +/latestposts.php +/layout_admin_cfg.php +/layout_cfg.php +/layouts/standard.php +/left_menu.php +/lib.module.php +/lib/FSphp.php +/lib/action/rss.php +/lib/addressbook.php +/lib/function.php +/lib/layout/layoutHeaderFuncs.php +/lib/layout/layoutManager.php +/lib/layout/layoutParser.php +/lib/lcUser.php +/lib/navigation.php +/lib/page/pageDescriptionObject.php +/lib/pathwirte.php +/lib/smarty/SmartyFU.class.php +/libraries/database.php +/libraries/lib-remotehost.inc.php +/library/setup/rpc.php +/libs/db.php +/libs/ftp.php +/libs/lom.php +/libsecure.php +/linkadmin.php +/links/blocks/links.php +/load_lang.php +/locales.php +/locms/smarty.php +/login.php +/login.tpl.php +/logout.php +/lom_update.php +/ltdialogo.php +/main.inc.php +/main/forum/komentar.php +/main_prepend.php +/maincore.php +/membres/membreManager.php +/menu/headerfile.php +/message_class.php +/mini.php +/mod/image/index.php +/mod/liens/index.php +/mod/liste/index.php +/mod/special/index.php +/mod/texte/index.php +/mod/vm/controller/AccessController.php +/mod/vm/model/dao.php +/module.php +/module/referenz.php +/modules/3rdparty/adminpart/add3rdparty.php +/modules/admin/include/config.php +/modules/articles/adminpart/addarticles.php +/modules/brandnews/adminpart/addbrandnews.php +/modules/comments.php +/modules/contact/adminpart/addcontact.php +/modules/core/logger/init.php +/modules/core/security/init.php +/modules/dfss/lgsl/lgsl_players.php 
+/modules/dfss/lgsl/lgsl_settings.php +/modules/formmailer/formmailer.admin.inc.php +/modules/game/adminpart/addgame.php +/modules/login.php +/modules/maticmarket/bleu/blanc/bas.php +/modules/maticmarket/bleu/blanc/haut.php +/modules/maticmarket/bleu/default/bas.php +/modules/maticmarket/bleu/default/haut.php +/modules/maticmarket/bleu/gold/bas.php +/modules/maticmarket/bleu/gold/haut.php +/modules/maticmarket/deco/blanc/bas.php +/modules/maticmarket/deco/blanc/haut.php +/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php +/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php +/modules/newsletter/adminpart/addnewsletter.php +/modules/noevents/templates/mfa_theme.php +/modules/plain/adminpart/addplain.php +/modules/polling/adminpart/addpolling.php +/modules/product/adminpart/addproduct.php +/modules/profile/user.php +/modules/tour/adminpart/addtour.php +/modules/users/headerfile.php +/monatsblatt.php +/mtdialogo.php +/mw_plugin.php +/nettools.popup.php +/news.php +/news/blocks/latest_news.php +/news/search.php3 +/news_show.php +/newscat.php +/nucleus/libs/PLUGINADMIN.php +/nucleus/media.php +/nucleus/xmlrpc/server.php +/obj/action.class.php +/obj/architecte.class.php +/obj/avis.class.php +/obj/bible.class.php +/obj/blocnote.class.php +/oldnews_reader.php +/op/op.Login.php +/overview/main.php +/passwiki.php +/pcltar.lib.php +/pcltrace.lib.php +/pingsvr.php +/plugin/HP_DEV/cms2.php +/plugin/gateway/gnokii/init.php +/plugin/themes/default/init.php +/plugin_admin.php +/plugins/templateie/lib/templateie_install.class.php +/pmscript.php +/portal_block.php +/portfolio/css.php +/prepend.php +/preview.php +/produkte_nach_serie.php +/produkte_nach_serie_alle.php +/psg.smarty.lib.php +/public/code/cp_html2xhtmlbasic.php +/qlib/smarty.inc.php +/qte_web.php +/real_estate/index.php +/ref_kd_rubrik.php +/resource_categories_view.php +/resources/includes/class.Smarty.php +/rss_importer_functions.php +/run_auto_suspend.cron.php +/safehtml.php 
+/scorm/lib.inc.php +/scripts/check-lom.php +/scripts/weigh_keywords.php +/search.php +/section.php +/send_email_cache.php +/send_reminders.php +/server_request.php +/settings.php +/settings/headerfile.php +/show_joined.php +/site_conf.php +/sitemap.xml.php +/skins/header.php +/skins/phpchess/layout_t_top.php +/slogin_lib.inc.php +/smallaxe-0.3.1/inc/linkbar.php +/snippet.reflect.php +/spaw_control.class.php +/stage1.php +/stage4.php +/stage6.php +/standard/1/lay.php +/standard/3/lay.php +/startup.php +/surfer_aendern.php +/surfer_anmeldung_NWL.php +/system/pageTemplate.php +/system/utilities.php +/templater.php +/templates/default/tpl_message.php +/templates/layout_lyrics.php +/test/pages/contact.php +/theme/format.php +/threadstop/threadstop.php +/tiki-jsplugin.php +/tmsp/add_tmsp.php +/tmsp/edit_tmsp.php +/tmsp/subscription.php +/tmsp/tmsp.php +/toolbar.php +/tools/filemanager/skins/mobile/admin1.template.php +/update_trailer.php +/urheber.php +/user/turbulence.php +/utdb_access.php +/utgn_message.php +/util/barcode.php +/vars.inc.php +/velid3/getid3.php +/velid3/module.archive.gzip.php +/view_blog_archives.php +/view_blog_comments.php +/view_messages.php +/views/print/printbar.php +/viewsource.php +/viewver.php +/watermark.php +/web/lom.php +/website.php +/windetail.php +/window_down.php +/window_top.php +/wordtube-button.php +/wp-content/plugins/jquery-mega-menu/skin.php +/wp-content/plugins/wp-publication-archive/includes/openfile.php +/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php +/www/lib/head_auth.php +admin.ponygallery.html.php +app=urchin.cgi +crea.php +create_file.php +functions_navlinks.php +plugins/links/functions.inc +plugins/polls/functions.inc +plugins/spamx/BlackList.Examine.class.php +plugins/spamx/DeleteComment.Action.class.php +plugins/spamx/EditHeader.Admin.class.php +plugins/spamx/EditIP.Admin.class.php +plugins/spamx/EditIPofURL.Admin.class.php +plugins/spamx/IPofUrl.Examine.class.php +plugins/spamx/Import.Admin.class.php 
+plugins/spamx/LogView.Admin.class.php +plugins/spamx/MTBlackList.Examine.class.php +plugins/spamx/MailAdmin.Action.class.php +plugins/spamx/MassDelTrackback.Admin.class.php +plugins/spamx/MassDelete.Admin.class.php +plugins/staticpages/functions.inc +profile_send.php +viewtopic_PM-link.php \ No newline at end of file diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_sqli.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_sqli.data --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_sqli.data 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_sqli.data 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,389 @@ +/ASPKAT.ASP +/DocPay.w2b +/G_Display.php +/HABERLER.ASP +/HaberDetay.asp +/News/page.asp +/OmegaMw7.asp +/ProductDetails.asp +/Search/DisplayResults.php +/SecureLoginManager/list.asp +/SelGruFra.asp +/Types.asp +/ViewBugs.php +/ViewCat.php +/ViewReport.php +/WorkOrder.do +/account_change.php +/activeNews_categories.asp +/activeNews_comments.asp +/activenews_search.asp +/activenews_view.asp +/actualpic.asp +/ad.asp +/add2.php +/add_comment.php +/addrating.php +/admin.asp +/admin.php +/admin/admin_acronyms.php +/admin/admin_annonce/changeannonce.php +/admin/admin_annonce/okvalannonce.php +/admin/admin_mail_adressee.asp +/admin/admin_membre/fiche_membre.php +/admin/cms/opentree.php +/admin/config.php +/admin/edit.asp +/admin/memberlist.php +/admin/modules/modules.php +/admin_check_user.asp +/admin_hacks_list.php +/admincp.php +/admincp/attachment.php +/administration/administre2.php +/administrator/components/com_sqlreport/ajax/print.php +/albmgr.php +/applications/SecureLoginManager/inc_secureloginmanager.asp +/aramayap.asp +/archives.php +/articles.asp +/artreplydelete.asp +/auth.php +/badword.asp +/banner.php +/bb-includes/formatting-functions.php +/bexfront.php +/blocks/block-Old_Articles.php +/boxx/ShowAppendix.asp +/bry.asp +/bt-trackback.php +/bus_details.asp +/calendar_detail.asp +/cart.inc.php +/cart.php +/cat.asp +/categoria.php +/category.php +/cats.asp +/cchatbox.php +/cgi-bin/reorder2.asp +/check_vote.php +/class/debug/debug_show.php +/class/table_broken.php +/classes/class.news.php +/classes/class_session.php +/classified_img.php +/code/guestadd.php +/com_comment.php +/comersus_optReviewReadExec.asp +/comment.php +/comments.php +/compareHomes.asp +/compare_product.php +/connexion.php +/content.asp +/content.php +/content/rubric/index.php +/coupon_detail.asp +/dagent/downloadreport.asp +/database/table/user.php +/db_ecard.php +/default.asp +/default2.asp +/detail.asp +/detail.php +/details.asp +/dettaglio.asp +/devami.asp +/diary.php 
+/dirSub.asp +/dircat.asp +/directions.php +/directory.php +/dispimage.asp +/displayCalendar.asp +/display_review.php +/displaypic.asp +/dl.php +/dlwallpaper.php +/down.asp +/down_indir.asp +/download_image.asp +/dsp_page.cfm +/duyuru.asp +/eWebQuiz.asp +/edit.asp +/edit_day.php +/email.php +/error.asp +/etkinlikbak.asp +/example.php +/faq.php +/faqDsp.asp +/filecheck.php +/filelist.asp +/filemgmt/singlefile.php +/forgotpass.asp +/forum.asp +/forum.php +/forum/include/error/autherror.cfm +/forum/modules/gallery/post.php +/forum/pop_up_member_search.asp +/forum2.asp +/forums.php +/friend.php +/functions.php +/functions/functions_filters.asp +/gallery.asp +/gallery.php +/game.php +/game_listing.php +/getnewsitem.php +/giris.asp +/giris_yap.asp +/glossaire-p-f.php +/gmail.php +/goster.asp +/guestbook.php +/h_goster.asp +/haber.asp +/haberdetay.asp +/haberoku.asp +/hilfsmittel.php +/home.php +/homeDetail.asp +/html/studentmain.php +/i-search.php +/imprimir.php +/inc/class_users.php +/inc/common.php +/inc_listnews.asp +/include.php +/includes/a_register.asp +/includes/mambo.php +/includes/nsbypass.php +/includes/rating.php +/index.asp +/index.cfm +/index.php +/index1.asp +/info_book.asp +/info_user.asp +/informacion_general.php +/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php +/infusions/teams_structure/team.php +/inlinemod.php +/inout/status.asp +/inout/update.asp +/install.php +/item.asp +/item.php +/item_list.asp +/item_show.asp +/ixm_ixpnews.php +/journal.php +/jtfwcpnt.jsp +/jump.php +/kategori.asp +/kernel/group.php +/kullanicilistesi.asp +/letterman.class.php +/lib/entry_reply_entry.php +/links.php +/linkslist.asp +/lire-avis.php +/list.asp +/list.php +/list_comments.php +/listfull.asp +/listings.asp +/listmain.asp +/listmembers.php +/listpics.asp +/login.asp +/login.php +/login/register.asp +/logon_user.php +/low.php +/mailer.w2b +/main.asp +/main/auth/my_progress.php +/main_page.php +/mainfile.php +/manufacturer.php +/meal_rest.asp +/members.asp 
+/mesajkutum.asp +/mezungiris.asp +/mod.php +/mod_banners.php +/models/category.php +/modules.php +/modules/Advertising/admin/index.php +/modules/News/index.php +/modules/Surveys/modules.php +/modules/admin/modules/gallery.php +/modules/bms/invoices_discount_ajax.php +/modules/comments/json.php +/modules/mod_mainmenu/menu.php +/moscomment.php +/mystats.php +/navigacija.php +/news.asp +/news.php +/news_detail.asp +/news_page.asp +/newsdetail.asp +/newsletters/edition.php +/nickpage.php +/notaevento.php +/nukesentinel.php +/ogretmenkontrol.asp +/oku.asp +/openPolicy.asp +/open_tree.php +/openlink.asp +/orange.asp +/order-track.php +/ossim/repository/repository_attachment.php +/outputs.php +/page.asp +/page.php +/pages/addcomment2.php +/pfs/pfs.edit.inc.php +/philboard_forum.asp +/phonemessage.asp +/php-stats.recphp.php +/plugins/authentication/ldap.php +/plugins/campsiteattachment/attachments.php +/plugins/ipsearch/ipsearch.admin.php +/plugins/mp3playlist/mp3playlist.php +/plugins/pdfClasses/pdfgen.php +/plugins/search/categories.php +/plugins/search/contacts.php +/plugins/search/content.php +/plugins/search/sections.php +/plugins/search/weblinks.php +/plugins/user/example.php +/plus/feedback_js.php +/pms.php +/pollmentorres.asp +/polls.php +/pop_profile.asp +/post.php +/postingdetails.php +/preferences.asp +/prikazInformacije.php +/print.asp +/print.php +/printarticle.asp +/printmain.asp +/printview.php +/process.php +/prodList.asp +/product.asp +/product_review.php +/productdetail.asp +/products.asp +/products.php +/program/moduler_banner_aabn.php +/public/code/cp_downloads.php +/public/code/cp_menu_data_file.php +/publication_view.asp +/publications_list.asp +/qte_result.php +/question.php +/rating.asp +/read/index.php +/recipe.php +/refund_request.php +/register.php +/repass.php +/res_details.asp +/result.asp +/result.php +/roleManager.jsp +/rss.asp +/rss/show_webfeed.php +/samples/with_db/loaddetails.php +/save.php +/search.asp +/search.php +/search_listing.asp 
+/searchkey.asp +/searchmain.asp +/searchoption.asp +/section/default.asp +/send_password_preferences.asp +/sendarticle.asp +/set_preferences.asp +/shared/code/cp_authorization.php +/shared/code/cp_functions_downloads.php +/shopgiftregsearch.asp +/show_joined.php +/show_news.php +/show_owned.php +/showfile.asp +/simplog/archive.php +/simplog/index.php +/site_info.php +/slideshow.asp +/sptrees/default.aspx +/style.php +/stylesheet.php +/subcat.php +/system/core/users/users.register.inc.php +/system/index.php +/takefreestart.php +/templates/modif.html +/thread.php +/thumbnails.asp +/thumbnails.php +/topic_title.php +/torrents.php +/tracking/courseLog.php +/types.asp +/update_profile.php +/urunbak.asp +/user.asp +/user.php +/user_confirm.asp +/user_pages/page.asp +/userdetail.php +/usergroups.php +/usermgr.php +/users.php +/utilities/usermessages.asp +/uye_giris_islem.asp +/vBSupport.php +/vdateUsr.asp +/vehiclelistings.asp +/verify.php +/vf_memberdetail.asp +/view.php +/view_gallery.asp +/view_profile.php +/view_recent.asp +/viewad.asp +/viewcat.php +/viewimage.php +/viewlinks.asp +/viewthread.php +/virtuemart_parser.php +/visu_user.asp +/voirannonce.php +/wallpaper.php +/wbsearch.aspx +/web/classes/autocomplete.php +/windows.asp +/wp-admin/admin-ajax.php +/wp-admin/admin-functions.php +/wp-content/plugins/1-flash-gallery/massedit_album.php +/wp-content/plugins/cpl/cplphoto.php +/wp-content/plugins/forum-server/feed.php +/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php +/wp-trackback.php +/xNews.php +/xmlrpc.php +graph_view.php +tree.php \ No newline at end of file diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_wordpress.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_wordpress.data --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_wordpress.data 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_wordpress.data 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,34 @@
+/books/getConfig.php
+/js/modalbox/tests/functional/_ajax_method_get.php
+/js/wptable-button.php
+/js/wptable-tinymce.php
+/plugins/accept-signups/accept-signups_submit.php
+/plugins/feedlist/handler_image.php
+/rss/show_webfeed.php
+/sidebar.php
+/wordtube-button.php
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-admin/admin.php
+/wp-content/plugins/1-flash-gallery/folder.php
+/wp-content/plugins/1-flash-gallery/massedit_album.php
+/wp-content/plugins/audio/getid3/demos/demo.browse.php
+/wp-content/plugins/cpl/cplphoto.php
+/wp-content/plugins/firestats/php/window-add-excluded-ip.php
+/wp-content/plugins/firestats/php/window-add-excluded-url.php
+/wp-content/plugins/firestats/php/window-new-edit-site.php
+/wp-content/plugins/forum-server/feed.php
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
+/wp-content/plugins/jquery-mega-menu/skin.php
+/wp-content/plugins/lazyest-gallery/lazyest-popup.php
+/wp-content/plugins/nextgen-gallery/xml/media-rss.php
+/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php
+/wp-content/plugins/wp-cumulus/tagcloud.swf
+/wp-content/plugins/wp-publication-archive/includes/openfile.php
+/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php
+/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
+/wp-content/plugins/xcloner-backup-and-restore/index2.php
+/wp-content/plugins/zotpress/zotpress.image.php
+/wp-login.php
+/wp-trackback.php
+/xmlrpc.php
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_xss.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_xss.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_et_xss.data 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_et_xss.data 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,159 @@ +/Aris/wflogin.jsp +/Default.aspx +/English_manual_version_2.php +/Forms/home_1 +/ReadMsg.php +/ReqWebHelp/advanced/workingSet.jsp +/ReqWebHelp/basic/searchView.jsp +/SearchCenter/Pages/AllResults.aspx +/WebEditor/Authentication/LoginPage.aspx +/WorkArea/reterror.aspx +/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php +/action_create/index.php +/addressbook.cgi +/admin/editListing.php +/admin/queuedMessage.do +/admin/rp-menu.php +/admin/upgrade_unattended.php +/administrator/components/com_xcloner-backupandrestore/index2.php +/all_photos.html +/appdev/sample/web/hello.jsp +/awards.php +/awstats/awstats.pl +/basicstats.php +/bizdir/bizdir.cgi +/browseCat.php +/browseSubCat.php +/cacti/utilities.php +/calendar.php +/cand_login.asp +/cat.php +/catalogo.php +/cgi/surgeftpmgr.cgi +/config/edituser.php +/configure_plugin.tpl.php +/console.php +/contact/index.php +/core/themes.php +/cultbooking.php +/dailyview.php +/de/create_account.asp +/de/pda/dev_logon.asp +/devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php +/en/front_content.php +/explanation.php +/faces/jsf/tips.jsp +/fetchmailprefs.php +/footer.php +/forcerestart.php +/forcesd.php +/frontend/x3/files/fileop.html +/gnatsweb.pl +/header.php +/hlstats.php +/html/11-login.asp +/html/studentmain.php +/implicit-objects.jsp +/include/sessionRegister.php +/index.php +/js/modalbox/tests/functional/_ajax_method_get.php +/jscripts/folder_rte_files/module_table.php +/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php +/listmembers.php +/listmovies.php +/loan.php +/login.php +/main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php +/mods/ckeditor/filemanager/connectors/php/upload.php +/module_bbcodeloader.php +/module_div.php +/module_email.php +/module_image.php +/module_link.php +/modules.php +/modules/boonex/custom_rss/post_mod_crss.php +/modules/dl/download.php +/news.asp +/news.php +/news/list/index.php +/news/search.php3 +/newsletter/create/index.php 
+/openBrowser.php +/openTutorial.php +/order_form.php +/patch/single_winner1.php +/picture.php +/plugins/accept-signups/accept-signups_submit.php +/plugins/csstidy/css_optimiser.php +/plugins/feedlist/handler_image.php +/plugins/photosmash-galleries/index.php +/printcal.pl +/private/blade_leds.php +/private/cindefn.php +/private/ipmi_bladestatus.php +/private/pm_temp.php +/private/power_management_policy_options.php +/private/power_module.php +/profiles/html/simpleSearch.do +/rating/postcomments.php +/rating/rate.php +/register.php +/reportItem.do +/room/info_book.asp +/room/week.asp +/scripts/prodList.asp +/search.5.html +/search.php +/search/list/action_search/index.php +/sendcard.php +/sendmail.php +/settings.php +/shared/code/cp_authorization.php +/shared/config/cp_config.php +/shipping/methods/fedex_v7/label_mgr/js_include.php +/shipping/pages/popup_shipping/js_include.php +/shopcontent.asp +/showown.php +/sidebar.php +/siteminderagent/forms/smpwservices.fcc +/skins/header.php +/sqledit.php +/stats.php +/tagcloud-ru.swf +/tagcloud.swf +/templates/recruitment/jobVacancy.php +/tiki-featured_link.php +/topFrame.php +/user/User_ChkLogin.asp +/users/payment.php +/usersettings.php +/usrmgr/registerAccount.asp +/verify/asp/n6plugindestructor.asp +/vtigerservice.php +/we/include/weTracking/econda/weEcondaImplement.inc.php +/we/include/we_modules/messaging/messaging_show_folder_content.php +/we/include/we_modules/shop/edit_shop_editorFrameset.php +/weapons.php +/web/msgList/viewmsg/actions/msgAnalyse.asp +/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp +/web/msgList/viewmsg/viewHeaders.asp +/web/phpinfo.php +/workarea/medialist.aspx +/wp-content/plugins/1-flash-gallery/folder.php +/wp-content/plugins/audio/getid3/demos/demo.browse.php +/wp-content/plugins/firestats/php/window-add-excluded-ip.php +/wp-content/plugins/firestats/php/window-add-excluded-url.php +/wp-content/plugins/firestats/php/window-new-edit-site.php 
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php +/wp-content/plugins/lazyest-gallery/lazyest-popup.php +/wp-content/plugins/nextgen-gallery/xml/media-rss.php +/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php +/wp-content/plugins/wp-cumulus/tagcloud.swf +/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php +/wp-content/plugins/xcloner-backup-and-restore/index2.php +/wp-content/plugins/zotpress/zotpress.image.php +/wp-content/themes/redoable/header.php +/wp-content/themes/redoable/searchloop.php +/zimplit.php +_invoice.asp +stconf.nsf \ No newline at end of file diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_joomla.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_joomla.data --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_joomla.data 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_joomla.data 2011-03-25 15:02:39.000000000 +0000 
@@ -0,0 +1,40 @@
+/acomponents/com_mamboleto/mamboleto.php
+/admin.rssreader.php
+/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php
+/administrator/components/com_jwmmxtd/admin.jwmmxtd.php
+/administrator/components/com_sqlreport/ajax/print.php
+/administrator/components/com_universal/includes/config/config.html.php
+/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
+/administrator/components/com_xcloner-backupandrestore/index2.php
+/com_koesubmit/koesubmit.php
+/com_ongumatimesheet20/lib/onguma.class.php
+/com_rwcards/rwcards.advancedate.php
+/com_swmenupro/ImageManager/Classes/ImageManager.php
+/com_xmovie/helpers/img.php
+/components/com_ajaxchat/tests/ajcuser.php
+/components/com_banners/banners.class.php
+/components/com_ezine/class/php/d4m_ajax_pagenav.php
+/components/com_intuit/models/intuit.php
+/components/com_jcalpro/cal_popup.php
+/components/com_mediaslide/viewer.php
+/components/com_mojo/wp-comments-post.php
+/components/com_mojo/wp-trackback.php
+/components/com_moofaq/includes/file_includer.php
+/components/com_morfeoshow/morfeoshow.html.php
+/components/com_xgallery/helpers/img.php
+/config.dadamail.php
+/database/table/user.php
+/example.php
+/gmail.php
+/index.php
+/letterman.class.php
+/models/category.php
+/modules/mod_mainmenu/menu.php
+/plugins/authentication/ldap.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/real_estate/index.php
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_lfi.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_lfi.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_lfi.data 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_lfi.data 2011-03-25 15:02:39.000000000 +0000
@@ -0,0 +1,150 @@ +/123flashchat.php +/ADM_Pagina.php +/ST_browsers.php +/ST_countries.php +/ST_platforms.php +/_conf/core/common-tpl-vars.php +/_footer.php +/_functions.php +/acopia/manager/DiagCaptureFileListActionBody.do +/acopia/manager/DiagLogListActionBody.do +/acopia/sat/ViewInventoryErrorReport.do +/acopia/sat/ViewSatReport.do +/active_auctions.php +/addedit-render.php +/admin/admin_groups_reapir.php +/admin/admin_smilies.php +/admin/admin_words.php +/admin/loadplugin.php +/admin/thumbnailformpost.inc.php +/admin/upgrade_unattended.php +/administrator/components/com_xcloner-backupandrestore/cloner.cron.php +/api/download_launch.php +/arch.php +/artmedic_print.php +/baconmap/admin/updatelist.php +/bin/qte_init.php +/block_center_down.php +/block_center_top.php +/block_left.php +/block_right.php +/body_default.php +/books/getConfig.php +/centre.php +/chat/dac.php +/classes/BxDolGzip.php +/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php +/classes/flash_mp3_player/extras/external_feeds/getfeed.php +/cms_detect.php +/com_xmovie/helpers/img.php +/components/com_intuit/models/intuit.php +/components/com_mediaslide/viewer.php +/components/com_moofaq/includes/file_includer.php +/components/com_xgallery/helpers/img.php +/config.dadamail.php +/config.php +/container.php +/content/dynpage_load.php +/cron.php +/cuenta/cuerpo.php +/cultbooking.php +/debugger/debug_php.php +/detail.php +/dm-albums/template/album.php +/doku.php +/download.php +/examples/tbs_us_examples_0view.php +/export.php +/footer.inc.php +/forum.php +/gradebook/open_document.php +/header.inc.php +/header.php +/include/global.php +/include/timesheet.php +/include/unverified.inc.php +/includes/esqueletos/skel_null.php +/includes/function_core.php +/includes/header.php +/includes/initsystem.php +/includes/startmodules.inc.php +/index.php +/index_inc.php +/infusions/last_seen_users_panel/last_seen_users_panel.php +/init.php +/latestposts.php +/lib/function.php +/library/setup/rpc.php 
+/locales.php +/locms/smarty.php +/login.tpl.php +/main.inc.php +/maincore.php +/message_class.php +/mini.php +/module.php +/modules/3rdparty/adminpart/add3rdparty.php +/modules/articles/adminpart/addarticles.php +/modules/brandnews/adminpart/addbrandnews.php +/modules/comments.php +/modules/contact/adminpart/addcontact.php +/modules/core/security/init.php +/modules/game/adminpart/addgame.php +/modules/login.php +/modules/maticmarket/bleu/blanc/bas.php +/modules/maticmarket/bleu/blanc/haut.php +/modules/maticmarket/bleu/default/bas.php +/modules/maticmarket/bleu/default/haut.php +/modules/maticmarket/bleu/gold/bas.php +/modules/maticmarket/bleu/gold/haut.php +/modules/maticmarket/deco/blanc/bas.php +/modules/maticmarket/deco/blanc/haut.php +/modules/newsletter/adminpart/addnewsletter.php +/modules/plain/adminpart/addplain.php +/modules/polling/adminpart/addpolling.php +/modules/product/adminpart/addproduct.php +/modules/profile/user.php +/modules/tour/adminpart/addtour.php +/news/search.php3 +/news_show.php +/oldnews_reader.php +/op/op.Login.php +/passwiki.php +/pcltar.lib.php +/plog-includes/lib/phpthumb/phpThumb.php +/plugin/gateway/gnokii/init.php +/plugin/themes/default/init.php +/plugins/templateie/lib/templateie_install.class.php +/pmscript.php +/portfolio/css.php +/preview.php +/qlib/smarty.inc.php +/qte_web.php +/resource_categories_view.php +/section.php +/server_request.php +/show_joined.php +/sitemap.xml.php +/snippet.reflect.php +/spaw_control.class.php +/stage1.php +/stage4.php +/stage6.php +/templater.php +/templates/layout_lyrics.php +/threadstop/threadstop.php +/tiki-jsplugin.php +/update_trailer.php +/urheber.php +/util/barcode.php +/vars.inc.php +/viewsource.php +/website.php +/windetail.php +/window_down.php +/window_top.php +/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php +app=urchin.cgi +functions_navlinks.php +profile_send.php +viewtopic_PM-link.php \ No newline at end of file diff -Nru 
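Review bot: The entry `app=urchin.cgi` near the end of modsecurity_46_slr_lfi.data reads like a query-string parameter rather than a script path, unlike the path-style entries above it. The rule that loads this file is not shown in the hunk. If that rule inspects only the request path (for example `REQUEST_FILENAME`), this entry can never match, and whatever signature it was meant to enable would be skipped without any log entry. Confirm which variable the loading rule inspects, then either match this entry against the full URI or replace it with the script path it was derived from. The same entry also appears in modsecurity_46_slr_et_rfi.data.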
modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_phpbb.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_phpbb.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_phpbb.data 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_phpbb.data 2011-03-25 15:02:39.000000000 +0000
@@ -0,0 +1,10 @@
+.php
+/acp_lcxbbportal.php
+/admin/admin_acronyms.php
+/admin/admin_groups_reapir.php
+/admin/admin_smilies.php
+/admin/admin_words.php
+/admin_hacks_list.php
+/include/global.php
+/index.php
+/portal_block.php
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_rfi.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_rfi.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_rfi.data 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_rfi.data 2011-03-25 15:02:39.000000000 +0000
@@ -0,0 +1,446 @@
+.php
+/123flashchat.php
+/2checkout_return.inc.php
+/ADM_Pagina.php
+/Admin/ResellersManager.class.php
+/Base/example_1.php
+/Clickheat/Cache.php
+/Clickheat_Heatmap.php
+/CoupleDB.php
+/Customers/PDPEmailReplaceConstants.class.php
+/DB_adodb.class.php
+/Framework/EmailTemplates.class.php
+/GlobalVariables.php
+/HTMLSax3.php
+/LSTable.php
+/OpenSiteAdmin/pages/pageHeader.php
+/ST_browsers.php
+/ST_countries.php
+/ST_platforms.php
+/SezHooTabsAndActions.php
+/Thumbnail.php
+/_conf/core/common-tpl-vars.php
+/_footer.php
+/_functions.php
+/acomponents/com_mamboleto/mamboleto.php
+/acopia/manager/DiagCaptureFileListActionBody.do
+/acopia/manager/DiagLogListActionBody.do
+/acopia/sat/ViewInventoryErrorReport.do
+/acopia/sat/ViewSatReport.do
+/acp_lcxbbportal.php
+/action.php
+/active_auctions.php
+/activities/workflow-activities.php
+/add_comments.php
+/addedit-render.php
+/adm/krgourl.php
+/admin.googlebase.php
+/admin.rssreader.php
+/admin/admin_groups_reapir.php
+/admin/admin_smilies.php
+/admin/admin_words.php
+/admin/frontpage_right.php
+/admin/global.php
+/admin/loadplugin.php
+/admin/thumbnailformpost.inc.php
+/admin/upgrade_unattended.php
+/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php
+/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php
+/administrator/components/com_jwmmxtd/admin.jwmmxtd.php
+/administrator/components/com_universal/includes/config/config.html.php
+/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
+/application/views/public/commentform.php
+/arch.php
+/archive.php
+/ardeaCore/lib/core/ardeaInit.php
+/artmedic_print.php
+/assets/plugins/mp3_id/mp3_id.php
+/awcm/control/common.php
+/awcm/header.php
+/awcm/includes/window_top.php
+/baconmap/admin/updatelist.php
+/base/Archive.php
+/base/Comments.php
+/base/News.php
+/base/SendFriend.php
+/base_qry_common.php
+/base_stat_common.php
+/basicfogfactory.class.php
+/bazar/picturelib.php
+/berylium-classes.php
+/bin/qte_init.php
+/block.php
+/block_center_down.php
+/block_center_top.php
+/block_left.php
+/block_right.php
+/blocks/file/controller.php
+/blocks/headerfile.php
+/body_comm.inc.php
+/body_default.php
+/centre.php
+/ch_readalso.php
+/chat/dac.php
+/checkout.php
+/class.csv.php
+/class.phpmailer.php
+/class_yapbbcooker.php
+/classes/excel/class.writeexcel_workbook.inc.php
+/classes/excel/class.writeexcel_worksheet.inc.php
+/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php
+/classes/flash_mp3_player/extras/external_feeds/getfeed.php
+/cms/modules/form.lib.php
+/cms_detect.php
+/com_del.php
+/com_koesubmit/koesubmit.php
+/com_ongumatimesheet20/lib/onguma.class.php
+/com_rwcards/rwcards.advancedate.php
+/com_swmenupro/ImageManager/Classes/ImageManager.php
+/com_xmovie/helpers/img.php
+/comments.php
+/common.php
+/common/errormsg.php
+/common/func.php
+/components/com_ajaxchat/tests/ajcuser.php
+/components/com_banners/banners.class.php
+/components/com_ezine/class/php/d4m_ajax_pagenav.php
+/components/com_intuit/models/intuit.php
+/components/com_jcalpro/cal_popup.php
+/components/com_mediaslide/viewer.php
+/components/com_mojo/wp-comments-post.php
+/components/com_mojo/wp-trackback.php
+/components/com_moofaq/includes/file_includer.php
+/components/com_morfeoshow/morfeoshow.html.php
+/components/com_smf/smf.php
+/components/com_xgallery/helpers/img.php
+/config.dadamail.php
+/config.php
+/container.php
+/content/dynpage_load.php
+/content/themes/softsaurus_default/pages/subHeader.php
+/content/themes/softsaurus_stretched/pages/subHeader.php
+/core/includes/gfw_smarty.php
+/cron.php
+/cuenta/cuerpo.php
+/cultbooking.php
+/customer_ftp.php
+/datumscalc.php
+/debugger.php
+/debugger/debug_php.php
+/define.php
+/detail.php
+/display.php
+/dm-albums/template/album.php
+/doku.php
+/dompdf.php
+/don3_requiem.php
+/dosearch.php
+/download.php
+/downloads.php
+/dp_logs.php
+/e-pay/src/a_affil.php
+/editor/edit_htmlarea.php
+/emailsender.php
+/embedforum.php
+/engine/api/api.class.php
+/example_clientside_javascript.php
+/examples/tbs_us_examples_0view.php
+/examples/widget8.php
+/export.php
+/export_batch.inc.php
+/familynews.php
+/faq.php
+/filepool.php
+/files/blocks/latest_files.php
+/filters/headerfile.php
+/fonctions_racine.php
+/footer.inc.php
+/footer.php
+/forum.php
+/forums/blocks/latest_posts.php
+/frontpage.php
+/ftp.php
+/functionen/ref_kd_rubrik.php
+/functions.php
+/functions_install.php
+/gallery2/lib/adodb/adodb-error.inc.php
+/gbookmx/gbook.php
+/get_header.php
+/global.php
+/groups/headerfile.php
+/gunaysoft.php
+/handle/proxy.php
+/handlers/page/show.php
+/header.inc.php
+/header.php
+/heatmap/_main.php
+/heatmap/main.php
+/help.php
+/hg_referenz_jobgalerie.php
+/html.php
+/html2.php
+/iframe.php
+/inc/articles.inc.php
+/inc/content.inc.php
+/inc/logingecon.php
+/include/_bot.php
+/include/addons/version/pages/index.inc.php
+/include/admin.lib.inc.php
+/include/admin/device_admin.php
+/include/engine/content/elements/menu.php
+/include/global.php
+/include/header.php
+/include/libs/internals/core.process_compiled_include.php
+/include/libs/internals/core.write_compiled_include.php
+/include/libs/plugins/function.config_load.php
+/include/logout.php
+/include/pages/specials.inc.php
+/include/payment/payflow_pro.php
+/include/prodler.class.php
+/include/timesheet.php
+/include/top_graph_header.php
+/include/unverified.inc.php
+/includes/Cache/Lite/Output.php
+/includes/ajax_listado.php
+/includes/classes/pctemplate.php
+/includes/common.php
+/includes/competitions/add.php
+/includes/competitions/competitions.php
+/includes/converter.inc.php
+/includes/esqueletos/skel_null.php
+/includes/file_manager/special.php
+/includes/footer.php
+/includes/function_core.php
+/includes/header.inc.php
+/includes/header.php
+/includes/hnmain.inc.php3
+/includes/include.php
+/includes/includes.php
+/includes/init.php
+/includes/initsystem.php
+/includes/language.php
+/includes/messages.inc.php
+/includes/settings.inc.php
+/includes/settings/settings.php
+/includes/startmodules.inc.php
+/includes/workspace.php
+/index.php
+/index_inc.php
+/index_logged.php
+/infusions/last_seen_users_panel/last_seen_users_panel.php
+/init.php
+/install.clickheat.php
+/install/di.php
+/js/wptable-button.php
+/js/wptable-tinymce.php
+/language/1/splash.lang.php
+/last_gallery.php
+/latestposts.php
+/layout_admin_cfg.php
+/layout_cfg.php
+/layouts/standard.php
+/left_menu.php
+/lib.module.php
+/lib/FSphp.php
+/lib/action/rss.php
+/lib/addressbook.php
+/lib/function.php
+/lib/layout/layoutHeaderFuncs.php
+/lib/layout/layoutManager.php
+/lib/layout/layoutParser.php
+/lib/navigation.php
+/lib/page/pageDescriptionObject.php
+/lib/pathwirte.php
+/lib/smarty/SmartyFU.class.php
+/libraries/database.php
+/libraries/lib-remotehost.inc.php
+/library/setup/rpc.php
+/libs/db.php
+/libs/ftp.php
+/libs/lom.php
+/libsecure.php
+/linkadmin.php
+/links/blocks/links.php
+/load_lang.php
+/locales.php
+/locms/smarty.php
+/login.php
+/login.tpl.php
+/logout.php
+/lom_update.php
+/ltdialogo.php
+/main.inc.php
+/main/forum/komentar.php
+/main_prepend.php
+/maincore.php
+/membres/membreManager.php
+/menu/headerfile.php
+/message_class.php
+/mini.php
+/mod/image/index.php
+/mod/liens/index.php
+/mod/liste/index.php
+/mod/special/index.php
+/mod/texte/index.php
+/mod/vm/controller/AccessController.php
+/mod/vm/model/dao.php
+/module.php
+/module/referenz.php
+/modules/3rdparty/adminpart/add3rdparty.php
+/modules/admin/include/config.php
+/modules/articles/adminpart/addarticles.php
+/modules/brandnews/adminpart/addbrandnews.php
+/modules/comments.php
+/modules/contact/adminpart/addcontact.php
+/modules/core/logger/init.php
+/modules/core/security/init.php
+/modules/dfss/lgsl/lgsl_players.php
+/modules/dfss/lgsl/lgsl_settings.php
+/modules/formmailer/formmailer.admin.inc.php
+/modules/game/adminpart/addgame.php
+/modules/login.php
+/modules/maticmarket/bleu/blanc/bas.php
+/modules/maticmarket/bleu/blanc/haut.php
+/modules/maticmarket/bleu/default/bas.php
+/modules/maticmarket/bleu/default/haut.php
+/modules/maticmarket/bleu/gold/bas.php
+/modules/maticmarket/bleu/gold/haut.php
+/modules/maticmarket/deco/blanc/bas.php
+/modules/maticmarket/deco/blanc/haut.php
+/modules/newsletter/adminpart/addnewsletter.php
+/modules/noevents/templates/mfa_theme.php
+/modules/plain/adminpart/addplain.php
+/modules/polling/adminpart/addpolling.php
+/modules/product/adminpart/addproduct.php
+/modules/profile/user.php
+/modules/tour/adminpart/addtour.php
+/modules/users/headerfile.php
+/monatsblatt.php
+/mtdialogo.php
+/mw_plugin.php
+/nettools.popup.php
+/news.php
+/news/blocks/latest_news.php
+/news/search.php3
+/news_show.php
+/newscat.php
+/nucleus/libs/PLUGINADMIN.php
+/nucleus/media.php
+/nucleus/xmlrpc/server.php
+/oldnews_reader.php
+/op/op.Login.php
+/overview/main.php
+/passwiki.php
+/pcltar.lib.php
+/pcltrace.lib.php
+/pingsvr.php
+/plugin/HP_DEV/cms2.php
+/plugin/gateway/gnokii/init.php
+/plugin/themes/default/init.php
+/plugin_admin.php
+/plugins/templateie/lib/templateie_install.class.php
+/pmscript.php
+/portal_block.php
+/portfolio/css.php
+/prepend.php
+/preview.php
+/produkte_nach_serie.php
+/produkte_nach_serie_alle.php
+/psg.smarty.lib.php
+/public/code/cp_html2xhtmlbasic.php
+/qlib/smarty.inc.php
+/qte_web.php
+/real_estate/index.php
+/ref_kd_rubrik.php
+/resource_categories_view.php
+/resources/includes/class.Smarty.php
+/rss_importer_functions.php
+/run_auto_suspend.cron.php
+/safehtml.php
+/scorm/lib.inc.php
+/scripts/check-lom.php
+/scripts/weigh_keywords.php
+/search.php
+/section.php
+/send_email_cache.php
+/send_reminders.php
+/server_request.php
+/settings.php
+/settings/headerfile.php
+/show_joined.php
+/site_conf.php
+/sitemap.xml.php
+/skins/header.php
+/skins/phpchess/layout_t_top.php
+/slogin_lib.inc.php
+/smallaxe-0.3.1/inc/linkbar.php
+/snippet.reflect.php
+/spaw_control.class.php
+/stage1.php
+/stage4.php
+/stage6.php
+/standard/1/lay.php
+/standard/3/lay.php
+/startup.php
+/surfer_aendern.php
+/surfer_anmeldung_NWL.php
+/system/pageTemplate.php
+/system/utilities.php
+/templater.php
+/templates/default/tpl_message.php
+/templates/layout_lyrics.php
+/test/pages/contact.php
+/theme/format.php
+/threadstop/threadstop.php
+/tiki-jsplugin.php
+/tmsp/add_tmsp.php
+/tmsp/edit_tmsp.php
+/tmsp/subscription.php
+/tmsp/tmsp.php
+/toolbar.php
+/tools/filemanager/skins/mobile/admin1.template.php
+/update_trailer.php
+/urheber.php
+/user/turbulence.php
+/utdb_access.php
+/utgn_message.php
+/util/barcode.php
+/vars.inc.php
+/velid3/getid3.php
+/velid3/module.archive.gzip.php
+/view_blog_archives.php
+/view_blog_comments.php
+/view_messages.php
+/views/print/printbar.php
+/viewsource.php
+/viewver.php
+/watermark.php
+/web/lom.php
+/website.php
+/windetail.php
+/window_down.php
+/window_top.php
+/wordtube-button.php
+/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
+/www/lib/head_auth.php
+app=urchin.cgi
+crea.php
+create_file.php
+functions_navlinks.php
+plugins/links/functions.inc
+plugins/polls/functions.inc
+plugins/spamx/BlackList.Examine.class.php
+plugins/spamx/DeleteComment.Action.class.php
+plugins/spamx/EditHeader.Admin.class.php
+plugins/spamx/EditIP.Admin.class.php
+plugins/spamx/EditIPofURL.Admin.class.php
+plugins/spamx/IPofUrl.Examine.class.php
+plugins/spamx/Import.Admin.class.php
+plugins/spamx/LogView.Admin.class.php
+plugins/spamx/MTBlackList.Examine.class.php
+plugins/spamx/MailAdmin.Action.class.php
+plugins/spamx/MassDelTrackback.Admin.class.php
+plugins/spamx/MassDelete.Admin.class.php
+plugins/staticpages/functions.inc
+profile_send.php
+viewtopic_PM-link.php
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_sqli.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_sqli.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_sqli.data 1970-01-01 00:00:00.000000000 +0000
+++
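Review bot: `app=urchin.cgi` near the end of this list is a query-string fragment rather than a path, so it can only match when the rule reading the list inspects a variable that includes the query string. The RFI rules file is not in view; if it gates on `REQUEST_FILENAME` as the Joomla gate in this diff does, a request carrying `app=urchin.cgi` is skipped unless its path happens to match another entry, and the signature behind this entry would never be evaluated. Listing the script path that signature targets, or gating on `REQUEST_URI`, would close that gap. The entries without a leading slash (`crea.php`, `create_file.php`, `plugins/spamx/…`) match in the middle of a path segment as well, which deserves a comment in the rules file that consumes the list.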
modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_sqli.data 2011-03-25 15:02:39.000000000 +0000 
@@ -0,0 +1,382 @@
+/ASPKAT.ASP
+/DocPay.w2b
+/G_Display.php
+/HABERLER.ASP
+/HaberDetay.asp
+/News/page.asp
+/OmegaMw7.asp
+/ProductDetails.asp
+/Search/DisplayResults.php
+/SecureLoginManager/list.asp
+/SelGruFra.asp
+/Types.asp
+/ViewBugs.php
+/ViewCat.php
+/ViewReport.php
+/WorkOrder.do
+/account_change.php
+/activeNews_categories.asp
+/activeNews_comments.asp
+/activenews_search.asp
+/activenews_view.asp
+/actualpic.asp
+/ad.asp
+/add2.php
+/add_comment.php
+/addrating.php
+/admin.asp
+/admin.php
+/admin/admin_acronyms.php
+/admin/admin_annonce/changeannonce.php
+/admin/admin_annonce/okvalannonce.php
+/admin/admin_mail_adressee.asp
+/admin/admin_membre/fiche_membre.php
+/admin/cms/opentree.php
+/admin/config.php
+/admin/edit.asp
+/admin/memberlist.php
+/admin/modules/modules.php
+/admin_check_user.asp
+/admin_hacks_list.php
+/admincp.php
+/admincp/attachment.php
+/administration/administre2.php
+/administrator/components/com_sqlreport/ajax/print.php
+/albmgr.php
+/applications/SecureLoginManager/inc_secureloginmanager.asp
+/aramayap.asp
+/archives.php
+/articles.asp
+/artreplydelete.asp
+/auth.php
+/badword.asp
+/banner.php
+/bb-includes/formatting-functions.php
+/bexfront.php
+/blocks/block-Old_Articles.php
+/boxx/ShowAppendix.asp
+/bry.asp
+/bt-trackback.php
+/bus_details.asp
+/calendar_detail.asp
+/cart.inc.php
+/cart.php
+/cat.asp
+/categoria.php
+/category.php
+/cats.asp
+/cgi-bin/reorder2.asp
+/check_vote.php
+/class/debug/debug_show.php
+/class/table_broken.php
+/classes/class.news.php
+/classes/class_session.php
+/classified_img.php
+/code/guestadd.php
+/com_comment.php
+/comersus_optReviewReadExec.asp
+/comment.php
+/comments.php
+/compareHomes.asp
+/compare_product.php
+/connexion.php
+/content.asp
+/content.php
+/coupon_detail.asp
+/dagent/downloadreport.asp
+/database/table/user.php
+/db_ecard.php
+/default.asp
+/default2.asp
+/detail.asp
+/detail.php
+/details.asp
+/dettaglio.asp
+/devami.asp
+/diary.php
+/dirSub.asp
+/dircat.asp
+/directions.php
+/directory.php
+/dispimage.asp
+/displayCalendar.asp
+/display_review.php
+/displaypic.asp
+/dl.php
+/dlwallpaper.php
+/down.asp
+/down_indir.asp
+/download_image.asp
+/dsp_page.cfm
+/duyuru.asp
+/eWebQuiz.asp
+/edit.asp
+/edit_day.php
+/email.php
+/error.asp
+/etkinlikbak.asp
+/example.php
+/faq.php
+/faqDsp.asp
+/filecheck.php
+/filelist.asp
+/filemgmt/singlefile.php
+/forgotpass.asp
+/forum.asp
+/forum.php
+/forum/include/error/autherror.cfm
+/forum/modules/gallery/post.php
+/forum/pop_up_member_search.asp
+/forum2.asp
+/forums.php
+/friend.php
+/functions.php
+/functions/functions_filters.asp
+/gallery.asp
+/gallery.php
+/game.php
+/game_listing.php
+/getnewsitem.php
+/giris.asp
+/giris_yap.asp
+/glossaire-p-f.php
+/gmail.php
+/goster.asp
+/guestbook.php
+/h_goster.asp
+/haber.asp
+/haberdetay.asp
+/haberoku.asp
+/hilfsmittel.php
+/home.php
+/homeDetail.asp
+/html/studentmain.php
+/i-search.php
+/inc/class_users.php
+/inc/common.php
+/inc_listnews.asp
+/include.php
+/includes/a_register.asp
+/includes/mambo.php
+/includes/nsbypass.php
+/includes/rating.php
+/index.asp
+/index.cfm
+/index.php
+/index1.asp
+/info_book.asp
+/info_user.asp
+/informacion_general.php
+/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php
+/infusions/teams_structure/team.php
+/inlinemod.php
+/inout/status.asp
+/inout/update.asp
+/install.php
+/item.asp
+/item.php
+/item_list.asp
+/item_show.asp
+/ixm_ixpnews.php
+/journal.php
+/jtfwcpnt.jsp
+/jump.php
+/kategori.asp
+/kernel/group.php
+/kullanicilistesi.asp
+/letterman.class.php
+/lib/entry_reply_entry.php
+/links.php
+/linkslist.asp
+/lire-avis.php
+/list.asp
+/list.php
+/list_comments.php
+/listfull.asp
+/listings.asp
+/listmain.asp
+/listmembers.php
+/listpics.asp
+/login.asp
+/login.php
+/login/register.asp
+/logon_user.php
+/low.php
+/mailer.w2b
+/main.asp
+/main/auth/my_progress.php
+/main_page.php
+/mainfile.php
+/manufacturer.php
+/meal_rest.asp
+/members.asp
+/mesajkutum.asp
+/mezungiris.asp
+/mod.php
+/mod_banners.php
+/models/category.php
+/modules.php
+/modules/Advertising/admin/index.php
+/modules/News/index.php
+/modules/admin/modules/gallery.php
+/modules/bms/invoices_discount_ajax.php
+/modules/comments/json.php
+/modules/mod_mainmenu/menu.php
+/moscomment.php
+/mystats.php
+/navigacija.php
+/news.asp
+/news.php
+/news_detail.asp
+/news_page.asp
+/newsdetail.asp
+/newsletters/edition.php
+/nickpage.php
+/notaevento.php
+/nukesentinel.php
+/ogretmenkontrol.asp
+/oku.asp
+/openPolicy.asp
+/open_tree.php
+/openlink.asp
+/orange.asp
+/order-track.php
+/ossim/repository/repository_attachment.php
+/outputs.php
+/page.asp
+/page.php
+/pages/addcomment2.php
+/pfs/pfs.edit.inc.php
+/philboard_forum.asp
+/phonemessage.asp
+/php-stats.recphp.php
+/plugins/authentication/ldap.php
+/plugins/campsiteattachment/attachments.php
+/plugins/ipsearch/ipsearch.admin.php
+/plugins/mp3playlist/mp3playlist.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/plus/feedback_js.php
+/pms.php
+/pollmentorres.asp
+/polls.php
+/pop_profile.asp
+/post.php
+/postingdetails.php
+/preferences.asp
+/prikazInformacije.php
+/print.asp
+/print.php
+/printarticle.asp
+/printmain.asp
+/printview.php
+/process.php
+/prodList.asp
+/product.asp
+/product_review.php
+/productdetail.asp
+/products.asp
+/products.php
+/program/moduler_banner_aabn.php
+/public/code/cp_downloads.php
+/public/code/cp_menu_data_file.php
+/publication_view.asp
+/publications_list.asp
+/qte_result.php
+/question.php
+/rating.asp
+/read/index.php
+/recipe.php
+/refund_request.php
+/register.php
+/repass.php
+/res_details.asp
+/result.asp
+/result.php
+/roleManager.jsp
+/rss.asp
+/rss/show_webfeed.php
+/save.php
+/search.asp
+/search.php
+/search_listing.asp
+/searchkey.asp
+/searchmain.asp
+/searchoption.asp
+/section/default.asp
+/send_password_preferences.asp
+/sendarticle.asp
+/set_preferences.asp
+/shared/code/cp_authorization.php
+/shared/code/cp_functions_downloads.php
+/shopgiftregsearch.asp
+/show_joined.php
+/show_news.php
+/show_owned.php
+/showfile.asp
+/simplog/archive.php
+/simplog/index.php
+/site_info.php
+/slideshow.asp
+/sptrees/default.aspx
+/style.php
+/stylesheet.php
+/subcat.php
+/system/core/users/users.register.inc.php
+/system/index.php
+/takefreestart.php
+/templates/modif.html
+/thread.php
+/thumbnails.asp
+/thumbnails.php
+/topic_title.php
+/torrents.php
+/tracking/courseLog.php
+/types.asp
+/update_profile.php
+/urunbak.asp
+/user.asp
+/user.php
+/user_confirm.asp
+/user_pages/page.asp
+/userdetail.php
+/usergroups.php
+/usermgr.php
+/users.php
+/utilities/usermessages.asp
+/uye_giris_islem.asp
+/vBSupport.php
+/vdateUsr.asp
+/vehiclelistings.asp
+/verify.php
+/vf_memberdetail.asp
+/view.php
+/view_gallery.asp
+/view_profile.php
+/view_recent.asp
+/viewad.asp
+/viewcat.php
+/viewimage.php
+/viewlinks.asp
+/viewthread.php
+/virtuemart_parser.php
+/visu_user.asp
+/voirannonce.php
+/wallpaper.php
+/wbsearch.aspx
+/windows.asp
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-content/plugins/1-flash-gallery/massedit_album.php
+/wp-content/plugins/cpl/cplphoto.php
+/wp-content/plugins/forum-server/feed.php
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
+/wp-trackback.php
+/xNews.php
+/xmlrpc.php
+graph_view.php
+tree.php
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_wordpress.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_wordpress.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_wordpress.data 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_wordpress.data 2011-03-25 15:02:39.000000000 +0000
@@ -0,0 +1,31 @@
+/books/getConfig.php
+/js/modalbox/tests/functional/_ajax_method_get.php
+/js/wptable-button.php
+/js/wptable-tinymce.php
+/plugins/accept-signups/accept-signups_submit.php
+/plugins/feedlist/handler_image.php
+/rss/show_webfeed.php
+/sidebar.php
+/wordtube-button.php
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-admin/admin.php
+/wp-content/plugins/1-flash-gallery/folder.php
+/wp-content/plugins/1-flash-gallery/massedit_album.php
+/wp-content/plugins/audio/getid3/demos/demo.browse.php
+/wp-content/plugins/cpl/cplphoto.php
+/wp-content/plugins/firestats/php/window-add-excluded-ip.php
+/wp-content/plugins/firestats/php/window-add-excluded-url.php
+/wp-content/plugins/firestats/php/window-new-edit-site.php
+/wp-content/plugins/forum-server/feed.php
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
+/wp-content/plugins/nextgen-gallery/xml/media-rss.php
+/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php
+/wp-content/plugins/wp-cumulus/tagcloud.swf
+/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php
+/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
+/wp-content/plugins/xcloner-backup-and-restore/index2.php
+/wp-content/plugins/zotpress/zotpress.image.php
+/wp-login.php
+/wp-trackback.php
+/xmlrpc.php
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_xss.data modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_xss.data
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_46_slr_xss.data 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_46_slr_xss.data 2011-03-25 15:02:39.000000000 +0000
@@ -0,0 +1,148 @@
+/Aris/wflogin.jsp
+/Default.aspx
+/English_manual_version_2.php
+/Forms/home_1
+/ReadMsg.php
+/ReqWebHelp/advanced/workingSet.jsp
+/ReqWebHelp/basic/searchView.jsp
+/SearchCenter/Pages/AllResults.aspx
+/WebEditor/Authentication/LoginPage.aspx
+/WorkArea/reterror.aspx
+/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php
+/action_create/index.php
+/addressbook.cgi
+/admin/editListing.php
+/admin/queuedMessage.do
+/admin/rp-menu.php
+/admin/upgrade_unattended.php
+/administrator/components/com_xcloner-backupandrestore/index2.php
+/all_photos.html
+/appdev/sample/web/hello.jsp
+/awards.php
+/awstats/awstats.pl
+/bizdir/bizdir.cgi
+/browseCat.php
+/browseSubCat.php
+/cacti/utilities.php
+/calendar.php
+/cand_login.asp
+/cat.php
+/catalogo.php
+/cgi/surgeftpmgr.cgi
+/config/edituser.php
+/configure_plugin.tpl.php
+/console.php
+/contact/index.php
+/core/themes.php
+/cultbooking.php
+/dailyview.php
+/de/create_account.asp
+/de/pda/dev_logon.asp
+/en/front_content.php
+/explanation.php
+/faces/jsf/tips.jsp
+/fetchmailprefs.php
+/footer.php
+/forcerestart.php
+/forcesd.php
+/frontend/x3/files/fileop.html
+/gnatsweb.pl
+/header.php
+/hlstats.php
+/html/11-login.asp
+/html/studentmain.php
+/implicit-objects.jsp
+/include/sessionRegister.php
+/index.php
+/js/modalbox/tests/functional/_ajax_method_get.php
+/jscripts/folder_rte_files/module_table.php
+/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php
+/listmembers.php
+/listmovies.php
+/loan.php
+/login.php
+/main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php
+/module_bbcodeloader.php
+/module_div.php
+/module_email.php
+/module_image.php
+/module_link.php
+/modules.php
+/modules/boonex/custom_rss/post_mod_crss.php
+/modules/dl/download.php
+/news.asp
+/news.php
+/news/list/index.php
+/news/search.php3
+/newsletter/create/index.php
+/openTutorial.php
+/order_form.php
+/patch/single_winner1.php
+/picture.php
+/plugins/accept-signups/accept-signups_submit.php
+/plugins/csstidy/css_optimiser.php
+/plugins/feedlist/handler_image.php
+/printcal.pl
+/private/blade_leds.php
+/private/cindefn.php
+/private/ipmi_bladestatus.php
+/private/pm_temp.php
+/private/power_management_policy_options.php
+/private/power_module.php
+/profiles/html/simpleSearch.do
+/rating/postcomments.php
+/rating/rate.php
+/register.php
+/reportItem.do
+/room/info_book.asp
+/room/week.asp
+/scripts/prodList.asp
+/search.5.html
+/search.php
+/search/list/action_search/index.php
+/sendcard.php
+/sendmail.php
+/settings.php
+/shared/code/cp_authorization.php
+/shared/config/cp_config.php
+/shipping/methods/fedex_v7/label_mgr/js_include.php
+/shipping/pages/popup_shipping/js_include.php
+/shopcontent.asp
+/showown.php
+/sidebar.php
+/siteminderagent/forms/smpwservices.fcc
+/skins/header.php
+/sqledit.php
+/stats.php
+/tagcloud-ru.swf
+/tagcloud.swf
+/tiki-featured_link.php
+/topFrame.php
+/user/User_ChkLogin.asp
+/users/payment.php
+/usersettings.php
+/usrmgr/registerAccount.asp
+/verify/asp/n6plugindestructor.asp
+/weapons.php
+/web/msgList/viewmsg/actions/msgAnalyse.asp
+/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp
+/web/msgList/viewmsg/viewHeaders.asp
+/web/phpinfo.php
+/workarea/medialist.aspx
+/wp-content/plugins/1-flash-gallery/folder.php
+/wp-content/plugins/audio/getid3/demos/demo.browse.php
+/wp-content/plugins/firestats/php/window-add-excluded-ip.php
+/wp-content/plugins/firestats/php/window-add-excluded-url.php
+/wp-content/plugins/firestats/php/window-new-edit-site.php
+/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
+/wp-content/plugins/nextgen-gallery/xml/media-rss.php
+/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php
+/wp-content/plugins/wp-cumulus/tagcloud.swf
+/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php
+/wp-content/plugins/xcloner-backup-and-restore/index2.php
+/wp-content/plugins/zotpress/zotpress.image.php
+/wp-content/themes/redoable/header.php
+/wp-content/themes/redoable/searchloop.php
+/zimplit.php
+_invoice.asp
+stconf.nsf
\ No newline at end of file
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_joomla_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_joomla_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_joomla_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_joomla_attacks.conf 2011-04-15 18:25:15.000000000 +0000
@@ -0,0 +1,1523 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.0 +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from: +# +# http://www.emergingthreats.net/ +# + +SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_joomla.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_JOOMLA_RULES" + +# (2005292) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005292,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005293) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005293,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005294) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005294,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005295) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005295,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005296) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005296,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005297) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005297,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005298) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id SELECT +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005298,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005299) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005299,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005300) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005300,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005301) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE
+SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005301,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005302) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII
+SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005302,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
+SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005303) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE
+SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005303,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005390,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005391,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005802,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005392) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005392,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005394) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005394,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005395,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005396,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005397,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005398) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php INSERT
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005398,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005399) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005399,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005400) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005400,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005401) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005401,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005402) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005402,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005404) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005404,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005405) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php DELETE
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005405,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005406) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005406,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005409) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005409,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005410) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005410,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005411,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005412) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php ASCII
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005412,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005413,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005414,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005415,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005416,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005417,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005418,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php UPDATE
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005419,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005420,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005421,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005422,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005423,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005424) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005424,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005425,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where SELECT +SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005426,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:where "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT +SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005427,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:where "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT +SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005428,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:where "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE +SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005429,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:where "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII +SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005430,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:where "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE +SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005431,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:where "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT +SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005432,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text UNION SELECT +SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005433,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005434) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT +SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005434,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE +SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005435,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII +SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005436,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE +SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005437,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005438) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT +SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005438,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005439) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT +SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005439,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005440) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- categories.php text INSERT +SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005440,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005441) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE +SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005441,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005442) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII +SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005442,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- categories.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005443) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE +SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005443,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005444) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT +SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005444,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- sections.php text SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005445) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT +SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005445,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005446) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT +SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005446,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005447) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- sections.php text DELETE +SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005447,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005448) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII +SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005448,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005449) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE +SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005449,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- sections.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:text "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005450) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT +SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005450,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:email "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT +SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005451,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:email "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005452) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT +SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005452,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:email "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE +SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005453,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:email "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email ASCII +SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005454,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:email "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE +SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" +SecRule ARGS:email "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008685,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6792/'" +SecRule REQUEST_LINE "@contains /index2.php?option=ds-syndicate" "chain" +SecRule REQUEST_LINE "@contains version=1" "chain" +SecRule ARGS:feed_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain" +SecRule ARGS:include_file "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# 
(2009369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /admin.rssreader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009369,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7096/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_live_site "(?i:mosConfig_live_site=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009834,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'" +SecRule ARGS:option=com_artportal&portalid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009835) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009835,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'" +SecRule ARGS:option=com_artportal&portalid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009836) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009836,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'" +SecRule ARGS:option=com_artportal&portalid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9593/'" +SecRule 
ARGS:option=com_joomlub&controller=auction&view=auction&task=edit&aid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009913) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009913,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'" +SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009914) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009914,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'" +SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + 
+
+# (2009915) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009915,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule REQUEST_LINE "@contains INSER" "chain"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009919) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009919,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009920) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009920,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla!
Foobla RSS Feed Creator Component \'id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009921) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009921,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009924,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla!
Foobla RSS Feed Creator Component \'id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt
+SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla!
com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain"
+SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009933) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_koesubmit/koesubmit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009933,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Mambo/Joomla!
com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
Survey Manager Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009939) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009939,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009940) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009940,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
Survey Manager Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009942,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
Survey Manager Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009943) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009943,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009944,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JBudgetsMagic \'bid\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009945) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009945,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009946) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009946,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JBudgetsMagic \'bid\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009947,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009956,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JoomlaFacebook Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009957) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009957,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009958) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009958,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JoomlaFacebook Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009959) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009959,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009960,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JoomlaFacebook Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009962,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
SportFusion Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009963) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009963,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
SportFusion Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010014,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla!
Game Server Component \'id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010015,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010016,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla!
Game Server Component \'id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010017,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010018,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL
Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010040,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010041) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010041,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010042) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010042,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010043) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010043,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010044,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010045,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
Soundset Component \'cat_id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010046,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
Soundset Component \'cat_id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010048) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010048,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ajaxchat/tests/ajcuser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010260,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010349) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010349,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010350,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010351) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010351,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010352) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010352,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010353,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ezine/class/php/d4m_ajax_pagenav.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010474,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37043'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010476,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010477) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010477,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010478) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010478,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010479,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010480,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010555) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010555,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010556) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010556,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010557,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010558,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010559,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acomponents/com_mamboleto/mamboleto.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010620,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10369'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010636) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010636,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010637) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010637,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010638,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010639) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010639,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010640,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mojo/wp-comments-post.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010659,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mojo/wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010660,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010710,rev:3,msg:'SLR: ET 
WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" +SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" +SecRule ARGS:idea_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010711) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010711,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" +SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" +SecRule ARGS:idea_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010712) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010712,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" +SecRule REQUEST_LINE "@contains 
/index.php?option=com_foobla_suggestions&" "chain" +SecRule ARGS:idea_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010713) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010713,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" +SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" +SecRule ARGS:idea_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010714,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" +SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" +SecRule ARGS:idea_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla 
Suggestions Component idea_id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010750) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010750,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" +SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" +SecRule REQUEST_LINE "@contains &task=itempage" "chain" +SecRule ARGS:Id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010751) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010751,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" +SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" +SecRule REQUEST_LINE "@contains &task=itempage" "chain" +SecRule ARGS:Id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010752) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010752,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" +SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" +SecRule REQUEST_LINE "@contains &task=itempage" "chain" +SecRule ARGS:Id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010753,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" +SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" +SecRule REQUEST_LINE "@contains &task=itempage" "chain" +SecRule ARGS:Id "(?i:INSERT.+INTO)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010754,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" +SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" +SecRule REQUEST_LINE "@contains &task=itempage" "chain" +SecRule ARGS:Id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mediaslide component 
viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010805) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010805,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" +SecRule ARGS:cid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010806) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010806,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" +SecRule ARGS:cid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010807) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010807,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" +SecRule ARGS:cid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010808) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010808,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" +SecRule ARGS:cid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010809) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010809,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" +SecRule ARGS:cid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE 
"@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010843,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" +SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010844,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" +SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010845,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" +SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010846,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" +SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010842,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" +SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /components/com_morfeoshow/morfeoshow.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010848,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:user_id "(?i:user_id\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010853,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_job&" "chain" +SecRule ARGS:id_job "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010854,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_job&" "chain" +SecRule ARGS:id_job "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010855,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" 
+SecRule REQUEST_LINE "@contains option=com_job&" "chain"
+SecRule ARGS:id_job "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010856,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_job&" "chain"
+SecRule ARGS:id_job "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010857,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_job&" "chain"
+SecRule ARGS:id_job "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010924,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010925) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010925,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010926,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010927,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010928,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010947,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010948,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010950,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010951) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010951,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010990,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:user_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010991) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010991,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:user_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010992,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL 
Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:user_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010993) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010993,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:user_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010994) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010994,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:user_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id 
Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010981) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010981,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" +SecRule REQUEST_LINE "@contains &task=view_item" "chain" +SecRule ARGS:newsid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010982) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010982,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" +SecRule REQUEST_LINE "@contains &task=view_item" "chain" +SecRule ARGS:newsid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla 
com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010983) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010983,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" +SecRule REQUEST_LINE "@contains &task=view_item" "chain" +SecRule ARGS:newsid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010984,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" +SecRule REQUEST_LINE "@contains &task=view_item" "chain" +SecRule ARGS:newsid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - 
ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010985) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010985,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" +SecRule REQUEST_LINE "@contains &task=view_item" "chain" +SecRule ARGS:newsid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain" +SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011001) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011001,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" +SecRule ARGS:catid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011002,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" +SecRule ARGS:catid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL 
Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011003) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011003,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" +SecRule ARGS:catid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011004) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011004,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" +SecRule ARGS:catid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011005,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" +SecRule ARGS:catid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011022,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_blog&" "chain" +SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011023,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_blog&" "chain" +SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011024,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_blog&" "chain" +SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011025) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_blog&" "chain" +SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011026,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_blog&" "chain" +SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains 
/components/com_jcalpro/cal_popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011017,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain" +SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011077) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011077,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" +SecRule ARGS:face_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011078) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011078,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" +SecRule ARGS:face_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011079) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011079,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" +SecRule ARGS:face_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011080,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" +SecRule ARGS:face_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011081,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" +SecRule ARGS:face_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /administrator/components/com_jwmmxtd/admin.jwmmxtd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011131,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011132) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion +SecRule REQUEST_LINE "@contains /administrator/components/com_universal/includes/config/config.html.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011132,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,38949'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /config.dadamail.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009384,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /com_ongumatimesheet20/lib/onguma.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009391,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6976/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component 
UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011557,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011558,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011559,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011560,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011561,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jphone" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS
Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011451,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jgrid" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_rwcards/rwcards.advancedate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011844,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path
"(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /real_estate/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011847,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jomestate" "chain"
+SecRule ARGS:task "(?i:task=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011935,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla
Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_banners/banners.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011929,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain"
+SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_cbe" "chain"
+SecRule REQUEST_LINE "@contains task=userProfile" "chain"
+SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012099,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_billyportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=billyportfolio" "chain"
+SecRule ARGS:catid "(?i:and.*if\()" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012131,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_seyret" "chain"
+SecRule REQUEST_LINE "@contains task=videodirectlink" "chain"
+SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012345) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_swmenupro/ImageManager/Classes/ImageManager.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012369,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/index2.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012430,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule ARGS:mosmsg "(?i:mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_JOOMLA_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_lfi_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_lfi_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_lfi_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_lfi_attacks.conf 2011-04-15 18:25:15.000000000 +0000
@@ -0,0 +1,1092 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_lfi.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_LFI_RULES"
+
+# (2009377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion
+SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009380,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control
Panel header.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:forumspath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009195,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mj_config[src_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter
Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_center_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009417,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_center_down[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_center_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009418,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_center_top[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_left.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009420,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_left[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009421,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_right[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /window_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009422,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009423,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /spaw_control.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009429,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30042'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:spaw_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009764) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cyberfolio
css.php theme Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /portfolio/css.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009764,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32218'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:SECURITY_FILE "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /urheber.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009324,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local
File Inclusion',tag:'web-application-attack',tag:'bugtraq,33933'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:name "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion
+SecRule REQUEST_LINE "@contains /doku.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009876,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35095'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config_cascade[main][default][] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008832) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008832,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /threadstop/threadstop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009428,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28686'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:exbb[default_lang] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagLogListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010800,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:logFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt
+SecRule
REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010801,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:captureFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/sat/ViewSatReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010802,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010803) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010803,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager
DiagCaptureFileListActionBody.do capture parameter LFI Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:capture "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010804) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/sat/ViewInventoryErrorReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010804,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009507) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009507,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:dir[classes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php
dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /pmscript.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009745,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34734'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:with "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion
+SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008878,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains
/includes/startmodules.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34538'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008937) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /library/setup/rpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008937,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7344'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:objectname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009231) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009231,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path
Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:c_temp_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011140,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jeajaxeventcalendar&" "chain"
+SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008651) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008651,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6669/'"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:src/' "@gt 0" "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:src/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple
Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /windetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009508,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009509,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:include_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt
+SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain"
+SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla!
com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009761) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/unverified.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009761,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5179/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010023,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:cwd "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS
snippet.reflect.php reflect_base Local File Inclusion
+SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009437,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:dirn "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009430,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole
viewsource.php fname Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
+SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:pfad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /centre.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009330,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6846/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:padmin "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010631) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /infusions/last_seen_users_panel/last_seen_users_panel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010631,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9018/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:settings[locale] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8841/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[UTE][__tplCollection][a][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009431,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:newsoffice_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009728,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34636'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains newlang=kacper" "chain" +SecRule ARGS:languages[kacper][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009332) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion +SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009332,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:CLASSES_ROOT "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion +SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009396,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:Tipo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /modules/core/security/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009461,rev:3,msg:'SLR: ET 
WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009462) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /stage1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009462,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /stage4.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009463,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS 
Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /stage6.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009464,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /website.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009743,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30176'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion +SecRule REQUEST_LINE "@contains 
/_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /chat/dac.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009390,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34213'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:sendChatData "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion +SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" 
+SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion +SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion +SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File 
inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion +SecRule REQUEST_LINE "@contains /message_class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009168,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33718'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:pfadhier "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /passwiki.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008687,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29455'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /footer.inc.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009659,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:settings[footer] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009660,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:settings[header] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains functions_navlinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains profile_send.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains viewtopic_PM-link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:pun_user[language]/' "@gt 
0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009503,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009505) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009505,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /qte_web.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009746,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:qte_web_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /bin/qte_init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009724,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:qte_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure +SecRule REQUEST_LINE "@contains /download.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009018,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:filename/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/6715'" +SecRule REQUEST_LINE "@contains main.php?action=download" "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion +SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009070,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'" +SecRule REQUEST_LINE "@contains 
GET " "chain" +SecRule ARGS:TplSuffix "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009181,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:_SESSION[SCRIPT_PATH] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009182,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:g_pcltar_lib_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /preview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009145,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33601'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:synTarget "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion +SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009230,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:shop_this_skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains 
/export.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009169,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33731'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:export_to "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009789) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /examples/tbs_us_examples_0view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009789,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:script "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009726,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:inc_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /cms_detect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009729,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34634'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:include "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008923,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32498'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010127,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config[include_dir] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /debugger/debug_php.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:_GET[filename] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains 
/cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009306,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009310,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'" 
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009312,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure
+SecRule REQUEST_LINE "@contains /books/getConfig.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009010,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',tag:'web-application-attack',tag:'bugtraq,32966'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains book_id=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009926,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion
+SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009928,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /mini.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31460'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:help_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009191,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:context[path_to_root] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009393) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion
+SecRule REQUEST_LINE "@contains /cuenta/cuerpo.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009393,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30345'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:base_archivo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /locales.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009329,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33965'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:srclang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /artmedic_print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009661,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule 
ARGS:date "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /arch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009790,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34968'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:arch "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009875,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[prefix] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009436) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009436,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:e107path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion
+SecRule REQUEST_LINE "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009224,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'"
+SecRule ARGS:inc_ordner "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008849) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/3rdparty/adminpart/add3rdparty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008849,rev:3,msg:'SLR: ET 
WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/polling/adminpart/addpolling.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008850,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/contact/adminpart/addcontact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008851,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule 
&TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/brandnews/adminpart/addbrandnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008852,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/newsletter/adminpart/addnewsletter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008853,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/game/adminpart/addgame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008854,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/tour/adminpart/addtour.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008855,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addarticles.php 
module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/articles/adminpart/addarticles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008856,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/product/adminpart/addproduct.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008857,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/plain/adminpart/addplain.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008858,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009719,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:templates_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009720,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " 
"chain"
+SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /addedit-render.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008992,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32774'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:editform/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009085) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion
+SecRule REQUEST_LINE "@contains /plugin/gateway/gnokii/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009085,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[plug] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009087) SpiderLabs Research 
(SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion
+SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009087,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[themes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009089) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion
+SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009089,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[libs] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion
+SecRule REQUEST_LINE "@contains /_footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009320,rev:3,msg:'SLR: ET 
WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /templater.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009331,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30785'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config[template] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011573,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:src "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011574,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:w "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011572,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:h "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains 
/content/dynpage_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /oldnews_reader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" 
+SecRule REQUEST_LINE "@contains option=com_jphone" "chain" +SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain" +SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /maincore.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011453,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:folder_level "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File 
Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt +SecRule REQUEST_LINE "@contains /section.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011828,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:Module "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011829) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1) +SecRule REQUEST_LINE "@contains /classes/flash_mp3_player/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011829,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2) +SecRule 
REQUEST_LINE "@contains /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011830,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /baconmap/admin/updatelist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011843,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:filepath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011846,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',tag:'web-application-attack'" 
+SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains uniqcode=KPI" "chain" +SecRule REQUEST_LINE "@contains menu_no_top=performance" "chain" +SecRule ARGS:uri "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011853,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,44370'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/DIR_TRAVERSAL.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011882,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:owa_action "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011883,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:owa_do "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt +SecRule REQUEST_LINE "@contains /admin/loadplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011884,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:load "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011936) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt +SecRule REQUEST_LINE "@contains /classes/BxDolGzip.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011936,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt +SecRule REQUEST_LINE "@contains /admin/thumbnailformpost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011928,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:adminlangfile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains 
module=osTicket" "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012008,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:skin_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /includes/initsystem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012010,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:loader_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012012) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt +SecRule REQUEST_LINE "@contains /api/download_launch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012012,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:filename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain" +SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_cbe" "chain" +SecRule REQUEST_LINE "@contains task=userProfile" "chain" +SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012025,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains filesec=sitemap" "chain" +SecRule REQUEST_LINE "@contains filetype=text" "chain" +SecRule ARGS:file "@contains ..//" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012032,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ABTPV_BLOQUE_CENTRAL "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012033) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /modules/login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012033,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:default_login_language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012069) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012069,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET 
" "chain" +SecRule ARGS:db_type "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains app=urchin.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains action=prop" "chain" +SecRule ARGS:gfid "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1 +SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012122,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# 
(2012123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2 +SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012123,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3 +SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012124,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4 +SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/bas.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012125,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5 +SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012126,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6 +SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012127,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',tag:'web-application-attack'" +SecRule REQUEST_LINE 
"@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7 +SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012128,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8 +SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012129,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion 
Attempt-8',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /tiki-jsplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012186) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains 
/modules/profile/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012186,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:aXconf[default_language] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /op/op.Login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012217,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37828'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012336,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:lang "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012343) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt +SecRule REQUEST_LINE "@contains /active_auctions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012343,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:lan "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012345) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain" +SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt +SecRule REQUEST_LINE "@contains /gradebook/open_document.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012354,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt',tag:'web-application-attack',tag:'bugtraq,46173'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt 
+SecRule REQUEST_LINE "@contains /util/barcode.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012373,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:type "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012407,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains /options-runnow-iframe.php?wpabs=/" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012408,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains /options-view_log-iframe.php?wpabs=/" "chain" 
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&logfile\=\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_LFI_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_phpbb_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_phpbb_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_phpbb_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_phpbb_attacks.conf 2011-04-15 18:25:15.000000000 +0000
@@ -0,0 +1,149 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_phpbb.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_PHPBB_RULES"
+
+# (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion +SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:pfad "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2002731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt +SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002731,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',tag:'web-application-attack'" +SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=(ftps?|https?|php))" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT +SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005967,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" +SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT +SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" +SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus 
SQL Injection Attempt -- admin_acronyms.php id INSERT +SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" +SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE +SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" +SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII +SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- 
admin_acronyms.php id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" +SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE +SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" +SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT +SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" +SecRule ARGS:hack_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id 
SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT +SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" +SecRule ARGS:hack_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT +SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" +SecRule ARGS:hack_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE +SecRule REQUEST_LINE "@contains 
/admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" +SecRule ARGS:hack_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006973) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII +SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006973,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" +SecRule ARGS:hack_id "(?i:.+ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE +SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" +SecRule ARGS:hack_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004606) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004606,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" +SecRule ARGS:c "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004607) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004607,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" +SecRule ARGS:c "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004608) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" +SecRule ARGS:c "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004609) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004609,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" +SecRule ARGS:c "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004610) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004610,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" +SecRule ARGS:c 
"(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" +SecRule ARGS:c "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion +SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php 
ModName parameter Local File inclusion +SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion +SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +SecMarker END_SLR_PHPBB_RULES diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_rfi_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_rfi_attacks.conf --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_rfi_attacks.conf 1970-01-01 00:00:00.000000000 +0000 +++ 
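Review bot: The last link of rules 2008964, 2008965 and 2002731 cannot match ordinary requests, because `ARGS:phpbb_root_path` holds only the parameter's value while the regex still requires the literal `phpbb_root_path=` in front of the scheme. That prefix looks like a leftover from a signature written against the raw URI (inferred; the original signature is not shown), so as written these three rules would fire only if the value itself repeated the parameter name. Dropping the name and anchoring on the value keeps the intent: `SecRule ARGS:phpbb_root_path "(?i:^\s*(?:ftps?|https?|php)\:\/)"` for 2008964 and 2008965, and `"(?i:^(?:ftps?|https?|php))"` for 2002731. Separately, the chains gated on `@contains GET ` inspect `ARGS`, which also carries body parameters, so the same parameter arriving in a non-GET request is not covered; gating on `REQUEST_METHOD` explicitly, or dropping the method link, would make the intended scope clear.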
modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_rfi_attacks.conf 2011-04-15 18:25:15.000000000 +0000 
@@ -0,0 +1,3136 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.0 +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from: +# +# http://www.emergingthreats.net/ +# + +SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_rfi.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_RFI_RULES" + +# (2011214) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/ardeaInit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011214,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40811'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pathForArdeaCore/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /layouts/standard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009717,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS 1024 CMS standard.php 
page_include Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:page_include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /lib/page/pageDescriptionObject.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,2010-1922'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /lib/layout/layoutHeaderFuncs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011165,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule 
&TX:'/WEB_ATTACK/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /lib/layout/layoutManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011666,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /lib/layout/layoutParser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011167,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir +SecRule REQUEST_LINE "@contains /common/func.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003704,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3884'" +SecRule ARGS_NAMES "(?i:CommonAbsDir)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003736) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header +SecRule REQUEST_LINE "@contains /common/errormsg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003736,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header',tag:'web-application-attack',tag:'cve,CVE-2007-2634'" +SecRule ARGS_NAMES "(?i:header)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /public/code/cp_html2xhtmlbasic.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010080,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507030'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2002901) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CONFIG[PATH]/' "@gt 0" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002901,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt',tag:'web-application-attack',tag:'url,www.osvdb.org/25158'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CONFIG[PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /debugger.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010354,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion 
Attempt',tag:'web-application-attack',tag:'bugtraq,36822'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config_atkroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion +SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion +SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009378,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:theme_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute 
Control Panel container.php theme_directory parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009379) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion +SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009379,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:theme_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion +SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009380,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# 
(2009903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009903,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:forumspath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:forumspath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /rss_importer_functions.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009167,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33698'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:sitepath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009382) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion +SecRule REQUEST_LINE "@contains /admin/frontpage_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009382,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31959'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:loadadminpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010362) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /install/di.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010362,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AjaxPortal di.php 
pathtoserverdata Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pathtoserverdata/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010198) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /include/_bot.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010198,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:master[currentskin]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /LSTable.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009165,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31419'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:class_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php 
class_dir parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009195,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mj_config[src_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009196) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion +SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009196,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mj_config[src_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003738) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath 
+SecRule REQUEST_LINE "@contains /language/1/splash.lang.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003738,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3909'" +SecRule ARGS_NAMES "(?i:languagePath)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009364) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /linkadmin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009364,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34129'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot +SecRule REQUEST_LINE "@contains /berylium-classes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003677,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- 
berylium-classes.php beryliumroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3869'" +SecRule ARGS_NAMES "(?i:beryliumroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion +SecRule REQUEST_LINE "@contains /block_center_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009417,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:row_mysql_blocks_center_down[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion +SecRule REQUEST_LINE "@contains /block_center_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009418,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:row_mysql_blocks_center_top[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion +SecRule REQUEST_LINE "@contains /block_left.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009420,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:row_mysql_blocks_left[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion +SecRule REQUEST_LINE "@contains /block_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009421,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:row_mysql_blocks_right[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion +SecRule REQUEST_LINE "@contains /window_down.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009422,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion +SecRule REQUEST_LINE "@contains /window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009423,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009370) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion +SecRule REQUEST_LINE "@contains /HTMLSax3.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009370,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:dir[plugins]/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion +SecRule REQUEST_LINE "@contains /safehtml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009371,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:dir[plugins]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion +SecRule REQUEST_LINE "@contains /inc/content.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009372,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:sIncPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php 
spaw_root Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /spaw_control.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009429,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30042'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:spaw_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX +SecRule REQUEST_LINE "@contains /mtdialogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003726,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003727) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX +SecRule REQUEST_LINE "@contains /ltdialogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003727,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php 
pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX
+SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003729,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX
+SecRule REQUEST_LINE "@contains /inc/logingecon.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003728,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003737) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir
+SecRule REQUEST_LINE "@contains /pcltrace.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003737,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3915'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:g_pcltar_lib_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /install.clickheat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009754,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009755) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1
+SecRule REQUEST_LINE "@contains /heatmap/_main.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009755,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009756) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2
+SecRule REQUEST_LINE "@contains /heatmap/main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009756,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009757) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Clickheat/Cache.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009757,rev:3,msg:'SLR: ET 
WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009758) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Clickheat_Heatmap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009758,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1
+SecRule REQUEST_LINE "@contains /GlobalVariables.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009759,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule 
REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009760) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /overview/main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009760,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009166,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,31461'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:sections_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009793) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009793,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31217'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:footer_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009764) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /portfolio/css.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009764,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32218'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums 
album.php SECURITY_FILE Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:SECURITY_FILE "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010027) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010027,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:SECURITY_FILE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /modules/dfss/lgsl/lgsl_players.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011099,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:lgsl_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011100) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /modules/dfss/lgsl/lgsl_settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011100,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:lgsl_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010252) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /engine/api/api.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010252,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter 
Remote File Inclusion',tag:'web-application-attack',tag:'url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:dle_config_api/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /urheber.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009324,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33933'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:name "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /don3_requiem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009317,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,2008-2649'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:app_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009318) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /frontpage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009318,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,2008-2649'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:app_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion
+SecRule REQUEST_LINE "@contains /doku.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009876,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35095'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config_cascade[main][default][] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dragoon 
header.inc.php root Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009848,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28660'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010707) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/libs/internals/core.write_compiled_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010707,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:smarty/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010708) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/libs/internals/core.process_compiled_include.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010708,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:smarty/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010709) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/libs/plugins/function.config_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010709,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_compile_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003679) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir
+SecRule REQUEST_LINE "@contains /dp_logs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003679,rev:6,msg:'SLR: 
ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir',tag:'web-application-attack',tag:'cve,CVE-2007-2527'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:HomeDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003680,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir',tag:'web-application-attack',tag:'cve,CVE-2007-2527'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:HomeDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003682) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale
+SecRule REQUEST_LINE "@contains /common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003682,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3846'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:locale/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php 
locale',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /application/views/public/commentform.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011725,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40881'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:tpl_base_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008832) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008832,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /show_joined.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008833,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /threadstop/threadstop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009428,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28686'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:exbb[default_lang] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagLogListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010800,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain" 
+SecRule ARGS:logFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010801,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:captureFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/sat/ViewSatReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010802,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010804) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/sat/ViewInventoryErrorReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010804,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010359) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/FSphp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010359,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010360) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt
+SecRule 
REQUEST_LINE "@contains /lib/navigation.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010360,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010361) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/pathwirte.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010361,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009506) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009506,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File 
Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:dir[classes]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009507) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009507,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:dir[classes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011096) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /datumscalc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011096,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:kal_class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011097) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /monatsblatt.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011097,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:kal_class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003690) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT
+SecRule REQUEST_LINE "@contains /modules/admin/include/config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003690,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1554'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DOCUMENT_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /pmscript.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009745,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34734'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:with "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010484) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/formmailer/formmailer.admin.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010484,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:BASE_DIR[jax_formmailer]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion
+SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008878,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File 
Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008879,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/startmodules.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34538'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file 
Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009163,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:abspath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010096) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /www/lib/head_auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010096,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28024'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CFG[PREPEND_FILE]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt
+SecRule REQUEST_LINE 
"@contains /gallery2/lib/adodb/adodb-error.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011018,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10705'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ADODB_LANG/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /core/includes/gfw_smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011116,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,39890'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[gfwroot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability
+SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002996,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GeekLog Remote 
File Include Vulnerability',tag:'web-application-attack'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:_CONF\[.*\]=(http|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003333) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include
+SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003333,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include',tag:'web-application-attack',tag:'bugtraq,18180'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009733) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /index_logged.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009733,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33916'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cur_module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009427,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:location/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008937) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /library/setup/rpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008937,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7344'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:objectname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009231) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS 
header.php c_temp_path Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009231,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:c_temp_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009232) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009232,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:c_temp_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009233) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009233,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS 
header.php c_temp_path Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:c_temp_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009398) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /plugin_admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009398,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29877'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_settings[pluginpath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011161) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/hnmain.inc.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011161,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[incdir]/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:phpbb_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:phpbb_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009381) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /embedforum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009381,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28996'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CONFIG[LANGUAGE_CPATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009386) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /scorm/lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009386,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28996'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CONFIG[BASE_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011140,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jeajaxeventcalendar&" "chain"
+SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008651) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008651,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6669/'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:src/' "@gt 0" "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:src/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /windetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009508,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009509,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /admin.rssreader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009369,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7096/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_live_site/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt
+SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain"
+SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! 
com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009933) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_koesubmit/koesubmit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009933,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ajaxchat/tests/ajcuser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010260,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ezine/class/php/d4m_ajax_pagenav.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010474,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37043'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+#
(2010620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acomponents/com_mamboleto/mamboleto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010620,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10369'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mojo/wp-comments-post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010659,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mojo/wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010660,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET
WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_morfeoshow/morfeoshow.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010848,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain"
+SecRule
ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_jcalpro/cal_popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011017,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla wgPicasa Component
controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /administrator/components/com_jwmmxtd/admin.jwmmxtd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011131,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011132) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion
+SecRule REQUEST_LINE "@contains /administrator/components/com_universal/includes/config/config.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011132,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,38949'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009384,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /com_ongumatimesheet20/lib/onguma.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009391,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6976/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /adm/krgourl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010475,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DOCUMENT_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010197) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/engine/content/elements/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010197,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CONFIG[AdminPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009761) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/unverified.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009761,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5179/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LaVague Remote Inclusion
Attempt -- printbar.php views_path
+SecRule REQUEST_LINE "@contains /views/print/printbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003716,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3870/'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:views_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010023,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:cwd "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010024,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File
Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cwd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011000) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /smallaxe-0.3.1/inc/linkbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011000,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10676'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cfile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion
+SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008897,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion
+SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /velid3/getid3.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011062,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:determined_format[include]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011063) SpiderLabs Research (SLR)
Public Vulns: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /velid3/module.archive.gzip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011063,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:determined_format[include]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010223) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/Cache/Lite/Output.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010223,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/29716/info'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011259) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains
/includes/file_manager/special.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011259,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9350/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:fm_includes_special/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1)
+SecRule REQUEST_LINE "@contains /includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009888,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009889) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2)
+SecRule REQUEST_LINE "@contains /classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009889,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2)
',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009890) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3)
+SecRule REQUEST_LINE "@contains /classes/class.thcsm_user.php?is_path=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009890,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4)
+SecRule REQUEST_LINE "@contains /modul/mod.users.php?thCMS_root=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009891,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include
+SecRule REQUEST_LINE "@contains /membres/membreManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003331,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include',tag:'web-application-attack',tag:'bugtraq,22287'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:include_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009141) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /utdb_access.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009141,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31492'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:minsoft_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009142) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /utgn_message.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009142,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31492'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:minsoft_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system
+SecRule REQUEST_LINE "@contains /lib/smarty/SmartyFU.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003717,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3878'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008900) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /export_batch.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008900,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008901) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File 
Inclusion
+SecRule REQUEST_LINE "@contains /run_auto_suspend.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008901,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /send_email_cache.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008902,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /2checkout_return.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008903,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill 
2checkout_return.inc.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /nettools.popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009437,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:dirn "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009430,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
+SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pfad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /centre.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009330,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6846/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:padmin "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010631) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /infusions/last_seen_users_panel/last_seen_users_panel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010631,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9018/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[locale] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009905,rev:4,msg:'SLR: ET 
WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8841/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[UTE][__tplCollection][a][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009431,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:newsoffice_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009432,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File 
Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:newsoffice_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ch_readalso.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010099,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29251'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:read_xml_include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003694) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls
+SecRule REQUEST_LINE "@contains /modules/noevents/templates/mfa_theme.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003694,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3861'"
+SecRule REQUEST_LINE "@contains tpls[" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009728,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34636'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains newlang=kacper" "chain"
+SecRule ARGS:languages[kacper][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OBOphiX 
fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /fonctions_racine.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010355,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:chemin_lib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion
+SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009332,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CLASSES_ROOT "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009333) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion
+SecRule REQUEST_LINE "@contains /resource_categories_view.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009333,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CLASSES_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home
+SecRule REQUEST_LINE "@contains /skins/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003741,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3838'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ote_home/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009395,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File 
Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:Tipo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion
+SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009396,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:Tipo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /filepool.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009164,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31423'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:oe_classpath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009931) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /OpenSiteAdmin/pages/pageHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009931,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011274) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /libraries/lib-remotehost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011274,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:phpAds_geoPlugin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009459) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /modules/core/logger/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009459,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[preloc]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009460) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /newscat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009460,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[preloc]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/core/security/init.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009461,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009462) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009462,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage4.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009463,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET 
" "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage6.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009464,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/converter.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009871,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009872) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/messages.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009872,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/settings.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009873,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003742) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config
+SecRule REQUEST_LINE "@contains /includes/language.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003742,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path
+SecRule REQUEST_LINE "@contains /layout_admin_cfg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003743,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003744) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path
+SecRule REQUEST_LINE "@contains /layout_cfg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003744,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess 
Remote Inclusion Attempt -- layout_cfg.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path
+SecRule REQUEST_LINE "@contains /skins/phpchess/layout_t_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003745,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /website.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009743,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30176'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPEventMan remote file include
+SecRule REQUEST_LINE "@contains /controller/" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003372,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPEventMan remote file include',tag:'web-application-attack',tag:'bugtraq,22358'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPEventMan remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003740) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include
+SecRule REQUEST_LINE "@contains /block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003740,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3906'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:Include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010095) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /CoupleDB.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010095,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DataDirectory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003730) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib
+SecRule REQUEST_LINE "@contains /examples/widget8.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003730,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:phphtmllib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local
+SecRule REQUEST_LINE "@contains /ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003731,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php
path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003732) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local
+SecRule REQUEST_LINE "@contains /libs/db.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003732,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003733) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local
+SecRule REQUEST_LINE "@contains /libs/ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003733,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php
path_local',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008962,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:confdir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003703) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES
+SecRule REQUEST_LINE "@contains
/inc/articles.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003703,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3879'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[CHEMINMODULES]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009051) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /DB_adodb.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009051,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,25541'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:PHPOF_INCLUDE_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH
+SecRule REQUEST_LINE "@contains /include/logout.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003735,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS
PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23801'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:PSA_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /iframe.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002800,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.zone-h.org/en/advisories/read/id=8694/'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003683) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore
+SecRule REQUEST_LINE "@contains /user/turbulence.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003683,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23580'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[tcore]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS
tcore',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /send_reminders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002898,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,2005-2717'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:includedir=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /chat/dac.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009390,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34213'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:sendChatData "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt
+SecRule REQUEST_LINE "@contains /home.php?page=http\:"
"phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009892,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt ',tag:'web-application-attack',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003693) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir
+SecRule REQUEST_LINE "@contains /plugin/HP_DEV/cms2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003693,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3860'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:s_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003672) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/image/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003672,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config
pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003673) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/liens/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003673,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/liste/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003674,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003675) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/special/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003675,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003676) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/texte/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003676,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter
Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter
Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion
+SecRule REQUEST_LINE "@contains /message_class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009168,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33718'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pfadhier "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /passwiki.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008687,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29455'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System
+SecRule REQUEST_LINE "@contains /blocks/headerfile.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003660,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System
+SecRule REQUEST_LINE "@contains /files/blocks/latest_files.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003661,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System
+SecRule REQUEST_LINE "@contains /forums/blocks/latest_posts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003662,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism
CMS Remote Inclusion Attempt -- latest_posts.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003663) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System
+SecRule REQUEST_LINE "@contains /groups/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003663,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003664) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System
+SecRule REQUEST_LINE "@contains /filters/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003664,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system["
"chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003665) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System
+SecRule REQUEST_LINE "@contains /links/blocks/links.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003665,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System
+SecRule REQUEST_LINE "@contains /menu/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003666,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php
System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003667) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System
+SecRule REQUEST_LINE "@contains /news/blocks/latest_news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003667,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System
+SecRule REQUEST_LINE "@contains /settings/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003668,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003681) SpiderLabs Research (SLR)
Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System
+SecRule REQUEST_LINE "@contains /modules/users/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003681,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /basicfogfactory.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009415,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28588'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:PATH_TO_CODE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/init.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008871,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32335'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:includepath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008899) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /lib/action/rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008899,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32465'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:lib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003691) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path
+SecRule REQUEST_LINE "@contains /psg.smarty.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003691,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1390'"
+SecRule
&TX:'/WEB_ATTACK/RFI.*ARGS:cfg[sys][base_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003702) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path
+SecRule REQUEST_LINE "@contains /resources/includes/class.Smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003702,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3733'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cfg[sys][base_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002815) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt
+SecRule REQUEST_LINE "@contains /prepend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002815,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt',tag:'web-application-attack',tag:'bugtraq,16662'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains _px_config[manager_path]=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion
attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/classes/pctemplate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010466,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pcConfig[smartyPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include
+SecRule REQUEST_LINE "@contains /includes/includes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003371,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include',tag:'web-application-attack',tag:'bugtraq,22361'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:site_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings
Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /footer.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009659,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[footer] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009660,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[header] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /cms/modules/form.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS
Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30235'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:sourceFolder/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/prodler.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010276,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:sPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains functions_navlinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} -
ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains profile_send.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains viewtopic_PM-link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009502) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009502,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CONFIG[gameroot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009503,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009504) SpiderLabs Research (SLR) Public Vulns:
ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009504,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CONFIG[gameroot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009505) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009505,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /qte_web.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009746,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:qte_web_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /qte_web.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009723,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:qte_web_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /bin/qte_init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009724,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:qte_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009788) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /display.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009788,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29873'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010097) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/top_graph_header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010097,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,14030'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[library_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009101) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /define.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009101,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33227'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:INC_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009059) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/add_tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009059,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009060) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter
remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/edit_tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009060,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009061) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/subscription.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009061,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/tmsp.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009062,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/competitions/add.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009466,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009467) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/competitions/competitions.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009467,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009468) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/settings/settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009468,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/addons/version/pages/index.inc.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011254,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:REX[INCLUDE_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/pages/specials.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:REX[INCLUDE_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /load_lang.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010124,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,26747'"
+SecRule REQUEST_LINE "@contains GET "
"chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_SERWEB[configdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /main_prepend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010125,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,26747'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_SERWEB[functionsdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009653) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009653,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_page_css/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009654) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009654,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_page_javascript/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_page_content/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011209) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter
Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/admin/device_admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011209,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2010-2145'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cs_base_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /classes/excel/class.writeexcel_workbook.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010922,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains
/classes/excel/class.writeexcel_worksheet.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010923,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /SezHooTabsAndActions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009123,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/6751'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003746,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23534'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:gallery/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /slogin_lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008996,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32811'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:slogin_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /main/forum/komentar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010564,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion
Attempt',tag:'web-application-attack',tag:'bugtraq,23334'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:site_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion
+SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009070,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:TplSuffix "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009071,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:theme/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file
inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009179) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009179,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_SESSION[SCRIPT_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009180) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009180,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:g_pcltar_lib_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION
Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009181,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:_SESSION[SCRIPT_PATH] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009182,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:g_pcltar_lib_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011051) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /content/themes/softsaurus_default/pages/subHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011051,rev:2,msg:'SLR: ET
WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,38842'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:objects_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011052) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /content/themes/softsaurus_stretched/pages/subHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011052,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,38842'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:objects_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009144) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /example_clientside_javascript.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009144,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule
&TX:'/WEB_ATTACK/RFI.*ARGS:neededFiles[patForms]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /preview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009145,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33601'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:synTarget "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009229) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009229,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:shop_this_skin_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion
+SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009230,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:shop_this_skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe
+SecRule REQUEST_LINE "@contains /site_conf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003705,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:ordnertiefe)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003706) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot
+SecRule REQUEST_LINE "@contains /class.csv.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003706,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003707) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot
+SecRule REQUEST_LINE "@contains /produkte_nach_serie.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003707,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003708) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_LINE "@contains /functionen/ref_kd_rubrik.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003708,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003709) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot
+SecRule REQUEST_LINE "@contains /hg_referenz_jobgalerie.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003709,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot
+SecRule REQUEST_LINE "@contains /surfer_anmeldung_NWL.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003711) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot
+SecRule REQUEST_LINE "@contains /produkte_nach_serie_alle.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003711,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003712) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot
+SecRule REQUEST_LINE "@contains /surfer_aendern.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003712,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003715) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_LINE "@contains /ref_kd_rubrik.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003715,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote
Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003713) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot
+SecRule REQUEST_LINE "@contains /module/referenz.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003713,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot
+SecRule REQUEST_LINE "@contains /standard/1/lay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003714,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003867)
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot
+SecRule REQUEST_LINE "@contains /standard/3/lay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003867,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /export.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009169,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33731'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:export_to "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009789) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /examples/tbs_us_examples_0view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009789,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS
TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:script "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003669) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file
+SecRule REQUEST_LINE "@contains /templates/default/tpl_message.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003669,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3854'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:right_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009663) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009663,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:inc_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar config.php
inc_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009726,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:inc_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /cms_detect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009729,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34634'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003678) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH
+SecRule
REQUEST_LINE "@contains /dosearch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003678,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3865'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:RESPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path
+SecRule REQUEST_LINE "@contains /include/payment/payflow_pro.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003687,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003688) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path
+SecRule REQUEST_LINE "@contains /global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003688,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php 
abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003689) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path
+SecRule REQUEST_LINE "@contains /libsecure.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003689,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008923,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32498'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010126,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[include_dir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010127,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config[include_dir] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VM Watermark Remote 
Inclusion Attempt -- watermark.php GALLERY_BASEDIR
+SecRule REQUEST_LINE "@contains /watermark.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003692,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3857'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GALLERY_BASEDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002899) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php
+SecRule REQUEST_LINE "@contains /get_header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002899,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php',tag:'web-application-attack',tag:'bugtraq,17358'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:vwar_root=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php
+SecRule REQUEST_LINE "@contains /functions_install.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002902,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion 
functions_install.php',tag:'web-application-attack',tag:'bugtraq,17290'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:vwar_root=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /editor/edit_htmlarea.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010254,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:highlighter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /debugger/debug_php.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:_GET[filename] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo
+SecRule REQUEST_LINE "@contains /includes/ajax_listado.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003671,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3847'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:urlModulo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009877) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /admin.googlebase.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009877,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32098'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009838) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News search.php 
config Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009838,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009839) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009839,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /base/Archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009840,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News Archive.php 
config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009841) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009841,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /base/Comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009842,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB 
News Comments.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009843,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /base/News.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009844,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter 
Remote File Inclusion
+SecRule REQUEST_LINE "@contains /base/SendFriend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009845,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /admin/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009846,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008826) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion
+SecRule REQUEST_LINE "@contains crea.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008826,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File 
Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:plancia/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009306,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009307) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009307,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009309,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion 
+SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009310,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009311) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009311,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009312,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path 
Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009313) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009313,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Framework/EmailTemplates.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010092,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[RootPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 
Webradev Download Protect EmailTemplates.class.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010093) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Customers/PDPEmailReplaceConstants.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010093,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[RootPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010094) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Admin/ResellersManager.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010094,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[RootPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009690) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion
+SecRule REQUEST_LINE "@contains /html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009690,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009691) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion
+SecRule REQUEST_LINE "@contains /html2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009691,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion
+SecRule 
REQUEST_LINE "@contains /include/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008935,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32472'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:config_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003696) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep
+SecRule REQUEST_LINE "@contains /handlers/page/show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003696,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3863'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:sous_rep/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH
+SecRule REQUEST_LINE "@contains /js/wptable-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003685,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php 
wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3824'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:wpPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH +SecRule REQUEST_LINE "@contains /wordtube-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3825'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:wpPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt +SecRule REQUEST_LINE "@contains /js/wptable-tinymce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010473,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ABSPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009925) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009925,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:web_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009926,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009927) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009927,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:web_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion +SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009928,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /mini.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31460'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:help_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion +SecRule REQUEST_LINE "@contains /activities/workflow-activities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009870,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3399'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:include_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003517) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include +SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003517,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include',tag:'web-application-attack',tag:'bugtraq,23189'" 
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:set_menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009190,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:context[path_to_root]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009191,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:context[path_to_root] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011098) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /last_gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011098,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:YAPIG_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003739) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path +SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003739,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3908'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009316) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /class_yapbbcooker.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009316,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30686'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cfgIncludeDirectory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009393) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion +SecRule REQUEST_LINE "@contains /cuenta/cuerpo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009393,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30345'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:base_archivo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /locales.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009329,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,33965'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:srclang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /artmedic_print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009661,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:date "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /view_messages.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010771,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010772) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /view_blog_comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010772,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010773) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /view_blog_archives.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010773,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro 
view_blog_archives.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010774) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /add_comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010774,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010775) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010775,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro downloads.php 
row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010776) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /emailsender.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010776,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /left_menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010777,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro left_menu.php 
row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /arch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009790,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34968'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:arch "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008966,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE 
"@contains /handle/proxy.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008967,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008968,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008969,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote 
File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2008970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/workspace.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008970,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009367) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /lib.module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009367,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29914'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:mod_root=\s*(https?|ftps?|php))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010847,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10754'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_if_nexus&" "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:controller/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009874,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[prefix]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009875,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[prefix] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009435,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:e107path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 
123flashchat.php e107path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009436,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:e107path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009932) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /libraries/database.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009932,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion
+SecRule REQUEST_LINE "@contains /index_inc.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009224,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'"
+SecRule ARGS:inc_ordner "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009225) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009225,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:inc_ordner/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008849) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/3rdparty/adminpart/add3rdparty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008849,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule 
REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/polling/adminpart/addpolling.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008850,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/contact/adminpart/addcontact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008851,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/brandnews/adminpart/addbrandnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008852,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/newsletter/adminpart/addnewsletter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008853,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008854) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/game/adminpart/addgame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008854,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/tour/adminpart/addtour.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008855,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/articles/adminpart/addarticles.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008856,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/product/adminpart/addproduct.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008857,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/plain/adminpart/addplain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008858,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /e-pay/src/a_affil.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010661,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10697'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_REQUEST[read]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009188) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /toolbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009188,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:dirDepth/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003718) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR
+SecRule REQUEST_LINE "@contains /libs/lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003718,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR
+SecRule REQUEST_LINE "@contains /lom_update.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003719,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR
+SecRule REQUEST_LINE "@contains /scripts/check-lom.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003720,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003721) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR
+SecRule REQUEST_LINE "@contains /scripts/weigh_keywords.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003721,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR
+SecRule REQUEST_LINE "@contains /logout.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003722,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR
+SecRule REQUEST_LINE "@contains /help.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003723,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003724,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR
+SecRule REQUEST_LINE "@contains /login.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003725,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR
+SecRule REQUEST_LINE "@contains /web/lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010979) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /tools/filemanager/skins/mobile/admin1.template.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010979,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,38644'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule 
&TX:'/WEB_ATTACK/RFI.*ARGS:net2ftp_globals[application_skinsdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /test/pages/contact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010191,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010192) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /system/pageTemplate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010192,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /system/utilities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010193,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009053) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Thumbnail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009053,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:base_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003684) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path
+SecRule REQUEST_LINE "@contains /faq.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003684,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3833'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cmd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009719,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:templates_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009720,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:template "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003698) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003698,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003699) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path
+SecRule REQUEST_LINE "@contains /checkout.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003699,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003700) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path
+SecRule REQUEST_LINE 
"@contains /libsecure.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003700,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003701) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003701,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:repinc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009325) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009325,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
+SecRule REQUEST_LINE "@contains GET " "chain" 
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:icerikyolu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009326) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009326,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:sayfaid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009327) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009327,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:uzanti/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:rootagenda/' "@gt 0" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002879,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt',tag:'web-application-attack',tag:'bugtraq,17670'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:rootagenda/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /body_comm.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009397,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,27952'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:content/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /addedit-render.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008992,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32774'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:editform/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /assets/plugins/mp3_id/mp3_id.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010485,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[BASE]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009085) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion
+SecRule REQUEST_LINE "@contains /plugin/gateway/gnokii/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009085,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php 
apps_path plug parameter local file inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:apps_path[plug] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion +SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009086,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:apps_path[themes]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion +SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009087,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:apps_path[themes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local 
file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009088) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion +SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009088,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:apps_path[libs]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009089) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion +SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009089,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:apps_path[libs] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009887) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProjectButler RFI attempt +SecRule REQUEST_LINE "@contains 
/pda_projects.php?offset=http\:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009887,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ProjectButler RFI attempt ',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ProjectButler RFI attempt ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion +SecRule REQUEST_LINE "@contains /_footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009320,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009321) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion +SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009321,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:_path[counter]/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion +SecRule REQUEST_LINE "@contains /templater.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009331,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30785'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:config[template] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /startup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009416,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30625'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:CFG[txtsql][class]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003670) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt 
-- headerfile.php path +SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003670,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3848'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000358) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include +SecRule QUERY_STRING|REQUEST_BODY "@contains /base_include.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000358,rev:4,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include',tag:'web-application-attack'" +SecRule QUERY_STRING|REQUEST_BODY "@contains BASE_path=" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:BASE_path=(https?|ftp))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000356) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include +SecRule REQUEST_LINE "@contains /base_qry_common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000356,rev:2,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include',tag:'web-application-attack'" 
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:BASE_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000357) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include
+SecRule REQUEST_LINE "@contains /base_stat_common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000357,rev:2,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:BASE_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000730) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/BlackList.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000730,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000731) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/DeleteComment.Action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000731,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000737) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/EditHeader.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000737,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000738) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/EditIP.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000738,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000732) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/EditIPofURL.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000732,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000739) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/IPofUrl.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000739,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+ + +# (100000740) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include +SecRule REQUEST_LINE "@contains plugins/spamx/Import.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000740,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000741) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include +SecRule REQUEST_LINE "@contains plugins/spamx/LogView.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000741,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000733) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include +SecRule REQUEST_LINE "@contains plugins/spamx/MTBlackList.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000733,rev:3,msg:'SLR: GPL 
WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000735) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include +SecRule REQUEST_LINE "@contains plugins/spamx/MailAdmin.Action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000735,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000736) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include +SecRule REQUEST_LINE "@contains plugins/spamx/MassDelTrackback.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000736,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file 
include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000734) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include +SecRule REQUEST_LINE "@contains plugins/spamx/MassDelete.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000734,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000728) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include +SecRule REQUEST_LINE "@contains plugins/links/functions.inc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000728,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000729) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include +SecRule REQUEST_LINE "@contains plugins/polls/functions.inc" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000729,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000742) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include +SecRule REQUEST_LINE "@contains plugins/staticpages/functions.inc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000742,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (100000908) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include +SecRule REQUEST_LINE "@contains create_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000908,rev:1,msg:'SLR: GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20281/info'" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:target/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS WEB-PHP 
phpMyWebmin create_file script remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /dompdf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011565,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:input_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /class.phpmailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011564,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:lang_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011563) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /content/dynpage_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /oldnews_reader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component 
com_jphone Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_jphone" "chain" +SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /familynews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011552,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:current_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011553) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011553,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:current_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /com_del.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011377,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /includes/file_manager/special.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011384,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:fm_includes_special/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011385) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011451,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jgrid" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /maincore.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011453,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:folder_level "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011454,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:db_servertype/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /section.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011828,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule 
REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:Module "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011829) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)
+SecRule REQUEST_LINE "@contains /classes/flash_mp3_player/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011829,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)
+SecRule REQUEST_LINE "@contains /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011830,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion 
Attempt(2)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011831) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/admin.lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011831,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:site_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011837) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011837,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2006-3930'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_live_site/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
BaconMap updatelist.php filepath Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /baconmap/admin/updatelist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011843,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:filepath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_rwcards/rwcards.advancedate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011844,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011846,rev:1,msg:'SLR: ET 
WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains uniqcode=KPI" "chain"
+SecRule REQUEST_LINE "@contains menu_no_top=performance" "chain"
+SecRule ARGS:uri "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /real_estate/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011847,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jomestate" "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:task/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011853,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,44370'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule 
&TX:'/WEB_ATTACK/RFI.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /bazar/picturelib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011880,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2010-2315'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /mw_plugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011881,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# 
(2011882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011882,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:owa_action "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011883,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:owa_do "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/loadplugin.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011884,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:load "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011935,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/thumbnailformpost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011928,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile 
Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adminlangfile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_banners/banners.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011929,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains module=osTicket" "chain"
+SecRule ARGS:file "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /awcm/includes/window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011948,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:theme_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /awcm/control/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:lang_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt 
+SecRule REQUEST_LINE "@contains /awcm/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011950,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:theme_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt
+SecRule REQUEST_LINE "@contains /Base/example_1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:GLOBALS[MM_ROOT_DIRECTORY]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012007) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012007,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion 
Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:skin_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012008,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/initsystem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012010,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:loader_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012013) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_smf/smf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012013,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain"
+SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt 
+SecRule REQUEST_LINE "@contains /viewver.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012015,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:doc_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_cbe" "chain"
+SecRule REQUEST_LINE "@contains task=userProfile" "chain"
+SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /gbookmx/gbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012024,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gbook MX 
newlangsel Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:newlangsel/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012025,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains filesec=sitemap" "chain"
+SecRule REQUEST_LINE "@contains filetype=text" "chain"
+SecRule ARGS:file "@contains ..//" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012031) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012031,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:ABTPV_BLOQUE_CENTRAL/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012032,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ABTPV_BLOQUE_CENTRAL "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012033) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012033,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:default_login_language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012069) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
MantisBT db_type Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012069,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:db_type "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains app=urchin.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains action=prop" "chain"
+SecRule ARGS:gfid "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1
+SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012122,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename
Parameter Local File Inclusion Attempt-1',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2
+SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012123,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012124,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion
Attempt-3',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012125,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012126,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6
+SecRule REQUEST_LINE
"@contains /modules/maticmarket/bleu/default/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012127,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012128,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012129,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion
Attempt-8',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012130) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /pingsvr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012130,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mybloggie_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /blocks/file/controller.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012165,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45669'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR_FILES_BLOCK_TYPES_CORE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Concrete
DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /tiki-jsplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus action.php Remote File
Inclusion Attempt
+SecRule REQUEST_LINE "@contains /action.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012181,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /nucleus/media.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012182,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012184) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /nucleus/xmlrpc/server.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012184,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule
&TX:'/WEB_ATTACK/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012185) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /nucleus/libs/PLUGINADMIN.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012185,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012186) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/profile/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012186,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:aXconf[default_language] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
LetoDMS lang Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /op/op.Login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012217,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37828'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012334) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /customer_ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012334,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012336,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion
Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012343) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /active_auctions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012343,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lan "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012344) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/addressbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012344,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:basedir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012345) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_swmenupro/ImageManager/Classes/ImageManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012369,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /util/barcode.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012373,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:type "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012496) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /mod/vm/controller/AccessController.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012496,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45656'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:global[approot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012497) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /mod/vm/model/dao.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012497,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45656'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/RFI.*ARGS:global[approot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_RFI_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++
modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,1564 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.0 +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from: +# +# http://www.emergingthreats.net/ +# + +SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_joomla.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_JOOMLA_RULES" + +# (2005292) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005292,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005293) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005293,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005294) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005294,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005295) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005295,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005296) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005296,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005297) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE +SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005297,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule ARGS:catid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005298) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id SELECT +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005298,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005299) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005299,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005300) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005300,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005301) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005301,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005302) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005302,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005303) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE +SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005303,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" +SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT +SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005390,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UNION SELECT +SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005391,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT +SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005802,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005392) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE +SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005392,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005394) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII +SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005394,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE +SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005395,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT +SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005396,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT +SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005397,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005398) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php INSERT +SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005398,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005399) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE +SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005399,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005400) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII +SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005400,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005401) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE +SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005401,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005402) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT +SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005402,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT +SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005404) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT +SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005404,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005405) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php DELETE +SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005405,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005406) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII +SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005406,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE +SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT +SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005409) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT +SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005409,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005410) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT +SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005410,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE +SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005411,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005412) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php ASCII +SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005412,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE +SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005413,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT +SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005414,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT +SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005415,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT +SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005416,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005417,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005418,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php UPDATE
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005419,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005420,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005421,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005422,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005423,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005424) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005424,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005425,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005426,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005427,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005428,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005429,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005430,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005431,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:where "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005432,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005433,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005434) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005434,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005435,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005436,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005437,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005438) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005438,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005439) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005439,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005440) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- categories.php text INSERT
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005440,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005441) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005441,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005442) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005442,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- categories.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005443) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005443,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005444) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005444,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- sections.php text SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005445) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005445,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005446) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005446,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005447) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- sections.php text DELETE
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005447,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005448) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005448,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005449) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005449,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- sections.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:text "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005450) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005450,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:email "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005451,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:email "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005452) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005452,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:email "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005453,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:email "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email ASCII
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005454,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:email "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule ARGS:email "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008685,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6792/'"
+SecRule REQUEST_LINE "@contains /index2.php?option=ds-syndicate" "chain"
+SecRule REQUEST_LINE "@contains version=1" "chain"
+SecRule ARGS:feed_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain"
+SecRule ARGS:include_file "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# 
(2009369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /admin.rssreader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009369,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7096/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_live_site "(?i:mosConfig_live_site=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009834,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'"
+SecRule ARGS:option=com_artportal&portalid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009835) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009835,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'"
+SecRule ARGS:option=com_artportal&portalid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009836) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009836,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'"
+SecRule ARGS:option=com_artportal&portalid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9593/'"
+SecRule
ARGS:option=com_joomlub&controller=auction&view=auction&task=edit&aid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009913) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009913,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009914) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009914,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009915) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009915,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule REQUEST_LINE "@contains INSER" "chain"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule ARGS:option=com_djcatalog&view=showItem&id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009919) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009919,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009920) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009920,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla!
Foobla RSS Feed Creator Component \'id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009921) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009921,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009924,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla!
Foobla RSS Feed Creator Component \'id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule ARGS:option=com_jlord_rss&task=feed&id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt
+SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla!
com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain"
+SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009933) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_koesubmit/koesubmit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009933,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Mambo/Joomla!
com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
Survey Manager Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009939) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009939,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009940) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009940,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
Survey Manager Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009942,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
Survey Manager Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009943) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009943,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009944,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JBudgetsMagic \'bid\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009945) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009945,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009946) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009946,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JBudgetsMagic \'bid\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009947,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009956,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JoomlaFacebook Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009957) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009957,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009958) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009958,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JoomlaFacebook Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009959) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009959,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009960,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
JoomlaFacebook Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009962,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
SportFusion Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009963) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009963,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla!
SportFusion Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010014,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! 
Game Server Component \'id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010015,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010016,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! 
Game Server Component \'id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010017,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010018,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL 
Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010040,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010041) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010041,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010042) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010042,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010043) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010043,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010044,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010045,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
Soundset Component \'cat_id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010046,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
Soundset Component \'cat_id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010048) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010048,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'"
+SecRule REQUEST_LINE "@contains showcategory" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ajaxchat/tests/ajcuser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010260,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010349) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010349,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010350,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010351) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010351,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010352) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010352,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010353,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule ARGS:&category "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ezine/class/php/d4m_ajax_pagenav.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010474,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37043'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010476,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010477) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010477,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010478) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010478,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010479,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010480,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule ARGS:&pid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010555) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010555,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010556) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010556,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010557,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010558,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010559,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule ARGS:treeId "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acomponents/com_mamboleto/mamboleto.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010620,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10369'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010636) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010636,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010637) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010637,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010638,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010639) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010639,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010640,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule ARGS:Id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mojo/wp-comments-post.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010659,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /components/com_mojo/wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010660,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010710,rev:3,msg:'SLR: ET 
WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
+SecRule ARGS:idea_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010711) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010711,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
+SecRule ARGS:idea_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010712) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010712,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
+SecRule ARGS:idea_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010713) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010713,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
+SecRule ARGS:idea_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010714,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
+SecRule ARGS:idea_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010750) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010750,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain"
+SecRule REQUEST_LINE "@contains &task=itempage" "chain"
+SecRule ARGS:Id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010751) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010751,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain"
+SecRule REQUEST_LINE "@contains &task=itempage" "chain"
+SecRule ARGS:Id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010752) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010752,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain"
+SecRule REQUEST_LINE "@contains &task=itempage" "chain"
+SecRule ARGS:Id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010753,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain"
+SecRule REQUEST_LINE "@contains &task=itempage" "chain"
+SecRule ARGS:Id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010754,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain"
+SecRule REQUEST_LINE "@contains &task=itempage" "chain"
+SecRule ARGS:Id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010805) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010805,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_yelp&" "chain"
+SecRule ARGS:cid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010806) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010806,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_yelp&" "chain"
+SecRule ARGS:cid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010807) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010807,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_yelp&" "chain"
+SecRule ARGS:cid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010808) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010808,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_yelp&" "chain"
+SecRule ARGS:cid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010809) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010809,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_yelp&" "chain"
+SecRule ARGS:cid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010843,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010844,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010845,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010846,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010842,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_morfeoshow/morfeoshow.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010848,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:user_id "(?i:user_id\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010853,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_job&" "chain"
+SecRule ARGS:id_job "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010854,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_job&" "chain"
+SecRule ARGS:id_job "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010855,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_job&" "chain" +SecRule ARGS:id_job "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010856,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_job&" "chain" +SecRule ARGS:id_job "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010857,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_job&" "chain" +SecRule ARGS:id_job "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla 
com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010924,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" +SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" +SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2010925) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010925,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" +SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" +SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010926,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010927,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010928,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010947,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# 
(2010948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010948,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection 
Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010950,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010951) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010951,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010990,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:user_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010991) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010991,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:user_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010992,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL 
Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:user_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010993) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010993,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:user_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010994) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010994,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:user_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id 
Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010981) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010981,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain"
+SecRule REQUEST_LINE "@contains &task=view_item" "chain"
+SecRule ARGS:newsid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010982) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010982,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain"
+SecRule REQUEST_LINE "@contains &task=view_item" "chain"
+SecRule ARGS:newsid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla 
com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010983) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010983,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain"
+SecRule REQUEST_LINE "@contains &task=view_item" "chain"
+SecRule ARGS:newsid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010984,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain"
+SecRule REQUEST_LINE "@contains &task=view_item" "chain"
+SecRule ARGS:newsid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - 
ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010985) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010985,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain"
+SecRule REQUEST_LINE "@contains &task=view_item" "chain"
+SecRule ARGS:newsid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011001) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011001,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain"
+SecRule ARGS:catid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011002,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain"
+SecRule ARGS:catid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL 
Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011003) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011003,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain"
+SecRule ARGS:catid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011004) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011004,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain"
+SecRule ARGS:catid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011005,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain"
+SecRule ARGS:catid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011022,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011023,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011024,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011025) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011026,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains 
/components/com_jcalpro/cal_popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011017,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011077) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011077,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
+SecRule ARGS:face_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011078) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011078,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
+SecRule ARGS:face_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011079) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011079,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
+SecRule ARGS:face_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011080,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
+SecRule ARGS:face_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011081,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
+SecRule ARGS:face_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /administrator/components/com_jwmmxtd/admin.jwmmxtd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011131,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011132) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion
+SecRule REQUEST_LINE "@contains /administrator/components/com_universal/includes/config/config.html.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011132,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,38949'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /config.dadamail.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009384,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2009391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /com_ongumatimesheet20/lib/onguma.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009391,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6976/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component 
UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011557,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011558,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011559,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011560,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011561,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jphone" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 
Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011451,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jgrid" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_rwcards/rwcards.advancedate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011844,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path 
"(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /real_estate/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011847,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jomestate" "chain"
+SecRule ARGS:task "(?i:task=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011935,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla 
Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_banners/banners.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011929,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain"
+SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_cbe" "chain"
+SecRule REQUEST_LINE "@contains task=userProfile" "chain"
+SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012099,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_billyportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=billyportfolio" "chain"
+SecRule ARGS:catid "(?i:and.*if\()" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012131,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_seyret" "chain"
+SecRule REQUEST_LINE "@contains task=videodirectlink" "chain"
+SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012345) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_swmenupro/ImageManager/Classes/ImageManager.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012369,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/index2.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012430,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule ARGS:mosmsg "(?i:mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains admin.ponygallery.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012659,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_doqment" "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_smartformer/smartformer.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012666,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012667) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012667,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_mediamall" "chain"
+SecRule ARGS:category "(?i:and.*substring\()" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012697) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012697,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt',tag:'web-application-attack'"
+SecRule 
ARGS_NAMES "(?i:page)" "chain"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_virtuemart" "chain"
+SecRule REQUEST_LINE "@contains substring" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012703) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012703,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path "(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012704,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mosConfig_absolute_path 
"(?i:mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_ET_JOOMLA_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,1118 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_lfi.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_LFI_RULES"
+
+# (2009377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion
+SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009380,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute 
Control Panel header.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:forumspath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009195,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mj_config[src_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_center_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009417,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_center_down[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_center_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009418,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_center_top[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_left.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009420,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_left[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009421,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_right[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /window_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009422,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009423,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /spaw_control.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009429,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30042'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:spaw_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009764) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /portfolio/css.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009764,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32218'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:SECURITY_FILE "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /urheber.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009324,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33933'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:name "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion
+SecRule REQUEST_LINE "@contains /doku.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009876,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35095'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config_cascade[main][default][] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008832) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008832,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /threadstop/threadstop.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009428,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28686'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:exbb[default_lang] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagLogListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010800,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:logFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010801,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule 
REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:captureFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/sat/ViewSatReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010802,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010803) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010803,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:capture "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010804) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/sat/ViewInventoryErrorReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010804,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009507) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009507,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:dir[classes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /pmscript.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009745,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34734'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:with "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion
+SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008878,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/startmodules.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34538'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule 
ARGS:lang_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008937) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /library/setup/rpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008937,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7344'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:objectname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009231) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009231,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:c_temp_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011140) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011140,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jeajaxeventcalendar&" "chain"
+SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008651) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008651,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6669/'"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:src/' "@gt 0" "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:src/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /windetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009508,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter 
Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009509,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:include_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt
+SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain"
+SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide 
component viewer.php path Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.dadamail.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009761) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/unverified.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009761,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5179/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010023,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS 
LightOpenCMS smarty.php cwd Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:cwd "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion
+SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009437,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:dirn "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009430,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
+SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pfad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /centre.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009330,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6846/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:padmin "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010631) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /infusions/last_seen_users_panel/last_seen_users_panel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010631,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9018/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[locale] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php
__tplCollection Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8841/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[UTE][__tplCollection][a][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009431,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:newsoffice_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009728,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34636'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains newlang=kacper" "chain"
+SecRule ARGS:languages[kacper][file]
"@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion
+SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009332,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CLASSES_ROOT "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion
+SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009396,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:Tipo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter
Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/core/security/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009461,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009462) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009462,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage4.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009463,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage6.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009464,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /website.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009743,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30176'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008961) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /chat/dac.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009390,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34213'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:sendChatData "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File
inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File
inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion
+SecRule REQUEST_LINE "@contains /message_class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009168,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33718'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pfadhier "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /passwiki.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008687,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29455'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /footer.inc.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009659,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[footer] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009660,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[header] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains functions_navlinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains profile_send.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains viewtopic_PM-link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009503,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009505) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009505,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion
+SecRule
REQUEST_LINE "@contains /qte_web.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009746,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:qte_web_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /bin/qte_init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009724,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:qte_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure
+SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009018,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:filename/'
"@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/6715'"
+SecRule REQUEST_LINE "@contains main.php?action=download" "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion
+SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009070,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:TplSuffix "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion
+SecRule
REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009181,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:_SESSION[SCRIPT_PATH] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009182,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:g_pcltar_lib_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /preview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009145,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33601'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:synTarget "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion
+SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009230,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:shop_this_skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /export.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009169,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33731'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:export_to "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009789) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /examples/tbs_us_examples_0view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009789,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:script "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009726,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:inc_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /cms_detect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009729,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar
cms_detect.php include Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34634'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008923,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32498'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010127,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config[include_dir] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /debugger/debug_php.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:_GET[filename] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009306,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_browsers.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009310,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009312,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET "
"chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure
+SecRule REQUEST_LINE "@contains /books/getConfig.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009010,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',tag:'web-application-attack',tag:'bugtraq,32966'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains book_id=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009926,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3
Script function_core.php web_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion
+SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009928,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /mini.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31460'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:help_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion
+SecRule
REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009191,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:context[path_to_root] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009393) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion
+SecRule REQUEST_LINE "@contains /cuenta/cuerpo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009393,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30345'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:base_archivo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /locales.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009329,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33965'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule
ARGS:srclang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /artmedic_print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009661,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:date "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /arch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009790,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34968'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:arch "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion
+SecRule
REQUEST_LINE "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009875,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[prefix] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009436,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:e107path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion
+SecRule REQUEST_LINE "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009224,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file
inclusion',tag:'web-application-attack',tag:'bugtraq,33774'"
+SecRule ARGS:inc_ordner "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008849) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/3rdparty/adminpart/add3rdparty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008849,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/polling/adminpart/addpolling.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008850,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/contact/adminpart/addcontact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008851,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/brandnews/adminpart/addbrandnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008852,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion
+SecRule
REQUEST_LINE "@contains /modules/newsletter/adminpart/addnewsletter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008853,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/game/adminpart/addgame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008854,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/tour/adminpart/addtour.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008855,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File
Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/articles/adminpart/addarticles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008856,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/product/adminpart/addproduct.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008857,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/plain/adminpart/addplain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008858,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009719,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:templates_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009720,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /addedit-render.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008992,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32774'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:editform/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009085) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion
+SecRule REQUEST_LINE "@contains /plugin/gateway/gnokii/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009085,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[plug] "@contains ../"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion
+SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009087,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[themes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009089) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion
+SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009089,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[libs] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file
inclusion
+SecRule REQUEST_LINE "@contains /_footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009320,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /templater.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009331,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30785'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config[template] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011573,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:src
"@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011574,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:w "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011572,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:h "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter
Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /content/dynpage_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /oldnews_reader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET "
"chain"
+SecRule REQUEST_LINE "@contains option=com_jphone" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /maincore.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011453,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:folder_level "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /section.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011828,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:Module "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011829) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)
+SecRule REQUEST_LINE "@contains /classes/flash_mp3_player/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011829,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)
+SecRule REQUEST_LINE "@contains /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011830,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /baconmap/admin/updatelist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011843,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:filepath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011846,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains uniqcode=KPI" "chain"
+SecRule REQUEST_LINE "@contains
menu_no_top=performance" "chain"
+SecRule ARGS:uri "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011853,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,44370'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/DIR_TRAVERSAL.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011882,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:owa_action "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web
Analytics owa_do Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011883,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:owa_do "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/loadplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011884,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:load "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011936) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt
+SecRule REQUEST_LINE "@contains /classes/BxDolGzip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011936,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET "
"chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/thumbnailformpost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011928,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adminlangfile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains module=osTicket" "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012008) SpiderLabs Research (SLR) Public
Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012008,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/initsystem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012010,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:loader_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012012) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /api/download_launch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012012,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure
Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:filename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain"
+SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_cbe" "chain"
+SecRule REQUEST_LINE "@contains task=userProfile" "chain"
+SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Community
Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012025,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains filesec=sitemap" "chain"
+SecRule REQUEST_LINE "@contains filetype=text" "chain"
+SecRule ARGS:file "@contains ..//" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012032,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ABTPV_BLOQUE_CENTRAL "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012033) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion
Attempt
+SecRule REQUEST_LINE "@contains /modules/login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012033,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:default_login_language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012069) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012069,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:db_type "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains app=urchin.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE
"@contains action=prop" "chain"
+SecRule ARGS:gfid "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1
+SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012122,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2
+SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012123,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012124) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012124,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012125,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012126,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket
modulename Parameter Local File Inclusion Attempt-5',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012127,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012128,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion
Attempt-7',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012129,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /tiki-jsplugin.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012186) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/profile/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012186,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:aXconf[default_language] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /op/op.Login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012217,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37828'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} 
- ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012336,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012343) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /active_auctions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012343,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lan "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012345) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt
+SecRule REQUEST_LINE "@contains /gradebook/open_document.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012354,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt',tag:'web-application-attack',tag:'bugtraq,46173'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery 
Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /util/barcode.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012373,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:type "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012407,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains /options-runnow-iframe.php?wpabs=/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012408) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012408,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains /options-view_log-iframe.php?wpabs=/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&logfile\=\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/jquery-mega-menu/skin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012571,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012657,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule 
REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:sleep "@contains file=" "chain"
+SecRule ARGS:sleep "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/lcUser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012668,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:LIBDIR "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-publication-archive/includes/openfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012705,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" 
+
+
+SecMarker END_SLR_ET_LFI_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,150 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_phpbb.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_PHPBB_RULES"
+
+# (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
+SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pfad "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
+SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002731,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',tag:'web-application-attack'"
+SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=(ftps?|https?|php))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} 
- ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005967,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:ASCII\(.+SELECT)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT 
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id 
DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006973) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006973,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule ARGS:hack_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004606) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004606,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004607) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004607,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c 
"(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004609) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004609,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004610) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004610,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule ARGS:c "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" + + +# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion +SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" + + +SecMarker END_SLR_ET_PHPBB_RULES diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,3247 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_rfi.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_RFI_RULES"
+
+# (2011214) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/ardeaInit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011214,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40811'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:pathForArdeaCore/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /layouts/standard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009717,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:page_include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/page/pageDescriptionObject.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,2010-1922'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/layout/layoutHeaderFuncs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011165,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/layout/layoutManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011666,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/layout/layoutParser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011167,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir
+SecRule REQUEST_LINE "@contains /common/func.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003704,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3884'"
+SecRule ARGS_NAMES "(?i:CommonAbsDir)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003736) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header
+SecRule REQUEST_LINE "@contains /common/errormsg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003736,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header',tag:'web-application-attack',tag:'cve,CVE-2007-2634'"
+SecRule ARGS_NAMES "(?i:header)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /public/code/cp_html2xhtmlbasic.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010080,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507030'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002901) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt
+SecRule &TX:'/RFI.*ARGS:CONFIG[PATH]/' "@gt 0" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002901,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt',tag:'web-application-attack',tag:'url,www.osvdb.org/25158'"
+SecRule &TX:'/RFI.*ARGS:CONFIG[PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /debugger.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010354,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,36822'"
+SecRule &TX:'/RFI.*ARGS:config_atkroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion
+SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009378,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:theme_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009379) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009379,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:theme_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009380,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009903,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:forumspath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:forumspath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /rss_importer_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009167,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33698'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:sitepath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009382) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /admin/frontpage_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009382,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31959'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:loadadminpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010362) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /install/di.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010362,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule &TX:'/RFI.*ARGS:pathtoserverdata/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010198) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/_bot.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010198,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:master[currentskin]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /LSTable.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009165,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31419'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:class_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009195,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mj_config[src_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009196) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion
+SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009196,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mj_config[src_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003738) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath
+SecRule REQUEST_LINE "@contains /language/1/splash.lang.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003738,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3909'"
+SecRule ARGS_NAMES "(?i:languagePath)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009364) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /linkadmin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009364,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34129'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot
+SecRule REQUEST_LINE "@contains /berylium-classes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003677,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3869'"
+SecRule ARGS_NAMES "(?i:beryliumroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_center_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009417,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_center_down[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_center_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009418,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_center_top[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_left.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009420,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_left[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /block_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009421,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_blocks_right[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /window_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009422,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009423,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009370) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /HTMLSax3.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009370,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:dir[plugins]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /safehtml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009371,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:dir[plugins]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File
Inclusion
+SecRule REQUEST_LINE "@contains /inc/content.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009372,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:sIncPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /spaw_control.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009429,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30042'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:spaw_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX
+SecRule REQUEST_LINE "@contains /mtdialogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003726,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'"
+SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003727) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX
+SecRule REQUEST_LINE "@contains /ltdialogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003727,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'"
+SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX
+SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003729,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'"
+SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX
+SecRule REQUEST_LINE "@contains /inc/logingecon.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003728,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'" +SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003737) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir +SecRule REQUEST_LINE "@contains /pcltrace.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003737,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3915'" +SecRule &TX:'/RFI.*ARGS:g_pcltar_lib_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion +SecRule REQUEST_LINE "@contains /install.clickheat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009754,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule 
&TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009755) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1
+SecRule REQUEST_LINE "@contains /heatmap/_main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009755,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009756) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2
+SecRule REQUEST_LINE "@contains /heatmap/main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009756,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -
2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009757) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Clickheat/Cache.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009757,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009758) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Clickheat_Heatmap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009758,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File
Inclusion - 1
+SecRule REQUEST_LINE "@contains /GlobalVariables.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009759,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009760) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /overview/main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009760,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,32190'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009166,rev:3,msg:'SLR: ET
WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,31461'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:sections_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009793) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009793,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31217'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:footer_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009764) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /portfolio/css.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009764,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32218'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:theme "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local
File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:SECURITY_FILE "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010027) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010027,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:SECURITY_FILE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains
/modules/dfss/lgsl/lgsl_players.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011099,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:lgsl_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011100) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /modules/dfss/lgsl/lgsl_settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011100,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:lgsl_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010252) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /engine/api/api.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010252,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File
Inclusion',tag:'web-application-attack',tag:'url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:dle_config_api/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /urheber.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009324,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33933'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:name "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /don3_requiem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009317,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,2008-2649'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:app_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009318) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /frontpage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009318,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,2008-2649'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:app_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion
+SecRule REQUEST_LINE "@contains /doku.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009876,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35095'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config_cascade[main][default][] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/header.inc.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009848,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28660'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010707) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /include/libs/internals/core.write_compiled_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010707,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:smarty/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010708) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /include/libs/internals/core.process_compiled_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010708,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty 
Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:smarty/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010709) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/libs/plugins/function.config_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010709,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_compile_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003679) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir
+SecRule REQUEST_LINE "@contains /dp_logs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003679,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir',tag:'web-application-attack',tag:'cve,CVE-2007-2527'"
+SecRule &TX:'/RFI.*ARGS:HomeDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php
HomeDir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003680,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir',tag:'web-application-attack',tag:'cve,CVE-2007-2527'"
+SecRule &TX:'/RFI.*ARGS:HomeDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003682) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale
+SecRule REQUEST_LINE "@contains /common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003682,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3846'"
+SecRule &TX:'/RFI.*ARGS:locale/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /application/views/public/commentform.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011725,rev:2,msg:'SLR: ET
WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40881'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:tpl_base_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008832) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008832,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008833,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009428) SpiderLabs
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /threadstop/threadstop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009428,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28686'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:exbb[default_lang] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagLogListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010800,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:logFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010801,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:captureFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /acopia/sat/ViewSatReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010802,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010804) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /acopia/sat/ViewInventoryErrorReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010804,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule 
ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010359) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /lib/FSphp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010359,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'" +SecRule &TX:'/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010360) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /lib/navigation.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010360,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'" +SecRule &TX:'/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010361) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB 
Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /lib/pathwirte.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010361,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'" +SecRule &TX:'/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009506) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009506,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:dir[classes]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009507) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009507,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File 
Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:dir[classes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2011096) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /datumscalc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011096,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:kal_class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2011097) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /monatsblatt.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011097,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:kal_class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003690) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT +SecRule REQUEST_LINE "@contains /modules/admin/include/config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003690,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1554'" +SecRule &TX:'/RFI.*ARGS:DOCUMENT_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /pmscript.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009745,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34734'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:with "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010484) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /modules/formmailer/formmailer.admin.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010484,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR 
Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:BASE_DIR[jax_formmailer]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion +SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008878,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008879,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /includes/startmodules.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34538'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:lang_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009163,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:abspath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010096) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /www/lib/head_auth.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010096,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28024'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:CFG[PREPEND_FILE]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2011018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /gallery2/lib/adodb/adodb-error.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011018,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10705'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:ADODB_LANG/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2011116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /core/includes/gfw_smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011116,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion 
Attempt',tag:'web-application-attack',tag:'bugtraq,39890'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:config[gfwroot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2002996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability +SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002996,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability',tag:'web-application-attack'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:_CONF\[.*\]=(http|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003333) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include +SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003333,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include',tag:'web-application-attack',tag:'bugtraq,18180'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009733) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File 
Inclusion +SecRule REQUEST_LINE "@contains /index_logged.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009733,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33916'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:cur_module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009427,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28838'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:location/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008937) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /library/setup/rpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008937,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File 
Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7344'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:objectname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009231) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion +SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009231,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:c_temp_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009232) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009232,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:c_temp_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009233) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009233,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:c_temp_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009398) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /plugin_admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009398,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29877'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:_settings[pluginpath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2011161) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains 
/includes/hnmain.inc.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011161,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:config[incdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:phpbb_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path 
parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:phpbb_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009381) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion +SecRule REQUEST_LINE "@contains /embedforum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009381,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28996'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:CONFIG[LANGUAGE_CPATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009386) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion +SecRule REQUEST_LINE "@contains /scorm/lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009386,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28996'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:CONFIG[BASE_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# 
(2011140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011140,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_jeajaxeventcalendar&" "chain" +SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008651) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008651,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6669/'" +SecRule &TX:'/RFI.*ARGS:src/' "@gt 0" "chain" +SecRule &TX:'/RFI.*ARGS:src/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /windetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009508,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C 
windetail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009509,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain" +SecRule &TX:'/RFI.*ARGS:include_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /admin.rssreader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009369,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7096/'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:mosConfig_live_site/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt +SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'" +SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain" +SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! 
com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009933) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_koesubmit/koesubmit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009933,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ajaxchat/tests/ajcuser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010260,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_ezine/class/php/d4m_ajax_pagenav.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010474,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37043'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mamboleto Joomla component
mamboleto.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /acomponents/com_mamboleto/mamboleto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010620,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10369'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mojo/wp-comments-post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010659,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mojo/wp-trackback.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010660,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion
Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_morfeoshow/morfeoshow.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010848,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain"
+SecRule ARGS:controller "@contains ../"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File
Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_jcalpro/cal_popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011017,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /administrator/components/com_jwmmxtd/admin.jwmmxtd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011131,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011132) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion
+SecRule REQUEST_LINE "@contains /administrator/components/com_universal/includes/config/config.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011132,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,38949'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.dadamail.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009384,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /com_ongumatimesheet20/lib/onguma.class.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009391,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6976/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /adm/krgourl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010475,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DOCUMENT_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010197) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/engine/content/elements/menu.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010197,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:CONFIG[AdminPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009761) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/unverified.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009761,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5179/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path
+SecRule REQUEST_LINE "@contains /views/print/printbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003716,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php
views_path',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3870/'"
+SecRule &TX:'/RFI.*ARGS:views_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010023,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:cwd "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010024,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:cwd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011000) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /smallaxe-0.3.1/inc/linkbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011000,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10676'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:cfile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion
+SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008897,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion
+SecRule REQUEST_LINE "@contains
/snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /velid3/getid3.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011062,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:determined_format[include]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011063) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /velid3/module.archive.gzip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011063,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion
Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:determined_format[include]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010223) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/Cache/Lite/Output.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010223,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/29716/info'"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011259) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/file_manager/special.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011259,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9350/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:fm_includes_special/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1)
+SecRule REQUEST_LINE "@contains /includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009888,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009889) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2)
+SecRule REQUEST_LINE "@contains /classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009889,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009890) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3)
+SecRule REQUEST_LINE "@contains /classes/class.thcsm_user.php?is_path=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009890,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS
MAXcms RFI attempt (3) ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4)
+SecRule REQUEST_LINE "@contains /modul/mod.users.php?thCMS_root=http|3a|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009891,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include
+SecRule REQUEST_LINE "@contains /membres/membreManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003331,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include',tag:'web-application-attack',tag:'bugtraq,22287'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:include_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009141) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /utdb_access.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009141,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File
Inclusion',tag:'web-application-attack',tag:'bugtraq,31492'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:minsoft_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009142) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /utgn_message.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009142,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31492'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:minsoft_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system
+SecRule REQUEST_LINE "@contains /lib/smarty/SmartyFU.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003717,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3878'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php 
system',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008900) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /export_batch.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008900,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008901) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /run_auto_suspend.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008901,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /send_email_cache.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008902,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /2checkout_return.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008903,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /nettools.popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009437,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:dirn "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009430,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:fname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
+SecRule REQUEST_LINE "@contains /include/global.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:pfad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /centre.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009330,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6846/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:padmin "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010631) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /infusions/last_seen_users_panel/last_seen_users_panel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010631,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9018/'"
+SecRule 
REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[locale] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8841/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[UTE][__tplCollection][a][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009431,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:newsoffice_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NewsOffice news_show.php 
newsoffice_directory Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009432,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:newsoffice_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ch_readalso.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010099,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29251'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:read_xml_include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
Nitrotech common.php root Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003694) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls
+SecRule REQUEST_LINE "@contains /modules/noevents/templates/mfa_theme.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003694,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3861'"
+SecRule REQUEST_LINE "@contains tpls[" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009728,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34636'"
+SecRule REQUEST_LINE "@contains GET " 
"chain"
+SecRule REQUEST_LINE "@contains newlang=kacper" "chain"
+SecRule ARGS:languages[kacper][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /fonctions_racine.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010355,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule &TX:'/RFI.*ARGS:chemin_lib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion
+SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009332,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CLASSES_ROOT "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file 
inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009333) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion
+SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009333,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:CLASSES_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home
+SecRule REQUEST_LINE "@contains /skins/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003741,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3838'"
+SecRule &TX:'/RFI.*ARGS:ote_home/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ADM_Pagina.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009395,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:Tipo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion
+SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009396,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:Tipo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /filepool.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009164,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31423'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:oe_classpath/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009931) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /OpenSiteAdmin/pages/pageHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009931,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011274) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /libraries/lib-remotehost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011274,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:phpAds_geoPlugin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# 
(2009459) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /modules/core/logger/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009459,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[preloc]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009460) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /newscat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009460,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[preloc]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/core/security/init.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009461,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009462) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009462,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage4.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009463,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains 
../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /stage6.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009464,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/converter.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009871,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009872) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/messages.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009872,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/settings.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009873,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003742) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config
+SecRule REQUEST_LINE "@contains /includes/language.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003742,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/RFI.*ARGS:config/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path
+SecRule REQUEST_LINE "@contains /layout_admin_cfg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003743,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003744) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path
+SecRule REQUEST_LINE "@contains /layout_cfg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003744,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path
+SecRule REQUEST_LINE "@contains /skins/phpchess/layout_t_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003745,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
+SecRule &TX:'/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /website.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009743,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30176'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPEventMan remote file include
+SecRule REQUEST_LINE "@contains /controller/"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003372,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPEventMan remote file include',tag:'web-application-attack',tag:'bugtraq,22358'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPEventMan remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003740) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include
+SecRule REQUEST_LINE "@contains /block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003740,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3906'"
+SecRule &TX:'/RFI.*ARGS:Include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010095) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /CoupleDB.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010095,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DataDirectory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS
PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003730) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib
+SecRule REQUEST_LINE "@contains /examples/widget8.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003730,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded'"
+SecRule &TX:'/RFI.*ARGS:phphtmllib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local
+SecRule REQUEST_LINE "@contains /ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003731,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
+SecRule &TX:'/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003732) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local
+SecRule REQUEST_LINE "@contains /libs/db.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003732,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
+SecRule &TX:'/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003733) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local
+SecRule REQUEST_LINE "@contains /libs/ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003733,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
+SecRule &TX:'/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008962,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:confdir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003703) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES
+SecRule REQUEST_LINE "@contains /inc/articles.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003703,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3879'"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[CHEMINMODULES]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009051) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion
+SecRule
REQUEST_LINE "@contains /DB_adodb.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009051,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,25541'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:PHPOF_INCLUDE_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH
+SecRule REQUEST_LINE "@contains /include/logout.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003735,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23801'"
+SecRule &TX:'/RFI.*ARGS:PSA_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /iframe.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002800,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.zone-h.org/en/advisories/read/id=8694/'"
+SecRule
&TX:'/RFI.*ARGS:file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003683) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore
+SecRule REQUEST_LINE "@contains /user/turbulence.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003683,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23580'"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[tcore]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /send_reminders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002898,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,2005-2717'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:includedir=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion
+SecRule REQUEST_LINE
"@contains /chat/dac.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009390,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34213'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:sendChatData "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt
+SecRule REQUEST_LINE "@contains /home.php?page=http\:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009892,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt ',tag:'web-application-attack',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003693) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir
+SecRule REQUEST_LINE "@contains /plugin/HP_DEV/cms2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003693,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3860'"
+SecRule &TX:'/RFI.*ARGS:s_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003672) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/image/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003672,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003673) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/liens/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003673,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/liste/index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003674,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003675) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/special/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003675,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule &TX:'/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003676) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod
+SecRule REQUEST_LINE "@contains /mod/texte/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003676,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
+SecRule
&TX:'/RFI.*ARGS:config[pathMod]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009075) SpiderLabs Research (SLR)
Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion
+SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion
+SecRule REQUEST_LINE "@contains /message_class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009168,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33718'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:pfadhier "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /passwiki.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008687,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File
Inclusion',tag:'web-application-attack',tag:'bugtraq,29455'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System
+SecRule REQUEST_LINE "@contains /blocks/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003660,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System
+SecRule REQUEST_LINE "@contains /files/blocks/latest_files.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003661,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt --
latest_files.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System
+SecRule REQUEST_LINE "@contains /forums/blocks/latest_posts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003662,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003663) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System
+SecRule REQUEST_LINE "@contains /groups/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003663,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003664) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote
Inclusion Attempt -- filters_headerfile.php System
+SecRule REQUEST_LINE "@contains /filters/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003664,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003665) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System
+SecRule REQUEST_LINE "@contains /links/blocks/links.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003665,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System
+SecRule REQUEST_LINE "@contains /menu/headerfile.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003666,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003667) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System
+SecRule REQUEST_LINE "@contains /news/blocks/latest_news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003667,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
+SecRule REQUEST_LINE "@contains system[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System
+SecRule REQUEST_LINE "@contains /settings/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003668,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt --
settings_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" +SecRule REQUEST_LINE "@contains system[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003681) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System +SecRule REQUEST_LINE "@contains /modules/users/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003681,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" +SecRule REQUEST_LINE "@contains system[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /basicfogfactory.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009415,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28588'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:PATH_TO_CODE/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008871,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32335'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:includepath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008899) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /lib/action/rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008899,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32465'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:lib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003691) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path
+SecRule REQUEST_LINE "@contains /psg.smarty.lib.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003691,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1390'"
+SecRule &TX:'/RFI.*ARGS:cfg[sys][base_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003702) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path
+SecRule REQUEST_LINE "@contains /resources/includes/class.Smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003702,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3733'"
+SecRule &TX:'/RFI.*ARGS:cfg[sys][base_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002815) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt
+SecRule REQUEST_LINE "@contains /prepend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002815,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt',tag:'web-application-attack',tag:'bugtraq,16662'"
+SecRule QUERY_STRING|REQUEST_BODY 
"@contains _px_config[manager_path]=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/classes/pctemplate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010466,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:pcConfig[smartyPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include
+SecRule REQUEST_LINE "@contains /includes/includes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003371,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include',tag:'web-application-attack',tag:'bugtraq,22361'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:site_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file 
include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /footer.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009659,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[footer] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009660,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:settings[header] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /cms/modules/form.lib.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30235'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:sourceFolder/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/prodler.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010276,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule &TX:'/RFI.*ARGS:sPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains functions_navlinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains profile_send.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains viewtopic_PM-link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:pun_user[language]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009502) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009502,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:CONFIG[gameroot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009503,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File 
Inclusion
+SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009504,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:CONFIG[gameroot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009505) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009505,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /qte_web.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009746,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter 
Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:qte_web_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /qte_web.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009723,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:qte_web_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /bin/qte_init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009724,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:qte_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009788) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /display.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009788,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29873'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010097) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/top_graph_header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010097,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,14030'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[library_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009101) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /define.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009101,rev:3,msg:'SLR: ET 
WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33227'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:INC_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009059) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/add_tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009059,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009060) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/edit_tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009060,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009061) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/subscription.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009061,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /tmsp/tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009062,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file 
inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/competitions/add.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009466,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009467) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/competitions/competitions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009467,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009468) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/settings/settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009468,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/addons/version/pages/index.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011254,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:REX[INCLUDE_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/pages/specials.inc.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:REX[INCLUDE_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /load_lang.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010124,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,26747'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_SERWEB[configdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /main_prepend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010125,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,26747'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule 
&TX:'/RFI.*ARGS:_SERWEB[functionsdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009653) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009653,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_page_css/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009654) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009654,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_page_javascript/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009656) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_page_content/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011209) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/admin/device_admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011209,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2010-2145'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:cs_base_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /classes/excel/class.writeexcel_workbook.inc.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010922,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /classes/excel/class.writeexcel_worksheet.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010923,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /SezHooTabsAndActions.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009123,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/6751'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003746,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23534'" +SecRule &TX:'/RFI.*ARGS:gallery/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion +SecRule REQUEST_LINE "@contains /slogin_lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008996,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32811'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule 
&TX:'/RFI.*ARGS:slogin_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /main/forum/komentar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010564,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,23334'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:site_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion
+SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009070,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:TplSuffix "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009071) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009071,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:theme/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009179) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009179,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_SESSION[SCRIPT_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009180) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009180,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File 
Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:g_pcltar_lib_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009181,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:_SESSION[SCRIPT_PATH] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009182,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:g_pcltar_lib_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011051) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /content/themes/softsaurus_default/pages/subHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011051,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,38842'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:objects_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011052) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /content/themes/softsaurus_stretched/pages/subHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011052,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,38842'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:objects_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009144) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
Sourdough neededFiles Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /example_clientside_javascript.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009144,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:neededFiles[patForms]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /preview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009145,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33601'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:synTarget "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009229) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009229,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File 
Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:shop_this_skin_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion
+SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009230,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:shop_this_skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe
+SecRule REQUEST_LINE "@contains /site_conf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003705,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:ordnertiefe)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003706) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot
+SecRule REQUEST_LINE "@contains /class.csv.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003706,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003707) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot
+SecRule REQUEST_LINE "@contains /produkte_nach_serie.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003707,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003708) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_LINE "@contains /functionen/ref_kd_rubrik.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003708,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php 
tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003709) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot
+SecRule REQUEST_LINE "@contains /hg_referenz_jobgalerie.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003709,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot
+SecRule REQUEST_LINE "@contains /surfer_anmeldung_NWL.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003711) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot
+SecRule REQUEST_LINE "@contains /produkte_nach_serie_alle.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003711,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003712) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot
+SecRule REQUEST_LINE "@contains /surfer_aendern.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003712,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003715) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_LINE "@contains /ref_kd_rubrik.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003715,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 
ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003713) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot
+SecRule REQUEST_LINE "@contains /module/referenz.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003713,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot
+SecRule REQUEST_LINE "@contains /standard/1/lay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003714,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 
3_lay.php tt_docroot
+SecRule REQUEST_LINE "@contains /standard/3/lay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003867,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /export.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009169,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33731'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:export_to "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009789) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /examples/tbs_us_examples_0view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009789,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " 
"chain"
+SecRule ARGS:script "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003669) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file
+SecRule REQUEST_LINE "@contains /templates/default/tpl_message.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003669,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3854'"
+SecRule &TX:'/RFI.*ARGS:right_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009663) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009663,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:inc_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
TotalCalendar config.php inc_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009726,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:inc_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /cms_detect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009729,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34634'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003678) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH
+SecRule REQUEST_LINE "@contains /dosearch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003678,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php 
RESPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3865'"
+SecRule &TX:'/RFI.*ARGS:RESPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path
+SecRule REQUEST_LINE "@contains /include/payment/payflow_pro.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003687,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'"
+SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003688) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path
+SecRule REQUEST_LINE "@contains /global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003688,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'"
+SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003689) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path
+SecRule REQUEST_LINE "@contains /libsecure.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003689,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'"
+SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008923,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32498'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010126,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File 
Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[include_dir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010127,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config[include_dir] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR
+SecRule REQUEST_LINE "@contains /watermark.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003692,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3857'"
+SecRule &TX:'/RFI.*ARGS:GALLERY_BASEDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php 
GALLERY_BASEDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002899) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php
+SecRule REQUEST_LINE "@contains /get_header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002899,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php',tag:'web-application-attack',tag:'bugtraq,17358'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:vwar_root=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php
+SecRule REQUEST_LINE "@contains /functions_install.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002902,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php',tag:'web-application-attack',tag:'bugtraq,17290'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:vwar_root=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /editor/edit_htmlarea.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010254,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:highlighter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /debugger/debug_php.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:_GET[filename] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo
+SecRule REQUEST_LINE "@contains /includes/ajax_listado.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003671,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3847'"
+SecRule &TX:'/RFI.*ARGS:urlModulo/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009877) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /admin.googlebase.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009877,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32098'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009838) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009838,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009839) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
WB News archive.php config Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009839,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /base/Archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009840,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009841) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009841,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion 
-1',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /base/Comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009842,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009843,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion 
-1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2
+SecRule REQUEST_LINE "@contains /base/News.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009844,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /base/SendFriend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009845,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33434'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /admin/global.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009846,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config[installdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008826) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion
+SecRule REQUEST_LINE "@contains crea.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008826,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:plancia/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009306,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009307) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009307,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains 
/ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009309,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009310,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009311) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009311,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule 
REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009312,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009313) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009313,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# 
(2010092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Framework/EmailTemplates.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010092,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[RootPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010093) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Customers/PDPEmailReplaceConstants.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010093,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[RootPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010094) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Admin/ResellersManager.class.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010094,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[RootPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009690) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion
+SecRule REQUEST_LINE "@contains /html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009690,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009691) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion
+SecRule REQUEST_LINE "@contains /html2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009691,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule 
&TX:'/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /include/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008935,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32472'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:config_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003696) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep
+SecRule REQUEST_LINE "@contains /handlers/page/show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003696,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3863'"
+SecRule &TX:'/RFI.*ARGS:sous_rep/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote 
Inclusion Attempt -- wptable-button.php wpPATH
+SecRule REQUEST_LINE "@contains /js/wptable-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003685,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3824'"
+SecRule &TX:'/RFI.*ARGS:wpPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH
+SecRule REQUEST_LINE "@contains /wordtube-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3825'"
+SecRule &TX:'/RFI.*ARGS:wpPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt
+SecRule REQUEST_LINE "@contains /js/wptable-tinymce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010473,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:ABSPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009925) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009925,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:web_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009926,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009927,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:web_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion
+SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009928,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file 
Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /mini.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31460'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:help_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion +SecRule REQUEST_LINE "@contains /activities/workflow-activities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009870,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3399'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:include_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003517) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include +SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003517,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file 
include',tag:'web-application-attack',tag:'bugtraq,23189'" +SecRule &TX:'/RFI.*ARGS:set_menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009190,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:context[path_to_root]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009191,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:context[path_to_root] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2011098) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /last_gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011098,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:YAPIG_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003739) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path +SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003739,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3908'" +SecRule &TX:'/RFI.*ARGS:root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009316) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /class_yapbbcooker.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009316,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter 
Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30686'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:cfgIncludeDirectory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009393) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion +SecRule REQUEST_LINE "@contains /cuenta/cuerpo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009393,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30345'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:base_archivo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /locales.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009329,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33965'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:srclang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /artmedic_print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009661,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:date "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /view_messages.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010771,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010772) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro 
view_blog_comments.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /view_blog_comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010772,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010773) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /view_blog_archives.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010773,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010774) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /add_comments.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010774,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010775) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010775,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010776) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /emailsender.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010776,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /left_menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010777,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[templates_folder]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /arch.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009790,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34968'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:arch "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008966,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /handle/proxy.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008967,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule 
&TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008968,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008969,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008970) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /includes/workspace.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008970,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009367) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /lib.module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009367,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29914'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:mod_root=\s*(https?|ftps?|php))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2010847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010847,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10754'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains option=com_if_nexus&" "chain" +SecRule &TX:'/RFI.*ARGS:controller/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009874,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:GLOBALS[prefix]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009875,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:GLOBALS[prefix] "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009435,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:e107path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009436,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:e107path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009932) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt +SecRule REQUEST_LINE "@contains /libraries/database.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009932,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion +SecRule REQUEST_LINE "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009224,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'" +SecRule ARGS:inc_ordner "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009225) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion +SecRule REQUEST_LINE "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009225,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter 
remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:inc_ordner/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008849) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /modules/3rdparty/adminpart/add3rdparty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008849,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /modules/polling/adminpart/addpolling.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008850,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File 
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /modules/contact/adminpart/addcontact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008851,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /modules/brandnews/adminpart/addbrandnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008852,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion +SecRule REQUEST_LINE "@contains 
/modules/newsletter/adminpart/addnewsletter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008853,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /modules/game/adminpart/addgame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008854,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2008855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion +SecRule REQUEST_LINE "@contains /modules/tour/adminpart/addtour.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008855,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/articles/adminpart/addarticles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008856,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/product/adminpart/addproduct.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008857,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File
Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/plain/adminpart/addplain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008858,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /e-pay/src/a_affil.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010661,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10697'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_REQUEST[read]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009188) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /toolbar.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009188,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:dirDepth/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003718) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR
+SecRule REQUEST_LINE "@contains /libs/lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003718,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR
+SecRule REQUEST_LINE "@contains /lom_update.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003719,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt --
lom_update.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR
+SecRule REQUEST_LINE "@contains /scripts/check-lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003720,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003721) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR
+SecRule REQUEST_LINE "@contains /scripts/weigh_keywords.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003721,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR
+SecRule REQUEST_LINE "@contains /logout.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003722,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR
+SecRule REQUEST_LINE "@contains /help.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003723,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003724,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php
ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR
+SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003725,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR
+SecRule REQUEST_LINE "@contains /web/lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
+SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010979) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /tools/filemanager/skins/mobile/admin1.template.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010979,rev:2,msg:'SLR: ET
WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,38644'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:net2ftp_globals[application_skinsdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /test/pages/contact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010191,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010192) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /system/pageTemplate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010192,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter
Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /system/utilities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010193,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009053) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion
+SecRule REQUEST_LINE "@contains /Thumbnail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009053,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:base_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003684) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path
+SecRule REQUEST_LINE "@contains /faq.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003684,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3833'"
+SecRule &TX:'/RFI.*ARGS:cmd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009719,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:templates_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion
+SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009720,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003698) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003698,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
+SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003699) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path
+SecRule REQUEST_LINE "@contains /checkout.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003699,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
+SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003700) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path
+SecRule REQUEST_LINE "@contains /libsecure.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003700,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
+SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003701) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003701,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded'"
+SecRule &TX:'/RFI.*ARGS:repinc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009325) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009325,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:icerikyolu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009326) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009326,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:sayfaid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009327) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion
+SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009327,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:uzanti/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2002879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt
+SecRule &TX:'/RFI.*ARGS:rootagenda/' "@gt 0"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002879,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt',tag:'web-application-attack',tag:'bugtraq,17670'"
+SecRule &TX:'/RFI.*ARGS:rootagenda/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /body_comm.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009397,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,27952'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:content/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion
+SecRule REQUEST_LINE "@contains /addedit-render.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008992,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32774'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:editform/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /assets/plugins/mp3_id/mp3_id.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010485,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[BASE]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009085) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion
+SecRule REQUEST_LINE "@contains /plugin/gateway/gnokii/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009085,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[plug] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009086) SpiderLabs Research (SLR) Public
Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009086,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:apps_path[themes]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion
+SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009087,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[themes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009088) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009088,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS
function.php apps_path libs parameter remote file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:apps_path[libs]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009089) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion
+SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009089,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:apps_path[libs] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009887) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProjectButler RFI attempt
+SecRule REQUEST_LINE "@contains /pda_projects.php?offset=http\:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009887,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ProjectButler RFI attempt ',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ProjectButler RFI attempt ',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
rgboard _footer.php skin_path parameter local file inclusion
+SecRule REQUEST_LINE "@contains /_footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009320,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009321) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion
+SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009321,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:_path[counter]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion
+SecRule REQUEST_LINE "@contains /templater.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009331,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30785'"
+SecRule REQUEST_LINE
"@contains GET " "chain" +SecRule ARGS:config[template] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2009416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion +SecRule REQUEST_LINE "@contains /startup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009416,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30625'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/RFI.*ARGS:CFG[txtsql][class]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (2003670) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path +SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003670,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3848'" +SecRule &TX:'/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" + + +# (100000358) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE 
base_include.inc.php remote file include
+SecRule QUERY_STRING|REQUEST_BODY "@contains /base_include.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000358,rev:4,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include',tag:'web-application-attack'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains BASE_path=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:BASE_path=(https?|ftp))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000356) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include
+SecRule REQUEST_LINE "@contains /base_qry_common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000356,rev:2,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include',tag:'web-application-attack'"
+SecRule &TX:'/RFI.*ARGS:BASE_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000357) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include
+SecRule REQUEST_LINE "@contains /base_stat_common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000357,rev:2,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include',tag:'web-application-attack'"
+SecRule &TX:'/RFI.*ARGS:BASE_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS BASE
base_stat_common.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000730) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/BlackList.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000730,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000731) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/DeleteComment.Action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000731,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000737) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/EditHeader.Admin.class.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000737,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000738) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/EditIP.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000738,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000732) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/EditIPofURL.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000732,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php
remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000739) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/IPofUrl.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000739,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000740) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/Import.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000740,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000741) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/LogView.Admin.class.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000741,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000733) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/MTBlackList.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000733,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000735) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/MailAdmin.Action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000735,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog
MailAdmin.Action.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000736) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/MassDelTrackback.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000736,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000734) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include
+SecRule REQUEST_LINE "@contains plugins/spamx/MassDelete.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000734,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000728) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include
+SecRule REQUEST_LINE "@contains plugins/links/functions.inc"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000728,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000729) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include
+SecRule REQUEST_LINE "@contains plugins/polls/functions.inc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000729,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000742) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include
+SecRule REQUEST_LINE "@contains plugins/staticpages/functions.inc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000742,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'"
+SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file
include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (100000908) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include
+SecRule REQUEST_LINE "@contains create_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:100000908,rev:1,msg:'SLR: GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20281/info'"
+SecRule &TX:'/RFI.*ARGS:target/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /dompdf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011565,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:input_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /class.phpmailer.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011564,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:lang_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /content/dynpage_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /oldnews_reader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jphone" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /familynews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011552,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:current_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011553) SpiderLabs Research (SLR) Public
Vulns: ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011553,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:current_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_del.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011377,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/file_manager/special.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011384,rev:2,msg:'SLR: ET
WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:fm_includes_special/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011451,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jgrid" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /maincore.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011453,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:folder_level "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011454,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:db_servertype/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains
/section.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011828,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:Module "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011829) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)
+SecRule REQUEST_LINE "@contains /classes/flash_mp3_player/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011829,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)
+SecRule REQUEST_LINE "@contains /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011830,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011831) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /include/admin.lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011831,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:site_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011837) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011837,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2006-3930'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_live_site/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /baconmap/admin/updatelist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011843,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:filepath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_rwcards/rwcards.advancedate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011844,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011846,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains uniqcode=KPI" "chain"
+SecRule REQUEST_LINE "@contains menu_no_top=performance" "chain"
+SecRule ARGS:uri "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /real_estate/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011847,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jomestate" "chain"
+SecRule &TX:'/RFI.*ARGS:task/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011853,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion
Attempt',tag:'web-application-attack',tag:'bugtraq,44370'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /bazar/picturelib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011880,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2010-2315'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /mw_plugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011881,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011882,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:owa_action "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011883,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:owa_do "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/loadplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011884,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS iGaming CMS
loadplugin.php load Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:load "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011935,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/thumbnailformpost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011928,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:adminlangfile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TFTgallery adminlangfile
Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_banners/banners.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011929,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains module=osTicket" "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM window_top.php Remote
File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /awcm/includes/window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011948,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:theme_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /awcm/control/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:lang_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /awcm/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011950,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:theme_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} -
ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt
+SecRule REQUEST_LINE "@contains /Base/example_1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:GLOBALS[MM_ROOT_DIRECTORY]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012007) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012007,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:skin_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains
/plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012008,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/initsystem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012010,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:loader_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012013) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_smf/smf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012013,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule
&TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain"
+SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /viewver.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012015,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:doc_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced
Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_cbe" "chain"
+SecRule REQUEST_LINE "@contains task=userProfile" "chain"
+SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /gbookmx/gbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012024,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:newlangsel/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012025,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Seo Panel file Parameter
Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains filesec=sitemap" "chain"
+SecRule REQUEST_LINE "@contains filetype=text" "chain"
+SecRule ARGS:file "@contains ..//" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012031) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012031,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:ABTPV_BLOQUE_CENTRAL/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012032,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ABTPV_BLOQUE_CENTRAL "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Abtp Portal Project
skel_null.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012033) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012033,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:default_login_language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012069) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012069,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:db_type "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains app=urchin.cgi"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains action=prop" "chain"
+SecRule ARGS:gfid "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1
+SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012122,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2
+SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012123,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012124,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012125,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
MaticMarket modulename Parameter Local File Inclusion Attempt-5
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012126,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012127,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012128,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter
Local File Inclusion Attempt-7',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8
+SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012129,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012130) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /pingsvr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012130,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mybloggie_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /blocks/file/controller.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012165,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45669'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR_FILES_BLOCK_TYPES_CORE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /tiki-jsplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /action.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012181,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /nucleus/media.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012182,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS
Nucleus media.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012184) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /nucleus/xmlrpc/server.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012184,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012185) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /nucleus/libs/PLUGINADMIN.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012185,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012186) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/profile/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012186,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:aXconf[default_language] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /op/op.Login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012217,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37828'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012334) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /customer_ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012334,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012336,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012343) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt
+SecRule REQUEST_LINE "@contains /active_auctions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012343,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:lan "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012344) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/addressbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012344,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:basedir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012345) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain"
+SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion
Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /com_swmenupro/ImageManager/Classes/ImageManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012369,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /util/barcode.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012373,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:type "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012426) SpiderLabs Research
(SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012496) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt
+SecRule
REQUEST_LINE "@contains /mod/vm/controller/AccessController.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012496,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45656'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:global[approot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012497) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /mod/vm/model/dao.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012497,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45656'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:global[approot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /obj/action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012561,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier action.class.php
script Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /obj/architecte.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /obj/avis.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /obj/bible.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012564,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /obj/blocnote.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012565,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/jquery-mega-menu/skin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012571,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /includes/Cache/Lite/Output.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012572,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012583) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/mvc/ardeaMVC.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012583,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:appMVCPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/ardeaBlog.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012584,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:CURRENT_BLOG_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012604) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/mvc/ardeaMVC.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012604,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:appMVCPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012605) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/ardeaBlog.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012605,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:CURRENT_BLOG_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012657,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:sleep "@contains file=" "chain"
+SecRule ARGS:sleep "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains admin.ponygallery.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012659,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_doqment" "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /components/com_smartformer/smartformer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012666,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /lib/lcUser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012668,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion
Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:LIBDIR "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012703) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012703,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt
+SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012704,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module
Remote File inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-publication-archive/includes/openfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012705,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_ET_RFI_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,3371 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_sqli.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_SQLI_RULES"
+
+# (2011219) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /plugins/campsiteattachment/attachments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011219,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:article_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007515) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007515,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto 
Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:categoryID_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007521) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007521,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:sale_type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007527) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007527,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:stock_number/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007533) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007533,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:manufacturer/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007539) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007539,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:model/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007545) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007545,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:vehicleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007551) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007551,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:year/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE 
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007557,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:vin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007563,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/SQL_INJECTION.*ARGS:listing_price/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004064) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE +SecRule REQUEST_LINE "@contains /includes/rating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004064,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- 
rating.php rating UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:rating/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004076) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE +SecRule REQUEST_LINE "@contains /includes/rating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004076,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007222) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE +SecRule REQUEST_LINE "@contains /admin/edit.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007222,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2853'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE +SecRule REQUEST_LINE "@contains /templates/modif.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005062,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0388'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE +SecRule REQUEST_LINE "@contains /shared/code/cp_authorization.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005578,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22032'" +SecRule &TX:'/SQL_INJECTION.*ARGS:xuser_name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt 
-- cp_downloads.php did UPDATE +SecRule REQUEST_LINE "@contains /public/code/cp_downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005584,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22032'" +SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004534) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE +SecRule REQUEST_LINE "@contains /subcat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004534,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3408'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cate_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004540) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE +SecRule REQUEST_LINE "@contains /view_profile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004540,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3409'" +SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004546) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE +SecRule REQUEST_LINE "@contains /postingdetails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004546,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3410'" +SecRule &TX:'/SQL_INJECTION.*ARGS:postingid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004551) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE +SecRule REQUEST_LINE "@contains /topic_title.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004551,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3411'" +SecRule &TX:'/SQL_INJECTION.*ARGS:td_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006824) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE +SecRule REQUEST_LINE "@contains /forum2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006824,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:soruid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE +SecRule REQUEST_LINE "@contains /kullanicilistesi.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006830,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:ak/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006836) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE +SecRule REQUEST_LINE "@contains /aramayap.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006836,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:kelimeler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE +SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006842,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:kullaniciadi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE +SecRule REQUEST_LINE "@contains /mesajkutum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006848,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:mesajno/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE +SecRule REQUEST_LINE "@contains /kullanicilistesi.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006854,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:harf/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006860) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE +SecRule REQUEST_LINE "@contains /forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006860,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:baslik/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005110) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE +SecRule REQUEST_LINE "@contains /artreplydelete.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005110,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0341'" +SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE +SecRule REQUEST_LINE "@contains /news_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005169,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3187'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE +SecRule REQUEST_LINE "@contains /user.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005175,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3186'" +SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE +SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005888,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3062'" +SecRule &TX:'/SQL_INJECTION.*ARGS:iPro/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE +SecRule REQUEST_LINE "@contains /listpics.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007005,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21279'" +SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE +SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004324,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22988'" +SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE +SecRule REQUEST_LINE "@contains /product.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007397,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21166'" +SecRule &TX:'/SQL_INJECTION.*ARGS:productid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007403) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21166'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010135) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt
+SecRule ARGS_NAMES "(?i:userid)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010135,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'cve,2009-2734'"
+SecRule REQUEST_LINE "@contains /dispatch.php?atknodetype=reports.weekreport" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains UPDATE" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains SET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007481) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE
+SecRule REQUEST_LINE "@contains /activenews_view.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007481,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:articleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007486) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007486,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007492) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE
+SecRule REQUEST_LINE "@contains /activeNews_categories.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007492,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE
+SecRule REQUEST_LINE "@contains /activeNews_comments.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:articleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE
+SecRule REQUEST_LINE "@contains /activenews_search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007565,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE
+SecRule REQUEST_LINE "@contains /HaberDetay.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004892,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0620'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE
+SecRule REQUEST_LINE "@contains /rss.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004898,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0620'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005777,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3103'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004022,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3956'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pack/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE
+SecRule REQUEST_LINE "@contains /section/default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004723,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3390'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE
+SecRule REQUEST_LINE "@contains /email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006566,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE
+SecRule REQUEST_LINE "@contains /voirannonce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006572,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:no/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_membre/fiche_membre.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006578,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idmembre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_annonce/okvalannonce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006584,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idannonce/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_annonce/changeannonce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006590,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idannonce/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006788) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE
+SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006788,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21398'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kullanici/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006794) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE
+SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006794,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21398'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:parola/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE
+SecRule REQUEST_LINE "@contains /system/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004729,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22728'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:PHPSESSID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007457) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE
+SecRule REQUEST_LINE "@contains /publications_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007457,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:vjob/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE
+SecRule REQUEST_LINE "@contains /publication_view.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007463,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:InfoID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004336,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3466'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:layout/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007216) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE
+SecRule REQUEST_LINE "@contains /edit.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007216,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2848'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006338) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains /bt-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006338,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23316'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE
+SecRule REQUEST_LINE "@contains /admin/config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004833,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19758'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sqlcmd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004028) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE
+SecRule REQUEST_LINE "@contains /account_change.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004028,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3970'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:style/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004034) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE
+SecRule REQUEST_LINE "@contains /account_change.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004034,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3970'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:langue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE
+SecRule REQUEST_LINE "@contains /torrents.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004990,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/18549'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:by/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE
+SecRule REQUEST_LINE "@contains /torrents.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004996,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/18549'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003781) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE
+SecRule REQUEST_LINE "@contains /bry.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003781,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23678'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE
+SecRule REQUEST_LINE "@contains /HABERLER.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006254,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE
+SecRule REQUEST_LINE "@contains /HABERLER.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006260,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006266) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE
+SecRule REQUEST_LINE "@contains /ASPKAT.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006266,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006272) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE
+SecRule REQUEST_LINE "@contains /ASPKAT.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006272,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006278) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE
+SecRule REQUEST_LINE "@contains /down.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006278,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21676'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003798) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE
+SecRule REQUEST_LINE "@contains /stylesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003798,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23753'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:templateid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009979) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009979,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9727'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE
+SecRule REQUEST_LINE "@contains graph_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007892,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',tag:'web-application-attack',tag:'bugtraq,27749'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:graph_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE
+SecRule REQUEST_LINE "@contains tree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007897,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',tag:'web-application-attack',tag:'bugtraq,27749'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:leaf_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006170) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /calendar_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006170,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2993'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006188) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_mail_adressee.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006188,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2998'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007469) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE
+SecRule REQUEST_LINE "@contains /openPolicy.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007469,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21090/info'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:policy/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE
+SecRule REQUEST_LINE "@contains /prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007475,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21090/info'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:brand/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007228) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE
+SecRule REQUEST_LINE "@contains /displayCalendar.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007228,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21310'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007234) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE
+SecRule REQUEST_LINE "@contains /view_gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007234,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007240) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE
+SecRule REQUEST_LINE "@contains /view_gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007240,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:gallery_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007246) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE
+SecRule REQUEST_LINE "@contains /download_image.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007246,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007252) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE
+SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007252,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE +SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007258,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007264) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE +SecRule REQUEST_LINE "@contains /view_recent.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007264,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007270) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech 
ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE +SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007270,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'" +SecRule &TX:'/SQL_INJECTION.*ARGS:AlphaSort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE +SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007276,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'" +SecRule &TX:'/SQL_INJECTION.*ARGS:In/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007282) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE +SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007282,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL 
Injection Attempt -- default.asp orderby UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'" +SecRule &TX:'/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE +SecRule REQUEST_LINE "@contains /inc_listnews.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3317'" +SecRule &TX:'/SQL_INJECTION.*ARGS:CAT_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE +SecRule REQUEST_LINE "@contains /comersus_optReviewReadExec.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006509,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24562'" +SecRule &TX:'/SQL_INJECTION.*ARGS:idProduct/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Comersus Shop 
Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004640,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:epi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE +SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3352'" +SecRule &TX:'/SQL_INJECTION.*ARGS:uploadimage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE +SecRule 
REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004716,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3352'" +SecRule &TX:'/SQL_INJECTION.*ARGS:p_skin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007341) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007341,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2822'" +SecRule &TX:'/SQL_INJECTION.*ARGS:pageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE +SecRule REQUEST_LINE "@contains /haber.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006308,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21626'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' 
"@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004815) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE +SecRule REQUEST_LINE "@contains /thumbnails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004815,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3371'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cpg131_fav/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE +SecRule REQUEST_LINE "@contains /albmgr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005846,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005852) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE +SecRule REQUEST_LINE "@contains /usermgr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005852,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'" +SecRule &TX:'/SQL_INJECTION.*ARGS:gid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE +SecRule REQUEST_LINE "@contains /db_ecard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005858,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'" +SecRule &TX:'/SQL_INJECTION.*ARGS:start/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2003757) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE +SecRule REQUEST_LINE "@contains /error.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003757,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3767'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005864) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE +SecRule REQUEST_LINE "@contains /cats.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005864,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21929'" +SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE +SecRule REQUEST_LINE "@contains /cart.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004040,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2010275) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /plus/feedback_js.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010275,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/SQL_INJECTION.*ARGS:arcurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004088) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE +SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004088,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24201'" +SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004461) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE +SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004461,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24212'" +SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004688) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE +SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004688,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21064'" +SecRule &TX:'/SQL_INJECTION.*ARGS:mid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE +SecRule REQUEST_LINE "@contains /set_preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006086,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection 
Attempt -- set_preferences.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE +SecRule REQUEST_LINE "@contains /send_password_preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006092,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006098) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE +SecRule REQUEST_LINE "@contains /SecureLoginManager/list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006098,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006104) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE +SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006104,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" +SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006110) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE +SecRule REQUEST_LINE "@contains /content.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006110,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" +SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login 
Manager SQL Injection Attempt -- members.asp sent UPDATE +SecRule REQUEST_LINE "@contains /members.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006116,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" +SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE +SecRule REQUEST_LINE "@contains /applications/SecureLoginManager/inc_secureloginmanager.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006122,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" +SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005900) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE +SecRule REQUEST_LINE "@contains /search.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005900,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3089'" +SecRule &TX:'/SQL_INJECTION.*ARGS:ordernum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004839) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE +SecRule REQUEST_LINE "@contains /page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004839,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22636'" +SecRule &TX:'/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE +SecRule REQUEST_LINE "@contains /visu_user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3122'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE +SecRule REQUEST_LINE "@contains /info_book.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005840,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3081'" +SecRule &TX:'/SQL_INJECTION.*ARGS:book_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2010073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010073,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507072'" +SecRule REQUEST_LINE "@contains /docebo/docebo" "chain" +SecRule REQUEST_LINE "@contains UPDATE" "chain" +SecRule &TX:'/SQL_INJECTION.*ARGS:modname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010078) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010078,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507072'"
+SecRule REQUEST_LINE "@contains /docebo/docebo" "chain"
+SecRule REQUEST_LINE "@contains UPDATE" "chain"
+SecRule REQUEST_LINE "@contains SET" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:modname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004052) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE
+SecRule REQUEST_LINE "@contains /tracking/courseLog.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004052,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3980'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:scormcontopen/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- 
my_progress.php course UPDATE
+SecRule REQUEST_LINE "@contains /main/auth/my_progress.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004070,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3974'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:course/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /bus_details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006146,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2992'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE
+SecRule REQUEST_LINE "@contains /goster.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004390,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22910'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006692,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21405'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006699) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006699,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21405'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006705,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/14034'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006711) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006711,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iCity/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006717,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/15681'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iNews/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003775) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE
+SecRule REQUEST_LINE "@contains /home.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003775,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23727'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:a/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004629) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE
+SecRule REQUEST_LINE "@contains /listmembers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004629,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4030'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:rank/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 
EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005273) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE
+SecRule REQUEST_LINE "@contains /admin/memberlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005273,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005279) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE
+SecRule REQUEST_LINE "@contains /admin/memberlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005279,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:init_row/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE
+SecRule REQUEST_LINE "@contains /add_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005045,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005050) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /add_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005050,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005056) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE
+SecRule REQUEST_LINE "@contains /list_comments.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005056,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE
+SecRule REQUEST_LINE "@contains /sptrees/default.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006559,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:docId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005092,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0424'" 
+SecRule &TX:'/SQL_INJECTION.*ARGS:qid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005116,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3227'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE
+SecRule REQUEST_LINE "@contains /admin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005990,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:grup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005996) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005996,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE
+SecRule REQUEST_LINE "@contains /admin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006002,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006164,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21726'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:grup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE
+SecRule REQUEST_LINE "@contains /mod_banners.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006454,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24478'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /newsdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006140,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2990'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# 
(2006152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE
+SecRule REQUEST_LINE "@contains /Types.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006152,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2989'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Type_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006158) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE
+SecRule REQUEST_LINE "@contains /actualpic.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006158,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2991'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Biz_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE
+SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007047,rev:6,msg:'SLR: ET 
WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007053) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE
+SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007053,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007049) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE
+SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007049,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sub_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007035) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE
+SecRule REQUEST_LINE "@contains /dircat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007035,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007041) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE
+SecRule REQUEST_LINE "@contains /dirSub.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007041,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE
+SecRule REQUEST_LINE "@contains /dircat.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007081,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE
+SecRule REQUEST_LINE "@contains /dirSub.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007087,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007093) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE
+SecRule REQUEST_LINE "@contains /types.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007093,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:TYPE_ID/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE
+SecRule REQUEST_LINE "@contains /homeDetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007099,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007105) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007105,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007111) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL 
Injection Attempt -- compareHomes.asp compare UPDATE
+SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007111,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:compare/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007117) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE
+SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007117,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:clear/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE
+SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007123,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL 
Injection Attempt -- compareHomes.asp adID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" +SecRule &TX:'/SQL_INJECTION.*ARGS:adID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE +SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007129,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" +SecRule &TX:'/SQL_INJECTION.*ARGS:aminprice/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007135) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE +SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007135,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" +SecRule &TX:'/SQL_INJECTION.*ARGS:amaxprice/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007141) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE +SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007141,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" +SecRule &TX:'/SQL_INJECTION.*ARGS:abedrooms/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005261) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE +SecRule REQUEST_LINE "@contains /show_owned.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005261,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22180'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005267) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE +SecRule REQUEST_LINE "@contains /show_joined.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005267,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22180'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE +SecRule REQUEST_LINE "@contains /administration/administre2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006224,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2945'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id_user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE +SecRule REQUEST_LINE "@contains /productdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3074'" +SecRule &TX:'/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005341) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE +SecRule REQUEST_LINE "@contains /style.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005341,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4054'" +SecRule &TX:'/SQL_INJECTION.*ARGS:template/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007065) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE +SecRule REQUEST_LINE "@contains /products.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007065,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21323'" +SecRule &TX:'/SQL_INJECTION.*ARGS:partno/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE +SecRule REQUEST_LINE "@contains /faq.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005086,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3234'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006818) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE +SecRule REQUEST_LINE "@contains /articles.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006818,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21296'" +SecRule &TX:'/SQL_INJECTION.*ARGS:ex/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006344) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE +SecRule REQUEST_LINE "@contains /vdateUsr.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006344,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23304'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE +SecRule REQUEST_LINE "@contains /boxx/ShowAppendix.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005620,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:iid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2003851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE +SecRule REQUEST_LINE "@contains /question.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003851,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3943'" +SecRule &TX:'/SQL_INJECTION.*ARGS:questionref/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE +SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006128,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2997'" +SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE +SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006332,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2906'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2003793) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003793,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23752'" +SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE +SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006903,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21289'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006909) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE +SecRule REQUEST_LINE "@contains /index.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006909,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21289'" +SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE +SecRule REQUEST_LINE "@contains /filelist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007187,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" +SecRule &TX:'/SQL_INJECTION.*ARGS:show_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE +SecRule REQUEST_LINE "@contains /filelist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007193,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" +SecRule &TX:'/SQL_INJECTION.*ARGS:parentid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007199) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE +SecRule REQUEST_LINE "@contains /showfile.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007199,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" +SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2003828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE +SecRule REQUEST_LINE "@contains /game.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003828,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3849'" +SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005151) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE +SecRule REQUEST_LINE "@contains /info_user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005151,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3197'" +SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE +SecRule REQUEST_LINE "@contains /listmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004923,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22545'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE +SecRule REQUEST_LINE "@contains /windows.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005080,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3233'" +SecRule &TX:'/SQL_INJECTION.*ARGS:kategori_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE +SecRule REQUEST_LINE "@contains /down_indir.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4057'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE +SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006466,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24498'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006472) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE +SecRule REQUEST_LINE "@contains /forum/include/error/autherror.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006472,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24528'" +SecRule &TX:'/SQL_INJECTION.*ARGS:errorcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE +SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006194,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" +SecRule &TX:'/SQL_INJECTION.*ARGS:newsId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006200) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE +SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006200,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" +SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006206) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE +SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006206,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" +SecRule &TX:'/SQL_INJECTION.*ARGS:langId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005335) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE +SecRule REQUEST_LINE "@contains /low.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005335,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4062'" +SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004004) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE +SecRule REQUEST_LINE "@contains /down_indir.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004004,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23714'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004402) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE +SecRule REQUEST_LINE "@contains /kategori.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004402,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3437'" +SecRule 
&TX:'/SQL_INJECTION.*ARGS:kategori/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE +SecRule REQUEST_LINE "@contains /inc/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005014,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2003845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE +SecRule REQUEST_LINE "@contains /glossaire-p-f.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003845,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3932'" +SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004354) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE +SecRule REQUEST_LINE "@contains /userdetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004354,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004360) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE +SecRule REQUEST_LINE "@contains /jump.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004360,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004366) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE +SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004366,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE
+SecRule REQUEST_LINE "@contains /jump.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004372,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011266) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /modules/comments/json.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011266,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains task=comment" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:comment_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005226) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE
+SecRule REQUEST_LINE "@contains /print.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005226,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3195'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007409) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE
+SecRule REQUEST_LINE "@contains /addrating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007409,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4689'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ipadd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt
-- addrating.php url UPDATE
+SecRule REQUEST_LINE "@contains /addrating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007415,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4689'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE
+SecRule REQUEST_LINE "@contains /giris_yap.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004426,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20375'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004634) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE
+SecRule REQUEST_LINE "@contains /haberoku.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004634,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp
id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24288'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005068) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE
+SecRule REQUEST_LINE "@contains /oku.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005068,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3241'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005644) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE
+SecRule REQUEST_LINE "@contains /dispimage.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005644,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005650) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005650,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp
id UPDATE
+SecRule REQUEST_LINE "@contains /rating.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006867,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE
+SecRule REQUEST_LINE "@contains /meal_rest.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006873,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mealid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE
+SecRule REQUEST_LINE "@contains /res_details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006879,rev:6,msg:'SLR:
ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:resid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE
+SecRule REQUEST_LINE "@contains /classes/class_session.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004802,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2010'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:CLIENT_IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE
+SecRule REQUEST_LINE "@contains /forum/modules/gallery/post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006674,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded'"
+SecRule
&TX:'/SQL_INJECTION.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006680,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE
+SecRule REQUEST_LINE "@contains /lib/entry_reply_entry.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:eid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006212) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE
+SecRule REQUEST_LINE "@contains /ixm_ixpnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006212,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21710'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:story_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005347) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE
+SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005347,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005365) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE
+SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005365,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE
+SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005371,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JGBBS SQL Injection
Attempt -- search.asp title UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0940'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:title/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004342) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004342,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3470'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:author/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE
+SecRule REQUEST_LINE "@contains /G_Display.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24253'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iCategoryUnq/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004491) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE
+SecRule REQUEST_LINE "@contains /Search/DisplayResults.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004491,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24253'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iSearchID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006497) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE
+SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006497,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4081'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:login_username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE
+SecRule REQUEST_LINE "@contains /news.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006503,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4081'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:item/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE
+SecRule REQUEST_LINE "@contains /admincp/attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004082,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',tag:'web-application-attack',tag:'url,www.vbulletin.com/forum/project.php?issueid=21615'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004151) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE
+SecRule REQUEST_LINE "@contains /admincp/attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004151,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24503'"
+SecRule
QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE
+SecRule REQUEST_LINE "@contains /inlinemod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004671,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3387'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:postids/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE
+SecRule REQUEST_LINE "@contains /main_page.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003944,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE
+SecRule REQUEST_LINE "@contains /open_tree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003950,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE
+SecRule REQUEST_LINE "@contains /outputs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003956,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003962,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:view/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE
+SecRule REQUEST_LINE "@contains /admin/cms/opentree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003968,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'"
+SecRule REQUEST_LINE "@contains id[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0028'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007349) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007349,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2836'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:tID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE
+SecRule REQUEST_LINE "@contains /openlink.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007355,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21226'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:LinkID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007361) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE
+SecRule REQUEST_LINE "@contains /viewlinks.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007361,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection
Attempt -- viewlinks.asp CategoryID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21226'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:CategoryID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004378,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3455/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:salary/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003763) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003763,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3672'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005297) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE
+SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005297,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005303) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE
+SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005303,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UPDATE
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005395,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005401) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005401,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005413,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005419,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005425,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:where/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005431,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:where/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005437,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005443) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005443,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005449) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005449,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- sections.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:option=com_djcatalog&view=showItem&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:option=com_jlord_rss&task=feed&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
Survey Manager Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009942,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009947,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
JoomlaFacebook Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009960,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! 
Game Server Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010017,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010044,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010353,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:&category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010480,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:&pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010559,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:treeId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010640,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010714,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idea_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010754,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain"
+SecRule REQUEST_LINE "@contains &task=itempage" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010809) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010809,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_yelp&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010842,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010857) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010857,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_job&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_job/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010928,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010951) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE 
"@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010951,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010994) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010994,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010985) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010985,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 
Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain"
+SecRule REQUEST_LINE "@contains &task=view_item" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011005,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011026,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL 
Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011081,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:face_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE
+SecRule REQUEST_LINE "@contains /search_listing.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006765,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L.
Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE
+SecRule REQUEST_LINE "@contains /search_listing.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006771,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:agent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006777,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L.
Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:property_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004646) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE
+SecRule REQUEST_LINE "@contains /news.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004646,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/4040/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004127,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3513/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kolumna/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection
Attempt -- index.php kolumna UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE
+SecRule REQUEST_LINE "@contains /forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004984,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3278/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE
+SecRule REQUEST_LINE "@contains /down.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005801,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21889'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004694) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004694,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/2863/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:member_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE
+SecRule REQUEST_LINE "@contains /i-search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005074,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3232/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:itemid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005978) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE
+SecRule REQUEST_LINE "@contains /journal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005978,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:w/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE
+SecRule REQUEST_LINE "@contains /polls.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006320,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21366'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004528) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE
+SecRule REQUEST_LINE "@contains /guestbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004528,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22821'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:country/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007299) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE
+SecRule REQUEST_LINE "@contains /inout/status.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007299,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007305) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE
+SecRule REQUEST_LINE "@contains /inout/update.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007305,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007311) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE
+SecRule
REQUEST_LINE "@contains /forgotpass.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007311,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /forgotpass.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007317,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007323) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /inout/update.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007323,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection
Attempt -- update.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /inout/status.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007329,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007335) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE
+SecRule REQUEST_LINE "@contains /details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007335,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2846'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp
id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE
+SecRule REQUEST_LINE "@contains /navigacija.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006662,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21464'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:IDMeniGlavni/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE
+SecRule REQUEST_LINE "@contains /prikazInformacije.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006668,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21464'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:IDStranicaPodaci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007367) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE
+SecRule REQUEST_LINE "@contains /linkslist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007367,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:psearch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007373,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004414,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3416/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lcnt/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE
+SecRule REQUEST_LINE "@contains /categoria.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006478,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/4082/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE
+SecRule REQUEST_LINE "@contains /main.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005834,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3073/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:subcatID/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006326) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE
+SecRule REQUEST_LINE "@contains /ProductDetails.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006326,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/2908/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:PID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE
+SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004966,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3287/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LushiWarPlaner SQL
Injection Attempt -- register.php id UPDATE
+SecRule REQUEST_LINE "@contains /register.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004972,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3288/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005140,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22293'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:startrow/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005517) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE
+SecRule REQUEST_LINE "@contains /email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005517,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3141'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006230,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:p/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006236) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE
+SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006236,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:l/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006242) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE +SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006242,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'" +SecRule &TX:'/SQL_INJECTION.*ARGS:typ/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006248) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE +SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006248,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'" +SecRule &TX:'/SQL_INJECTION.*ARGS:loc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2003992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE +SecRule REQUEST_LINE 
"@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003992,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3944/'" +SecRule &TX:'/SQL_INJECTION.*ARGS:listid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE +SecRule REQUEST_LINE "@contains /moscomment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004432,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20650'" +SecRule &TX:'/SQL_INJECTION.*ARGS:mcname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004438) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE +SecRule REQUEST_LINE "@contains /com_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004438,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20650'" +SecRule &TX:'/SQL_INJECTION.*ARGS:mcname/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE
+SecRule REQUEST_LINE "@contains /includes/mambo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004771,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20413'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011095) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /WorkOrder.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011095,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:woID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter
Script SQL Injection Attempt -- news_page.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /news_page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005146,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3194/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004270) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004270,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7171'"
+SecRule REQUEST_LINE "@contains x[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004276,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:t/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004282) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004282,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:productId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004288) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004288,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sk/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004294) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004294,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:x/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004300) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004300,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:so/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE
+SecRule REQUEST_LINE "@contains /order-track.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004306,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:orderNo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE
+SecRule REQUEST_LINE "@contains /lire-avis.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006350,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21513'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:aa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE
+SecRule REQUEST_LINE
"@contains /uye_giris_islem.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006800,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21418'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kullanici_ismi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006806) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE
+SecRule REQUEST_LINE "@contains /uye_giris_islem.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006806,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21418'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE
+SecRule REQUEST_LINE "@contains /duyuru.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL
Injection Attempt -- duyuru.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3120'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE
+SecRule REQUEST_LINE "@contains /item_show.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007011,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id2006quant/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE
+SecRule REQUEST_LINE "@contains /item_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007017,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
+SecRule
&TX:'/SQL_INJECTION.*ARGS:maingroup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE
+SecRule REQUEST_LINE "@contains /item_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007023,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:secondgroup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE
+SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004169,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3519'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:c/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005783) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE
+SecRule REQUEST_LINE "@contains /admin_check_user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005783,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3105'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:txtUserName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003840,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1830'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006632) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE
+SecRule REQUEST_LINE "@contains
/mystats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006632,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-6403'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:details/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004617) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE
+SecRule REQUEST_LINE "@contains /diary.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004617,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:delete/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004100) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004100,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3989/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE
+SecRule REQUEST_LINE "@contains /result.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3355/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:surv/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE
+SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006885,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21227'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt --
ipsearch.admin.php UPDATE
+SecRule REQUEST_LINE "@contains /plugins/ipsearch/ipsearch.admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006741,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE
+SecRule REQUEST_LINE "@contains /pfs/pfs.edit.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE
+SecRule REQUEST_LINE "@contains /system/core/users/users.register.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006753,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection
Attempt -- users.register.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE
+SecRule REQUEST_LINE "@contains /polls.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006759,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007293) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE
+SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007293,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE
+SecRule REQUEST_LINE "@contains /ViewCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006552,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24584'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:s_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE
+SecRule REQUEST_LINE "@contains /News/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004163,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3520/'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE
+SecRule REQUEST_LINE "@contains
/pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004941,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:commentname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE
+SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004948,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:commentmail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004954) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE
+SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004954,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite
UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:commentwebsite/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE
+SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004960,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:comment/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE
+SecRule REQUEST_LINE "@contains /shared/code/cp_functions_downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005680,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23726'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:download_category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} -
ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE
+SecRule REQUEST_LINE "@contains /view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005020,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3261'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE
+SecRule REQUEST_LINE "@contains /dagent/downloadreport.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21473'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:agentid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006602) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE
+SecRule REQUEST_LINE "@contains /dagent/downloadreport.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006602,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21473'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE
+SecRule REQUEST_LINE "@contains /nukesentinel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004312,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- 
nukesentinel.php UPDATE
+SecRule REQUEST_LINE "@contains /nukesentinel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004735,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3338'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE
+SecRule REQUEST_LINE "@contains /includes/nsbypass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004741,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3337'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006812) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE
+SecRule REQUEST_LINE "@contains /viewthread.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006812,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21172'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /ossim/repository/repository_attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010656,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10479'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_document/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005602) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE
+SecRule REQUEST_LINE "@contains /etkinlikbak.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005602,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3135'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- 
etkinlikbak.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE
+SecRule REQUEST_LINE "@contains /OmegaMw7.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24275'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE
+SecRule REQUEST_LINE "@contains /user_pages/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004850,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3339'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011061) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /jtfwcpnt.jsp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011061,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39510'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE
+SecRule REQUEST_LINE "@contains /login/register.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005942,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21822'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:UserUpdate/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE
+SecRule REQUEST_LINE "@contains /includes/a_register.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005948,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21822'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004246) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE
+SecRule REQUEST_LINE "@contains /php-stats.recphp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004246,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3497'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ip/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006515) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006515,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Outgoing_Type_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006521) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006521,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Outgoing_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006527) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006527,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Project_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006533) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006533,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Client_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006539) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006539,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Invoice_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006545) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006545,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Vendor_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:hack_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE
+SecRule REQUEST_LINE 
"@contains /modules/admin/modules/gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004046,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1937'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003810) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE
+SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003810,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23854'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ADMIN_USER/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003816) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE
+SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003816,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23854'"
+SecRule 
&TX:'/SQL_INJECTION.*ARGS:ADMIN_PASS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004700) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE
+SecRule REQUEST_LINE "@contains /include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004700,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21002'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005789) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE
+SecRule REQUEST_LINE "@contains /comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005789,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21962'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:subid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE
+SecRule 
REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005181,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2759'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE
+SecRule REQUEST_LINE "@contains /mainfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004330,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22909'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE
+SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004856,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3334'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category_id/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE
+SecRule REQUEST_LINE "@contains /admin/modules/modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005461,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:active/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005467) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005467,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ad_class/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005473) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005473,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:imageurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005479,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:clickurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ad_code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005492) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005492,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:position/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE
+SecRule REQUEST_LINE "@contains /blocks/block-Old_Articles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005590,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22037'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006932) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE
+SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006932,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE
+SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006938,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE
+SecRule REQUEST_LINE "@contains /modules/News/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007181,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011137) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /links.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011137,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39925'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains op=viewslink&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011172) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend 
module sid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /friend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011172,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39992'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains op=FriendSend&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005906) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE
+SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005906,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newmessage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005912) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE
+SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005912,rev:5,msg:'SLR: 
ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005918) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE
+SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005918,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newwebsite/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE
+SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005924,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newemail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:c/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE
+SecRule REQUEST_LINE "@contains /item.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004935,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/17974'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006735,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-6349'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:main/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004264) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE
+SecRule REQUEST_LINE "@contains /post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004264,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3500'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:postid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005221) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE
+SecRule REQUEST_LINE "@contains /archives.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005221,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:month/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004623) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE
+SecRule REQUEST_LINE "@contains /viewimage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004623,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4019'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:editcomment/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004094) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004094,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4003'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:form_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE
+SecRule REQUEST_LINE "@contains /philboard_forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004929,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3295'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004910) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE
+SecRule REQUEST_LINE "@contains /pollmentorres.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004910,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3301'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005626) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE
+SecRule REQUEST_LINE "@contains /simplog/archive.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005626,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:blogid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005632) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE
+SecRule REQUEST_LINE "@contains /simplog/archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005632,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE
+SecRule REQUEST_LINE "@contains /simplog/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005638,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:blogid/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE
+SecRule REQUEST_LINE "@contains /lire-avis.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006356,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21516'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:aa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010189) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /qte_result.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010189,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:title/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- 
viewad.asp id UPDATE
+SecRule REQUEST_LINE "@contains /viewad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005686,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21197'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE
+SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005026,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE
+SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005032,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:password/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005098) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE
+SecRule REQUEST_LINE "@contains /user_confirm.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005098,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22350'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005104) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE
+SecRule REQUEST_LINE "@contains /user_confirm.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005104,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22350'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE
+SecRule REQUEST_LINE "@contains /recipe.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006944,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2834'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:recipeid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE
+SecRule REQUEST_LINE "@contains /list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006950,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2834'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE
+SecRule REQUEST_LINE "@contains 
/edit_day.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003834,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3931'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_reserv/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004605) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE
+SecRule REQUEST_LINE "@contains /inc/class_users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004605,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4020'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /listfull.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005692,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' 
"@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005698) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /printmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005698,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /listmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005704,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /searchmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005716,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE
+SecRule REQUEST_LINE "@contains /searchkey.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005722,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Keyword/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE
+SecRule REQUEST_LINE "@contains /searchmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005728,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:area/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005734) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005734,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:area/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE
+SecRule 
REQUEST_LINE "@contains /searchkey.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005741,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:searchin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005747,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cost1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005753,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule 
&TX:'/SQL_INJECTION.*ARGS:cost2/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005759,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:acreage1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005765,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:squarefeet1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004665) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004665,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3403'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:categoria/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011159) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /roleManager.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011159,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains type=query&" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE
+SecRule REQUEST_LINE "@contains /class/debug/debug_show.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003822,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3850'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:executed_queries/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003863) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE
+SecRule REQUEST_LINE "@contains /devami.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003863,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3936'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004468) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE
+SecRule REQUEST_LINE "@contains /cgi-bin/reorder2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004468,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24226'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE
+SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE
+SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004504,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:country/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+#
(2004510) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE
+SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004510,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004516) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE
+SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004516,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:website/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004522) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE
+SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004522,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL
Injection Attempt -- add2.php message UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:message/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011730) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /html/studentmain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011730,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,40737'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:session/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004121) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004121,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3509'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006314) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE
+SecRule REQUEST_LINE "@contains /utilities/usermessages.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006314,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23372'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mesid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004420,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded'"
+SecRule REQUEST_LINE "@contains serendipity[multiCat][" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005795) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ShopStoreNow
E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE
+SecRule REQUEST_LINE "@contains /orange.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005795,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21905'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:CatID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE
+SecRule REQUEST_LINE "@contains /print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003857,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3942'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newsnr/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004784) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE
+SecRule REQUEST_LINE "@contains /logon_user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004784,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt --
logon_user.php username UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7088'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE
+SecRule REQUEST_LINE "@contains /update_profile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004790,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7088'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE
+SecRule REQUEST_LINE "@contains /page.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005876,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3076'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005523) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005523,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ps/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005529) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005529,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:us/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005535) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005535,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:f/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005541) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005541,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005547) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE
+SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005547,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:code/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005553) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE
+SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005553,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:f/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE
+SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005559,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:us/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE
+SecRule REQUEST_LINE "@contains /dl.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005566,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ps/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004868) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE
+SecRule REQUEST_LINE "@contains /pop_profile.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004868,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3321'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006134) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE
+SecRule REQUEST_LINE "@contains /list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006134,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3001'"
+SecRule
&TX:'/SQL_INJECTION.*ARGS:agent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE
+SecRule REQUEST_LINE "@contains /game_listing.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4078'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004384,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3457'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004821) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004821,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/20131'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:wcHeadlines/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004827) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE
+SecRule REQUEST_LINE "@contains /directory.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004827,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE
+SecRule REQUEST_LINE "@contains /sendarticle.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006638,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006644) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE
+SecRule REQUEST_LINE "@contains /printarticle.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006644,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher
SQL Injection Attempt -- printarticle.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006650) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006650,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005572,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3124'"
+SecRule REQUEST_LINE "@contains board[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006008,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lastname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The
Address Book SQL Injection Attempt -- user.php firstname UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006014,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:firstname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006020,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:passwordOld/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006026,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php
passwordNew UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:passwordNew/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006032,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006038,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:language/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006044,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:defaultLetter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006050) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006050,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newuserPass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006056) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE
+SecRule REQUEST_LINE "@contains /user.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006056,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newuserType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006062,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newuserEmail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006068) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006068,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule
&TX:'/SQL_INJECTION.*ARGS:goTo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006074,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE
+SecRule REQUEST_LINE "@contains /save.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006080,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:groupAddName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004874) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE
+SecRule REQUEST_LINE "@contains /h_goster.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004874,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22591'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE
+SecRule REQUEST_LINE "@contains /ViewReport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004677,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24385'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:bug/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004682) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE
+SecRule REQUEST_LINE "@contains /ViewBugs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004682,rev:5,msg:'SLR: ET
WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22799'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005238) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE
+SecRule REQUEST_LINE "@contains /banner.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005238,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:bid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE
+SecRule REQUEST_LINE "@contains /slideshow.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006891,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21319'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Uapplication
UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE
+SecRule REQUEST_LINE "@contains /thumbnails.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006897,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21319'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE
+SecRule REQUEST_LINE "@contains /badword.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005008,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22382'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007204) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /index.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007204,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007210) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007210,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE
+SecRule REQUEST_LINE "@contains /shopgiftregsearch.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005674,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3115'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:LoginLastname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE
+SecRule REQUEST_LINE "@contains /vf_memberdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4850'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006284) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE
+SecRule REQUEST_LINE "@contains /repass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006284,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006290) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE
+SecRule REQUEST_LINE "@contains /repass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006290,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006296) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE
+SecRule REQUEST_LINE "@contains /verify.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006296,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006302) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE
+SecRule REQUEST_LINE "@contains /verify.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006302,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE
+SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Itemid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE
+SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005504,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005510) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE
+SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005510,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003998) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003998,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25348'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005894) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE
+SecRule REQUEST_LINE "@contains /haberdetay.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005894,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3061'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /cat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007421,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE
+SecRule REQUEST_LINE "@contains /search.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007427,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007433,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007439) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007439,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007445) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007445,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:menuSelect/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007451,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:state/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004133) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004133,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23057'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search_forum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004139) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004139,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23057'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search_user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE
+SecRule REQUEST_LINE "@contains /urunbak.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004652,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24364'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE
+SecRule REQUEST_LINE "@contains /mailer.w2b" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005309,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3175'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:draft/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE
+SecRule REQUEST_LINE "@contains /DocPay.w2b" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005191,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3175'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:listDocPay/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004317,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3490'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:e_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005954) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE
+SecRule REQUEST_LINE "@contains /coupon_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005954,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21824'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:key/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003769) SpiderLabs Research (SLR) Public
Vulns: ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE +SecRule REQUEST_LINE "@contains /viewcat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003769,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3670'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE +SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004258,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3477'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006460) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE +SecRule REQUEST_LINE "@contains /content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006460,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page 
UPDATE',tag:'web-application-attack',tag:'url,www.osvdb.org/34164'" +SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE +SecRule REQUEST_LINE "@contains /phonemessage.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005960,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3032'" +SecRule &TX:'/SQL_INJECTION.*ARGS:num/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE +SecRule REQUEST_LINE "@contains /faqDsp.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005966,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3032'" +SecRule &TX:'/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- 
faqDsp.asp catcode UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006980) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE +SecRule REQUEST_LINE "@contains /process.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006980,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" +SecRule &TX:'/SQL_INJECTION.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006986) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE +SecRule REQUEST_LINE "@contains /process.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006986,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" +SecRule &TX:'/SQL_INJECTION.*ARGS:password/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- 
dlwallpaper.php wallpaperid UPDATE +SecRule REQUEST_LINE "@contains /dlwallpaper.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006992,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" +SecRule &TX:'/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006998) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE +SecRule REQUEST_LINE "@contains /wallpaper.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006998,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2835'" +SecRule &TX:'/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2007075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE +SecRule REQUEST_LINE "@contains /item.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007075,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21324'" +SecRule &TX:'/SQL_INJECTION.*ARGS:ItemID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004759,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22726'" +SecRule &TX:'/SQL_INJECTION.*ARGS:strid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE +SecRule REQUEST_LINE "@contains /filecheck.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004765,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22726'" +SecRule REQUEST_LINE "@contains id[" "chain" +SecRule 
QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE +SecRule REQUEST_LINE "@contains /directions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22559'" +SecRule &TX:'/SQL_INJECTION.*ARGS:testID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004778) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE +SecRule REQUEST_LINE "@contains /connexion.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004778,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7089'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004229) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp 
UPDATE +SecRule REQUEST_LINE "@contains /functions/functions_filters.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004229,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004234) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE +SecRule REQUEST_LINE "@contains /forum/pop_up_member_search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004234,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'" +SecRule &TX:'/SQL_INJECTION.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004240) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE +SecRule REQUEST_LINE "@contains /News/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004240,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'" +SecRule &TX:'/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005232) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE +SecRule REQUEST_LINE "@contains /eWebQuiz.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005232,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-0527'" +SecRule &TX:'/SQL_INJECTION.*ARGS:QuizID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE +SecRule REQUEST_LINE "@contains /check_vote.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004145,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded'" +SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004252) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE +SecRule REQUEST_LINE "@contains /usergroups.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004252,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22970'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE +SecRule REQUEST_LINE "@contains /pms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005002,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3262'" +SecRule REQUEST_LINE "@contains pmid[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005285) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE 
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005285,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3144'" +SecRule REQUEST_LINE "@contains boardids[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005291) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005291,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3144'" +SecRule REQUEST_LINE "@contains board[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2006926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE +SecRule REQUEST_LINE "@contains /thread.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006926,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2841'" +SecRule &TX:'/SQL_INJECTION.*ARGS:threadvisit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE +SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004016,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'" +SecRule &TX:'/SQL_INJECTION.*ARGS:cookie/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE +SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php 
UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE +SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE +SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005662,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005870) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE +SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005870,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2011047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/SQL_INJECTION.*ARGS:postid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004348) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE +SecRule REQUEST_LINE "@contains /devami.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004348,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3469'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE +SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005122,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" +SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE +SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005128,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" +SecRule 
&TX:'/SQL_INJECTION.*ARGS:from/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005134) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE +SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005134,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" +SecRule &TX:'/SQL_INJECTION.*ARGS:q/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2004862) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE +SecRule REQUEST_LINE "@contains /view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004862,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3327'" +SecRule &TX:'/SQL_INJECTION.*ARGS:album/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" + + +# (2005383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- 
group.php id UPDATE
+SecRule REQUEST_LINE "@contains /kernel/group.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005383,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22399'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005389) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE
+SecRule REQUEST_LINE "@contains /class/table_broken.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005389,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22399'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006491) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE
+SecRule REQUEST_LINE "@contains /print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006491,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3588'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006218) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE
+SecRule REQUEST_LINE "@contains /show_news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006218,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21719'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_news/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005614) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE
+SecRule REQUEST_LINE "@contains /displaypic.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005614,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21138'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sortorder/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004808) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mathis
Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE
+SecRule REQUEST_LINE "@contains /functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004808,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22685'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005197) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE
+SecRule REQUEST_LINE "@contains /mezungiris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005197,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005203) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE
+SecRule REQUEST_LINE "@contains /mezungiris.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005203,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005209) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE
+SecRule REQUEST_LINE "@contains /ogretmenkontrol.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005209,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005215) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE
+SecRule REQUEST_LINE "@contains /ogretmenkontrol.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005215,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul
Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003986) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE
+SecRule REQUEST_LINE "@contains /plugins/mp3playlist/mp3playlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003986,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3955'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:speler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE
+SecRule REQUEST_LINE "@contains /faqDsp.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005984,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3031'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE
+SecRule REQUEST_LINE "@contains /bb-includes/formatting-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005329,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3244'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE
+SecRule REQUEST_LINE "@contains /newsletters/edition.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005771,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20996'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:tk/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006176) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE
+SecRule REQUEST_LINE "@contains /SelGruFra.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006176,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21732'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:txtUse/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE
+SecRule REQUEST_LINE "@contains /SelGruFra.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006182,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21732'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:txtPas/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004058) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE
+SecRule REQUEST_LINE "@contains /category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004058,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3981'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_category/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004106) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE
+SecRule REQUEST_LINE "@contains /manufacturer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004106,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24223'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_manufacturer/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005038,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3256'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:c_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006956,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:seite_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006962,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:gruppe_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:go_target/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE
+SecRule REQUEST_LINE "@contains /dettaglio.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006620,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21463'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_doc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006626) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE
+SecRule REQUEST_LINE "@contains /dettaglio.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006626,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21463'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_aut/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005930) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE
+SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005930,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3004'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005936) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE
+SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005936,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3004'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007379) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE
+SecRule REQUEST_LINE "@contains /index1.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007379,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2829'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:which/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE
+SecRule REQUEST_LINE "@contains /default2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007385,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2830'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007391,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2828'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004113) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE
+SecRule REQUEST_LINE "@contains /getnewsitem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004113,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3988'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005810) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE
+SecRule REQUEST_LINE "@contains /display_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005810,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0056'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005816) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE
+SecRule REQUEST_LINE "@contains /display_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005816,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric
iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0056'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user_login_cookie/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE
+SecRule REQUEST_LINE "@contains /compare_product.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005822,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3083'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005828,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3082'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt --
user.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006614) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE
+SecRule &TX:'/SQL_INJECTION.*ARGS:D/' "@gt 0" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006614,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21467',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE
+SecRule REQUEST_LINE "@contains /install.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004845,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:bgcolor/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004469) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004469,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004473,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004479,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:year/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE
+SecRule REQUEST_LINE "@contains /read/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004010,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3964'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010619) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /modules/bms/invoices_discount_ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010619,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCC SQL
Injection Attempt -- nickpage.php npid UPDATE
+SecRule REQUEST_LINE "@contains /nickpage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004904,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3299'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:npid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004175,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004181,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule
&TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004187,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE
+SecRule REQUEST_LINE "@contains /print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004193,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004199) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE
+SecRule REQUEST_LINE
"@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004199,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004205) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE
+SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004205,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004211) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE
+SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004211,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:topic_id/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004217,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004223) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE
+SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004223,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003787) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003787,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3813'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE
+SecRule REQUEST_LINE "@contains /wbsearch.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005668,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3106'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE
+SecRule REQUEST_LINE "@contains /vBSupport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005353,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE',tag:'web-application-attack',tag:'url,www.vbulletin.org/forum/showthread.php?t=94023&page=38'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005359) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE
+SecRule REQUEST_LINE "@contains /vBSupport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005359,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24397'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ticketid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE
+SecRule REQUEST_LINE "@contains /printview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004753,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3351'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004886) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004886,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3325'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:showonly/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005244) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005244,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3172'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:picID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005250) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005250,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id
UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0270'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005255,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0270'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:galleryID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE
+SecRule REQUEST_LINE "@contains /xNews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005163,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3216'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011559) SpiderLabs Research
(SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011559,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011382) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /refund_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011382,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,41377'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:orderid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011450) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /classified_img.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011450,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,41204'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:clsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011835) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /admincp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011835,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains section=smilies" "chain"
+SecRule REQUEST_LINE "@contains action=edit" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:smilieid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011841) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011841,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:album_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011879,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:editmenu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /site_info.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011934,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule
&TX:'/SQL_INJECTION.*ARGS:siid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /filemgmt/singlefile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011947,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /cart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012005,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains m=features" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVD Rental Software cat_id
parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012020,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains view=catalog" "chain"
+SecRule REQUEST_LINE "@contains item_type=M" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012030) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /takefreestart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012030,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:tid2/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012038,rev:1,msg:'SLR: ET
WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains mod=publisher" "chain"
+SecRule REQUEST_LINE "@contains op=printarticle" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:artid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /informacion_general.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012163,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012215) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /program/moduler_banner_aabn.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012215,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012342) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /infusions/teams_structure/team.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012342,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:team_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012350,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains lvl=coll_see" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+#
(2012363) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /notaevento.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012363,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_novedad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012368) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /bexfront.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012368,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /hilfsmittel.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012378,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains action=read" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:katid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012417,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE
+SecRule REQUEST_LINE "@contains /dsp_page.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012425,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid
UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012436,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE
+SecRule REQUEST_LINE "@contains /public/code/cp_menu_data_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012473,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012482) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012482,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:gall_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012490) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE
+SecRule REQUEST_LINE "@contains /products.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012490,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ctf/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /imprimir.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012560,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012570) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /content/rubric/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012570,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:rubID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012580) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE
+SecRule REQUEST_LINE "@contains /web/classes/autocomplete.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012580,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:field/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012600) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE
+SecRule REQUEST_LINE "@contains /web/classes/autocomplete.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012600,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:field/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE
+SecRule REQUEST_LINE "@contains /plugins/pdfClasses/pdfgen.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012677,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pdfa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012655) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains
/modules/Surveys/modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012655,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains name=Surveys" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pollID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012665) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /cchatbox.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012665,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,46635'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:messageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012702) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /samples/with_db/loaddetails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012702,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eGroupware loaddetails.php
script UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_ET_SQLI_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,486 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_wordpress.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_WORDPRESS_RULES"
+
+# (2011256) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-ip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011256,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-new-edit-site.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011258,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:site_id "(?i:site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005152,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005153) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005153,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005155) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005155,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005154) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005154,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005156) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005156,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt
+SecRule REQUEST_LINE "@contains /wp-login.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003508,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',tag:'web-application-attack',tag:'url,www.inliniac.net/blog/?p=71'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:redirect_to=(ht|f)tps?\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH
+SecRule REQUEST_LINE "@contains /js/wptable-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003685,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3824'"
+SecRule ARGS:wpPATH "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH
+SecRule REQUEST_LINE "@contains /wordtube-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3825'"
+SecRule ARGS:wpPATH
"(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php
+SecRule REQUEST_LINE "@contains /sidebar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003885,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004011,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004012) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004012,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004013) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004013,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004014,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie
DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004015,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004016,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004403)
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004404) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004404,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004405) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004405,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004406) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004406,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY
"(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004654) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004654,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004655) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION
SELECT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004655,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005660,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005661,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains
/wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005662,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005865) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005865,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005866) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005866,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005867,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005868) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005868,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005869) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII
+SecRule REQUEST_LINE
"@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005869,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005870,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008725,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',tag:'web-application-attack'"
+SecRule ARGS:newsletter "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure
+SecRule REQUEST_LINE "@contains /books/getConfig.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009010,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',tag:'web-application-attack',tag:'bugtraq,32966'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains book_id=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt
+SecRule REQUEST_LINE "@contains /js/wptable-tinymce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010473,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ABSPATH "(?i:ABSPATH\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt
+SecRule REQUEST_LINE "@contains /wp-admin/admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010728,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt',tag:'web-application-attack',tag:'cve,2009-2334'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains page=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/nextgen-gallery/xml/media-rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-1186'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mode "(?i:(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011044,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011045,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011046,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011047) SpiderLabs Research (SLR)
Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-cumulus/tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule ARGS:tagcloud "(?i:tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site
Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011942,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:gid "(?i:gid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012009) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/feedlist/handler_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012009,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:i "(?i:i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012072) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012072,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:v1 "(?i:v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/accept-signups/accept-signups_submit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:email "(?i:email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/audio/getid3/demos/demo.browse.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012353,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:showfile "(?i:showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /js/modalbox/tests/functional/_ajax_method_get.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012356,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:param "(?i:param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012407,rev:2,msg:'SLR: ET
WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains /options-runnow-iframe.php?wpabs=/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012408,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains /options-view_log-iframe.php?wpabs=/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&logfile\=\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012411,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:post_id
"(?i:post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012412) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012412,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012413,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION
SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012414,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012415,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII
+SecRule REQUEST_LINE "@contains 
/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012416,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012417,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',tag:'web-application-attack'"
+SecRule ARGS:post_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File 
Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012428,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains task=dologin" "chain"
+SecRule ARGS:option "(?i:option\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012429,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting 
Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule ARGS:mosmsg "(?i:mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012431,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012432,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server 
wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012433,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012434) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012434,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII
+SecRule 
REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012435,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012436,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',tag:'web-application-attack'"
+SecRule ARGS:topic "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/zotpress/zotpress.image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012437,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" 
+SecRule ARGS:citation "(?i:citation\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/folder.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012476,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:type "(?i:type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012477) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012477,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT',tag:'web-application-attack'"
+SecRule 
ARGS:gall_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012478,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012479,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id 
INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012480,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012481) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012481,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012482) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- 
massedit_album.php gall_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012482,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',tag:'web-application-attack'"
+SecRule ARGS:gall_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/jquery-mega-menu/skin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012571,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:skin "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012581,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress 
Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:image "(?i:image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012601) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012601,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:image "(?i:image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-publication-archive/includes/openfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012705,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion 
Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_ET_WORDPRESS_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf 2011-05-03 19:01:25.000000000 +0000 
@@ -0,0 +1,1126 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_xss.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_XSS_RULES"
+
+# (2003905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods
+SecRule REQUEST_LINE "@contains /search/list/action_search/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule REQUEST_LINE "@contains form[mods][" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003906) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form
+SecRule REQUEST_LINE "@contains /search/list/action_search/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003906,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php 
form',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule REQUEST_LINE "@contains form[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003907) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id
+SecRule REQUEST_LINE "@contains /modules/dl/download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003907,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003908) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat
+SecRule REQUEST_LINE "@contains /news/list/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003908,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule &TX:'/XSS.*ARGS:form[cat]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003909) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat
+SecRule REQUEST_LINE "@contains 
/action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003909,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule &TX:'/XSS.*ARGS:form[cat]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003910) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name
+SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003910,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule &TX:'/XSS.*ARGS:form[name]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003911) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message
+SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003911,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule &TX:'/XSS.*ARGS:form[message]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form 
message',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003912) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail
+SecRule REQUEST_LINE "@contains /newsletter/create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003912,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
+SecRule &TX:'/XSS.*ARGS:form[mail]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003886) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php
+SecRule REQUEST_LINE "@contains /shared/code/cp_authorization.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003886,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1637'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003887) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php
+SecRule REQUEST_LINE "@contains /shared/config/cp_config.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003887,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23790'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010862) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /Forms/login" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010862,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2009-1798'"
+SecRule &TX:'/XSS.*ARGS:login_username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004594) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id
+SecRule REQUEST_LINE "@contains /news.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004594,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24135'"
+SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp 
id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003915) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture +SecRule REQUEST_LINE "@contains /picture.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003915,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23873'" +SecRule &TX:'/XSS.*ARGS:picture/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /host-manager/html/add" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010146,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2008-1947'" +SecRule &TX:'/XSS.*ARGS:method/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011114) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /Aris/wflogin.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011114,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,38441'" +SecRule &TX:'/XSS.*ARGS:errmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt +SecRule REQUEST_LINE "@contains /awstats/awstats.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010082,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2008-3714'" +SecRule &TX:'/XSS.*ARGS:config/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010147) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /search.5.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010147,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible bloofoxCMS \'search\' Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36700/info'" +SecRule &TX:'/XSS.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible bloofoxCMS \'search\' Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004583) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004583,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24156'" +SecRule &TX:'/XSS.*ARGS:blog/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs +SecRule REQUEST_LINE "@contains /cand_login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004559,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24078'" +SecRule &TX:'/XSS.*ARGS:strJobIDs/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011054) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt +SecRule REQUEST_LINE "@contains _invoice.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011054,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt',tag:'web-application-attack',tag:'cve,2010-1486'" +SecRule REQUEST_LINE "@contains script>" "chain" +SecRule 
QUERY_STRING|REQUEST_BODY "(?i:(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004569) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand +SecRule REQUEST_LINE "@contains /scripts/prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004569,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25370'" +SecRule &TX:'/XSS.*ARGS:brand/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004570) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg +SecRule REQUEST_LINE "@contains /scripts/prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004570,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25370'" +SecRule &TX:'/XSS.*ARGS:Msg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011676) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cisco Collaboration 
Server LoginPage.jhtml Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /webline/html/admin/wcs/LoginPage.jhtml" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011676,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-0641'" +SecRule &TX:'/XSS.*ARGS:dest/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2009590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt +SecRule REQUEST_LINE "@contains /config/edituser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009590,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/XSS.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2009591) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt +SecRule REQUEST_LINE "@contains /console.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009591,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/XSS.*ARGS:vmname/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2009592) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt +SecRule REQUEST_LINE "@contains /forcesd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009592,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2009593) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt +SecRule REQUEST_LINE "@contains /forcerestart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009593,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004566,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'" +SecRule &TX:'/XSS.*ARGS:ticketID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004567) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004567,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'" +SecRule &TX:'/XSS.*ARGS:view/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004568) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004568,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'" +SecRule &TX:'/XSS.*ARGS:fuse/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php 
fuse',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004591) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004591,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010200) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /siteminderagent/forms/smpwservices.fcc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010200,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/26375/info'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt 
+SecRule REQUEST_LINE "@contains /verify/asp/n6plugindestructor.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011152,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39999'"
+SecRule &TX:'/XSS.*ARGS:backurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright
+SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004584,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24200'"
+SecRule &TX:'/XSS.*ARGS:copyright/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004585) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004585,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24201'"
+SecRule &TX:'/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003920) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid
+SecRule REQUEST_LINE "@contains /loan.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003920,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23764'"
+SecRule &TX:'/XSS.*ARGS:movieid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003921) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s
+SecRule REQUEST_LINE "@contains /listmovies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003921,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23764'"
+SecRule &TX:'/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004595) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name
+SecRule REQUEST_LINE "@contains /room/info_book.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004595,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded'"
+SecRule &TX:'/XSS.*ARGS:Room_name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear
+SecRule REQUEST_LINE "@contains /room/week.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded'"
+SecRule &TX:'/XSS.*ARGS:curYear/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004593) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img
+SecRule REQUEST_LINE "@contains /main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004593,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3974'"
+SecRule &TX:'/XSS.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show
+SecRule REQUEST_LINE "@contains /listmembers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003876,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23951'"
+SecRule &TX:'/XSS.*ARGS:show/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003877) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show
+SecRule REQUEST_LINE "@contains /stats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003877,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23951'"
+SecRule &TX:'/XSS.*ARGS:show/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011153) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /WorkArea/reterror.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011153,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39679'"
+SecRule &TX:'/XSS.*ARGS:info/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011154) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /workarea/medialist.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011154,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39679'"
+SecRule &TX:'/XSS.*ARGS:selectids/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011256) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-ip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011256,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-new-edit-site.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011258,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004586) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st
+SecRule REQUEST_LINE "@contains /showown.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004586,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469269/100/0/threaded'"
+SecRule &TX:'/XSS.*ARGS:st/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004563,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'"
+SecRule &TX:'/XSS.*ARGS:galix_cat_detail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004564,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'"
+SecRule &TX:'/XSS.*ARGS:galix_gal_detail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004565,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'"
+SecRule &TX:'/XSS.*ARGS:galix_cat_detail_sort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database
+SecRule REQUEST_LINE "@contains /gnatsweb.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004562,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25333'"
+SecRule &TX:'/XSS.*ARGS:database/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername
+SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004554,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24102'"
+SecRule &TX:'/XSS.*ARGS:authusername/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004555) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword
+SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004555,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24102'"
+SecRule &TX:'/XSS.*ARGS:authpassword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php
+SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004560,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24063'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action
+SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004561,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24063'"
+SecRule &TX:'/XSS.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010770) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /smhui/getuiinfo" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010770,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2009-4185'"
+SecRule REQUEST_LINE "@contains JS" "chain"
+SecRule &TX:'/XSS.*ARGS:servercert/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009647) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hubscript XSS Attempt
+SecRule REQUEST_LINE "@contains /patch/single_winner1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009647,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hubscript XSS Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt'"
+SecRule ARGS_NAMES "(?i:bid_id)" "chain"
+SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hubscript XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/advanced/workingSet.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010145,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'"
+SecRule REQUEST_LINE "@contains operation=add" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010181,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'"
+SecRule &TX:'/XSS.*ARGS:searchWord/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010182,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" +SecRule &TX:'/XSS.*ARGS:maxHits/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010183) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010183,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" +SecRule &TX:'/XSS.*ARGS:scopedSearch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010184) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010184,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting 
Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" +SecRule &TX:'/XSS.*ARGS:scope/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010865) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /help/readme.nsf/Header" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010865,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/38481'" +SecRule &TX:'/XSS.*ARGS:BaseTarget/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010980) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /WebEditor/Authentication/LoginPage.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010980,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:errMsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011190) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /private/cindefn.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011190,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:INDEX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /private/power_management_policy_options.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011191,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:domain/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011192) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /private/pm_temp.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011192,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:slot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /private/power_module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011193,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:slot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /private/blade_leds.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:WEBINDEX/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /private/ipmi_bladestatus.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011195,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:SLOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004576) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php +SecRule REQUEST_LINE "@contains /module_bbcodeloader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004576,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# 
(2004577) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php +SecRule REQUEST_LINE "@contains /module_div.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004577,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php +SecRule REQUEST_LINE "@contains /module_email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004578,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004579) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php +SecRule REQUEST_LINE "@contains /module_image.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004579,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004580) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php +SecRule REQUEST_LINE "@contains /module_link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004580,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid +SecRule REQUEST_LINE "@contains /jscripts/folder_rte_files/module_table.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004581,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php 
editorid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" +SecRule &TX:'/XSS.*ARGS:editorid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004592) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php +SecRule REQUEST_LINE "@contains /calendar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004592,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php',tag:'web-application-attack',tag:'url,www.vbulletin.com/forum/showthread.php?postid=1355012'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004572,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login',tag:'web-application-attack',tag:'url,www.osvdb.org/34791'" +SecRule &TX:'/XSS.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003913) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
Kayako eSupport XSS Attempt -- index.php _m +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003913,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467832/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:_m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2009990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt +SecRule REQUEST_LINE "@contains /profiles/html/simpleSearch.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009990,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securitytracker.com/alerts/2009/Sep/1022945.html'" +SecRule &TX:'/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003918) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php +SecRule REQUEST_LINE "@contains /sendmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003918,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- 
sendmail.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23847'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003919) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php +SecRule REQUEST_LINE "@contains /order_form.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003919,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23847'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin +SecRule REQUEST_LINE "@contains /configure_plugin.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'" +SecRule &TX:'/XSS.*ARGS:edit_plugin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php 
edit_plugin',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1 +SecRule REQUEST_LINE "@contains /web/phpinfo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003883,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'" +SecRule REQUEST_LINE "@contains 1[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a +SecRule REQUEST_LINE "@contains /web/phpinfo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003884,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'" +SecRule REQUEST_LINE "@contains a[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE 
"@contains /admin/queuedMessage.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011082,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains method=getQueueMessages&" "chain" +SecRule &TX:'/XSS.*ARGS:queueMsgType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011083) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /admin/queuedMessage.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011083,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains method=getQueueMessages&" "chain" +SecRule &TX:'/XSS.*ARGS:QtnType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003894) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username +SecRule REQUEST_LINE "@contains /de/pda/dev_logon.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003894,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp 
username',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003895) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp +SecRule REQUEST_LINE "@contains /usrmgr/registerAccount.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003895,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003896) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp +SecRule REQUEST_LINE "@contains /de/create_account.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003896,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- 
create_account.asp',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010031) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt +SecRule REQUEST_LINE "@contains /dhost/modules" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010031,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Novell eDirectory \'dconserv.dlm\' Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36567/info'" +SecRule &TX:'/XSS.*ARGS:dconserv.dlm/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Novell eDirectory \'dconserv.dlm\' Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home +SecRule REQUEST_LINE "@contains /skins/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003878,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3838'" +SecRule &TX:'/XSS.*ARGS:ote_home/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011268) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /faces/jsf/tips.jsp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011268,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/XSS.*ARGS:context/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid +SecRule REQUEST_LINE "@contains /settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003879,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23761'" +SecRule &TX:'/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid +SecRule REQUEST_LINE "@contains /cat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23761'" +SecRule &TX:'/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php 
catid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2001218) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt +SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2001218,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt',tag:'web-application-attack',tag:'url,www.waraxe.us/?modname=sa&id=030'" +SecRule &TX:'/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004582) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004582,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003914) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id +SecRule REQUEST_LINE "@contains /Default.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003914,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx 
id',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011117) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /user/User_ChkLogin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011117,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39696'" +SecRule &TX:'/XSS.*ARGS:ComeUrl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2009672) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt +SecRule REQUEST_LINE "@contains /rating/rate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009672,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt'" +SecRule ARGS_NAMES "(?i:id)" "chain" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2009673) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt +SecRule REQUEST_LINE "@contains /rating/postcomments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009673,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt'" +SecRule ARGS_NAMES "(?i:id)" "chain" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004587) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php +SecRule REQUEST_LINE "@contains /awards.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004587,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004588) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php +SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004588,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS 
PsychoStats XSS Attempt -- login.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004589) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php +SecRule REQUEST_LINE "@contains /register.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004589,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php +SecRule REQUEST_LINE "@contains /weapons.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004590,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'" +SecRule REQUEST_LINE "@contains | 3C |" "chain" +SecRule REQUEST_LINE "@contains SCRIPT" "chain" +SecRule REQUEST_LINE "@contains | 3E |" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d +SecRule REQUEST_LINE "@contains cp/ps/Main/login/Login" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004571,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25326'" +SecRule &TX:'/XSS.*ARGS:d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003872) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s +SecRule REQUEST_LINE "@contains /wp-content/themes/redoable/searchloop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003872,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s +SecRule REQUEST_LINE "@contains /wp-content/themes/redoable/header.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003873,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost +SecRule REQUEST_LINE "@contains /contact/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003871,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23597'" +SecRule &TX:'/XSS.*ARGS:ripeformpost/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /html/studentmain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011731,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,40737'" +SecRule &TX:'/XSS.*ARGS:session/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 
SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form +SecRule REQUEST_LINE "@contains /sendcard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003922,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25085'" +SecRule &TX:'/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0020'" +SecRule &TX:'/XSS.*ARGS:part/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2011065) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /cgi/surgeftpmgr.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011065,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains cmd=class&" "chain" +SecRule &TX:'/XSS.*ARGS:classid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp +SecRule REQUEST_LINE "@contains /implicit-objects.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003902,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1729'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004575) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test +SecRule REQUEST_LINE "@contains /appdev/sample/web/hello.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004575,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24058'" +SecRule &TX:'/XSS.*ARGS:test/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004558) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId +SecRule REQUEST_LINE "@contains /reportItem.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004558,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24060'" +SecRule &TX:'/XSS.*ARGS:projId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23856'" +SecRule &TX:'/XSS.*ARGS:l/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile +SecRule REQUEST_LINE "@contains /browseCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003888,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php 
catFile',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'" +SecRule &TX:'/XSS.*ARGS:catFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003889) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile +SecRule REQUEST_LINE "@contains /browseSubCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003889,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'" +SecRule &TX:'/XSS.*ARGS:catFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003890) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id +SecRule REQUEST_LINE "@contains /openTutorial.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003890,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'" +SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# 
(2003891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id +SecRule REQUEST_LINE "@contains /topFrame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003891,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'" +SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id +SecRule REQUEST_LINE "@contains /admin/editListing.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003892,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'" +SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2003893) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003893,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS 
Attempt -- search.php search',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'" +SecRule &TX:'/XSS.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2004573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type +SecRule REQUEST_LINE "@contains /shopcontent.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004573,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded'" +SecRule &TX:'/XSS.*ARGS:type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010167,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:Queue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010168) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010169,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010170) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010170,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010171) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010171,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010172) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010172,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule 
&TX:'/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010173) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010173,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010174) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010174,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:Dictionary/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
WebSense Email security msgAnalyse.asp Scoring XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010175,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:Scoring/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010176) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010176,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:MessagePart/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010177) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010177,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security 
msgForwardToRiskFilter.asp Queue XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:Queue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010178) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010178,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2010179) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt +SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010179,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" +SecRule &TX:'/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security 
msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010180) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010180,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name
+SecRule REQUEST_LINE "@contains /usersettings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23894'"
+SecRule &TX:'/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php
+SecRule REQUEST_LINE "@contains /include/sessionRegister.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004574,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25308'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php
+SecRule REQUEST_LINE "@contains /sidebar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003885,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/nextgen-gallery/xml/media-rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-1186'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule
&TX:'/XSS.*ARGS:mode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-cumulus/tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule &TX:'/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php
+SecRule REQUEST_LINE "@contains /ReadMsg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004557,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php',tag:'web-application-attack',tag:'cve,CVE-2007-2825'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011115) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross
Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /frontend/x3/files/fileop.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011115,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,37394'"
+SecRule &TX:'/XSS.*ARGS:fileop/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user
+SecRule REQUEST_LINE "@contains /all_photos.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003875,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded'"
+SecRule &TX:'/XSS.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt
+SecRule REQUEST_LINE "@contains /users/payment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009671,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt'"
+SecRule ARGS_NAMES "(?i:order_id)" "chain"
+SecRule REQUEST_LINE "@contains GET "
"chain"
+SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server
+SecRule REQUEST_LINE "@contains /sqledit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004552,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24115'"
+SecRule &TX:'/XSS.*ARGS:server/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt
+SecRule REQUEST_LINE "@contains /tiki-featured_link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003167,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/450268/30/0'"
+SecRule ARGS_NAMES "(?i:type)" "chain"
+SecRule REQUEST_LINE "@contains /iframe>" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl
+SecRule REQUEST_LINE "@contains /printcal.pl"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003874,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24022'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /catalogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011571,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:id_livello/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /addressbook.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011566,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains show=search" "chain"
+SecRule &TX:'/XSS.*ARGS:page/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/csstidy/css_optimiser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011383,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /cacti/utilities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011423,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-2545'"
+SecRule &TX:'/XSS.*ARGS:filter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011452) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /dailyview.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011452,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /html/11-login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011845,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,43865'"
+SecRule &TX:'/XSS.*ARGS:intPassedLocationID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011852,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,44370'"
+SecRule &TX:'/XSS.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W-Agora
search.php bn Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011927,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:mailform_1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011942,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:gid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012009) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/feedlist/handler_image.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012009,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /fetchmailprefs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012011,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains actionID=fetchmail_prefs_save" "chain"
+SecRule REQUEST_LINE "@contains fm_driver=imap" "chain"
+SecRule &TX:'/XSS.*ARGS:fm_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /Forms/home_1" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012023,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:HomeCurrent_Date/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /en/front_content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012040,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:idart/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012070,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:db_type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012072) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012072,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:v1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/accept-signups/accept-signups_submit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /bizdir/bizdir.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012187,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:f_srch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site
Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /English_manual_version_2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012190,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:client/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /zimplit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012191,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains action=load" "chain"
+SecRule &TX:'/XSS.*ARGS:file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012216) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012216,rev:1,msg:'SLR: ET
WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule &TX:'/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012220) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /tagcloud-ru.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012220,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule &TX:'/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012337) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012337,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012351) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /SearchCenter/Pages/AllResults.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012351,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:k/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/audio/getid3/demos/demo.browse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012353,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:showfile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012355,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /js/modalbox/tests/functional/_ajax_method_get.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012356,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:param/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012370) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /explanation.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012370,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46337'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /modules/boonex/custom_rss/post_mod_crss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012371,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46337'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /core/themes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012380,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:L_failedopentheme/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012394) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross
Site Scripting Attempt +SecRule REQUEST_LINE "@contains stconf.nsf/WebMessage" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012394,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2011-1038'" +SecRule REQUEST_LINE "@contains OpenView" "chain" +SecRule &TX:'/XSS.*ARGS:messageString/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2012395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains stconf.nsf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012395,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2011-1038'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" + + +# (2012411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012411,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1
+SecRule REQUEST_LINE "@contains /shipping/methods/fedex_v7/label_mgr/js_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012418,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2
+SecRule REQUEST_LINE "@contains /shipping/pages/popup_shipping/js_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012419,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012428,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule REQUEST_LINE "@contains task=dologin" "chain"
+SecRule &TX:'/XSS.*ARGS:option/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012429,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule &TX:'/XSS.*ARGS:mosmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012430,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
+SecRule &TX:'/XSS.*ARGS:mosmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/zotpress/zotpress.image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012437,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:citation/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /admin/rp-menu.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012474,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46798'"
+SecRule &TX:'/XSS.*ARGS:_SESSION[sess_user]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012475,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46798'"
+SecRule &TX:'/XSS.*ARGS:row[titledesc]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/folder.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012476,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012483) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012483,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:to_p_dict/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012484) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012484,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:to_r_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012573,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:row[titledesc]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /admin/rp-menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012574,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:_SESSION[sess_user]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012581,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule
&TX:'/XSS.*ARGS:image/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012582) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /basicstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012582,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46771'"
+SecRule &TX:'/XSS.*ARGS:AjaxHandler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012601) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012601,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:image/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012603) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /basicstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012603,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46771'"
+SecRule &TX:'/XSS.*ARGS:AjaxHandler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012678) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /openBrowser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012678,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'"
+SecRule &TX:'/XSS.*ARGS:onload/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012679) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /we/include/we_modules/shop/edit_shop_editorFrameset.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012679,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'"
+SecRule &TX:'/XSS.*ARGS:onload/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /we/include/we_modules/messaging/messaging_show_folder_content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012680,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'"
+SecRule &TX:'/XSS.*ARGS:we_transaction/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012681) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /we/include/weTracking/econda/weEcondaImplement.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012681,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'"
+SecRule &TX:'/XSS.*ARGS:shop_artikelid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012656,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:callback/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt
+SecRule REQUEST_LINE "@contains /templates/recruitment/jobVacancy.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012658,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt',tag:'web-application-attack',tag:'bugtraq,47046'"
+SecRule &TX:'/XSS.*ARGS:recruitcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012669) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /mods/ckeditor/filemanager/connectors/php/upload.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012669,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS ClanSphere \'CKEditorFuncNum\' parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:CKEditorFuncNum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClanSphere \'CKEditorFuncNum\' parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012670) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/photosmash-galleries/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012670,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012706) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /vtigerservice.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012706,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/XSS.*ARGS:service/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_ET_XSS_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_sqli_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_sqli_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_sqli_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_sqli_attacks.conf 2011-04-15 18:25:15.000000000 +0000
@@ -0,0 +1,3324 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_sqli.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_SQLI_RULES"
+
+# (2011219) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /plugins/campsiteattachment/attachments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011219,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:article_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007515) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007515,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:categoryID_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007521) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007521,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sale_type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007527) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007527,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:stock_number/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007533) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007533,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:manufacturer/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007539) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007539,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:model/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007545) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007545,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:vehicleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007551) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE +SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007551,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:year/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto 
Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007557,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:vin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE
+SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007563,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:listing_price/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004064) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE
+SecRule REQUEST_LINE "@contains /includes/rating.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004064,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:rating/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004076) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /includes/rating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004076,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007222) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE
+SecRule REQUEST_LINE "@contains /admin/edit.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007222,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2853'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE
+SecRule REQUEST_LINE "@contains /templates/modif.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005062,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0388'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE
+SecRule REQUEST_LINE "@contains /shared/code/cp_authorization.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005578,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22032'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:xuser_name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel 
(AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE
+SecRule REQUEST_LINE "@contains /public/code/cp_downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005584,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22032'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004534) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE
+SecRule REQUEST_LINE "@contains /subcat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004534,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3408'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cate_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004540) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE
+SecRule REQUEST_LINE "@contains /view_profile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004540,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3409'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004546) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE
+SecRule REQUEST_LINE "@contains /postingdetails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004546,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3410'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:postingid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004551) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE
+SecRule REQUEST_LINE "@contains /topic_title.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004551,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3411'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:td_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006824) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE
+SecRule REQUEST_LINE "@contains /forum2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006824,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:soruid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE
+SecRule REQUEST_LINE "@contains /kullanicilistesi.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006830,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ak/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006836) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE
+SecRule REQUEST_LINE "@contains /aramayap.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006836,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kelimeler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE
+SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006842,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kullaniciadi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS 
ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE
+SecRule REQUEST_LINE "@contains /mesajkutum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006848,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:mesajno/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE
+SecRule REQUEST_LINE "@contains /kullanicilistesi.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006854,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:harf/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006860) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE
+SecRule REQUEST_LINE "@contains /forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006860,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:baslik/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005110) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE
+SecRule REQUEST_LINE "@contains /artreplydelete.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005110,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0341'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE
+SecRule REQUEST_LINE "@contains /news_detail.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005169,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3187'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE
+SecRule REQUEST_LINE "@contains /user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005175,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3186'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005888,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3062'"
+SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iPro/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /listpics.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007005,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21279'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE
+SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004324,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22988'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE
+SecRule REQUEST_LINE "@contains /product.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007397,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21166'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:productid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21166'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010135) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection 
Attempt
+SecRule ARGS_NAMES "(?i:userid)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010135,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'cve,2009-2734'"
+SecRule REQUEST_LINE "@contains /dispatch.php?atknodetype=reports.weekreport" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains UPDATE" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains SET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007481) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE
+SecRule REQUEST_LINE "@contains /activenews_view.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007481,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:articleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007486) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007486,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007492) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE
+SecRule REQUEST_LINE "@contains /activeNews_categories.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007492,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE
+SecRule REQUEST_LINE "@contains /activeNews_comments.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection 
Attempt -- activeNews_comments.asp articleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:articleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE
+SecRule REQUEST_LINE "@contains /activenews_search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007565,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE
+SecRule REQUEST_LINE "@contains /HaberDetay.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004892,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0620'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE
+SecRule REQUEST_LINE "@contains /rss.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004898,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0620'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005777,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3103'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004022) SpiderLabs Research 
(SLR) Public Vulns: ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004022,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3956'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pack/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE
+SecRule REQUEST_LINE "@contains /section/default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004723,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3390'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE
+SecRule REQUEST_LINE "@contains /email.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006566,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE
+SecRule REQUEST_LINE "@contains /voirannonce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006572,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:no/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_membre/fiche_membre.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006578,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:idmembre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_annonce/okvalannonce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006584,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:idannonce/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_annonce/changeannonce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006590,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:idannonce/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006788) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE
+SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006788,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21398'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kullanici/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006794) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE
+SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006794,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21398'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:parola/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE
+SecRule REQUEST_LINE "@contains /system/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004729,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22728'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:PHPSESSID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007457) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE
+SecRule REQUEST_LINE "@contains /publications_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007457,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:vjob/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007463) SpiderLabs
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE
+SecRule REQUEST_LINE "@contains /publication_view.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007463,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:InfoID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004336,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3466'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:layout/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007216) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE
+SecRule REQUEST_LINE "@contains /edit.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007216,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2848'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006338) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains /bt-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006338,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23316'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE
+SecRule REQUEST_LINE "@contains /admin/config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004833,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19758'"
+SecRule
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sqlcmd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004028) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE
+SecRule REQUEST_LINE "@contains /account_change.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004028,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3970'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:style/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004034) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE
+SecRule REQUEST_LINE "@contains /account_change.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004034,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3970'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:langue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE
+SecRule REQUEST_LINE "@contains /torrents.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004990,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/18549'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:by/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE
+SecRule REQUEST_LINE "@contains /torrents.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004996,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/18549'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003781) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE
+SecRule REQUEST_LINE "@contains /bry.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003781,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23678'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE
+SecRule REQUEST_LINE "@contains /HABERLER.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006254,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE
+SecRule REQUEST_LINE "@contains /HABERLER.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006260,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id
UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006266) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE
+SecRule REQUEST_LINE "@contains /ASPKAT.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006266,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006272) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE
+SecRule REQUEST_LINE "@contains /ASPKAT.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006272,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download
Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006278) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE
+SecRule REQUEST_LINE "@contains /down.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006278,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21676'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003798) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE
+SecRule REQUEST_LINE "@contains /stylesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003798,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23753'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:templateid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009979) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMScontrol 7.x
(index.php id_menu) SQL Injection Vulnerability
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009979,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9727'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE
+SecRule REQUEST_LINE "@contains graph_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007892,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',tag:'web-application-attack',tag:'bugtraq,27749'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:graph_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE
+SecRule REQUEST_LINE "@contains tree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007897,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id
UPDATE',tag:'web-application-attack',tag:'bugtraq,27749'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:leaf_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006170) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /calendar_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006170,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2993'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006188) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_mail_adressee.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006188,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2998'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007469) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE
+SecRule REQUEST_LINE "@contains /openPolicy.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007469,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21090/info'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:policy/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE
+SecRule REQUEST_LINE "@contains /prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007475,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21090/info'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:brand/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007228) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date
UPDATE
+SecRule REQUEST_LINE "@contains /displayCalendar.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007228,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21310'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007234) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE
+SecRule REQUEST_LINE "@contains /view_gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007234,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007240) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE
+SecRule REQUEST_LINE "@contains /view_gallery.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007240,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:gallery_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007246) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE
+SecRule REQUEST_LINE "@contains /download_image.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007246,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007252) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE
+SecRule REQUEST_LINE "@contains /gallery.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007252,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE
+SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007258,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007264) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE
+SecRule REQUEST_LINE "@contains /view_recent.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007264,rev:5,msg:'SLR: ET
WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007270) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007270,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:AlphaSort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007276,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'"
+SecRule
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:In/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007282) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007282,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE
+SecRule REQUEST_LINE "@contains /inc_listnews.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3317'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:CAT_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE
+SecRule REQUEST_LINE "@contains /comersus_optReviewReadExec.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006509,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24562'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:idProduct/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004640,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:epi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE
+SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3352'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:uploadimage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004716,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3352'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:p_skin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007341) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007341,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ContentNow SQL
Injection Attempt -- index.php pageid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2822'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE
+SecRule REQUEST_LINE "@contains /haber.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006308,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21626'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004815) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE
+SecRule REQUEST_LINE "@contains /thumbnails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004815,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3371'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cpg131_fav/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG)
SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE
+SecRule REQUEST_LINE "@contains /albmgr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005846,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE
+SecRule REQUEST_LINE "@contains /usermgr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005852,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:gid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo
Gallery SQL Injection Attempt -- db_ecard.php start UPDATE
+SecRule REQUEST_LINE "@contains /db_ecard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005858,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:start/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003757) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE
+SecRule REQUEST_LINE "@contains /error.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003757,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3767'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005864) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE
+SecRule REQUEST_LINE "@contains /cats.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005864,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS
CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21929'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE
+SecRule REQUEST_LINE "@contains /cart.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004040,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010275) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /plus/feedback_js.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010275,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:arcurl/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004088) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004088,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24201'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004461,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24212'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004688) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection
Attempt -- index.asp mid UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004688,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21064'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:mid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE
+SecRule REQUEST_LINE "@contains /set_preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006086,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE
+SecRule REQUEST_LINE "@contains /send_password_preferences.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006092,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006098) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE
+SecRule REQUEST_LINE "@contains /SecureLoginManager/list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006098,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006104) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE
+SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006104,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt --
login.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006110) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE
+SecRule REQUEST_LINE "@contains /content.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006110,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE
+SecRule REQUEST_LINE "@contains /members.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006116,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login
Manager SQL Injection Attempt -- members.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE
+SecRule REQUEST_LINE "@contains /applications/SecureLoginManager/inc_secureloginmanager.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006122,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005900) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE
+SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005900,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3089'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ordernum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004839) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE
+SecRule REQUEST_LINE "@contains /page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004839,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22636'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE
+SecRule REQUEST_LINE "@contains /visu_user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3122'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE
+SecRule
REQUEST_LINE "@contains /info_book.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005840,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3081'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:book_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010073,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507072'"
+SecRule REQUEST_LINE "@contains /docebo/docebo" "chain"
+SecRule REQUEST_LINE "@contains UPDATE" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:modname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010078) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010078,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection
Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507072'"
+SecRule REQUEST_LINE "@contains /docebo/docebo" "chain"
+SecRule REQUEST_LINE "@contains UPDATE" "chain"
+SecRule REQUEST_LINE "@contains SET" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:modname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004052) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE
+SecRule REQUEST_LINE "@contains /tracking/courseLog.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004052,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3980'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:scormcontopen/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE
+SecRule REQUEST_LINE "@contains /main/auth/my_progress.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004070,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3974'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:course/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /bus_details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006146,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2992'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE
+SecRule REQUEST_LINE "@contains /goster.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004390,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22910'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006692) SpiderLabs
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006692,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21405'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006699) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006699,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21405'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006705,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/14034'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006711) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006711,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iCity/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006717,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/15681'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iNews/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003775) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE
+SecRule REQUEST_LINE "@contains /home.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003775,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23727'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:a/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004629) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE
+SecRule REQUEST_LINE "@contains /listmembers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004629,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4030'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:rank/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005273) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE
+SecRule REQUEST_LINE "@contains /admin/memberlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005273,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005279) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE
+SecRule REQUEST_LINE "@contains /admin/memberlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005279,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:init_row/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE
+SecRule REQUEST_LINE "@contains /add_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005045,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005050) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /add_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005050,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005056) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE
+SecRule REQUEST_LINE "@contains /list_comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005056,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE
+SecRule REQUEST_LINE "@contains /sptrees/default.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006559,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:docId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005092,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0424'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:qid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005116,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3227'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE
+SecRule REQUEST_LINE "@contains /admin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005990,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:grup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005996,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE
+SecRule REQUEST_LINE "@contains /admin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006002,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006164,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21726'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:grup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE
+SecRule REQUEST_LINE "@contains /mod_banners.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006454,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24478'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /newsdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006140,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2990'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE
+SecRule REQUEST_LINE "@contains /Types.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006152,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2989'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Type_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006158) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE
+SecRule REQUEST_LINE "@contains /actualpic.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006158,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2991'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Biz_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE
+SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007047,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007053) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE
+SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007053,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007049) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE
+SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007049,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sub_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007035) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE
+SecRule REQUEST_LINE "@contains /dircat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007035,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007041) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE
+SecRule REQUEST_LINE "@contains /dirSub.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007041,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE
+SecRule REQUEST_LINE "@contains /dircat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007081,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE
+SecRule REQUEST_LINE "@contains /dirSub.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007087,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007093) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE
+SecRule REQUEST_LINE "@contains /types.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007093,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:TYPE_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE
+SecRule REQUEST_LINE "@contains /homeDetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007099,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007105) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007105,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007111) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE
+SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007111,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:compare/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007117) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE
+SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007117,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:clear/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE
+SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007123,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:adID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE
+SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007129,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:aminprice/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007135) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE
+SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007135,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:amaxprice/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007141) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE
+SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007141,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:abedrooms/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005261) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE
+SecRule REQUEST_LINE "@contains /show_owned.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005261,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22180'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005267) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE
+SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005267,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22180'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE
+SecRule REQUEST_LINE "@contains /administration/administre2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006224,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2945'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE
+SecRule REQUEST_LINE "@contains /productdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3074'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005341) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE
+SecRule REQUEST_LINE "@contains /style.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005341,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4054'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:template/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007065) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE +SecRule REQUEST_LINE "@contains /products.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007065,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21323'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:partno/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE +SecRule REQUEST_LINE "@contains /faq.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005086,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3234'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006818) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- 
articles.asp ex UPDATE +SecRule REQUEST_LINE "@contains /articles.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006818,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21296'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ex/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006344) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE +SecRule REQUEST_LINE "@contains /vdateUsr.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006344,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23304'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE +SecRule REQUEST_LINE "@contains /boxx/ShowAppendix.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005620,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- 
ShowAppendix.asp iid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE +SecRule REQUEST_LINE "@contains /question.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003851,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3943'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:questionref/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE +SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006128,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2997'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mxmania File 
Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE +SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006332,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2906'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003793) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003793,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23752'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE +SecRule REQUEST_LINE "@contains /index.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006903,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21289'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006909) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE +SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006909,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21289'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE +SecRule REQUEST_LINE "@contains /filelist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007187,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" +SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:show_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE +SecRule REQUEST_LINE "@contains /filelist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007193,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:parentid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007199) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE +SecRule REQUEST_LINE "@contains /showfile.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007199,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE +SecRule REQUEST_LINE "@contains /game.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003828,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3849'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005151) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE +SecRule REQUEST_LINE "@contains /info_user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005151,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3197'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE +SecRule REQUEST_LINE "@contains /listmain.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004923,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22545'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE +SecRule REQUEST_LINE "@contains /windows.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005080,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3233'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kategori_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE +SecRule REQUEST_LINE "@contains /down_indir.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite GeometriX 
Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4057'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE +SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006466,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24498'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006472) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE +SecRule REQUEST_LINE "@contains /forum/include/error/autherror.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006472,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24528'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:errorcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE +SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006194,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newsId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006200) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE +SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006200,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006206) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE +SecRule REQUEST_LINE "@contains 
/index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006206,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:langId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005335) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE +SecRule REQUEST_LINE "@contains /low.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005335,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4062'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004004) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE +SecRule REQUEST_LINE "@contains /down_indir.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004004,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23714'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004402) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE +SecRule REQUEST_LINE "@contains /kategori.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004402,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3437'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kategori/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE +SecRule REQUEST_LINE "@contains /inc/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005014,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL 
Injection Attempt -- common.php user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE +SecRule REQUEST_LINE "@contains /glossaire-p-f.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003845,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3932'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE +SecRule REQUEST_LINE "@contains /userdetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004354,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004360) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE +SecRule 
REQUEST_LINE "@contains /jump.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004360,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004366) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE +SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004366,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE +SecRule REQUEST_LINE "@contains /jump.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004372,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'" +SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011266) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /modules/comments/json.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011266,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains task=comment" "chain" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:comment_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005226) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE +SecRule REQUEST_LINE "@contains /print.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005226,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3195'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007409) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE +SecRule REQUEST_LINE "@contains /addrating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007409,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4689'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ipadd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE +SecRule REQUEST_LINE "@contains /addrating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007415,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4689'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004426) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE +SecRule REQUEST_LINE "@contains /giris_yap.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004426,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20375'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004634) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE +SecRule REQUEST_LINE "@contains /haberoku.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004634,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24288'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005068) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE +SecRule REQUEST_LINE "@contains /oku.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005068,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3241'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005644) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE +SecRule REQUEST_LINE "@contains /dispimage.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005644,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005650) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE +SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005650,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- 
default.asp order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE +SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE +SecRule REQUEST_LINE "@contains /rating.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006867,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE +SecRule REQUEST_LINE "@contains /meal_rest.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006873,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:mealid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE +SecRule REQUEST_LINE "@contains /res_details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006879,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:resid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE +SecRule REQUEST_LINE "@contains /classes/class_session.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004802,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2010'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:CLIENT_IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE +SecRule REQUEST_LINE "@contains /forum/modules/gallery/post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006674,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006680) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006680,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE +SecRule REQUEST_LINE "@contains /lib/entry_reply_entry.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:eid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006212) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE +SecRule REQUEST_LINE "@contains /ixm_ixpnews.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006212,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21710'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:story_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005347) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE +SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005347,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005365) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE +SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005365,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management 
System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE +SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005371,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE +SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0940'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:title/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004342) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE +SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004342,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3470'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:author/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE +SecRule REQUEST_LINE "@contains /G_Display.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24253'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iCategoryUnq/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004491) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE +SecRule REQUEST_LINE "@contains /Search/DisplayResults.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004491,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24253'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:iSearchID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006497) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE +SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006497,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4081'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:login_username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE +SecRule REQUEST_LINE "@contains /news.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006503,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4081'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:item/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE +SecRule REQUEST_LINE "@contains /admincp/attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004082,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',tag:'web-application-attack',tag:'url,www.vbulletin.com/forum/project.php?issueid=21615'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004151) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE +SecRule REQUEST_LINE "@contains /admincp/attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004151,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php 
UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24503'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE +SecRule REQUEST_LINE "@contains /inlinemod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004671,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3387'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:postids/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE +SecRule REQUEST_LINE "@contains /main_page.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003944,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE +SecRule REQUEST_LINE "@contains /open_tree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003950,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE +SecRule REQUEST_LINE "@contains /outputs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003956,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003962,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:view/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE +SecRule REQUEST_LINE "@contains /admin/cms/opentree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003968,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" +SecRule REQUEST_LINE "@contains id[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login 
UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0028'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007349) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE +SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007349,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2836'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:tID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE +SecRule REQUEST_LINE "@contains /openlink.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007355,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21226'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:LinkID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007361) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE +SecRule REQUEST_LINE "@contains /viewlinks.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007361,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21226'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:CategoryID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004378,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3455/'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:salary/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003763) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid 
UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003763,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3672'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005297) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE
+SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005297,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005303) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE
+SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005303,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE
+SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005395,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005401) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE
+SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005401,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE
+SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE
+SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005413,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php UPDATE
+SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005419,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005425,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:where/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005431,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:where/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005437,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005443) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005443,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- categories.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005449) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE
+SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005449,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE
+SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:option=com_djcatalog&view=showItem&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:option=com_jlord_rss&task=feed&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009942,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
+SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009947,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'"
+SecRule REQUEST_LINE "@contains view=mybudget&" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009960,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
+SecRule REQUEST_LINE "@contains view=student" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
+SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
SportFusion Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010017,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'"
+SecRule REQUEST_LINE "@contains view=gamepanel" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection
+SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010044,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'"
+SecRule REQUEST_LINE "@contains task=group_members" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010353,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:&category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010480,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
+SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:&pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL 
Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010559,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
+SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:treeId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010640,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
+SecRule REQUEST_LINE "@contains view=category&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010714,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:idea_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010754,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain"
+SecRule REQUEST_LINE "@contains &task=itempage" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010809) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010809,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_yelp&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010842,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010857,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_job&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_job/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010928,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'"
+SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010951) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010951,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010994) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010994,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010985) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010985,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain"
+SecRule REQUEST_LINE "@contains &task=view_item" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011005,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# 
(2011026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011026,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011081,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:face_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L.
Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE
+SecRule REQUEST_LINE "@contains /search_listing.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006765,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE
+SecRule REQUEST_LINE "@contains /search_listing.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006771,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:agent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L.
Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006777,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:property_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004646) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE
+SecRule REQUEST_LINE "@contains /news.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004646,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/4040/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004127,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3513/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kolumna/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE
+SecRule REQUEST_LINE "@contains /forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004984,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3278/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE
+SecRule REQUEST_LINE "@contains /down.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005801,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21889'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004694) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004694,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/2863/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:member_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE
+SecRule REQUEST_LINE "@contains /i-search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005074,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3232/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:itemid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005978) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE
+SecRule REQUEST_LINE "@contains /journal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005978,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:w/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE
+SecRule REQUEST_LINE "@contains /polls.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006320,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21366'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004528) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LI-Guestbook SQL
Injection Attempt -- guestbook.php country UPDATE
+SecRule REQUEST_LINE "@contains /guestbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004528,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22821'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:country/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007299) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE
+SecRule REQUEST_LINE "@contains /inout/status.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007299,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007305) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE
+SecRule REQUEST_LINE "@contains /inout/update.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007305,rev:5,msg:'SLR:
ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007311) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE
+SecRule REQUEST_LINE "@contains /forgotpass.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007311,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /forgotpass.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007317,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007323) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /inout/update.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007323,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /inout/status.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007329,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007335) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE
+SecRule REQUEST_LINE "@contains /details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007335,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2846'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE
+SecRule REQUEST_LINE "@contains /navigacija.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006662,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21464'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:IDMeniGlavni/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006668) SpiderLabs Research (SLR) Public Vulns:
ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE
+SecRule REQUEST_LINE "@contains /prikazInformacije.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006668,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21464'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:IDStranicaPodaci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007367) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE
+SecRule REQUEST_LINE "@contains /linkslist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007367,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:psearch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE
+SecRule REQUEST_LINE "@contains
/search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007373,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004414,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3416/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:lcnt/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE
+SecRule REQUEST_LINE "@contains /categoria.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006478,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid
UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/4082/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE
+SecRule REQUEST_LINE "@contains /main.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005834,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3073/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:subcatID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006326) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE
+SecRule REQUEST_LINE "@contains /ProductDetails.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006326,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/2908/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:PID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE
+SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004966,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3287/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE
+SecRule REQUEST_LINE "@contains /register.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004972,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3288/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005140,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22293'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:startrow/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005517) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE
+SecRule REQUEST_LINE "@contains /email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005517,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3141'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE
+SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006230,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:p/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006236) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE
+SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006236,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:l/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006242) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE
+SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006242,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:typ/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site
Manager SQL Injection Attempt -- listings.asp typ UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006248) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE
+SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006248,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:loc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003992,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3944/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:listid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt --
moscomment.php mcname UPDATE
+SecRule REQUEST_LINE "@contains /moscomment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004432,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20650'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:mcname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004438) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE
+SecRule REQUEST_LINE "@contains /com_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004438,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20650'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:mcname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE
+SecRule REQUEST_LINE "@contains /includes/mambo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004771,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20413'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011095) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /WorkOrder.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011095,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:woID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE
+SecRule REQUEST_LINE "@contains /news_page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005146,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3194/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection 
Attempt -- news_page.asp uid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004270) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004270,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7171'"
+SecRule REQUEST_LINE "@contains x[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004276,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:t/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004282) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004282,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:productId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004288) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004288,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sk/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004294) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004294,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:x/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004300) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE
+SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004300,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:so/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE
+SecRule REQUEST_LINE "@contains /order-track.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004306,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- 
order-track.php orderNo UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:orderNo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE
+SecRule REQUEST_LINE "@contains /lire-avis.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006350,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21513'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:aa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE
+SecRule REQUEST_LINE "@contains /uye_giris_islem.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006800,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21418'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kullanici_ismi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006806) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE
+SecRule REQUEST_LINE "@contains /uye_giris_islem.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006806,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21418'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE
+SecRule REQUEST_LINE "@contains /duyuru.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3120'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007011) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE
+SecRule REQUEST_LINE "@contains /item_show.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007011,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id2006quant/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE
+SecRule REQUEST_LINE "@contains /item_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007017,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:maingroup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007023) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE
+SecRule REQUEST_LINE "@contains /item_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007023,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:secondgroup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE
+SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004169,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3519'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:c/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005783) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE
+SecRule REQUEST_LINE "@contains /admin_check_user.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005783,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3105'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:txtUserName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003840,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1830'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006632) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE
+SecRule REQUEST_LINE "@contains /mystats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006632,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details 
UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-6403'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:details/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004617) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE
+SecRule REQUEST_LINE "@contains /diary.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004617,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:delete/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004100) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004100,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3989/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE
+SecRule REQUEST_LINE "@contains /result.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3355/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:surv/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE
+SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006885,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21227'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE
+SecRule REQUEST_LINE "@contains 
/plugins/ipsearch/ipsearch.admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006741,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE
+SecRule REQUEST_LINE "@contains /pfs/pfs.edit.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE
+SecRule REQUEST_LINE "@contains /system/core/users/users.register.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006753,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php 
UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE
+SecRule REQUEST_LINE "@contains /polls.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006759,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007293) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE
+SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007293,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE
+SecRule REQUEST_LINE "@contains /ViewCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006552,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24584'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:s_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE
+SecRule REQUEST_LINE "@contains /News/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004163,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3520/'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- 
addcomment2.php commentname UPDATE
+SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004941,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:commentname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE
+SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004948,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:commentmail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004954) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE
+SecRule REQUEST_LINE "@contains /pages/addcomment2.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004954,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:commentwebsite/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE
+SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004960,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:comment/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE
+SecRule REQUEST_LINE "@contains /shared/code/cp_functions_downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005680,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nicola 
Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23726'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:download_category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE
+SecRule REQUEST_LINE "@contains /view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005020,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3261'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE
+SecRule REQUEST_LINE "@contains /dagent/downloadreport.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21473'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:agentid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006602) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE
+SecRule REQUEST_LINE "@contains /dagent/downloadreport.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006602,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21473'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE
+SecRule REQUEST_LINE "@contains /nukesentinel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004312,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE
+SecRule REQUEST_LINE "@contains /nukesentinel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004735,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3338'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE
+SecRule REQUEST_LINE "@contains /includes/nsbypass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004741,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3337'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006812) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin 
Board) SQL Injection Attempt -- viewthread.php pid UPDATE
+SecRule REQUEST_LINE "@contains /viewthread.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006812,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21172'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /ossim/repository/repository_attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010656,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10479'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_document/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005602) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE
+SecRule REQUEST_LINE "@contains /etkinlikbak.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005602,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3135'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE
+SecRule REQUEST_LINE "@contains /OmegaMw7.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24275'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE
+SecRule REQUEST_LINE "@contains /user_pages/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004850,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3339'"
+SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011061) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /jtfwcpnt.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011061,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39510'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE
+SecRule REQUEST_LINE "@contains /login/register.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005942,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21822'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:UserUpdate/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE
+SecRule REQUEST_LINE "@contains /includes/a_register.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005948,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21822'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004246) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE
+SecRule REQUEST_LINE "@contains /php-stats.recphp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004246,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3497'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ip/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006515) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE
+SecRule 
REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006515,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Outgoing_Type_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006521) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006521,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Outgoing_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006527) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006527,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID 
UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Project_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006533) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006533,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Client_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006539) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006539,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Invoice_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006545) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006545,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Vendor_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE
+SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE
+SecRule REQUEST_LINE "@contains /admin_hacks_list.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:hack_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE
+SecRule REQUEST_LINE "@contains /modules/admin/modules/gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004046,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1937'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003810) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE
+SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003810,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23854'" 
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ADMIN_USER/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003816) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE
+SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003816,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23854'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ADMIN_PASS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004700) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE
+SecRule REQUEST_LINE "@contains /include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004700,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21002'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005789) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE
+SecRule REQUEST_LINE "@contains /comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005789,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21962'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:subid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE
+SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005181,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2759'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE
+SecRule REQUEST_LINE "@contains /mainfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004330,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22909'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE
+SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004856,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3334'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:category_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE
+SecRule REQUEST_LINE "@contains /admin/modules/modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005461,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:active/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005467) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005467,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ad_class/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005473,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:imageurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005479) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005479,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:clickurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ad_code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005492) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE
+SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005492,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:position/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE
+SecRule REQUEST_LINE "@contains /blocks/block-Old_Articles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005590,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22037'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006932) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE
+SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006932,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE
+SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006938,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE
+SecRule REQUEST_LINE "@contains /modules/News/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007181,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL
Injection Attempt -- index.php sid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011137) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /links.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011137,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39925'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains op=viewslink&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011172) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /friend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011172,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39992'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains op=FriendSend&" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005906) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE
+SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005906,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newmessage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005912) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE
+SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005912,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005918) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE
+SecRule REQUEST_LINE
"@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005918,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newwebsite/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE
+SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005924,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newemail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:c/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE
+SecRule REQUEST_LINE "@contains /item.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004935,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/17974'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006735,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-6349'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:main/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004264) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE
+SecRule REQUEST_LINE "@contains /post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004264,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3500'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:postid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005221) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE
+SecRule REQUEST_LINE "@contains /archives.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005221,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:month/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004623) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php
editcomment UPDATE
+SecRule REQUEST_LINE "@contains /viewimage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004623,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4019'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:editcomment/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004094) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004094,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4003'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:form_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE
+SecRule REQUEST_LINE "@contains /philboard_forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004929,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Philboard SQL
Injection Attempt -- philboard_forum.asp forumid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3295'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004910) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE
+SecRule REQUEST_LINE "@contains /pollmentorres.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004910,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3301'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005626) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE
+SecRule REQUEST_LINE "@contains /simplog/archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005626,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:blogid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php
blogid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005632) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE
+SecRule REQUEST_LINE "@contains /simplog/archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005632,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE
+SecRule REQUEST_LINE "@contains /simplog/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005638,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:blogid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE
+SecRule REQUEST_LINE "@contains /lire-avis.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006356,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21516'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:aa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010189) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /qte_result.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010189,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:title/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE
+SecRule REQUEST_LINE "@contains /viewad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005686,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21197'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE
+SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005026,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE
+SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005032,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:password/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script
SQL Injection Attempt -- login.asp password UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005098) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE
+SecRule REQUEST_LINE "@contains /user_confirm.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005098,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22350'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005104) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE
+SecRule REQUEST_LINE "@contains /user_confirm.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005104,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22350'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006944) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE
+SecRule REQUEST_LINE "@contains /recipe.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006944,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2834'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:recipeid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE
+SecRule REQUEST_LINE "@contains /list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006950,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2834'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE
+SecRule REQUEST_LINE "@contains /edit_day.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003834,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3931'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_reserv/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004605) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE
+SecRule REQUEST_LINE "@contains /inc/class_users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004605,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4020'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /listfull.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005692,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005698) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /printmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005698,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /listmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005704,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /searchmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005716,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE
+SecRule REQUEST_LINE "@contains /searchkey.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005722,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE
+SecRule REQUEST_LINE "@contains /searchmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005728,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:area/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005734) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE
+SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005734,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:area/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE +SecRule REQUEST_LINE "@contains /searchkey.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005741,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:searchin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE +SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005747,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cost1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE +SecRule REQUEST_LINE "@contains /searchoption.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005753,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cost2/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE +SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005759,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:acreage1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE +SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005765,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:squarefeet1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004665) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004665,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3403'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:categoria/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011159) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /roleManager.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011159,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule REQUEST_LINE "@contains type=query&" "chain" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE +SecRule REQUEST_LINE "@contains /class/debug/debug_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003822,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3850'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:executed_queries/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003863) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE +SecRule REQUEST_LINE "@contains /devami.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003863,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3936'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004468) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE +SecRule REQUEST_LINE "@contains /cgi-bin/reorder2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004468,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24226'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE +SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE +SecRule REQUEST_LINE "@contains /add2.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004504,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:country/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004510) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE +SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004510,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004516) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE +SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004516,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" +SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:website/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004522) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE +SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004522,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:message/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011730) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /html/studentmain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011730,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,40737'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:session/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004121) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004121,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3509'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006314) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE +SecRule REQUEST_LINE "@contains /utilities/usermessages.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006314,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23372'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:mesid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php 
serendipity UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004420,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded'" +SecRule REQUEST_LINE "@contains serendipity[multiCat][" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005795) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE +SecRule REQUEST_LINE "@contains /orange.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005795,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21905'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:CatID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE +SecRule REQUEST_LINE "@contains /print.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003857,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3942'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newsnr/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004784) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE +SecRule REQUEST_LINE "@contains /logon_user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004784,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7088'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE +SecRule REQUEST_LINE "@contains /update_profile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004790,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username 
UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7088'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE +SecRule REQUEST_LINE "@contains /page.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005876,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3076'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005523) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005523,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ps/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005529) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005529,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:us/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005535) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005535,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:f/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005541) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE +SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005541,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005547) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE +SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005547,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005553) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE +SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005553,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:f/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE +SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005559,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:us/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE +SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005566,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ps/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004868) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE +SecRule REQUEST_LINE "@contains /pop_profile.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004868,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3321'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006134) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE +SecRule REQUEST_LINE "@contains /list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006134,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3001'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:agent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE +SecRule REQUEST_LINE "@contains /game_listing.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4078'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004384,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3457'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004821) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004821,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/20131'" +SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE +SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:wcHeadlines/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004827) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE +SecRule REQUEST_LINE "@contains /directory.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004827,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE
+SecRule REQUEST_LINE "@contains /sendarticle.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006638,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006644) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE
+SecRule REQUEST_LINE "@contains /printarticle.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006644,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006650) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006650,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE
+SecRule REQUEST_LINE "@contains /preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005572) SpiderLabs Research (SLR)
Public Vulns: ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005572,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3124'"
+SecRule REQUEST_LINE "@contains board[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006008,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:lastname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006014,rev:5,msg:'SLR:
ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:firstname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006020,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:passwordOld/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006026,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:passwordNew/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006032,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006038,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:language/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt --
user.php defaultLetter UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006044,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:defaultLetter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006050) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006050,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newuserPass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006056) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006056,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL
Injection Attempt -- user.php newuserType UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newuserType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE
+SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006062,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newuserEmail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006068) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006068,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:goTo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt --
search.php goTo UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006074,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE
+SecRule REQUEST_LINE "@contains /save.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006080,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:groupAddName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE
+SecRule REQUEST_LINE "@contains /h_goster.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004874,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22591'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE
+SecRule REQUEST_LINE "@contains /ViewReport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004677,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24385'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:bug/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004682) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE
+SecRule REQUEST_LINE "@contains /ViewBugs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004682,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tyger Bug
Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22799'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005238) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE
+SecRule REQUEST_LINE "@contains /banner.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005238,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:bid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE
+SecRule REQUEST_LINE "@contains /slideshow.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006891,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21319'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET
WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE
+SecRule REQUEST_LINE "@contains /thumbnails.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006897,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21319'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE
+SecRule REQUEST_LINE "@contains /badword.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005008,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22382'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007204) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL
Injection Attempt -- index.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007204,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007210) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE
+SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007210,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE
+SecRule REQUEST_LINE "@contains /shopgiftregsearch.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005674,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3115'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:LoginLastname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE
+SecRule REQUEST_LINE "@contains /vf_memberdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4850'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006284) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE
+SecRule REQUEST_LINE "@contains /repass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006284,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod
UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006290) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE
+SecRule REQUEST_LINE "@contains /repass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006290,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:nick/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006296) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE
+SecRule REQUEST_LINE "@contains /verify.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006296,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:nick/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006302) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE
+SecRule REQUEST_LINE "@contains /verify.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006302,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE
+SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:Itemid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id
UPDATE
+SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005504,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005510) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE
+SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005510,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:category_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003998) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE
+SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003998,rev:6,msg:'SLR: ET
WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25348'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005894) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE
+SecRule REQUEST_LINE "@contains /haberdetay.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005894,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3061'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2007421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE
+SecRule REQUEST_LINE "@contains /cat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007421,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified
System SQL Injection Attempt -- cat.asp cat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE +SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007427,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE +SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007433,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007439) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE +SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007439,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007445) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE +SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007445,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:menuSelect/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE +SecRule REQUEST_LINE "@contains /search.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007451,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:state/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004133) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004133,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23057'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:search_forum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004139) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004139,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23057'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:search_user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE +SecRule REQUEST_LINE "@contains /urunbak.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004652,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24364'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE +SecRule REQUEST_LINE "@contains /mailer.w2b" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005309,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3175'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:draft/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE +SecRule REQUEST_LINE "@contains /DocPay.w2b" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005191,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3175'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:listDocPay/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004317,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3490'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:e_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005954) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE +SecRule REQUEST_LINE "@contains 
/coupon_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005954,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21824'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:key/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003769) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE +SecRule REQUEST_LINE "@contains /viewcat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003769,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3670'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE +SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004258,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3477'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006460) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE +SecRule REQUEST_LINE "@contains /content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006460,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE',tag:'web-application-attack',tag:'url,www.osvdb.org/34164'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE +SecRule REQUEST_LINE "@contains /phonemessage.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005960,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3032'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:num/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE +SecRule REQUEST_LINE "@contains /faqDsp.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005966,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3032'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006980) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE +SecRule REQUEST_LINE "@contains /process.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006980,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006986) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE +SecRule REQUEST_LINE "@contains /process.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006986,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:password/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE +SecRule REQUEST_LINE "@contains /dlwallpaper.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006992,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006998) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE +SecRule REQUEST_LINE "@contains /wallpaper.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006998,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2835'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE +SecRule REQUEST_LINE "@contains /item.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007075,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21324'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ItemID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004759,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22726'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:strid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE +SecRule REQUEST_LINE "@contains /filecheck.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004765,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22726'" +SecRule REQUEST_LINE "@contains id[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE +SecRule REQUEST_LINE "@contains /directions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22559'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:testID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004778) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE +SecRule REQUEST_LINE "@contains /connexion.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004778,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7089'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004229) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE +SecRule REQUEST_LINE "@contains /functions/functions_filters.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004229,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004234) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE +SecRule REQUEST_LINE "@contains /forum/pop_up_member_search.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004234,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004240) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE +SecRule REQUEST_LINE "@contains /News/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004240,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005232) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE +SecRule REQUEST_LINE "@contains /eWebQuiz.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005232,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-0527'" 
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:QuizID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE +SecRule REQUEST_LINE "@contains /check_vote.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004145,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004252) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE +SecRule REQUEST_LINE "@contains /usergroups.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004252,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22970'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE +SecRule REQUEST_LINE "@contains /pms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005002,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3262'" +SecRule REQUEST_LINE "@contains pmid[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005285) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005285,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3144'" +SecRule REQUEST_LINE "@contains boardids[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005291) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE +SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005291,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3144'" +SecRule REQUEST_LINE "@contains board[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE +SecRule REQUEST_LINE "@contains /thread.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006926,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2841'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:threadvisit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE +SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004016,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cookie/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE +SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE +SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" +SecRule 
QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE +SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005662,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE +SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005870,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2011047) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:postid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004348) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE +SecRule REQUEST_LINE "@contains /devami.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004348,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3469'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE +SecRule REQUEST_LINE "@contains /classes/class.news.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005122,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE +SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005128,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:from/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005134) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE +SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005134,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q 
UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:q/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004862) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE +SecRule REQUEST_LINE "@contains /view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004862,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3327'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:album/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE +SecRule REQUEST_LINE "@contains /kernel/group.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005383,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22399'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005389) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE +SecRule REQUEST_LINE "@contains /class/table_broken.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005389,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22399'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006491) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE +SecRule REQUEST_LINE "@contains /print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006491,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3588'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006218) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE +SecRule REQUEST_LINE "@contains /show_news.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006218,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21719'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_news/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005614) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE +SecRule REQUEST_LINE "@contains /displaypic.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005614,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21138'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sortorder/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004808) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE +SecRule REQUEST_LINE "@contains /functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004808,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft 
Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22685'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005197) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE +SecRule REQUEST_LINE "@contains /mezungiris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005197,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005203) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE +SecRule REQUEST_LINE "@contains /mezungiris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005203,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005209) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE +SecRule REQUEST_LINE "@contains /ogretmenkontrol.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005209,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005215) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE +SecRule REQUEST_LINE "@contains /ogretmenkontrol.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005215,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'" +SecRule 
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003986) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE +SecRule REQUEST_LINE "@contains /plugins/mp3playlist/mp3playlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003986,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3955'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:speler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE +SecRule REQUEST_LINE "@contains /faqDsp.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005984,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3031'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# 
(2005329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE +SecRule REQUEST_LINE "@contains /bb-includes/formatting-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005329,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3244'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE +SecRule REQUEST_LINE "@contains /newsletters/edition.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005771,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20996'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:tk/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006176) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE +SecRule REQUEST_LINE "@contains /SelGruFra.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006176,rev:5,msg:'SLR: 
ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21732'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:txtUse/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE +SecRule REQUEST_LINE "@contains /SelGruFra.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006182,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21732'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:txtPas/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004058) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE +SecRule REQUEST_LINE "@contains /category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004058,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3981'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- 
category.php id_category UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004106) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE +SecRule REQUEST_LINE "@contains /manufacturer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004106,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24223'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_manufacturer/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE +SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005038,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3256'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:c_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- 
index.php seite_id UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006956,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:seite_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006962,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:gruppe_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE +SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:go_target/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE +SecRule REQUEST_LINE "@contains /dettaglio.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006620,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21463'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_doc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2006626) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE +SecRule REQUEST_LINE "@contains /dettaglio.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006626,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21463'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_aut/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut 
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005930) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE +SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005930,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3004'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005936) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE +SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005936,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3004'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007379) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE +SecRule REQUEST_LINE "@contains /index1.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007379,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2829'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:which/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE +SecRule REQUEST_LINE "@contains /default2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007385,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2830'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:kat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2007391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE +SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2007391,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2828'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:fid/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004113) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE +SecRule REQUEST_LINE "@contains /getnewsitem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004113,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3988'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005810) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE +SecRule REQUEST_LINE "@contains /display_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005810,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0056'" +SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2005816) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE
+SecRule REQUEST_LINE "@contains /display_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005816,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0056'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user_login_cookie/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE
+SecRule REQUEST_LINE "@contains /compare_product.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005822,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3083'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE
+SecRule REQUEST_LINE "@contains /user.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005828,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3082'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2006614) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:D/' "@gt 0" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006614,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21467',ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE
+SecRule REQUEST_LINE "@contains /install.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004845,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded'"
+SecRule
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:bgcolor/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004469) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004469,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004473,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004479) SpiderLabs
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004479,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:year/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE
+SecRule REQUEST_LINE "@contains /read/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004010,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3964'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010619) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /modules/bms/invoices_discount_ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010619,rev:2,msg:'SLR: ET
WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE
+SecRule REQUEST_LINE "@contains /nickpage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004904,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3299'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:npid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004175,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php
image_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004181,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004187,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE
+SecRule REQUEST_LINE "@contains /print.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004193,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004199) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004199,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:news_cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004205) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE
+SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004205,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cat_id/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004211) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE
+SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004211,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:topic_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004217,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004223) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php
user_id UPDATE
+SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004223,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003787) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003787,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3813'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE
+SecRule REQUEST_LINE "@contains /wbsearch.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005668,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3106'"
+SecRule
QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE
+SecRule REQUEST_LINE "@contains /vBSupport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005353,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE',tag:'web-application-attack',tag:'url,www.vbulletin.org/forum/showthread.php?t=94023&page=38'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005359) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE
+SecRule REQUEST_LINE "@contains /vBSupport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005359,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24397'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ticketid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE
+SecRule REQUEST_LINE "@contains /printview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004753,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3351'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004886) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004886,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3325'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:showonly/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005244) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005244,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3172'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:picID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005250) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005250,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0270'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE
+SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005255,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0270'"
+SecRule
&TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:galleryID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE
+SecRule REQUEST_LINE "@contains /xNews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005163,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3216'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011559,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
+SecRule REQUEST_LINE "@contains view=portfolio" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011382) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /refund_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011382,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,41377'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:orderid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011450) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /classified_img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011450,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,41204'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:clsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011835) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OvBB
admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /admincp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011835,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains section=smilies" "chain"
+SecRule REQUEST_LINE "@contains action=edit" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:smilieid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011841) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011841,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:album_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011879,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:editmenu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /site_info.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011934,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:siid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /filemgmt/singlefile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011947,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET "
"chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /cart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012005,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains m=features" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012020,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains view=catalog" "chain"
+SecRule REQUEST_LINE "@contains item_type=M" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012030) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /takefreestart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012030,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:tid2/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012038,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains mod=publisher" "chain"
+SecRule REQUEST_LINE "@contains op=printarticle" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:artid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS
Informacion General informacion_general.php UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /informacion_general.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012163,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012215) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /program/moduler_banner_aabn.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012215,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012342) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /infusions/teams_structure/team.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012342,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:team_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012350,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains lvl=coll_see" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012363) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /notaevento.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012363,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS T-Content Management System id_novedad
Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:id_novedad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012368) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /bexfront.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012368,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /hilfsmittel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012378,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains action=read" "chain"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:katid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS
Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012417,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE
+SecRule REQUEST_LINE "@contains /dsp_page.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012425,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:pageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt --
feed.php topic UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012436,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE
+SecRule REQUEST_LINE "@contains /public/code/cp_menu_data_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012473,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012482) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE
+SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012482,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:gall_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012490) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE
+SecRule REQUEST_LINE "@contains /products.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012490,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/SQL_INJECTION.*ARGS:ctf/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SLR_SQLI_RULES
diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_wordpress_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_wordpress_attacks.conf
--- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_wordpress_attacks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_wordpress_attacks.conf 2011-04-15 18:25:15.000000000 +0000
@@ -0,0 +1,463 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
+#
+# http://www.emergingthreats.net/
+#
+
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_wordpress.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_WORDPRESS_RULES"
+
+# (2011256) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-ip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011256,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:edit "(?i:edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-new-edit-site.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011258,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:site_id "(?i:site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005152,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005153) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005153,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005155) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005155,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005154) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005154,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005156) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005156,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE
+SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
+SecRule ARGS:wcHeadlines "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt
+SecRule REQUEST_LINE "@contains /wp-login.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003508,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',tag:'web-application-attack',tag:'url,www.inliniac.net/blog/?p=71'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:redirect_to=(ht|f)tps?\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH
+SecRule REQUEST_LINE "@contains /js/wptable-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003685,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3824'"
+SecRule ARGS:wpPATH "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH
+SecRule REQUEST_LINE "@contains /wordtube-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3825'"
+SecRule ARGS:wpPATH "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php
+SecRule REQUEST_LINE "@contains /sidebar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003885,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004011,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004012) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004012,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004013) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004013,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004014,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS
WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004015,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004016,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
+SecRule ARGS:cookie "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie
UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004404) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004404,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004405) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT
+SecRule REQUEST_LINE
"@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004405,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004406) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE +SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004406,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2004407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII +SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php 
ASCII',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004654) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004654,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php 
SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004655) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004655,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE
+SecRule REQUEST_LINE "@contains /xmlrpc.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE
+SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL 
Injection Attempt -- wp-trackback.php INSERT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005660,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005661,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php 
ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005662,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005865) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005865,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php 
SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005866) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005866,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005867,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005868) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005868,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005869) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005869,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2005870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE
+SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005870,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'"
+SecRule QUERY_STRING|REQUEST_BODY 
"(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2008725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection
+SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008725,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',tag:'web-application-attack'"
+SecRule ARGS:newsletter "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure
+SecRule REQUEST_LINE "@contains /books/getConfig.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009010,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',tag:'web-application-attack',tag:'bugtraq,32966'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains book_id=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File 
Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt
+SecRule REQUEST_LINE "@contains /js/wptable-tinymce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010473,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:ABSPATH "(?i:ABSPATH\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt
+SecRule REQUEST_LINE "@contains /wp-admin/admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010728,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt',tag:'web-application-attack',tag:'cve,2009-2334'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains page=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/nextgen-gallery/xml/media-rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-1186'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:mode "(?i:(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011044,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011045,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011046,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule ARGS:postid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-cumulus/tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule ARGS:tagcloud "(?i:tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011942,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:gid "(?i:gid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012009) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/feedlist/handler_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012009,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:i "(?i:i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012072) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012072,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:v1 "(?i:v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/accept-signups/accept-signups_submit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:email "(?i:email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/audio/getid3/demos/demo.browse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012353,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule ARGS:showfile "(?i:showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /js/modalbox/tests/functional/_ajax_method_get.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012356,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule ARGS:param "(?i:param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012407,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains /options-runnow-iframe.php?wpabs=/" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012408) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability +SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012408,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains /options-view_log-iframe.php?wpabs=/" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&logfile\=\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012411,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule ARGS:post_id "(?i:post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012412) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT +SecRule REQUEST_LINE "@contains 
/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012412,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT',tag:'web-application-attack'" +SecRule ARGS:post_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012413,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT',tag:'web-application-attack'" +SecRule ARGS:post_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012414,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL 
Injection Attempt updateAJAX.php post_id INSERT',tag:'web-application-attack'" +SecRule ARGS:post_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012415,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',tag:'web-application-attack'" +SecRule ARGS:post_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012416,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII',tag:'web-application-attack'" +SecRule ARGS:post_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id 
ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012417,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',tag:'web-application-attack'" +SecRule ARGS:post_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule REQUEST_LINE "@contains GET " "chain" +SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012428) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012428,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule REQUEST_LINE "@contains task=dologin" "chain" +SecRule ARGS:option "(?i:option\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012429,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule ARGS:mosmsg "(?i:mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT +SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012431,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',tag:'web-application-attack'" +SecRule ARGS:topic "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT +SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012432,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',tag:'web-application-attack'" +SecRule ARGS:topic "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic 
INSERT +SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012433,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',tag:'web-application-attack'" +SecRule ARGS:topic "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012434) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE +SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012434,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',tag:'web-application-attack'" +SecRule ARGS:topic "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII +SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012435,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL 
Injection Attempt -- feed.php topic ASCII',tag:'web-application-attack'" +SecRule ARGS:topic "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE +SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012436,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',tag:'web-application-attack'" +SecRule ARGS:topic "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/zotpress/zotpress.image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012437,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule ARGS:citation "(?i:citation\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/folder.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012476,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule ARGS:type "(?i:type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012477) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012477,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT',tag:'web-application-attack'" +SecRule ARGS:gall_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id 
SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012478,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT',tag:'web-application-attack'" +SecRule ARGS:gall_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012479,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT',tag:'web-application-attack'" +SecRule ARGS:gall_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012480) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012480,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',tag:'web-application-attack'" +SecRule ARGS:gall_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012481) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012481,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',tag:'web-application-attack'" +SecRule ARGS:gall_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012482) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012482,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',tag:'web-application-attack'" +SecRule ARGS:gall_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +SecMarker END_SLR_WORDPRESS_RULES diff -Nru modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_xss_attacks.conf modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_xss_attacks.conf --- modsecurity-crs-2.1.2/trunk/slr_rules/modsecurity_crs_46_xss_attacks.conf 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/slr_rules/modsecurity_crs_46_xss_attacks.conf 2011-04-15 18:25:15.000000000 +0000 
@@ -0,0 +1,1050 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.0 +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from: +# +# http://www.emergingthreats.net/ +# + +SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_xss.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_XSS_RULES" + +# (2003905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods +SecRule REQUEST_LINE "@contains /search/list/action_search/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule REQUEST_LINE "@contains form[mods][" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003906) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form +SecRule REQUEST_LINE "@contains /search/list/action_search/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003906,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php 
form',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule REQUEST_LINE "@contains form[" "chain" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003907) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id +SecRule REQUEST_LINE "@contains /modules/dl/download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003907,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003908) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat +SecRule REQUEST_LINE "@contains /news/list/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003908,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:form[cat]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003909) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat +SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003909,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:form[cat]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003910) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name +SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003910,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:form[name]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003911) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message +SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003911,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule 
&TX:'/WEB_ATTACK/XSS.*ARGS:form[message]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003912) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail +SecRule REQUEST_LINE "@contains /newsletter/create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003912,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:form[mail]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003886) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php +SecRule REQUEST_LINE "@contains /shared/code/cp_authorization.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003886,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1637'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2003887) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php
+SecRule REQUEST_LINE "@contains /shared/config/cp_config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003887,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23790'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010862) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /Forms/login" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010862,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2009-1798'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:login_username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004594) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id
+SecRule REQUEST_LINE "@contains /news.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004594,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp
id',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24135'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003915) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture
+SecRule REQUEST_LINE "@contains /picture.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003915,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23873'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:picture/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /host-manager/html/add" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010146,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2008-1947'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:method/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011114) SpiderLabs
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /Aris/wflogin.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011114,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,38441'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:errmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /awstats/awstats.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010082,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2008-3714'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:config/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010147) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /search.5.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010147,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible bloofoxCMS \'search\' Parameter Cross Site Scripting
Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36700/info'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible bloofoxCMS \'search\' Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004583) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004583,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24156'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:blog/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs
+SecRule REQUEST_LINE "@contains /cand_login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004559,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24078'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:strJobIDs/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011054)
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt
+SecRule REQUEST_LINE "@contains _invoice.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011054,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt',tag:'web-application-attack',tag:'cve,2010-1486'"
+SecRule REQUEST_LINE "@contains script>" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004569) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand
+SecRule REQUEST_LINE "@contains /scripts/prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004569,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25370'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:brand/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004570) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg
+SecRule REQUEST_LINE "@contains /scripts/prodList.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004570,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25370'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:Msg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011676) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /webline/html/admin/wcs/LoginPage.jhtml" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011676,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-0641'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:dest/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt
+SecRule REQUEST_LINE "@contains /config/edituser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009590,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:username/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009591) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt
+SecRule REQUEST_LINE "@contains /console.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009591,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009592) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt
+SecRule REQUEST_LINE "@contains /forcesd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009592,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009593) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt
+SecRule REQUEST_LINE "@contains /forcerestart.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009593,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004566,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:ticketID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004567) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004567,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:view/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClientExec (CE)
XSS Attempt -- index.php view',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004568) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004568,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:fuse/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004591) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004591,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010200) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /siteminderagent/forms/smpwservices.fcc"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010200,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/26375/info'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /verify/asp/n6plugindestructor.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011152,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39999'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:backurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright
+SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004584,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php
copyright',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24200'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:copyright/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004585) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid
+SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004585,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24201'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003920) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid
+SecRule REQUEST_LINE "@contains /loan.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003920,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23764'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:movieid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003921) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s
+SecRule
REQUEST_LINE "@contains /listmovies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003921,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23764'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004595) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name
+SecRule REQUEST_LINE "@contains /room/info_book.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004595,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:Room_name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear
+SecRule REQUEST_LINE "@contains /room/week.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:curYear/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004593) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img
+SecRule REQUEST_LINE "@contains /main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004593,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3974'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show
+SecRule REQUEST_LINE "@contains /listmembers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003876,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23951'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:show/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003877) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show
+SecRule REQUEST_LINE "@contains /stats.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003877,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23951'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:show/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011153) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /WorkArea/reterror.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011153,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39679'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:info/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011154) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /workarea/medialist.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011154,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39679'"
+SecRule
&TX:'/WEB_ATTACK/XSS.*ARGS:selectids/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011256) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-ip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011256,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-new-edit-site.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011258,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004586) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st
+SecRule REQUEST_LINE "@contains /showown.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004586,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469269/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:st/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004563,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS
Attempt -- index.php galix_cat_detail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:galix_cat_detail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004564,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:galix_gal_detail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004565,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:galix_cat_detail_sort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php
galix_cat_detail_sort',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database
+SecRule REQUEST_LINE "@contains /gnatsweb.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004562,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25333'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:database/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername
+SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004554,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24102'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:authusername/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004555) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword
+SecRule REQUEST_LINE "@contains /hlstats.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004555,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24102'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:authpassword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php
+SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004560,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24063'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action
+SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004561,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24063'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - 
ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010770) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /smhui/getuiinfo" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010770,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2009-4185'"
+SecRule REQUEST_LINE "@contains JS" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:servercert/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009647) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hubscript XSS Attempt
+SecRule REQUEST_LINE "@contains /patch/single_winner1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009647,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hubscript XSS Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt'"
+SecRule ARGS_NAMES "(?i:bid_id)" "chain"
+SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Hubscript XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting 
Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/advanced/workingSet.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010145,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'"
+SecRule REQUEST_LINE "@contains operation=add" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010181,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:searchWord/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010182,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:maxHits/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010183) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010183,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:scopedSearch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010184) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010184,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM 
Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:scope/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010865) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /help/readme.nsf/Header" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010865,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/38481'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:BaseTarget/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010980) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /WebEditor/Authentication/LoginPage.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010980,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:errMsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site 
Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /private/cindefn.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011190,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:INDEX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /private/power_management_policy_options.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011191,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:domain/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011192) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /private/pm_temp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011192,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:slot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /private/power_module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011193,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:slot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /private/blade_leds.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:WEBINDEX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /private/ipmi_bladestatus.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011195,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:SLOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004576) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php
+SecRule REQUEST_LINE "@contains /module_bbcodeloader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004576,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- 
module_bbcodeloader.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004577) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php
+SecRule REQUEST_LINE "@contains /module_div.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004577,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php
+SecRule REQUEST_LINE "@contains /module_email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004578,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004579) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php
+SecRule REQUEST_LINE "@contains /module_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004579,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004580) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php
+SecRule REQUEST_LINE "@contains /module_link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004580,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- 
module_link.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid
+SecRule REQUEST_LINE "@contains /jscripts/folder_rte_files/module_table.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004581,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:editorid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004592) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php
+SecRule REQUEST_LINE "@contains /calendar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004592,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php',tag:'web-application-attack',tag:'url,www.vbulletin.com/forum/showthread.php?postid=1355012'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login 
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004572,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login',tag:'web-application-attack',tag:'url,www.osvdb.org/34791'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003913) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003913,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467832/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:_m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /profiles/html/simpleSearch.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009990,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securitytracker.com/alerts/2009/Sep/1022945.html'"
+SecRule 
&TX:'/WEB_ATTACK/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003918) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php
+SecRule REQUEST_LINE "@contains /sendmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003918,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23847'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003919) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php
+SecRule REQUEST_LINE "@contains /order_form.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003919,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23847'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- 
order_form.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin
+SecRule REQUEST_LINE "@contains /configure_plugin.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:edit_plugin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1
+SecRule REQUEST_LINE "@contains /web/phpinfo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003883,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'"
+SecRule REQUEST_LINE "@contains 1[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003884) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a
+SecRule REQUEST_LINE "@contains /web/phpinfo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003884,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'"
+SecRule REQUEST_LINE "@contains a[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /admin/queuedMessage.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011082,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains method=getQueueMessages&" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:queueMsgType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011083) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /admin/queuedMessage.do" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011083,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains method=getQueueMessages&" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:QtnType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003894) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username
+SecRule REQUEST_LINE "@contains /de/pda/dev_logon.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003894,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003895) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp
+SecRule REQUEST_LINE "@contains /usrmgr/registerAccount.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003895,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- 
registerAccount.asp',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003896) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp
+SecRule REQUEST_LINE "@contains /de/create_account.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003896,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010031) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /dhost/modules" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010031,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Novell eDirectory \'dconserv.dlm\' Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36567/info'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:dconserv.dlm/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Possible Novell
eDirectory \'dconserv.dlm\' Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home
+SecRule REQUEST_LINE "@contains /skins/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003878,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3838'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:ote_home/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011268) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /faces/jsf/tips.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011268,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:context/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid
+SecRule
REQUEST_LINE "@contains /settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003879,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23761'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid
+SecRule REQUEST_LINE "@contains /cat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23761'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2001218) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt
+SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2001218,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt',tag:'web-application-attack',tag:'url,www.waraxe.us/?modname=sa&id=030'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PHPNuke general XSS
attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004582) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004582,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003914) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id
+SecRule REQUEST_LINE "@contains /Default.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003914,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011117) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /user/User_ChkLogin.asp"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011117,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39696'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:ComeUrl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009672) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt
+SecRule REQUEST_LINE "@contains /rating/rate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009672,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt'"
+SecRule ARGS_NAMES "(?i:id)" "chain"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009673) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt
+SecRule REQUEST_LINE "@contains /rating/postcomments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009673,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt'"
+SecRule ARGS_NAMES
"(?i:id)" "chain"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004587) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php
+SecRule REQUEST_LINE "@contains /awards.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004587,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004588) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php
+SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004588,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt --
login.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004589) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php
+SecRule REQUEST_LINE "@contains /register.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004589,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php
+SecRule REQUEST_LINE "@contains /weapons.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004590,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d
+SecRule REQUEST_LINE "@contains cp/ps/Main/login/Login" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004571,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25326'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003872) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s
+SecRule REQUEST_LINE "@contains /wp-content/themes/redoable/searchloop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003872,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s
+SecRule REQUEST_LINE "@contains /wp-content/themes/redoable/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003873,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded'"
+SecRule
&TX:'/WEB_ATTACK/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost
+SecRule REQUEST_LINE "@contains /contact/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003871,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23597'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:ripeformpost/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /html/studentmain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011731,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,40737'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:session/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003922) SpiderLabs Research (SLR) Public Vulns:
ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form
+SecRule REQUEST_LINE "@contains /sendcard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003922,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25085'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part
+SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0020'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:part/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011065) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /cgi/surgeftpmgr.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011065,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains cmd=class&" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:classid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp
+SecRule REQUEST_LINE "@contains /implicit-objects.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003902,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1729'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004575) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test
+SecRule REQUEST_LINE "@contains /appdev/sample/web/hello.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004575,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24058'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:test/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Track+ XSS Attempt --
reportItem.do projId
+SecRule REQUEST_LINE "@contains /reportItem.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004558,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24060'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:projId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23856'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:l/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile
+SecRule REQUEST_LINE "@contains /browseCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003888,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php
catFile',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:catFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003889) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile
+SecRule REQUEST_LINE "@contains /browseSubCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003889,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:catFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003890) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id
+SecRule REQUEST_LINE "@contains /openTutorial.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003890,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php
id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id
+SecRule REQUEST_LINE "@contains /topFrame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003891,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id
+SecRule REQUEST_LINE "@contains /admin/editListing.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003892,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003893) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search
+SecRule REQUEST_LINE "@contains /search.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003893,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type
+SecRule REQUEST_LINE "@contains /shopcontent.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004573,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010167,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:Queue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010169,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010170) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010170,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010171) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010171,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010172) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt
+SecRule
REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010172,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010173) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010173,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010174) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010174,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email 
security msgAnalyse.asp Dictionary XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:Dictionary/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010175,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:Scoring/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010176) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010176,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:MessagePart/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart 
XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010177) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010177,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:Queue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010178) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010178,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010179) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010179,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2010180) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt
+SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2010180,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name
+SecRule REQUEST_LINE "@contains /usersettings.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23894'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php
+SecRule REQUEST_LINE "@contains /include/sessionRegister.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004574,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25308'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php
+SecRule REQUEST_LINE "@contains /sidebar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003885,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded'"
+SecRule 
QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/nextgen-gallery/xml/media-rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-1186'"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:mode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-cumulus/tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php
+SecRule REQUEST_LINE "@contains /ReadMsg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004557,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php',tag:'web-application-attack',tag:'cve,CVE-2007-2825'"
+SecRule REQUEST_LINE "@contains | 3C |" "chain"
+SecRule REQUEST_LINE "@contains SCRIPT" "chain"
+SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011115) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /frontend/x3/files/fileop.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011115,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,37394'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:fileop/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user
+SecRule REQUEST_LINE "@contains /all_photos.html" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003875,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2009671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt
+SecRule REQUEST_LINE "@contains /users/payment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009671,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt'"
+SecRule ARGS_NAMES "(?i:order_id)" "chain"
+SecRule REQUEST_LINE "@contains GET " "chain"
+SecRule REQUEST_LINE "@contains " "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2004552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server
+SecRule REQUEST_LINE "@contains /sqledit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004552,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24115'"
+SecRule 
&TX:'/WEB_ATTACK/XSS.*ARGS:server/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt
+SecRule REQUEST_LINE "@contains /tiki-featured_link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003167,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/450268/30/0'"
+SecRule ARGS_NAMES "(?i:type)" "chain"
+SecRule REQUEST_LINE "@contains /iframe>" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2003874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl
+SecRule REQUEST_LINE "@contains /printcal.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2003874,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24022'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt
+SecRule 
REQUEST_LINE "@contains /catalogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011571,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:id_livello/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /addressbook.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011566,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains show=search" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/csstidy/css_optimiser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011383,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross 
Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /cacti/utilities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011423,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-2545'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:filter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011452) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /dailyview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011452,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011845) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /html/11-login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011845,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,43865'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:intPassedLocationID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011852,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,44370'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011927,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SiteloomCMS 
mailform_1 variable Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:mailform_1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2011942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2011942,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:gid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012009) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/feedlist/handler_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012009,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /fetchmailprefs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012011,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains actionID=fetchmail_prefs_save" "chain"
+SecRule REQUEST_LINE "@contains fm_driver=imap" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:fm_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /Forms/home_1" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012023,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:HomeCurrent_Date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt
+SecRule 
REQUEST_LINE "@contains /en/front_content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012040,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:idart/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012070,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:db_type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012072) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012072,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:v1/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /plugins/accept-signups/accept-signups_submit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /bizdir/bizdir.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012187,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:f_srch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter 
Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /English_manual_version_2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012190,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:client/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /zimplit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012191,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains action=load" "chain"
+SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
+
+
+# (2012216) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt
+SecRule REQUEST_LINE "@contains /tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012216,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt',tag:'web-application-attack'"
+SecRule REQUEST_LINE "@contains mode=tags" "chain"
+SecRule 
&TX:'/WEB_ATTACK/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012220) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /tagcloud-ru.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012220,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule REQUEST_LINE "@contains mode=tags" "chain" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012337) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012337,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012351) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting 
Attempt +SecRule REQUEST_LINE "@contains /SearchCenter/Pages/AllResults.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012351,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:k/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/audio/getid3/demos/demo.browse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012353,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:showfile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012355,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" 
+SecRule QUERY_STRING|REQUEST_BODY "(?i:PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /js/modalbox/tests/functional/_ajax_method_get.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012356,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:param/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012370) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /explanation.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012370,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46337'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" 
"ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /modules/boonex/custom_rss/post_mod_crss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012371,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46337'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /core/themes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012380,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:L_failedopentheme/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012394) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains stconf.nsf/WebMessage" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012394,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2011-1038'" +SecRule REQUEST_LINE "@contains OpenView" "chain" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:messageString/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains stconf.nsf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012395,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2011-1038'" +SecRule QUERY_STRING|REQUEST_BODY "(?i:stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape)" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012411) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012411,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1 +SecRule REQUEST_LINE "@contains /shipping/methods/fedex_v7/label_mgr/js_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012418,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2 +SecRule REQUEST_LINE "@contains /shipping/pages/popup_shipping/js_include.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012419,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012428,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule REQUEST_LINE "@contains task=dologin" "chain" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:option/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012429,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 
WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:mosmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012430,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:mosmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/zotpress/zotpress.image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012437,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:citation/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET 
WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /admin/rp-menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012474,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46798'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:_SESSION[sess_user]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012475,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46798'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:row[titledesc]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress 
plugin folder.php type Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/folder.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012476,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012483) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012483,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:to_p_dict/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +# (2012484) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt +SecRule REQUEST_LINE "@contains /_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2012484,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" +SecRule &TX:'/WEB_ATTACK/XSS.*ARGS:to_r_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=%{tx.msg} - ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" + + +SecMarker END_SLR_XSS_RULES diff -Nru modsecurity-crs-2.1.2/trunk/util/httpd-guardian.pl modsecurity-crs-2.2.0/trunk/util/httpd-guardian.pl --- modsecurity-crs-2.1.2/trunk/util/httpd-guardian.pl 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/util/httpd-guardian.pl 2009-07-25 04:58:11.000000000 +0000 
@@ -0,0 +1,518 @@ +#!/usr/bin/perl -w +# +# httpd-guardian - detect DoS attacks by monitoring requests +# Apache Security, http://www.apachesecurity.net +# Copyright (C) 2005 Ivan Ristic +# +# $Id: httpd-guardian,v 1.6 2005/12/04 11:30:35 ivanr Exp $ +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 2. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# + +# This script is designed to monitor all web server requests through +# the piped logging mechanism. It keeps track of the number of requests +# sent from each IP address. Request speed is calculated at 1 minute and +# 5 minute intervals. Once a threshold is reached, httpd-guardian can +# either emit a warning or execute a script to block the IP address. +# +# Error message will be sent to stderr, which means they will end up +# in the Apache error log. 
+# +# Usage (in httpd.conf) +# --------------------- +# +# Without mod_security, Apache 1.x: +# +# LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{UNIQUE_ID}e \"-\" %T 0 \"%{modsec_message}i\" 0" guardian +# CustomLog "|/path/to/httpd-guardian" guardian +# +# or without mod_security, Apache 2.x: +# +# LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{UNIQUE_ID}e \"-\" %T %D \"%{modsec_message}i\" 0" guardian +# CustomLog "|/path/to/httpd-guardian" guardian +# +# or with mod_security (better): +# +# SecGuardianLog "|/path/to/httpd-guardian" +# +# NOTE: In order for this script to be effective it must be able to +# see all requests coming to the web server. This will not happen +# if you are using per-virtual host logging. In such cases either +# use the ModSecurity 1.9 SecGuardianLog directive (which was designed +# for this very purpose). +# +# +# Usage (with Spread) +# ------------------- +# +# 1) First you need to make sure you have Spread running on the machine +# where you intend to run httpd-guardian on. +# +# 2) Then uncomment line "use Spread;" in this script, and change +# $USE_SPREAD to "1". +# +# 3) The default port for Spread is 3333. Change it if you want to +# and then start httpd-guardian. We will be looking for messages +# in the Spread group called "httpd-guardian". + +# TODO Add support to ignore certain log entries based on a +# regex applied script_name. +# +# TODO Warn about session hijacking. +# +# TODO Track ip addresses, sessions, and individual users. +# +# TODO Detect status code anomalies. +# +# TODO Track accesses to specific pages. +# +# TODO Open proxy detection. +# +# TODO Check IP addresses with blacklists (e.g. +# http://www.spamhaus.org/XBL/). +# +# TODO Is there a point to keep per-vhost state? +# +# TODO Enhance the script to tail a log file - useful for test +# runs, in preparation for deployment. +# +# TODO Can we track connections as Apache creates and destroys them? 
+# +# TODO Command-line option to support multiple log formats. E.g. common, +# combined, vcombined, guardian. +# +# TODO Command-line option not to save state +# + +use strict; +use Time::Local; +# SPREAD UNCOMMENT +# use Spread; + + +# -- Configuration---------------------------------------------------------- + +my $USE_SPREAD = 0; +my $SPREAD_CLIENT_NAME = "httpd-guardian"; +my $SPREAD_DAEMON = "3333"; +my $SPREAD_GROUP_NAME = "httpd-guardian"; +my $SPREAD_TIMEOUT = 1; + +# If defined, execute this command when a threshold is reached +# block the IP address for one hour. +# $PROTECT_EXEC = "/sbin/blacklist block %s 3600"; +# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com"; +#my $PROTECT_EXEC; + +# For testing only: +my $PROTECT_EXEC = "/usr/bin/logger Possible DoS Attack from %s"; + +# Max. speed allowed, in requests per +# second, measured over an 1-minute period +#my $THRESHOLD_1MIN = 2; # 120 requests in a minute + +# For testing only: +my $THRESHOLD_1MIN = 0.01; + +# Max. speed allowed, in requests per +# second, measured over a 5-minute period +my $THRESHOLD_5MIN = 1; # 360 requests in 5 minutes + +# If defined, httpd-guardian will make a copy +# of the data it receives from Apache +# $COPY_LOG = ""; +my $COPY_LOG; + +# Remove IP address data after a 10-minute inactivity +my $STALE_INTERVAL = 400; + +# Where to save state (at this point only useful +# for monitoring what the script does) +my $SAVE_STATE_FILE = "/tmp/httpd-guardian.state"; + +# How often to save state (in seconds). 
+my $SAVE_STATE_INTERVAL = 10; + +my $DEBUG = 0; + + +# ----------------------------------------------------------------- + +my %months = ( + "Jan" => 0, + "Feb" => 1, + "Mar" => 2, + "Apr" => 3, + "May" => 4, + "Jun" => 5, + "Jul" => 6, + "Aug" => 7, + "Sep" => 8, + "Oct" => 9, + "Nov" => 10, + "Dec" => 11 +); + +# -- log parsing regular expression + + +# 127.0.0.1 192.168.2.11 - - [05/Jul/2005:16:56:54 +0100] +# "GET /favicon.ico HTTP/1.1" 404 285 "-" +# "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4" +# - "-" 0 0 "-" 0 + +my $logline_regex = ""; + +# hostname +$logline_regex .= "^(\\S+)"; +# remote host, remote username, local username +$logline_regex .= "\\ (\\S+)\\ (\\S+)\\ (\\S+)"; +# date, time, and gmt offset +$logline_regex .= "\\ \\[([^:]+):(\\d+:\\d+:\\d+)\\ ([^\\]]+)\\]"; +# request method + request uri + protocol (as one field) +$logline_regex .= "\\ \"(.*)\""; +# status, bytes out +$logline_regex .= "\\ (\\d+)\\ (\\S+)"; +# referer, user_agent +$logline_regex .= "\\ \"(.*)\"\\ \"(.*)\""; +# uniqueid, session, duration, duration_msec +$logline_regex .= "\\ (\\S+)\\ \"(.*)\"\\ (\\d+)\\ (\\d+)"; +# modsec_message, modsec_rating +$logline_regex .= "\\ \"(.*)\"\\ (\\d+)"; + +# the rest (always keep this part of the regex) +$logline_regex .= "(.*)\$"; + +my $therequest_regex = "(\\S+)\\ (.*?)\\ (\\S+)"; + +# use strict +my %ipaddresses = (); +my %request; +my $current_time; +my $last_state_save; + +sub parse_logline { + $_ = shift; + + my %request = (); + $request{"invalid"} = 0; + + my @parsed_logline = /$logline_regex/x; + if (@parsed_logline == 0) { + return (0,0); + } + + ( + $request{"hostname"}, + $request{"remote_ip"}, + $request{"remote_username"}, + $request{"username"}, + $request{"date"}, + $request{"time"}, + $request{"gmt_offset"}, + $request{"the_request"}, + $request{"status"}, + $request{"bytes_out"}, + $request{"referer"}, + $request{"user_agent"}, + $request{"unique_id"}, + $request{"session_id"}, + 
$request{"duration"}, + $request{"duration_msec"}, + $request{"modsec_message"}, + $request{"modsec_rating"}, + $request{"the_rest"} + ) = @parsed_logline; + + if ($DEBUG == 2) { + print "\n"; + print "hostname = " . $request{"hostname"} . "\n"; + print "remote_ip = " . $request{"remote_ip"} . "\n"; + print "remote_username = " . $request{"remote_username"} . "\n"; + print "username = " . $request{"username"} . "\n"; + print "date = " . $request{"date"} . "\n"; + print "time = " . $request{"time"} . "\n"; + print "gmt_offset = " . $request{"gmt_offset"} . "\n"; + print "the_request = " . $request{"the_request"} . "\n"; + print "status = " . $request{"status"} . "\n"; + print "bytes_out = " . $request{"bytes_out"} . "\n"; + print "referer = " . $request{"referer"} . "\n"; + print "user_agent = " . $request{"user_agent"} . "\n"; + print "unique_id = " . $request{"unique_id"} . "\n"; + print "session_id = " . $request{"session_id"} . "\n"; + print "duration = " . $request{"duration"} . "\n"; + print "duration_msec = " . $request{"duration_msec"} . "\n"; + print "modsec_message = " . $request{"modsec_message"} . "\n"; + print "modsec_rating = " . $request{"modsec_rating"} . "\n"; + print "\n\n"; + } + + # parse the request line + $_ = $request{"the_request"}; + my @parsed_therequest = /$therequest_regex/x; + if (@parsed_therequest == 0) { + $request{"invalid"} = "1"; + $request{"request_method"} = ""; + $request{"request_uri"} = ""; + $request{"protocol"} = ""; + } else { + ( + $request{"request_method"}, + $request{"request_uri"}, + $request{"protocol"} + ) = @parsed_therequest; + } + + if ($request{"bytes_out"} eq "-") { + $request{"bytes_out"} = 0; + } + + # print "date=" . $request{"date"} . "\n"; + ( + $request{"time_mday"}, + $request{"time_mon"}, + $request{"time_year"} + ) = ( $request{"date"} =~ m/^(\d+)\/(\S+)\/(\d+)/x ); + + # print "time=" . $request{"time"} . 
"\n"; + ( + $request{"time_hour"}, + $request{"time_min"}, + $request{"time_sec"} + ) = ( $request{"time"} =~ m/(\d+):(\d+):(\d+)/x ); + + $request{"time_mon"} = $months{$request{"time_mon"}}; + + $request{"time_epoch"} = timelocal( + $request{"time_sec"}, + $request{"time_min"}, + $request{"time_hour"}, + $request{"time_mday"}, + $request{"time_mon"}, + $request{"time_year"} + ); + + # print %request; + + my $offset = index($request{"request_uri"}, "?"); + if ($offset != -1) { + $request{"script_name"} = substr($request{"request_uri"}, 0, $offset); + $request{"query_string"} = substr($request{"request_uri"}, $offset + 1); + } else { + $request{"script_name"} = $request{"request_uri"}; + $request{"query_string"} = ""; + } + + $request{"request_uri"} =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg; + $request{"query_string"} =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg; + + return %request; +} + +sub update_ip_address() { + my $ipd = $ipaddresses{$request{"remote_ip"}}; + if (defined($$ipd{"counter"})) { + $$ipd{"counter"} = $$ipd{"counter"} + 1; + + if ($DEBUG) { + print STDERR "httpd-guardian: Incrementing counter for " . $request{"remote_ip"} . " (" . $$ipd{"counter"} . ")\n"; + } + + my($exec) = 0; + + # check the 1 min counter + if ($current_time - $$ipd{"time_1min"} > 60) { + # check the counters + my $speed = ($$ipd{"counter"} - $$ipd{"counter_1min"}) / ($current_time - $$ipd{"time_1min"}); + if ($speed > $THRESHOLD_1MIN) { + print STDERR "httpd-guardian: IP address " . $ipaddresses{$request{"remote_ip"}} . 
" reached the 1 min threshold (speed = $speed req/sec, threshold = $THRESHOLD_1MIN req/sec)\n"; + $exec = 1; + } + + # reset the 1 min counter + $$ipd{"time_1min"} = $current_time; + $$ipd{"counter_1min"} = $$ipd{"counter"}; + } + + # check the 5 min counter + if ($current_time - $$ipd{"time_5min"} > 360) { + # check the counters + my $speed = ($$ipd{"counter"} - $$ipd{"counter_5min"}) / ($current_time - $$ipd{"time_5min"}); + if ($speed > $THRESHOLD_5MIN) { + print STDERR "httpd-guardian: IP address " . $request{"remote_ip"} . " reached the 5 min threshold (speed = $speed req/sec, threshold = $THRESHOLD_5MIN req/sec)\n"; + $exec = 1; + } + + # reset the 5 min counter + $$ipd{"time_5min"} = $current_time; + $$ipd{"counter_5min"} = $$ipd{"counter"}; + } + + if (($exec == 1)&&(defined($PROTECT_EXEC))) { + my $cmd = sprintf($PROTECT_EXEC, $request{"remote_ip"}); + print STDERR "httpd-guardian: Executing: $cmd\n"; + system($cmd); + } + + } else { + # start tracking this email address + my %ipd = (); + $ipd{"counter"} = 1; + $ipd{"counter_1min"} = 1; + $ipd{"time_1min"} = $current_time; + $ipd{"counter_5min"} = 1; + $ipd{"time_5min"} = $current_time; + $ipaddresses{$request{"remote_ip"}} = \%ipd; + } +} + +sub process_log_line { + update_ip_address(); +} + +sub remove_stale_data { + while(my($key, $value) = each(%ipaddresses)) { + if ($current_time - $$value{"time_1min"} > $STALE_INTERVAL) { + if ($DEBUG) { + print STDERR "httpd-guardian: Removing key $key\n"; + } + delete($ipaddresses{$key}); + } + } +} + +sub save_state { + if (!defined($SAVE_STATE_FILE)) { + return; + } + + if (!defined($last_state_save)) { + $last_state_save = 0; + } + + if ($current_time - $last_state_save > $SAVE_STATE_INTERVAL) { + open(FILE, ">$SAVE_STATE_FILE") || die("Failed to save state to $SAVE_STATE_FILE"); + print FILE "# $current_time\n"; + print FILE "# IP Address\x09Counter\x09\x091min (time)\x095min (time)\n"; + while(my($key, $value) = each(%ipaddresses)) { + print FILE ("$key" . 
"\x09" . $$value{"counter"} . "\x09\x09" . $$value{"counter_1min"} . " (" . $$value{"time_1min"} . ")\x09" . $$value{"counter_5min"} . " (" . $$value{"time_5min"} . ")\n"); + } + close(FILE); + $last_state_save = $current_time; + } +} + +# load state from $SAVE_STATE_FILE, store the data into $ipaddresses +sub load_state { + return unless ( defined $SAVE_STATE_FILE ); + return unless ( -e $SAVE_STATE_FILE && -r $SAVE_STATE_FILE ); + open my $fd, "<", $SAVE_STATE_FILE + or die "cannot open state file for reading : $SAVE_STATE_FILE : $!"; + while (<$fd>) { + s/^\s+//; + next if /^#/; + #-------------------------------------------------- + # # 1133599679 + # # IP Address Counter 1min (time) 5min (time) + # 211.19.48.12 396 396 (1133599679) 395 (1133599379) + #-------------------------------------------------- + my ($addr, $counter, $time1, $time5) = split /\t+/, $_; # TAB + my ($counter_1min, $time_1min) = split /\s+/, $time1; + my ($counter_5min, $time_5min) = split /\s+/, $time5; + $ipaddresses{$addr} = { + counter => $counter, + counter_1min => $counter_1min, + time_1min => chop_brace($time_1min), + counter_5min => $counter_5min, + time_5min => chop_brace($time_5min), + } + } + close $fd; +} + +# return strings between braces +sub chop_brace { + my $str = shift; + $str =~ /\((.*)\)/; + return $1; +} +sub process_line { + my $line = shift(@_); + + if (defined($COPY_LOG)) { + print COPY_LOG_FD $line; + } + + if ($DEBUG) { + print STDERR "httpd-guardian: Received: $line"; + } + + %request = parse_logline($line); + if (!defined($request{0})) { + # TODO verify IP address is in correct format + + # extract the time from the log line, to allow the + # script to be used for batch processing too + $current_time = $request{"time_epoch"}; + + remove_stale_data(); + process_log_line(); + save_state(); + } else { + print STDERR "Failed to parse line: " . 
$line; + } +} + +# ----------------------------------- + +load_state(); +if (defined($COPY_LOG)) { + open(COPY_LOG_FD, ">>$COPY_LOG") || die("Failed to open $COPY_LOG for writing"); + # enable autoflush on the file descriptor + $| = 1, select $_ for select COPY_LOG_FD; +} + +if ($USE_SPREAD) { + my($sperrno); + my %args; + + $args{"spread_name"} = $SPREAD_DAEMON; + $args{"private_name"} = $SPREAD_CLIENT_NAME; + + my($mbox, $privategroup) = Spread::connect(\%args); + if (!defined($mbox)) { + die "Failed to connect to Spread daemon: $sperrno\n"; + } + + Spread::join($mbox, $SPREAD_GROUP_NAME); + + for(;;) { + my($st, $s, $g, $mt, $e, $msg); + while(($st, $s, $g, $mt, $e, $msg) = Spread::receive($mbox, $SPREAD_TIMEOUT)) { + if ((defined($st))&&($st == 2)&&(defined($msg))) { + process_line($msg . "\n"); + } + } + } + +} else { + while() { + process_line($_); + } +} + +if (defined($COPY_LOG)) { + close(COPY_LOG_FD); +} + diff -Nru modsecurity-crs-2.1.2/trunk/util/README modsecurity-crs-2.2.0/trunk/util/README --- modsecurity-crs-2.1.2/trunk/util/README 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/util/README 2010-06-04 18:37:44.000000000 +0000 
@@ -0,0 +1,39 @@
+1) To query the repository to see what CRS versions are available -
+
+$./rules-updater.pl -rhttps://www.modsecurity.org/autoupdate/repository/ -l
+
+You should see output similar to this -
+
+Could not load GnuPG module - cannot verify ruleset signatures
+
+Repository: https://www.modsecurity.org/autoupdate/repository
+
+modsecurity-crs {
+ 2.0.0: modsecurity-crs_2.0.0.zip
+ 2.0.1: modsecurity-crs_2.0.1.zip
+ 2.0.2: modsecurity-crs_2.0.2.zip
+ 2.0.3: modsecurity-crs_2.0.3.zip
+ 2.0.4: modsecurity-crs_2.0.4.zip
+ 2.0.5: modsecurity-crs_2.0.5.zip
+ 2.0.6: modsecurity-crs_2.0.6.zip
+}
+
+2) To download the latest CRS version. First you should create a local CRS directory to
+place the dowloaded archive into. In my example, I created a local dir called "crs" and
+then used this command -
+
+$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -pcrs -
+Smodsecurity-crs
+
+You should see output similar to this -
+
+Could not load GnuPG module - cannot verify ruleset signatures
+Fetching: modsecurity-crs/modsecurity-crs_2.0.6.zip ...
+
+Then check the downloaded files -
+
+$ ls -l crs/modsecurity-crs/*
+-rw-r--r-- 1 rbarnett rbarnett 166590 2010-03-10 14:13 crs/modsecurity-crs/modsecurity-
+crs_2.0.6.zip
+-rw-r--r-- 1 rbarnett rbarnett 490 2010-03-10 14:13 crs/modsecurity-crs/modsecurity-
+crs_2.0.6.zip.sig
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/INSTALL modsecurity-crs-2.2.0/trunk/util/regression_tests/INSTALL
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/INSTALL 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/INSTALL 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,21 @@
+INSTALLATION STEPS:
+
+1) Edit the rulestest.pl script to define local path to perl
+
+2) Edit the ruletest.conf script to define the proper global settings for:
+ - servers to test
+ - path to the modsecurity audit log
+
+3) Copy the testserver.cgi script to the /cgi-bin directory if you wish to
+ test the outbound/response rules.
+
+4) Edit the modsecurity_crs_10_config.conf file and update/enable the
+ Regression Testing variable settings.
+
+5) Copy/Symlink the modsecurity_crs_59_header_tagging.conf file to the
+ activated_rules directory
+
+6) Restart Apache
+
+7) Run the rulestest.pl script using the rules files in the local /tests
+ directory.
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/modsecurity_crs_59_header_tagging.conf modsecurity-crs-2.2.0/trunk/util/regression_tests/modsecurity_crs_59_header_tagging.conf
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/modsecurity_crs_59_header_tagging.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/modsecurity_crs_59_header_tagging.conf 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,38 @@
+#
+# This section is only used during regression testing to externalize the matched
+# rule IDs in response headers so the testing client can verify matches from
+# remote ModSecurity installs.
+#
+# WARNING: You do not want this in normal operations as this will expose
+# the inner workings of your ModSecurity configurations.
+#
+# Must enable/configure the TX:REGRESSION_TESTING variable in the
+# modsecurity_crs_10_config.conf file.
+#
+SecRule &TX:REGRESSION_TESTING|TX:REGRESSION_TESTING "@eq 0" "phase:4,t:none,nolog,id:'981228',pass,skipAfter:END_RESPONSE_HEADER_TAGGING"
+SecRule TX:ANOMALY_SCORE "@eq 0" "phase:4,id:'981229',t:none,nolog,pass,skipAfter:END_RESPONSE_HEADER_TAGGING"
+SecRule TX:/^\d*\-/ "." "phase:4,id:'981230',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"
+
+Header append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
+Header append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
+Header append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
+Header append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
+Header append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
+Header append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
+Header append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
+Header append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
+Header append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
+Header append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
+Header append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
+Header append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
+Header append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
+Header append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
+Header append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
+Header append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
+Header append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
+Header append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
+Header append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
+Header append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
+Header set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score
+
+SecMarker END_RESPONSE_HEADER_TAGGING
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/README modsecurity-crs-2.2.0/trunk/util/regression_tests/README
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/README 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/README 2011-05-26 18:18:01.000000000 +0000
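Review bot: The tagging in this file is gated only by TX:REGRESSION_TESTING (rule 981228), so once that variable is enabled every client that triggers a rule receives the matched rule names in X-WAF-Events and the scores in X-WAF-Score, not only the regression-test client. I would add a second guard ahead of rule 981230 that skips to the marker unless the request comes from the test host, for example `SecRule REMOTE_ADDR "!@streq 127.0.0.1" "phase:4,id:'<unused-id>',t:none,nolog,pass,skipAfter:END_RESPONSE_HEADER_TAGGING"`, with the address set to the machine that runs rulestest.pl. The value copied into the header is `%{matched_var_name}`, which presumably embeds the name of the request variable that matched, so request-derived text would be echoed into a response header; that is a further reason to limit this to a trusted client. The `Header` lines also require mod_headers to be loaded and stop reporting after 20 matches, and both facts deserve a comment next to the block.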
@@ -0,0 +1,105 @@
+
+ModSecurity Rules regression testing suite
+==========================================
+
+Rules regression test tool installation:
+----------------------------------------
+Test should be run from the same host ModSecurity runs on, or a computer that
+has file system access to ModSecurity audit log (see %modseclog in step 5)
+
+1. Copy rulesregtest.pl, rulesregtest.conf and test files to a directory on the
+server.
+
+2. Put testserver.cgi in the server's /cgi-bin directory (required only if
+outbound tests are used)
+
+3. Set ModSecurity to use serial logging.
+
+4. Ensure that the web server response with 200 to access the home page (since
+default tests use "/" as the URL)
+
+5. Edit rulesregtest.conf:
+- Server address and port (%server directive). The default (127.0.0.1:80) may
+be OK.
+- Location of ModSecurity audit log file (%modseclog directive).
+
+Writing tests:
+--------------
+
+Write a text file with the following directives:
+
+%test - starts a test and set is name (used for report)
+
+%status - sets the expected status code
+
+%event - set a string to search in the audit log of the test. You can
+use multiple directives to define many required patterns. For example:
+ %event [id "960009"]
+
+%output - set a string to search in the HTTP response. You can use
+multiple directives to define many required patterns.
+
+%request – multiple lines of the request on the following lines, terminated by
+the next directive (a line starting with "%"). A request can include variables
+using perl notation ($var). this would be replaced when testing with a value
+set by the %var directive.
+
+- Note: Do not forget to leave an empty line as required by HTTP. The script
+locks otherwise.
+
+- Note: Content-Length has to be calculated manually.
+
+Finding bugs
+------------
+
+The following directives will help to find the problems:
+
+%verbose – will output request, reply and new ModSecurity audit log lines for
+the current test.
+
+%relevant – will output verbose output for tests that failed.
+
+
+Variable replacement:
+---------------------
+%var variable=value, value, value….. - Set values for a variable, the test
+would be repeated using every value. Values are set only for the current test.
+
+Multiple %var directives for the same variable add values to the list and do
+not replace values, so:
+
+%var variable=value1
+%var variable=value2
+
+Would test with both value1 and value2.
+
+If multiple variables are used in the same test, than the test is carried for
+each combination of values of the variables:
+
+%var var1=v1, v2
+%var var3=v3, v4
+
+The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4),
+(v2, v3), (v2, v4).
+
+
+Testing responses:
+------------------
+To force response content in request, use /cgi-bin/testserver.cgi as the target
+URL and add one or more of the following headers to the reuqest:
+
+Response-Status - Force a response status line. Defaults to "200 OK".
+Response-Content - Adds the string to the response. Note that this would not be
+the entire response.
+Response-Content-Type - sets the value of the content type header, defaults to
+"text/html"
+Response-Header-Name - Add a header to the response. This defined the new
+header's name. Response-Header-Value defines the header's value.
+Response-Header-Value - The value of the new header defined by the request
+header Response-Header-Name. Note: If Response-Header-Name is empty, then this
+parameter will be ignored.
+
+** NOT IMPLEMENTED YET **
+Response-File - the name of a file to use as the entire response. Name is
+reletive to the $RESPONSE_FILE_DIR in the testserver.cgi sctip.
+** NOT IMPLEMENTED YET **
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/rulestest.conf modsecurity-crs-2.2.0/trunk/util/regression_tests/rulestest.conf
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/rulestest.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/rulestest.conf 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,15 @@
+# Set to the address and port of the web server protected by the tested ruleset.
+#
+# TODO the web server has to respond with status code 200 to request for the
+# home page (/). This is usually the default configuration.
+#
+# TODO the script 'testserver' should be installed on this web server in the
+# /cgi-bin directory to facilitate outbound rules testing.
+#
+%global server 127.0.0.1:80
+# Set to the path to ModSecurity audit file
+#
+# TODO set ModSecurity for serial logging.
+#
+%global mslog /usr/local/apache/logs/audit.log
+#%msdebug /usr/local/apache/logs/debug.log
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/rulestest.pl modsecurity-crs-2.2.0/trunk/util/regression_tests/rulestest.pl
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/rulestest.pl 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/rulestest.pl 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,931 @@ +#!/opt/local/bin/perl +# +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details.# +# For Internal Use only! +# +# Originally writtern by Ofer Shezaf +# + +# !! todo: +# !! ~ request for URI command in conf file +# !! ~ Ensure headers terminators +# !! read rulesets config file for event mane, policy and patterns +# !! fuz patterns from config file +# !! %include directive + +use strict; +#use warnings; +#use diagnostics; +use IO::File; +use IO::Socket; +use IO::Select; +use HTTP::Request; +use HTTP::Response; +use Safe; +use Storable qw(dclone); +use Getopt::Long; +use Pod::Usage; + +# -- Add library +use FindBin qw($Bin $Script); +use lib "$Bin"; + +use Data::Dumper; +autoflush STDOUT; + +# -- consts +our $SKELETON_REQUEST = < '2', 'fuzz' => 1, 'vars' => {}, 'port' => 80 }; +$global_state->{'global'} = $global_state; + +GetOptions +( + $global_state, + 'server|s:s', + 'port|p:s', + 'timeout|t:f', + 'mslog:s', + 'msdebug:s', + 'o:s', + 'i=s@', + 'run:s@', + 'from:s', + 'relevant|r!', + 'fuzz|f!', + 'clean!', + 'check!', + 'verbose|v!', + 'help|h|?', + 'man' +) || pod2usage (-exitstatus => 0, -verbose => 0); + +pod2usage(-exitstatus => 1, -verbose => 1) if $global_state->{'help'}; +pod2usage(-exitstatus => 1, -verbose => 2) if $global_state->{'man'}; + +push @{$global_state->{'input'}}, @ARGV; +pod2usage (2) if $#{$global_state->{'input'}} < 0; + +# -- get list of test files +my $testfiles = []; +my ($progname) = ($Script =~ /(.*)\..*$/); +if (-e "$progname.conf") { + push @$testfiles, "$progname.conf"; +} +foreach my $arg (@{$global_state->{'input'}}) { + push @$testfiles, glob $arg; +} + +foreach my $file (@$testfiles) { + if (!-e $file) { + print STDERR "Error 101: test file $file not found\n"; + exit; + } +} + +my ($outfile, $outfilename); +if ($global_state->{'output'}) { + 
$outfile = new IO::File ">$global_state->{'output'}"; + if (!$outfile) { + print STDERR "Error 106: unable to create report file $global_state->{'output'}. $@\n"; + exit; + } + $outfilename = $global_state->{'output'}; +} +else { + $outfile = *STDOUT; + $outfilename = 'STDOUT'; +} + +report_header($outfile, $outfilename); + +foreach my $filename (@$testfiles) { + parse_test_file ($outfile, $filename, $global_state); +} +exit (0); + +# -- read an input file and execute tests in it +sub parse_test_file +{ + my ($outfile, $filename, $parent_state) = @_; + my $file_state = inherit_state ($parent_state); + + report_file_header($outfile, $filename); + + my $linenumber = 0; + my $testfile = new IO::File "<$filename"; + if (!$testfile) { + print STDERR "Error 105: unable to open tests file $filename. $@\n"; + print $outfile "unable to open file"; + return; + } + + + my $state = $file_state; + while (defined(my $line=<$testfile>)) { + $linenumber++; + $line = tchomp ($line); + $state = parse_test_line ($line, $state, $testfile); + if (!ref $state) { + print STDERR "$state in file $filename at line $linenumber\n"; + print STDERR "line: $line\n" if $parent_state->{'check'}; + + return; + } + while (my $test = shift @{$file_state->{'tests'}}) { + run_test ($outfile, $test, $filename); + } + } + run_test ($outfile, $state, $filename) if $state->{'name'}; +} + + +# -- parse the next input line +sub parse_test_line +{ + my ($line, $state, $file) = @_; + + # -- Handle EOF + return $state unless defined $line; + + # -- Hande multi line remarks + if ($state->{'multi_line_cmd'} eq "remark") { + undef $state->{'multi_line_cmd'} if ($line =~ /^\%endremark/i); + return $state; + } + + # -- Handle multi line directives + if (my $incmd = $state->{'multi_line_cmd'}) { + + # -- Request parser + if ($incmd =~ /^request$/i) { + if (my ($len) = $line =~ /^Content-Length: (\d+)$/) { + $state->{'request_len'} = $len; + } elsif ($state->{'request_state'} eq 'headers' && $line =~ /^$/) { + 
$state->{'request_state'} = 'body'; + $state->{'multi_line_value'} .= "$line\x0D\x0A"; + if (defined $state->{'request_len'}) { + my $result = read $file, my $buffer, $state->{'request_len'}; + return "Error 110: Error reading file" if !defined $result; + return "Error 111: File terminated unexpectedly (read $result char of required $state->{'request_len'})" if $result != $state->{'request_len'}; + #print "==>$state->{'multi_line_value'}<==\n$buffer\n----\n"; + $state->{'multi_line_value'} .= $buffer; + return $state; + undef $state->{'request_len'}; + } + } + } + + # X-Real-Content-Length: + # -- Append to value if not yet next directive + if ($line !~ /^\%/) { + $state->{'multi_line_value'} .= "$line\x0D\x0A"; + return $state; + } + + # -- Otherwise use directive + $state = use_test_directive ($state, $incmd, $state->{'multi_line_value'}, $state->{'multi_line_global'}); + return $state if (!ref $state); + undef $state->{'multi_line_cmd'}; + undef $state->{'multi_line_value'}; + undef $state->{'request_len'}; + } + + # -- Handle empty lines and single line remarks + return $state if $line =~ /^\s*(\#|$)/; + + # -- Parse directive + my ($global); + $line =~ /^\%(\w+)\s*(.*)?$/; + my ($cmd, $operand) = ($1,$2); + if ($cmd =~ /^global$/i) { + $global = 1; + ($cmd, $operand) = ($operand =~ /^\s*(\w+)\s*(.*)?$/); + } + if (!$operand) { + $operand = 1; + if ($cmd =~ /^no(.*)$/) { + $cmd = $1; + $operand = 0; + } + } + $cmd = lc $cmd; + + # -- Start multi line directives + if ($cmd =~ /^(?:request|remark)$/i) { + $state->{'multi_line_cmd'} = $cmd; + $state->{'multi_line_global'} = $global; + return $state; + } + + return use_test_directive ($state, $cmd, $operand, $global); +} + +sub use_test_directive +{ + my ($state, $cmd, $operand, $global) = @_; + + # -- Simple directives + if ($cmd =~ /^(?:server|port|timeout|verbose|relevant|mslog|msdebug|request|uri|request|fuzz|clean|pause)$/i) { + if ($global) { + $state->{'global'}->{$cmd} = $operand; + } + $state->{$cmd} = 
$operand; + $state->{'request_state'} = 'headers'; + } + + # -- List directives + elsif ($cmd =~ /^(?:status|remote_event|event|audit|output)$/i) { + push_state ($state, $state->{'global'}, $cmd, $global, $operand); + } + + # -- Variable assignment + elsif ($cmd =~ /^(?:var)$/i) { + my ($var, $values) = ($operand =~ /\s*(\w+)\s*=\s*?(.*)/); + my @values = split /\s*,\s*/, $values; + push_state ($state->{'vars'}, $state->{'global'}->{'vars'}, $var, $global, @values); + } + + # -- End test (return to file context) + elsif ($cmd =~ /endtest/i) { + if ($state->{'name'}) { + push @{$state->{'parent'}->{'tests'}}, $state; + } + else { + return "Error 107: %endtest directive without a preceding %test directive"; + } + $state = $state->{'parent'}; + } + + # -- New test (end test and start a new one) + elsif ($cmd =~ /test/i) { + if ($state->{'name'}) { + push @{$state->{'parent'}->{'tests'}}, $state; + $state = inherit_state ($state->{'parent'}); + } + else { + $state = inherit_state ($state); + } + $state->{'name'} = $operand; + } + + # -- error + else { + return "Error 102: syntax error"; + } + + return $state; +} + + +sub reconfigure +{ + my ($state) = @_; + + my ($restart) = 0; + if ($state->{'clean'}) { + unlink $state->{'mslog'} if $state->{'mslog'}; + unlink $state->{'msdebug'} if $state->{'msdebug'}; + $restart = 1; + global_clear ($state, 'clean'); + } + if ($restart) { + print "## Restarting apache\n"; + print STDERR `/usr/local/apache/bin/apachectl restart`; + sleep (1); + } +} + +sub inherit_state +{ + my ($state) = @_; + my $clone = dclone $state; + $clone->{'parent'} = $state; + $clone->{'global'} = $state->{'global'}; + delete $clone->{'tests'}; + return $clone; +} + +# -- Add values to key in state taking into about both overriding and global +sub push_state +{ + my ($hash, $global_hash, $key, $global, @values) = @_; + if ($global) { + push @{$global_hash->{$key}}, @values; + } + elsif (!$hash->{"_OVERRIDE_$key"}) { + $hash->{$key} = []; + } + 
$hash->{"_OVERRIDE_$key"} = 1; + push @{$hash->{$key}}, @values; +} + +sub global_clear +{ + my ($state, $key) = @_; + while ($state) { + undef $state->{$key}; + $state = $state->{'parent'}; + } +} + +sub run_test +{ + my ($outfile, $state, $file) = @_; + + return if $state->{'check'}; + if ($state->{'from'}) { + return if $state->{'name'} !~ /$state->{'from'}/; + } + global_clear ($state, 'from'); + + my $do_test = $#{$state->{'run'}} < 0; + foreach my $select (@{$state->{'run'}}) { + $do_test ||= ($state->{'name'} =~ /$select/); + } + return if !$do_test; + + if ($state->{'request'} && $state->{'uri'}) { + print STDERR "Error 103: cannot use both %request and %uri in test $state->{'name'} in file $file\n"; + exit; + } + reconfigure($state); + if ($state->{'uri'}) { + $state->{'request'} = $SKELETON_REQUEST; + $state->{'request'} =~ s/\$URI/$state->{'uri'}/; + } + my $requests = $state->{'fuzz'} ? + generate_vectors ($state->{'request'}, $state->{'vars'}, $state->{'verbose'}) : + {'' => $state->{'request'}}; + VECTOR: while (my ($vars, $request) = each %$requests) + { + my $test = inherit_state ($state); + $test->{'request'} = $request; + if ($test->{'mslog'}) { + my $output = `wc $test->{'mslog'}`; + $output =~ /\s*(\d+)/; + $test->{'mslog_start'} = $1; + } + if ($test->{'msdebug'}) { + my $output = `wc $test->{'msdebug'}`; + $output =~ /\s*(\d+)/; + $test->{'msdebug_start'} = $1; + } + my ($server, $port) = ($test->{'server'}, $test->{'port'}); + if (!$port && ($server =~ /^(.+)\:(\d+)$/)) { + $server = $1; + $port = $2; + } + my $sock = IO::Socket::INET->new(PeerAddr => $server, PeerPort => $port); + if (!$sock) { + print STDERR "Error 104: error connecting to server $server. 
$@\n"; + exit; + } + + print $sock $request; + my $line; + do { + my @ready; + @ready = IO::Select->new($sock)->can_read($test->{'timeout'}); + if ($#ready < 0) { + $test->{'response'} = $test->{'response_status'} = "N/A"; + report_test ($outfile, 'TIMEOUT', $test, $request, $vars); + next VECTOR; + } + + if (defined($line = <$sock>)) { + $test->{'response'} .= $line; + if (!$test->{'response_status'}) { + if ($line =~ /^HTTP\S*\s+(\d+)/) { + $test->{'response_status'} = $1; + } + elsif ($line =~ /400 Bad Request<\/title>/) { + $test->{'response_status'} = 400; + } + } + } + } while (defined($line)); + + if ($test->{'mslog'}) { + my $output = `wc $test->{'mslog'}`; + $output =~ /\s*(\d+)/; + my $lines = $1 - $test->{'mslog_start'}; + $test->{'mslog'} = `tail -n $lines $test->{'mslog'}`; + } + + if ($test->{'msdebug'}) { + my $output = `wc $test->{'msdebug'}`; + $output =~ /\s*(\d+)/; + my $lines = $1 - $test->{'msdebug_start'}; + $test->{'msdebug'} = `tail -n $lines $test->{'msdebug'}`; + } + + $test->{'match_status'} = check_match ($test->{'response_status'}, $test->{'status'}); + $test->{'match_output'} = check_match ($test->{'response'}, $test->{'output'}); + $test->{'match_audit'} = !$test->{'mslog'} || check_match ($test->{'mslog'}, $test->{'audit'}); + my $test_events; + foreach my $event (@{$test->{'event'}}) { + if ($event =~ /^\!(.*)$/) { + push @$test_events, "!\\[id \\\"$1\\\"\\]" + } + else { + push @$test_events, "\\[id \\\"$event\\\"\\]" + } + } + $test->{'match_events'} = !$test->{'mslog'} || check_match ($test->{'mslog'}, $test_events); + my $result = + ($test->{'match_status'} + && $test->{'match_output'} + && $test->{'match_audit'} + && $test->{'match_events'}) ? 
"OK" : "FAIL" ; + report_test ($outfile, $result, $test, $request, $vars); + sleep $test->{'pause'} if $test->{'pause'}; + } +} + +sub check_match +{ + my ($text, $patterns) = @_; + my $match = 1; + foreach my $pattern (@$patterns) { + if ($pattern =~ /^\!(.*)$/) { + return 0 if $text =~ /$1/sm; + } + else { + return 0 if $text !~ /$pattern/sm; + } + } + return $match; +} + +sub report_header +{ + my ($outfile, $outfilename) = @_; + print $outfile "\nModSecurity rules test report generated to $outfilename on " . localtime() . "\n"; + print $outfile "Produced by rulestest.pl, (c) Trustwave Holdings Inc, 2011\n"; +} + +sub report_file_header +{ + my ($outfile, $filename) = @_; + print $outfile "\n## reading tests file $filename\n"; +} + +sub report_test +{ + my ($outfile, $result, $test, $request, $vars) = @_; + + + print $outfile "\n" if $result ne "OK"; + print $outfile "$result: "; + print $outfile "$test->{'name'}"; + print $outfile " ($vars)" if $vars; + print $outfile ", status = $test->{'response_status'}"; + my (@events) = ($test->{'mslog'} =~ /\[id \"(\d+)\"\]/gim); + print $outfile $#events < 0 ? ", no events recieved" : ", event(s) = " . (join ",", @events) ; + if ($result eq "FAIL") { + print $outfile "\n"; + if (!$test->{'match_status'}) { + print $outfile "Expected status code(s): " . (join ",", @{$test->{'status'}}) . "\n"; + } + if (!$test->{'match_events'}) { + print $outfile "Expected event(s): " . (join ",", @{$test->{'event'}}) . "\n"; + } + if (!$test->{'match_audit'}) { + print $outfile "Audit does not match\n"; + } + if (!$test->{'match_output'}) { + print $outfile "Output does not match\n"; + } + #$test->{'match_events'} && print "Events: $test->{'response_status'} and not " . (join ",", $test->{'status'}) . 
"\n"; + print_details ($test) if $test->{'verbose'} || $test->{'relevant'}; + } + print $outfile "\n"; + print_details ($test) if $test->{'verbose'}; +} + + +sub print_details +{ + my ($test) = @_; + print $outfile "---------\nRequest:\n$test->{'request'}\n"; + print $outfile "---------\nResponse:\n$test->{'response'}\n"; + print $outfile "---------\nLog:\n$test->{'mslog'}\n" if ($test->{'mslog'}); + print $outfile "---------\nDebug:\n$test->{'msdebug'}\n" if ($test->{'msdebug'}); +} + +sub generate_vectors +{ + my ($script, $vars, $verbose) = @_; + my $test_requests = []; + + my $vectors = [ {} ]; + while (my ($var, $values) = each %$vars) { + next if $var =~ /^_OVERRIDE_/; + next if $script !~ /\$$var\b/; + foreach my $vector (@$vectors) { + $vector->{$var} = $values->[0]; + } + if ($#$values > 0) { + my $collect_vectors = []; + shift @$values; + foreach my $value (@$values) { + my $new_vectors = dclone $vectors; + foreach my $vector (@$new_vectors) { + $vector->{$var} = $value; + } + push @$collect_vectors, @$new_vectors; + }; + push @$vectors, @$collect_vectors; + } + } + + $script =~ s/\$([a-zA-Z_]+)/\$vector->{$1}/g; + #print "SCRIPT=>$script\n"; + my $results; + foreach our $vector (@$vectors) { + my $var = join ",", map { "$_=$vector->{$_}" } keys %$vector; + $vector->{'CONTENT_LENGTH'} = '$CONTENT_LENGHT'; + my $result; + if (!defined($result = eval_expression ($script, $vector, $verbose))) { + print STDERR "Error 109: unable to fuzz request. 
Not fuzzing test.\n"; + return ({'' => $script}); + } + #my $req = HTTP::Request->parse($result); + my ($content) = $result =~ /.*?\x0D\x0A\x0D\x0A(.*)/sm; + $vector->{'CONTENT_LENGTH'} = length $1; + $result = eval_expression ($script, $vector, $verbose); + $results->{$var} = $result; + } + return $results; +} + + +sub eval_expression +{ + my ($script, $vector, $verbose) = @_; + + $script =~ s/([\"\@\%])/\\$1/g; + my $result; + my $warn; + local $SIG{__WARN__} = sub { $warn = $_[0] }; + eval { + my $safe = new Safe; + $safe->share ('$vector'); + $result = $safe->reval ("return \"$script\""); + }; + if ((my $error = $@) || $warn) { + print STDERR "Error 108: unable to evaluate expression\n"; + print STDERR "SCRIPT: $script\n" if $verbose; + print STDERR "EVAL ERROR: $error\n" if $error && $verbose; + print STDERR "EVAL WARNING: $warn\n" if $warn && $verbose; + return undef; + } + return $result; +} + +sub tchomp { + my ($text) = @_; + $text =~ s/^(.*?)(?:\x0D\x0A|\x0A|\x0D|\x0C|\x{2028}|\x{2029})/$1/s; + return $text; +} + + + +__END__ + +=head1 NAME + +rulestest.pl + +=head1 SYNOPSIS + +rulestest.pl [options] [test files ...] + +This program reads and executed tests in input test file(s) agains a +ModSecurity protected web application. + +use -help for options. +use -man for detailed usage information. + +=head1 OPTIONS + +the following options can be used either on the command line or (using the +long version) as directives (prefixed by %) in test files. + + -s or -server <address>[:<port>] + address of server to send. Mandatory before any test, but can appear + in the test files themselves + + -p or -port <port> + port to send tests to, defaults to 80 + + -t or -timeout <time> + time in seconds, possibly fractional, to wait for server response. + If the server does not respond within this period the test fails. + the default is 10 seconds. 
+ + Timeout should be small for synthetic tests, such as those + generated from capture files as the server would respond fast. + The timeout may need to be longer for real world servers. + + -f or -fuzz + Whether to use fuzzing or not. You may not want to use fuzzing in + case the requests where generated automatically and may includes + syntax that will be considered by rulestest as substitutable + variables. + + -mslog <file name> + ModSecurity log file to search for events in. If not specified + events are not (useful if tests are not run locally). + + -msdebug <file name> + ModSecurity debug file to extract debug information + to test report. If not specified, debug information is not + add to the report. + + -o <file name> + name of output file. Defaults to STDOUT. Not relevant as directive + in test files. + + -i <file name> + Names of input files. can also appear as parameters on the command + line. Not relevant as directive in test files. + + -check + Does not run test but only parses the input file + + -run <regular expression> + a regular expresion to select tests to perfrom. Only tests whose + name match the regular expression are executed. The option + (or directive) can be used multiple times, so a test matching + any of the regular expressions will be executed. + + -from <regular expression> + a regular expression selecting the first test to perform. + + -r or -relevant + Detailed information in the test report in case + of a test failure. + + -v or -verbose + Detailed information for all tests. Verbose will also cause specific + errors to include print more information. + + -c or -clean + deletes log and debug files and restart apache (using apachctl). + Significantly enhance performance of the tests and can be used as + many times as needed in test files. + + Clean is executed once, when starting the 1st test after it is + defined regardless of the scope it is defined at. 
Specifically
+ it will remove the log and debug files as defined when the test
+ start: this enables the use of -clean on the command line even
+ though file locations are defined only later on, for example in
+ rulestest.conf.
+
+
+=head1 INSTALLATION & CONFIGURATION
+
+Test should be run from the same host ModSecurity runs on, or a computer that
+has file system access to ModSecurity audit log to. This allows rulestest to
+examine ModSecurity audit log for events and extract information from
+ModSecurity debug log to the test report.
+
+In order to test for events, ensure that ModSecurity is set use serial logging.
+
+=head2 Local and Global Settings:
+
+When used in a file, directives are local to the file, and when used whithin
+a test they are local to a test. To specify global settings preced the directive
+wiht the keyword global:
+
+%global server 127.0.0.1:80
+
+if a file with the name rulestest.conf exists in the same directory as the
+script, it will be read. I can contain any directive valid in a test file.
+It can be used to set default
+
+=head2 Binary Attrbiutes:
+
+Directives that except a yes/no value can be set in varios ways. Providing the
+value 0 or 1 will set them to no and yes respectively. The directive without
+any values is eqvivalent to setting it to 1, and the directive preceded by "no"
+is eqvivalent to 0, for example:
+
+%noverbose
+
+will set the current scope to not report verbosely.
+
+=head2 Default Settings:
+
+The file rulestest.conf is automatically read by rulestest.pl before any
+tests file and may contain global setup directives. You may especially want to
+set there settings such as %server, %mslog and %msdebug as well as reporting
+level using %verbose and %relevant.
+
+=head1 WRITING TESTS
+
+To write a test use the following directives:
+
+=head2 defining the test request
+
+ %test <name> -
+ starts a test and set is name as shown in the report
+
+ %endtest -
+ used to terminate a test.
Ususally there is no need to use this
+ directive as the next %test directive implicitly defines the end of
+ a test. You may want to use it if you want to set additional file
+ level settings for the remaining tests.
+
+ %remark -
+ Ignore all lines (including directives) until a matching %endremark
+ directive. use # at the beginning of a line to add a remark line to
+ the file, if not in the middle of a multi-line directive such as
+ %request.
+
+ %request -
+ multiple lines of the request should appear on the lines follwing
+ the directive terminated by the next =directive (a line starting
+ with "%"). Do not forget to leave an empty line as required by
+ HTTP.
+
+ You can use the special variable $CONTENT_LENGTH to have
+ rulestest set the correct content length for the request.
+ $CONTENT_LENGTH can save counting, but its main use is to enable
+ fuzzing of requests with variables in the post data.
+
+ %uri -
+ a uri to send to the server. it would be embedded in a
+ standard request
+
+ %pause -
+ define a delay in seconds after the test and before the next test.
+ Useful if the feature tested involves timeouts.
+
+either a %uri or a %request directive must appeat in a test. A %request or a
+%uri can include variables using perl notation ($varname). this would be
+replaced when testing with a value set by the %var directive.
+
+Empty lines are skipped if not in the middle of multi-line directives such
+as %request.
+
+=head2 defining expected output
+
+ %status <regexp> -
+ The expected response status code(s).
+
+ %event <regexp> -
+ A regexp that should match event ids generated by the test in
+ the audit log.
+
+ %audit <regexp> -
+ A regexp that should match in the audit log of the test.
+
+ %output <regexp> -
+ A regexp that should match in set a string to search in the HTTP
+ response. You can use multiple directives to define many required
+ patterns.
+
+for %event, %audit and %output you can use multiple directives to define
+many required patterns.
All of them must match for the rule to match. Use the
+regular expresion or (|) option to check for at least one option from a group
+of patterns.
+
+Each regular expression can be preceded by a "!" mark to negate the test. the
+regular expression following must not appear in the test result.
+
+=head1 REPORTING
+
+By default rulestest will provide brief message describing if the test succeded
+in any of the checks done: status code, events generated, pattern in audit log
+and pattern in response.
+
+the following directives allow control on the level of details of the report:
+
+ %verbose -
+ from the test for which the directive appears onward, output request,
+ reply and new ModSecurity audit log lines for each test. set to 0 to
+ stop (1 is implicit on set).
+
+ %relevant -
+ from the test for which the directive appears onward, output verbose
+ output for tests that failed any check. set to 0 to stop (1 is
+ implicit on set).
+
+In most cases, you will only be interested in the failed tests. In that case,
+you can use awk with the following command:
+gawk '$1=="OK:" {printme=0}; $1=="FAIL:" {printme=1}; $1=="##" {printme=1}; printme==1 {print}'
+
+=head1 VARIABLE SUBSTITUTION (FUZZING)
+
+The directive "%var variable=value[, value[, valueM-^E..]] sets values for a
+variable which are embedded in the request sent. The test would be repeated
+using every value. Values are set only for the current test. Use the
+%globalvar directive to set global variables.
+
+Multiple %var directives for the same variable add values to the list and do
+not replace values, so:
+
+%var variable=value1
+
+%var variable=value2
+
+Would test with both value1 and value2.
+
+If multiple variables are used in the same test, than the test is carried for
+each combination of values of the variables:
+
+%var var1=v1, v2
+
+%var var3=v3, v4
+
+The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4),
+(v2, v3), (v2, v4).
+
+As noted before, the special variable $CONTENT_LENGTH can be used to
+automatically calculate the content length based on the actually generated
+request after variable substitution.
+
+=head1 TESTING RESPONSES
+
+In order for outbound tests the script testserver.cgi has to be installed in
+the web server's /cgi-bin directory.
+
+To force response content in request, use /cgi-bin/testserver.cgi as the target
+URL and add one or more of the following headers to the reuqest:
+
+Response-Status: - Force a response status line. Defaults to "200 OK".
+
+Response-Content: - Adds the string to the response. Note that this would not be
+the entire response.
+
+Response-Content-Type: - sets the value of the content type header, defaults to
+"text/html"
+
+Response-Header-Name: - Adds a header to the response. This defined the new
+header's name. Response-Header-Value defines the header's value.
+
+Response-Header-Value: - The value of the new header defined by the request
+header Response-Header-Name. Note: If Response-Header-Name is empty, then this
+parameter will be ignored.
+
+=head1 ERRORS
+
+ Error 101:
+ test file <file> not found. Check that all options are valid and no
+ option was considered a test file.
+
+ Error 102:
+ syntax error in file <file> on line <line>. a line which is not
+ a remark, not a directive and not in any multiline section (request
+ and multi line remark) was found at specified line and file.
+
+ Error 103:
+ cannot use both %request and %uri. Only one of these directive can
+ be specified in each test.
+
+ Error 104:
+ error connecting to server. The specific error is also displayed.
+ This error usually implies a communication problem or specificaiton
+ of a wrong server or port.
+
+ Error 105:
+ Error occured when trying to open a tests file. Tests will continue
+ with next tests file.
+
+ Error 106:
+ Error occured when trying to create report file.
+
+ Error 107:
+ %endtest directive without a preceding %test directive
+
+ Error 108:
+ The expression evulator (using Perl eval function) failed. The
+ expression probably includes some Perl syntax. use -verbose to
+ print the actual error returned.
+
+ Error 109:
+ Fuzzing the request failed. This probably implies that the test
+ request includes some Perl syntax. You may want to use the nofuzz
+ option to overcome the problem.
+
+
+=cut
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,526 @@
+%timeout 10
+# FILE 20 - protocol violations
+
+%test Invalid request line 1
+#####################################################
+%status 400
+%event 981227
+%request
+ GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+
+
+%test Invalid request line 2
+#####################################################
+%status 400
+%event 981227
+%request
+GET \index.html HTTP\1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+
+
+%test Invalid request line 3
+#####################################################
+%status 501
+%event 960911
+%request
+|GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+
+
+%test POST without content length
+#####################################################
+%output 960012
+%event 960012
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+
+
+%test Invalid Request Body (multipart) 1
+#####################################################
+%event 960912|960914
+#%event 960914
+%output 960912|960914
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1)
Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Contt-Disposition: form-data; name="file"; filename="test"
+Content-Type: application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915724--
+
+
+%test Invalid Request Body (multipart) 2
+#####################################################
+%event 960912|960914
+%output 960912|960914
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name='name; filename="'; name=payload;"
+Content-Type: application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915724--
+
+
+%test Invalid Request Body (multipart) 3
+#####################################################
+%event 960915
+%output 960915
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="file"; filename="test"
+Content-Type: application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915725--
+
+
+%test Invalid Request Body (multipart) 4
+#####################################################
+%event 960000
+%output 960000
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="fi;le"; filename="test"
+Content-Type:
application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915724--
+
+
+%test Invalid Request Body (XML)
+#####################################################
+%event 960912
+%output 960912
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: text/xml
+Content-Length: $CONTENT_LENGTH
+
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <SOAP-ENV:Body>
+ <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
+ <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</xkms:RespondWith>
+ </xkms:StatusRequest>
+ </SOAP-ENV:Body><error></err>
+</SOAP-ENV:Envelope>
+
+
+%test Accept only digits in content length 1
+#####################################################
+%status 413
+%event 960016
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 3
+Content-Length: 3
+
+abc
+
+
+%test Accept only digits in content length 2
+#####################################################
+%status 413
+%event 960016
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 3;
+
+abc
+
+
+%test GET/HEAD Request with Body
+#####################################################
+%output 960011
+%event 960011
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 3
+
+abc
+
+
+%test Identity Content Encodings
+#####################################################
+%output 960902
+%event 960902
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Encoding: Identity
+
+
+%test Expect Header
+#####################################################
+%output 960022
+%event 960022
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Expect: 100-continue
+
+
+%test Pragma Header Requires Cache-Control
+#####################################################
+%output 960020
+%event 960020
+%request
+GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Pragma: no-cache
+
+
+%test Range Header
+#####################################################
+%output 958291
+%event 958291
+%request
+GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Range: bytes=0-
+
+
+%test Duplicate Connection Headers
+#####################################################
+%output 958295
+%event 958295
+%var connection=keep-alive
+%var connection=close
+%request
+GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Connection: $connection, $connection
+
+%test Validate Encoding (Request URI)
+#####################################################
+%output 950107
+%event 950107
+%var encoded_arg=%1G
+%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
+%request
+GET /?parm=$encoded_arg HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Validate Encoding (Request Body)
+#####################################################
+%output 950108
+%event 950108
+%var encoded_arg=%1G
+%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: $CONTENT_LENGTH
+
+param=$encoded_arg
+
+
+%test Multiple URL Encoding
+#####################################################
+%output 950109
+%event 950109
+%var encoded_arg=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34
+#%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
+%request
+GET /?parm=$encoded_arg HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Validate Encoding (XML)
+#####################################################
+%event 950108
+%output 950108
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Content-Type: text/xml
+Content-Length: $CONTENT_LENGTH
+
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <SOAP-ENV:Body>
+ <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
+ <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
+ <xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
+ </xkms:StatusRequest>
+ </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+
+%test Validate encoding (negative, %u in req)
+#####################################################
+#%status 200
+%event !50107
+%request
+GET / HTTP/1.1
+X-Real-Content-Length: 803
+Accept: */*
+X-Original-Client: 212.199.066.195:01078
+X-Unique-Transaction-Id: 54222
+x-flash-version: 8,0,22,0
+Cache-Control: no-transform
+Accept-Encoding: gzip, deflate
+If-Modified-Since: Wed, 04 Aug 2004 13:45:45 GMT
+If-None-Match: "2c011d-1708-4110e889"
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+Host: galim.org.il
+Connection: Keep-Alive
+Cookie:
_HangMan=%u05D0%u05D0%u05D1%u05D2%u05D3%u05D4%u05D5%u05D6%u05D7%u05D8%u05D9%u05DB%u05DC%u05DE%u05E0%u05E1%u05E2%u05E4%u05E6%u05E7%u05E8%u05E9%u05EA%u05DC%u05D9%u05D1%20%u05D4%u05D0%u05D8%u05DC%u05D4*; request_uri=http%3A%2F%2Fpopup.galim.org.il%2Fcgi-bin%2Fgalim%2Fmywaves%2Fclick_milon.pl%3Fword%3D%EE%F9%E7%F7%E9%ED%26act%3Dhh%26visual%3D0
+
+
+%test Validate utf-8 encoding
+#####################################################
+%output 950801
+%event 950801
+%var arg=%c0%af
+%var arg=%c0
+%var arg=%F5%80%BF%BF
+%request
+GET /?param=$arg HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Identify full-width unicode encoding
+#####################################################
+%output 950116
+%event 950116
+%request
+GET /?param=foo%uFF01 HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Proxy access attempt
+#####################################################
+%output 960014
+%event 960014
+%request
+GET http://www.some_remote_site.com/ HTTP/1.0
+Host: www.some_remote_site.com
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Validate Byte Range 1 (NulBytes)
+#####################################################
+%output 960901
+%event 960901
+%request
+GET /?param=foo%00 HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Validate Byte Range 2 (NulBytes)
+#####################################################
+%output 960018
+%event 960018
+%request
+GET /?param=foo%09 HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+%endtest
+
+
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests 2011-05-26 18:18:01.000000000 +0000
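Review bot: The negative test "Validate encoding (negative, %u in req)" asserts `%event !50107`, which looks like a dropped digit, since the "Validate Encoding (Request URI)" test earlier in this hunk uses id 950107. As an unanchored regexp the pattern probably still matches inside 950107, but it would equally match any other id containing 50107, and with `#%status 200` commented out it is the test's only check; `%event !950107` states the intent. In "Validate Encoding (Request Body)" the line `Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflate` fuses two headers and should be split into two lines. The negative test's request also carries what appears to be captured traffic (an `X-Original-Client` address, a real `Host` and a cookie); replacing these with reserved example values would keep third-party data out of the rule set.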
@@ -0,0 +1,97 @@
+%timeout 6
+
+%test HTTP Request Smuggling 1
+###################################
+%status 501
+%event 950012
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Transfer-Encoding: utf-8
+Transfer-Encoding: utf-8
+
+
+%test HTTP Request Smuggling 2
+###################################
+%status 413
+%event 950012
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Length: 3
+Content-Length: 3
+
+abc
+
+
+%test HTTP response splitting
+###################################
+%event 950910|950911
+%output 950910|950911
+%request
+GET /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html> HTTP/1.1
+Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
+Referer: http://www.mummy.com/index.html
+Accept-Language: zh-sg
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+Host: www.mummy.com
+Content-Length: 0
+Connection: Keep-Alive
+Cache-Control: no-cache
+
+
+%test XML Support
+###################################
+%event 950908
+%output 950908
+%request
+POST / HTTP/1.0
+User-Agent: SQLData Client/3.02
+Host:
www.soapclient.com:80
+Connection: Close
+Accept: */*
+Content-Length: $CONTENT_LENGTH
+SOAPAction: ""
+Content-Type: text/xml; charset="utf-8"
+
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <SOAP-ENV:Body>
+ <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
+ <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#KeyName</xkms:RespondWith>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#KeyValue</xkms:RespondWith>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</xkms:RespondWith>
+ <xkms:RespondWith>root@</xkms:RespondWith>
+ </xkms:StatusRequest>
+ </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+
+%test email injection
+###################################
+%event 950019
+%output 950019
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Content-Length:$CONTENT_LENGTH
+Content-Type: application/x-www-form-urlencoded
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.
+
+sender=haxor@attack.xxx%0ASubject:Ooops%0ABcc:target@nothappy.xxx%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0AHTML%20Message.%0A%0A--frog%0AContent-Type:text/html;name=Nastycode.html;%0AContent-Transfer-Encoding:8bit%0AContent-Disposition:attachment%0A%0AHTML%20File%0A%0A--frog--%0A
+
+%endtest
+
+
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests
--- modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests 2011-05-26 18:18:01.000000000 +0000
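Review bot: In "HTTP response splitting" both `%event 950910|950911` and `%output 950910|950911` are satisfied by either id, so the test keeps passing if one of the two rules stops matching this request. The rulestest documentation added in this same diff says that several directives of one kind must all match, so if both rules are expected to fire here, `%event 950910` and `%event 950911` on separate lines (likewise for `%output`) would pin each of them; if only one is expected, naming just that id is clearer. Multipart tests 1 and 2 in modsecurity_crs_20_protocol_violations.tests use the same form with `960912|960914`. Separately, the `Accept` header in "email injection" ends in `q=0.`, which looks truncated.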
@@ -0,0 +1,376 @@
+
+# File 40
+%request
+GET /?v=$sig HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.
+
+
+%test SQL injection - sp_addextendedproc
+########################################
+%event 959037
+%output 959037
+%var sig=sp_addextendedproc
+%endtest
+
+%test SQL injection - sp_execute
+########################################
+%event 959038
+%output 959038
+%var sig=sp_execute
+%endtest
+
+%test SQL injection - sp_executesql
+########################################
+%event 959039
+%output 959039
+%var sig=sp_executesql
+%endtest
+
+%test SQL injection - sp_makewebtask
+########################################
+%event 959040
+%output 959040
+%var sig=sp_makewebtask
+%endtest
+
+%test SQL injection - sp_oacreate
+########################################
+%event 959041
+%output 959041
+%var sig=sp_oacreate
+%endtest
+
+%test SQL injection - sp_prepare
+########################################
+%event 959042
+%output 959042
+%var sig=sp_prepare
+%endtest
+
+%test SQL injection - sp_sqlexec
+########################################
+%event 959043
+%output 959043
+%var sig=sp_sqlexec
+%endtest
+
+%test SQL injection - sql_longvarchar
+########################################
+%event 959044
+%output 959044
+%var sig=sql_longvarchar
+%endtest
+
+%test SQL injection - sql_variant
+########################################
+%event 959045
+%output 959045
+%var sig=sql_variant
+%endtest
+
+%test SQL injection - tbcreator
+########################################
+%event 959046
+%output 959046
+%var sig=tbcreator
+%endtest
+
+%test SQL injection - utl_file
+########################################
+%event 959048
+%output 959048
+%var sig=utl_file
+%endtest
+
+%test SQL injection - utl_http
+########################################
+%event 959049
+%output 959049
+%var sig=utl_http
+%endtest
+
+%test SQL injection - varchar
+########################################
+%event 959050
+%output 959050
+%var sig=varchar
+%endtest
+
+%test SQL injection - xp_availablemedia
+########################################
+%event 959051
+%output 959051
+%var sig=xp_availablemedia
+%endtest
+
+%test SQL injection - xp_cmdshell
+########################################
+%event 959052
+%output 959052
+%var sig=xp_cmdshell
+%endtest
+
+%test SQL injection - xp_dirtree
+########################################
+%event 959053
+%output 959053
+%var sig=xp_dirtree
+%endtest
+
+%test SQL injection - xp_enumdsn
+########################################
+%event 959054
+%output 959054
+%var sig=xp_enumdsn
+%endtest
+
+%test SQL injection - xp_execresultset
+########################################
+%event 959055
+%output 959055
+%var sig=xp_execresultset
+%endtest
+
+%test SQL injection - xp_filelist
+########################################
+%event 959056
+%output 959056
+%var sig=xp_filelist
+%endtest
+
+%test SQL injection - xp_loginconfig
+########################################
+%event 959057
+%output 959057
+%var sig=xp_loginconfig
+%endtest
+
+%test SQL injection - xp_makecab
+########################################
+%event 959058
+%output 959058
+%var sig=xp_makecab
+%endtest
+
+%test SQL injection - xp_ntsec
+########################################
+%event 959059
+%output 959059
+%var sig=xp_ntsec
+%endtest
+
+%test SQL injection - xp_regaddmultistring
+########################################
+%event 959060
+%output 959060
+%var sig=xp_regaddmultistring
+%endtest
+
+%test SQL injection - xp_regdeletekey
+########################################
+%event 959061
+%output 959061
+%var sig=xp_regdeletekey
+%endtest
+
+%test SQL injection - xp_regdeletevalue
+########################################
+%event 959062
+%output 959062
+%var sig=xp_regdeletevalue
+%endtest
+
+%test SQL injection - xp_regenumkeys
+########################################
+%event 959063
+%output 959063
+%var sig=xp_regenumkeys
+%endtest
+
+%test SQL injection - xp_regenumvalues
+########################################
+%event 959064
+%output 959064
+%var sig=xp_regenumvalues
+%endtest
+
+%test SQL injection - xp_regread
+########################################
+%event 959065
+%output 959065
+%var sig=xp_regread
+%endtest
+
+%test SQL injection - xp_regremovemultistring
+########################################
+%event 959066
+%output 959066
+%var sig=xp_regremovemultistring
+%endtest
+
+%test SQL injection - xp_regwrite
+########################################
+%event 959067
+%output 959067
+%var sig=xp_regwrite
+%endtest
+
+%test SQL injection - xp_terminate
+########################################
+%event 959068
+%output 959068
+%var sig=xp_terminate
+%endtest
+
+%test SQL injection - 'sqloledb'
+########################################
+%event 959003
+%output 959003
+%var sig='sqloledb'
+%endtest
+
+%test SQL injection - 'sa'
+########################################
+%event 959026
+%output 959026
+%var sig='sa'
+%endtest
+
+%test SQL injection - 'dbo'
+########################################
+%event 959010
+%output 959010
+%var sig='dbo'
+%endtest
+
+%test SQL injection - @@version
+########################################
+%event 959004
+%output 959004
+%var sig=@@version
+%endtest
+
+%test SQL injection - autonomous_transaction
+########################################
+%event 959005
+%output 959005
+%var sig=autonomous_transaction
+%endtest
+
+%test SQL injection - coalesce
+########################################
+%event 950908
+%output 950908
+%var sig=coalesce
+%endtest
+
+%test SQL injection - dbms_java
+########################################
+%event 959009
+%output 959009
+%var sig=dbms_java
+%endtest
+
+%test SQL injection - 'msdasql'
+########################################
+%event 959020
+%output 959020
+%var sig='msdasql'
+%endtest
+
+%test SQL injection - nvarchar
+########################################
+%event 959021
+%output 959021
+%var sig=nvarchar
+%endtest
+
+%test SQL injection - openquery
+########################################
+%event 959022
+%output 959022
+%var sig=openquery
+%endtest
+
+%test SQL injection - openrowset
+########################################
+%event 959023
+%output 959023
+%var sig=openrowset
+%endtest
+
+%test SQL injection - ;%20drop
+########################################
+%event 959001
+%output 959001
+%var sig=;%20drop
+%endtest
+
+%test SQL injection - ;%20\*%20test%20remark%20\*%20shutdown
+########################################
+%event 950902
+%output 950902
+%var sig=;%20\*%20test%20remark%20\*%20shutdown
+%endtest
+
+%test SQL injection - root@
+########################################
+%event 950908
+%output 950908
+%var sig=root@
+%endtest
+
+%test SQL injection - '%20or%20'1'%3d'1
+########################################
+%event 950901
+%output 950901
+%var sig='%20or%20'1'%3d'1
+%endtest
+
+%test SQL injection - '%20having%20'1'%3d'1
+########################################
+%event 959070
+%output 959070
+%var sig='%20having%20'1'%3d'1
+%endtest
+
+%test SQL injection - '%20and%20'1'%3d'1
+########################################
+%event 959072
+%output 959072
+%var sig='%20and%20'1'%3d'1
+%endtest
+
+%test SQL injection - 1%27%3Bdelete+from+%270%3A0%3A15%27%3B--
+########################################
+%event 959075
+%output 959075
+%var sig=1%27%3Bdelete+from+%270%3A0%3A15%27%3B--
+%endtest
+
+%test SQL injection - 'avi'%3d'avi
+########################################
+%event 950901
+%output 950901
+%var sig='avi'%3d'avi
+%endtest
+
+%test SQL injection - 1%3d1
+########################################
+%event 950901
+%output 950901
+%var sig=1%3d1
+%endtest
+
+%test SQL injection - dba_users
+########################################
+%event 959007
+%output 959007
+%var sig=dba_users
+%endtest
+
+
+
+
diff -Nru modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_50_outbound.tests
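Review bot: The shared `%request` template at the top of this file sends `Accept: ...image/png,*/*;q=0.`, which looks truncated next to the `*/*;q=0.5` used in the outbound tests, and nothing explains how `$sig` in the request line gets its value. I would restore the header to `*/*;q=0.5` so each request differs from ordinary browser traffic only in the payload, and add a comment under `# File 40` along the lines of `# $sig in the request line is taken from each test's "%var sig=" value` (that is how the template appears to be used; confirm against the harness). Every case asserts one rule ID for a bare keyword, so the file gives no signal about false positives on ordinary words such as `varchar` or `coalesce`; that limitation is worth stating in the same comment.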
modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_50_outbound.tests --- modsecurity-crs-2.1.2/trunk/util/regression_tests/tests/modsecurity_crs_50_outbound.tests 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/util/regression_tests/tests/modsecurity_crs_50_outbound.tests 2011-05-26 18:18:01.000000000 +0000 @@ -0,0 +1,122 @@ +# FILE 50 +%timeout 10 + +%test weblogic information disclosure +######################################## +%event 970021 +%output 970021 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Status: 500 Internal Server Error +Response-Content: <title>JSP compile error + +%endtest + +%test Zope information leakage +######################################## +%event 970007 +%output 970007 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content:

Site Error

An error was encountered while publishing this resource. + +%endtest + +%test CF information leakage +######################################## +%event 970008 +%output 970008 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content: The error occurred in script.cfm: line 11 bla bla bla Please try the following:
Check the ColdFusion documentation to verify that you are using the correct syntax. bla bla Stack Trace (click to expand) + +%endtest + +%test PHP information leakage +######################################## +%event 970009 +%output 970009 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content: Warning mysql_fetch_row(): supplied argument ... in /web/jvcjazz/intl_view.php on line 142 + + +%endtest + +%test ISA server existence revealed +######################################## +%event 970010 +%output 970010 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content: 403 Forbidden - The ISA Server denies the specified Uniform Resource ...bla bla bla... 
Internet Security and Acceleration Server + +%endtest + +%test Local file link +######################################## +%event 970011 +%output 970011 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content: This is my sensitive data, do not touch + +%endtest + +%test Microsoft office doc properties leakage +######################################## +%event 970012 +%output 970012 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content: + +%endtest + +%test Directory Listing (apache) +######################################## +%event 971200 +%output 971200 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content: Index of /~avi

Index of /~avi

+ +%endtest + +%test CF source code leakage +######################################## +%event 970016 +%output 970016 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content: " + +# Output lots of debugging info? +Debug False diff -Nru modsecurity-crs-2.1.2/trunk/util/rules-updater.pl modsecurity-crs-2.2.0/trunk/util/rules-updater.pl --- modsecurity-crs-2.1.2/trunk/util/rules-updater.pl 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/util/rules-updater.pl 2010-08-27 16:59:49.000000000 +0000 
@@ -0,0 +1,454 @@ +#!/usr/bin/perl +# +# Fetches the latest ModSecurity Ruleset +# + +use strict; +use Sys::Hostname; +use LWP::UserAgent (); +use LWP::Debug qw(-); +use URI (); +use HTTP::Date (); +use Cwd qw(getcwd); +use Getopt::Std; + +my $VERSION = "0.0.1"; +my($SCRIPT) = ($0 =~ m/([^\/\\]+)$/); +my $CRLFRE = qr/\015?\012/; +my $HOST = Sys::Hostname::hostname(); +my $UNZIP = [qw(unzip -a)]; +my $SENDMAIL = [qw(/usr/lib/sendmail -oi -t)]; +my $HAVE_GNUPG = 0; +my %PREFIX_MAP = ( + -dev => 0, + -rc => 1, + "" => 9, +); +my %GPG_TRUST = (); +my $REQUIRED_SIG_TRUST; + +eval "use GnuPG qw(:trust)"; +if ($@) { + warn "Could not load GnuPG module - cannot verify ruleset signatures\n"; +} +else { + $HAVE_GNUPG = 1; + %GPG_TRUST = ( + &TRUST_UNDEFINED => "not", + &TRUST_NEVER => "not", + &TRUST_MARGINAL => "marginally", + &TRUST_FULLY => "fully", + &TRUST_ULTIMATE => "ultimatly", + ); + $REQUIRED_SIG_TRUST = &TRUST_FULLY; +} + +################################################################################ +################################################################################ + +my @fetched = (); +my %opt = (); +getopts('c:r:p:s:v:t:e:f:EuS:D:R:U:F:ldh', \%opt); + +usage(1) if(defined $opt{h}); +usage(1) if(@ARGV > 1); + +# Make sure we have an action +if (! 
grep { defined } @opt{qw(S D R U F l)}) { + usage(1, "Action required."); +} + +# Merge config with commandline opts +if ($opt{c}) { + %opt = parse_config($opt{c}, \%opt); +} + +LWP::Debug::level("+") if ($opt{d}); + +# Make the version into a regex +if (defined $opt{v}) { + my($a,$b,$c,$d) = ($opt{v} =~ m/^(\d+)\.?(\d+)?\.?(\d+)?(?:-(\D+\d+$)|($))/); + if (defined $d) { + (my $key = $d) =~ s/^(\D+)\d+$/-$1/; + unless (exists $PREFIX_MAP{$key}) { + usage(1, "Invalid version (bad suffix \"$d\"): $opt{v}"); + } + $opt{v} = qr/^$a\.$b\.$c-$d$/; + } + elsif (defined $c) { + $opt{v} = qr/^$a\.$b\.$c(?:-|$)/; + } + elsif (defined $b) { + $opt{v} = qr/^$a\.$b\./; + } + elsif (defined $a) { + $opt{v} = qr/^$a\./; + } + else { + usage(1, "Invalid version: $opt{v}"); + } + if ($opt{d}) { + print STDERR "Using version regex: $opt{v}\n"; + } +} +else { + $opt{v} = qr/^/; +} + +# Remove trailing slashes from uri and path +$opt{r} =~ s/\/+$//; +$opt{p} =~ s/\/+$//; + +# Required opts +usage(1, "Repository (-r) required.") unless(defined $opt{r}); +usage(1, "Local path (-p) required.") unless(defined $opt{p} or defined $opt{l}); + +my $ua = LWP::UserAgent->new( + agent => "ModSecurity Updator/$VERSION", + keep_alive => 1, + env_proxy => 1, + max_redirect => 5, + requests_redirectable => [qw(GET HEAD)], + timeout => ($opt{t} || 600), +); + +sub usage { + my $rc = defined($$_[0]) ? $_[0] : 0; + my $msg = defined($_[1]) ? "\n$_[1]\n\n" : ""; + + print STDERR << "EOT"; +${msg}Usage: $SCRIPT [-c config_file] [[options] [action] + + Options (commandline will override config file): + -r uri RepositoryURI Repository URI. + -p path LocalRepository Local repository path to use as base for downloads. + -s path LocalRules Local rules base path to use for unpacking. + -v text Version Full/partial version (EX: 1, 1.5, 1.5.2, 1.5.2-dev3) + -t secs Timeout Timeout for fetching data in seconds (default 600). + -e addr NotifyEmail Notify via email on update (comma separated list). 
+ -f addr NotifyEmailFrom From address for notification email. + -u Unpack Unpack into LocalRules/version path. + -d Debug Print out lots of debugging. + + Actions: + -S name Fetch the latest stable ruleset, "name" + -D name Fetch the latest development ruleset, "name" + -R name Fetch the latest release candidate ruleset, "name" + -U name Fetch the latest unstable (non-stable) ruleset, "name" + -F name Fetch the latest ruleset, "name" + -l Print listing of what is available + + Misc: + -c Specify a config file for options. + -h This help + +Examples: + +# Get a list of what the repository contains: +$SCRIPT -rhttp://host/repo/ -l + +# Get a partial list of versions 1.5.x: +$SCRIPT -rhttp://host/repo/ -v1.5 -l + +# Get the latest stable version of "breach_ModSecurityCoreRules": +$SCRIPT -rhttp://host/repo/ -p/my/repo -Sbreach_ModSecurityCoreRules + +# Get the latest stable 1.5 release of "breach_ModSecurityCoreRules": +$SCRIPT -rhttp://host/repo/ -p/my/repo -v1.5 -Sbreach_ModSecurityCoreRules +EOT + exit $rc; +} + +sub sort_versions { + (my $A = $a) =~ s/^(\d+)\.(\d+)\.(\d+)(-[^-\d]+|)(\d*)$/sprintf("%03d%03d%03d%03d%03d", $1, $2, $3, $PREFIX_MAP{$4}, $5)/e; + (my $B = $b) =~ s/^(\d+)\.(\d+)\.(\d+)(-[^-\d]+|)(\d*)$/sprintf("%03d%03d%03d%03d%03d", $1, $2, $3, $PREFIX_MAP{$4}, $5)/e; + return $A cmp $B; +} + +sub parse_config { + my($file,$clo) = @_; + my %cfg = (); + + print STDERR "Parsing config: $file\n" if ($opt{d}); + open(CFG, "<$file") or die "Failed to open config \"$file\": $!\n"; + while() { + # Skip comments and empty lines + next if (/^\s*(?:#|$)/); + + # Parse + chomp; + my($var,$q1,$val,$q2) = (m/^\s*(\S+)\s+(['"]?)(.*?)(\2)\s*$/); + + # Fixup values + $var = lc($var); + if ($val =~ m/^(?:true|on)$/i) { $val = 1 }; + if ($val =~ m/^(?:false|off)$/i) { $val = 0 }; + + # Set opts + if ($var eq "repositoryuri") { $cfg{r} = $val } + elsif ($var eq "localrepository") { $cfg{p} = $val } + elsif ($var eq "localrules") { $cfg{s} = $val } + elsif ($var eq 
"version") { $cfg{v} = $val } + elsif ($var eq "timeout") { $cfg{t} = $val } + elsif ($var eq "notifyemail") { $cfg{e} = $val } + elsif ($var eq "notifyemailfrom") { $cfg{f} = $val } + elsif ($var eq "notifyemaildiff") { $cfg{E} = $val } + elsif ($var eq "unpack") { $cfg{u} = $val } + elsif ($var eq "debug") { $cfg{d} = $val } + else { die "Invalid config directive: $var\n" } + } + close CFG; + + my($k, $v); + while (($k, $v) = each %{$clo || {}}) { + $cfg{$k} = $v if (defined $v); + } + + return %cfg; +} + +sub repository_dump { + my @replist = repository_listing(); + + print STDERR "\nRepository: $opt{r}\n\n"; + unless (@replist) { + print STDERR "No matching entries.\n"; + return; + } + + for my $repo (@replist) { + print "$repo {\n"; + my @versions = ruleset_available_versions($repo); + for my $version (@versions) { + if ($version =~ m/$opt{v}/) { + printf "%15s: %s_%s.zip\n", $version, $repo, $version; + } + elsif ($opt{d}) { + print STDERR "Skipping version: $version\n"; + } + } + print "}\n"; + } +} + +sub repository_listing { + my $res = $ua->get("$opt{r}/.listing"); + unless ($res->is_success()) { + die "Failed to get repository listing \"$opt{r}/.listing\": ".$res->status_line()."\n"; + } + return grep(/\S/, split(/$CRLFRE/, $res->content)) ; +} + +sub ruleset_listing { + my $res = $ua->get("$opt{r}/$_[0]/.listing"); + unless ($res->is_success()) { + die "Failed to get ruleset listing \"$opt{r}/$_[0]/.listing\": ".$res->status_line()."\n"; + } + return grep(/\S/, split(/$CRLFRE/, $res->content)) ; +} + +sub ruleset_available_versions { + return sort sort_versions map { m/_([^_]+)\.zip.*$/; $1 } ruleset_listing($_[0]); +} + +sub ruleset_fetch { + my($repo, $version) = @_; + + # Create paths + if (! -e "$opt{p}" ) { + mkdir "$opt{p}" or die "Failed to create \"$opt{p}\": $!\n"; + } + if (! 
-e "$opt{p}/$repo" ) { + mkdir "$opt{p}/$repo" or die "Failed to create \"$opt{p}/$repo\": $!\n"; + } + + my $fn = "${repo}_$version.zip"; + my $ruleset = "$repo/$fn"; + my $ruleset_sig = "$repo/$fn.sig"; + + if (-e "$opt{p}/$ruleset") { + die "Refused to overwrite ruleset \"$opt{p}/$ruleset\".\n"; + } + + # Fetch the ruleset + print STDERR "Fetching: $ruleset ...\n"; + my $res = $ua->get( + "$opt{r}/$ruleset", + ":content_file" => "$opt{p}/$ruleset", + ); + die "Failed to retrieve ruleset $ruleset: ".$res->status_line()."\n" unless ($res->is_success()); + + # Fetch the ruleset signature + if (-e "$opt{p}/$ruleset_sig") { + die "Refused to overwrite ruleset signature \"$opt{p}/$ruleset_sig\".\n"; + } + $res = $ua->get( + "$opt{r}/$ruleset_sig", + ":content_file" => "$opt{p}/$ruleset_sig", + ); + + # Verify the signature if we can + if ($HAVE_GNUPG) { + die "Failed to retrieve ruleset signature $ruleset_sig: ".$res->status_line()."\n" unless ($res->is_success()); + + ruleset_verifysig("$opt{p}/$ruleset", "$opt{p}/$ruleset_sig"); + } + push @fetched, [$repo, $version, $ruleset, undef]; +} + +sub ruleset_unpack { + my($repo, $version, $ruleset) = @{ $_[0] || [] }; + my $fn = "$opt{p}/$ruleset"; + + if (! -e "$fn" ) { + die "Internal Error: No ruleset to unpack - \"$fn\"\n"; + } + + # Create paths + if (! -e "$opt{s}" ) { + mkdir "$opt{s}" or die "Failed to create \"$opt{p}\": $!\n"; + } + if (! -e "$opt{s}/$repo" ) { + mkdir "$opt{s}/$repo" or die "Failed to create \"$opt{p}/$repo\": $!\n"; + } + if (! 
-e "$opt{s}/$repo/$version" ) { + mkdir "$opt{s}/$repo/$version" or die "Failed to create \"$opt{p}/$repo/$version\": $!\n"; + } + else { + die "Refused to overwrite previously unpacked \"$opt{s}/$repo/$version\".\n"; + } + + # TODO: Verify sig + + my $pwd = getcwd(); + my $unpackdir = "$opt{s}/$repo/$version"; + chdir "$unpackdir"; + if ($@) { + my $err = $!; + chdir $pwd; + die "Failed to chdir to \"$unpackdir\": $err\n"; + } + undef $!; + system(@$UNZIP, $fn); + if ($? != 0) { + my $err = $!; + chdir $pwd; + die "Failed to unpack \"$unpackdir\"".($err?": $err":".")."\n"; + } + chdir $pwd; + + # Add where we unpacked it + $_->[3] = $unpackdir; + + return 0; +} + +sub ruleset_fetch_latest { + my($repo, $type) = @_; + my @versions = ruleset_available_versions($repo); + my $verre = defined($opt{v}) ? qr/^$opt{v}/ : qr/^/; + my $typere = undef; + + # Figure out what to look for + if (defined($type) and $type ne "") { + if ($type eq "UNSTABLE") { + $typere = qr/\d-\D+\d+$/; + } + else { + $typere = qr/\d-$type\d+$/; + } + } + elsif (defined($type)) { + qr/\.\d+$/; + } + + while (@versions) { + my $last = pop(@versions); + # Check REs on version + if ($last =~ m/$opt{v}/ and (!defined($typere) || $last =~ m/$typere/)) { + return ruleset_fetch($repo, $last); + } + if ($opt{d}) { + print STDERR "Skipping version: $last\n"; + } + } + + die "No $type ruleset found.\n"; +} + +sub notify_email { + my $version_text = join("\n", map { "$_->[0] v$_->[1]".(defined($_->[3])?": $_->[3]":"") } @_); + my $from = $opt{f} ? 
"From: $opt{f}\n" : ""; + my $body = << "EOT"; +ModSecurity rulesets updated and ready to install on host $HOST: + +$version_text + +ModSecurity - http://www.modsecurity.org/ +EOT + + # TODO: Diffs + + open(SM, "|-", @$SENDMAIL) or die "Failed to send mail: $!\n"; + print STDERR "Sending notification email to: $opt{e}\n"; + print SM << "EOT"; +${from}To: $opt{e} +Subject: [$HOST] ModSecurity Ruleset Update Notification + +$body +EOT + close SM; +} + +sub ruleset_verifysig { + my($fn, $sigfn) = @_; + + print STDERR "Verifying \"$fn\" with signature \"$sigfn\"\n"; + my $gpg = new GnuPG(); + my $sig = eval { $gpg->verify( signature => $sigfn, file => $fn ) }; + if (defined $sig) { + print STDERR sig2str($sig)."\n"; + } + if (!defined($sig)) { + die "Signature validation failed.\n"; + } + if ( $sig->{trust} < $REQUIRED_SIG_TRUST ) { + die "Signature is not trusted ".$GPG_TRUST{$REQUIRED_SIG_TRUST}.".\n"; + } + + return; +} + +sub sig2str { + my %sig = %{ $_[0] || {} }; + "Signature made ".localtime($sig{timestamp})." by $sig{user} (ID: $sig{keyid}) and is $GPG_TRUST{$sig{trust}} trusted."; +} + +################################################################################ +################################################################################ + +# List what is there +if ($opt{l}) { repository_dump(); exit 0 } +# Latest stable +elsif (defined($opt{S})) { ruleset_fetch_latest($opt{S}, "") } +# Latest development +elsif (defined($opt{D})) { ruleset_fetch_latest($opt{D}, "dev") } +# Latest release candidate +elsif (defined($opt{R})) { ruleset_fetch_latest($opt{R}, "rc") } +# Latest unstable +elsif (defined($opt{U})) { ruleset_fetch_latest($opt{U}, "UNSTABLE") } +# Latest (any type) +elsif (defined($opt{F})) { ruleset_fetch_latest($opt{F}, undef) } + +# Unpack +if ($opt{u}) { + if (! 
defined $opt{s} ) { usage(1, "LocalRules is required for unpacking.") } + for (@fetched) { + ruleset_unpack($_); + } +} + +# Unpack +if ($opt{e}) { + notify_email(@fetched); +} diff -Nru modsecurity-crs-2.1.2/trunk/util/rules-updater.pl.in modsecurity-crs-2.2.0/trunk/util/rules-updater.pl.in --- modsecurity-crs-2.1.2/trunk/util/rules-updater.pl.in 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/util/rules-updater.pl.in 2010-06-04 18:37:44.000000000 +0000 
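Review bot: `ruleset_fetch` accepts a ruleset with no authenticity check when the GnuPG module is missing: the load failure near the top is only a `warn`, and both the signature-download check and the call to `ruleset_verifysig` sit inside `if ($HAVE_GNUPG)`, so the archive is still pushed onto `@fetched` and unpacked when `-u` is set. Since the usage examples point `-r` at plain `http://` repositories, I would fail closed before the download, for example `die "Cannot verify $ruleset: GnuPG module not available\n" unless ($HAVE_GNUPG);`, or require an explicit opt-out option for unsigned fetches. Separately, in `ruleset_fetch_latest` the stable branch evaluates `qr/\.\d+$/;` without assigning it, so `-S` is not restricted to stable versions; `$typere = qr/\.\d+$/;` looks like what was intended. The same code is added again in the `rules-updater.pl.in` hunk that follows, so both points apply there as well.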
@@ -0,0 +1,454 @@ +#!@PERL@ +# +# Fetches the latest ModSecurity Ruleset +# + +use strict; +use Sys::Hostname; +use LWP::UserAgent (); +use LWP::Debug qw(-); +use URI (); +use HTTP::Date (); +use Cwd qw(getcwd); +use Getopt::Std; + +my $VERSION = "0.0.1"; +my($SCRIPT) = ($0 =~ m/([^\/\\]+)$/); +my $CRLFRE = qr/\015?\012/; +my $HOST = Sys::Hostname::hostname(); +my $UNZIP = [qw(unzip -a)]; +my $SENDMAIL = [qw(/usr/lib/sendmail -oi -t)]; +my $HAVE_GNUPG = 0; +my %PREFIX_MAP = ( + -dev => 0, + -rc => 1, + "" => 9, +); +my %GPG_TRUST = (); +my $REQUIRED_SIG_TRUST; + +eval "use GnuPG qw(:trust)"; +if ($@) { + warn "Could not load GnuPG module - cannot verify ruleset signatures\n"; +} +else { + $HAVE_GNUPG = 1; + %GPG_TRUST = ( + &TRUST_UNDEFINED => "not", + &TRUST_NEVER => "not", + &TRUST_MARGINAL => "marginally", + &TRUST_FULLY => "fully", + &TRUST_ULTIMATE => "ultimatly", + ); + $REQUIRED_SIG_TRUST = &TRUST_FULLY; +} + +################################################################################ +################################################################################ + +my @fetched = (); +my %opt = (); +getopts('c:r:p:s:v:t:e:f:EuS:D:R:U:F:ldh', \%opt); + +usage(1) if(defined $opt{h}); +usage(1) if(@ARGV > 1); + +# Make sure we have an action +if (! 
grep { defined } @opt{qw(S D R U F l)}) { + usage(1, "Action required."); +} + +# Merge config with commandline opts +if ($opt{c}) { + %opt = parse_config($opt{c}, \%opt); +} + +LWP::Debug::level("+") if ($opt{d}); + +# Make the version into a regex +if (defined $opt{v}) { + my($a,$b,$c,$d) = ($opt{v} =~ m/^(\d+)\.?(\d+)?\.?(\d+)?(?:-(\D+\d+$)|($))/); + if (defined $d) { + (my $key = $d) =~ s/^(\D+)\d+$/-$1/; + unless (exists $PREFIX_MAP{$key}) { + usage(1, "Invalid version (bad suffix \"$d\"): $opt{v}"); + } + $opt{v} = qr/^$a\.$b\.$c-$d$/; + } + elsif (defined $c) { + $opt{v} = qr/^$a\.$b\.$c(?:-|$)/; + } + elsif (defined $b) { + $opt{v} = qr/^$a\.$b\./; + } + elsif (defined $a) { + $opt{v} = qr/^$a\./; + } + else { + usage(1, "Invalid version: $opt{v}"); + } + if ($opt{d}) { + print STDERR "Using version regex: $opt{v}\n"; + } +} +else { + $opt{v} = qr/^/; +} + +# Remove trailing slashes from uri and path +$opt{r} =~ s/\/+$//; +$opt{p} =~ s/\/+$//; + +# Required opts +usage(1, "Repository (-r) required.") unless(defined $opt{r}); +usage(1, "Local path (-p) required.") unless(defined $opt{p} or defined $opt{l}); + +my $ua = LWP::UserAgent->new( + agent => "ModSecurity Updator/$VERSION", + keep_alive => 1, + env_proxy => 1, + max_redirect => 5, + requests_redirectable => [qw(GET HEAD)], + timeout => ($opt{t} || 600), +); + +sub usage { + my $rc = defined($$_[0]) ? $_[0] : 0; + my $msg = defined($_[1]) ? "\n$_[1]\n\n" : ""; + + print STDERR << "EOT"; +${msg}Usage: $SCRIPT [-c config_file] [[options] [action] + + Options (commandline will override config file): + -r uri RepositoryURI Repository URI. + -p path LocalRepository Local repository path to use as base for downloads. + -s path LocalRules Local rules base path to use for unpacking. + -v text Version Full/partial version (EX: 1, 1.5, 1.5.2, 1.5.2-dev3) + -t secs Timeout Timeout for fetching data in seconds (default 600). + -e addr NotifyEmail Notify via email on update (comma separated list). 
+ -f addr NotifyEmailFrom From address for notification email. + -u Unpack Unpack into LocalRules/version path. + -d Debug Print out lots of debugging. + + Actions: + -S name Fetch the latest stable ruleset, "name" + -D name Fetch the latest development ruleset, "name" + -R name Fetch the latest release candidate ruleset, "name" + -U name Fetch the latest unstable (non-stable) ruleset, "name" + -F name Fetch the latest ruleset, "name" + -l Print listing of what is available + + Misc: + -c Specify a config file for options. + -h This help + +Examples: + +# Get a list of what the repository contains: +$SCRIPT -rhttp://host/repo/ -l + +# Get a partial list of versions 1.5.x: +$SCRIPT -rhttp://host/repo/ -v1.5 -l + +# Get the latest stable version of "breach_ModSecurityCoreRules": +$SCRIPT -rhttp://host/repo/ -p/my/repo -Sbreach_ModSecurityCoreRules + +# Get the latest stable 1.5 release of "breach_ModSecurityCoreRules": +$SCRIPT -rhttp://host/repo/ -p/my/repo -v1.5 -Sbreach_ModSecurityCoreRules +EOT + exit $rc; +} + +sub sort_versions { + (my $A = $a) =~ s/^(\d+)\.(\d+)\.(\d+)(-[^-\d]+|)(\d*)$/sprintf("%03d%03d%03d%03d%03d", $1, $2, $3, $PREFIX_MAP{$4}, $5)/e; + (my $B = $b) =~ s/^(\d+)\.(\d+)\.(\d+)(-[^-\d]+|)(\d*)$/sprintf("%03d%03d%03d%03d%03d", $1, $2, $3, $PREFIX_MAP{$4}, $5)/e; + return $A cmp $B; +} + +sub parse_config { + my($file,$clo) = @_; + my %cfg = (); + + print STDERR "Parsing config: $file\n" if ($opt{d}); + open(CFG, "<$file") or die "Failed to open config \"$file\": $!\n"; + while() { + # Skip comments and empty lines + next if (/^\s*(?:#|$)/); + + # Parse + chomp; + my($var,$q1,$val,$q2) = (m/^\s*(\S+)\s+(['"]?)(.*)(\2)\s*$/); + + # Fixup values + $var = lc($var); + if ($val =~ m/^(?:true|on)$/i) { $val = 1 }; + if ($val =~ m/^(?:false|off)$/i) { $val = 0 }; + + # Set opts + if ($var eq "repositoryuri") { $cfg{r} = $val } + elsif ($var eq "localrepository") { $cfg{p} = $val } + elsif ($var eq "localrules") { $cfg{s} = $val } + elsif ($var eq 
"version") { $cfg{v} = $val } + elsif ($var eq "timeout") { $cfg{t} = $val } + elsif ($var eq "notifyemail") { $cfg{e} = $val } + elsif ($var eq "notifyemailfrom") { $cfg{f} = $val } + elsif ($var eq "notifyemaildiff") { $cfg{E} = $val } + elsif ($var eq "unpack") { $cfg{u} = $val } + elsif ($var eq "debug") { $cfg{d} = $val } + else { die "Invalid config directive: $var\n" } + } + close CFG; + + my($k, $v); + while (($k, $v) = each %{$clo || {}}) { + $cfg{$k} = $v if (defined $v); + } + + return %cfg; +} + +sub repository_dump { + my @replist = repository_listing(); + + print STDERR "\nRepository: $opt{r}\n\n"; + unless (@replist) { + print STDERR "No matching entries.\n"; + return; + } + + for my $repo (@replist) { + print "$repo {\n"; + my @versions = ruleset_available_versions($repo); + for my $version (@versions) { + if ($version =~ m/$opt{v}/) { + printf "%15s: %s_%s.zip\n", $version, $repo, $version; + } + elsif ($opt{d}) { + print STDERR "Skipping version: $version\n"; + } + } + print "}\n"; + } +} + +sub repository_listing { + my $res = $ua->get("$opt{r}/.listing"); + unless ($res->is_success()) { + die "Failed to get repository listing \"$opt{r}/.listing\": ".$res->status_line()."\n"; + } + return grep(/\S/, split(/$CRLFRE/, $res->content)) ; +} + +sub ruleset_listing { + my $res = $ua->get("$opt{r}/$_[0]/.listing"); + unless ($res->is_success()) { + die "Failed to get ruleset listing \"$opt{r}/$_[0]/.listing\": ".$res->status_line()."\n"; + } + return grep(/\S/, split(/$CRLFRE/, $res->content)) ; +} + +sub ruleset_available_versions { + return sort sort_versions map { m/_([^_]+)\.zip.*$/; $1 } ruleset_listing($_[0]); +} + +sub ruleset_fetch { + my($repo, $version) = @_; + + # Create paths + if (! -e "$opt{p}" ) { + mkdir "$opt{p}" or die "Failed to create \"$opt{p}\": $!\n"; + } + if (! 
-e "$opt{p}/$repo" ) { + mkdir "$opt{p}/$repo" or die "Failed to create \"$opt{p}/$repo\": $!\n"; + } + + my $fn = "${repo}_$version.zip"; + my $ruleset = "$repo/$fn"; + my $ruleset_sig = "$repo/$fn.sig"; + + if (-e "$opt{p}/$ruleset") { + die "Refused to overwrite ruleset \"$opt{p}/$ruleset\".\n"; + } + + # Fetch the ruleset + print STDERR "Fetching: $ruleset ...\n"; + my $res = $ua->get( + "$opt{r}/$ruleset", + ":content_file" => "$opt{p}/$ruleset", + ); + die "Failed to retrieve ruleset $ruleset: ".$res->status_line()."\n" unless ($res->is_success()); + + # Fetch the ruleset signature + if (-e "$opt{p}/$ruleset_sig") { + die "Refused to overwrite ruleset signature \"$opt{p}/$ruleset_sig\".\n"; + } + $res = $ua->get( + "$opt{r}/$ruleset_sig", + ":content_file" => "$opt{p}/$ruleset_sig", + ); + + # Verify the signature if we can + if ($HAVE_GNUPG) { + die "Failed to retrieve ruleset signature $ruleset_sig: ".$res->status_line()."\n" unless ($res->is_success()); + + ruleset_verifysig("$opt{p}/$ruleset", "$opt{p}/$ruleset_sig"); + } + push @fetched, [$repo, $version, $ruleset, undef]; +} + +sub ruleset_unpack { + my($repo, $version, $ruleset) = @{ $_[0] || [] }; + my $fn = "$opt{p}/$ruleset"; + + if (! -e "$fn" ) { + die "Internal Error: No ruleset to unpack - \"$fn\"\n"; + } + + # Create paths + if (! -e "$opt{s}" ) { + mkdir "$opt{s}" or die "Failed to create \"$opt{p}\": $!\n"; + } + if (! -e "$opt{s}/$repo" ) { + mkdir "$opt{s}/$repo" or die "Failed to create \"$opt{p}/$repo\": $!\n"; + } + if (! 
-e "$opt{s}/$repo/$version" ) { + mkdir "$opt{s}/$repo/$version" or die "Failed to create \"$opt{p}/$repo/$version\": $!\n"; + } + else { + die "Refused to overwrite previously unpacked \"$opt{s}/$repo/$version\".\n"; + } + + # TODO: Verify sig + + my $pwd = getcwd(); + my $unpackdir = "$opt{s}/$repo/$version"; + chdir "$unpackdir"; + if ($@) { + my $err = $!; + chdir $pwd; + die "Failed to chdir to \"$unpackdir\": $err\n"; + } + undef $!; + system(@$UNZIP, $fn); + if ($? != 0) { + my $err = $!; + chdir $pwd; + die "Failed to unpack \"$unpackdir\"".($err?": $err":".")."\n"; + } + chdir $pwd; + + # Add where we unpacked it + $_->[3] = $unpackdir; + + return 0; +} + +sub ruleset_fetch_latest { + my($repo, $type) = @_; + my @versions = ruleset_available_versions($repo); + my $verre = defined($opt{v}) ? qr/^$opt{v}/ : qr/^/; + my $typere = undef; + + # Figure out what to look for + if (defined($type) and $type ne "") { + if ($type eq "UNSTABLE") { + $typere = qr/\d-\D+\d+$/; + } + else { + $typere = qr/\d-$type\d+$/; + } + } + elsif (defined($type)) { + qr/\.\d+$/; + } + + while (@versions) { + my $last = pop(@versions); + # Check REs on version + if ($last =~ m/$opt{v}/ and (!defined($typere) || $last =~ m/$typere/)) { + return ruleset_fetch($repo, $last); + } + if ($opt{d}) { + print STDERR "Skipping version: $last\n"; + } + } + + die "No $type ruleset found.\n"; +} + +sub notify_email { + my $version_text = join("\n", map { "$_->[0] v$_->[1]".(defined($_->[3])?": $_->[3]":"") } @_); + my $from = $opt{f} ? 
"From: $opt{f}\n" : ""; + my $body = << "EOT"; +ModSecurity rulesets updated and ready to install on host $HOST: + +$version_text + +ModSecurity - http://www.modsecurity.org/ +EOT + + # TODO: Diffs + + open(SM, "|-", @$SENDMAIL) or die "Failed to send mail: $!\n"; + print STDERR "Sending notification email to: $opt{e}\n"; + print SM << "EOT"; +${from}To: $opt{e} +Subject: [$HOST] ModSecurity Ruleset Update Notification + +$body +EOT + close SM; +} + +sub ruleset_verifysig { + my($fn, $sigfn) = @_; + + print STDERR "Verifying \"$fn\" with signature \"$sigfn\"\n"; + my $gpg = new GnuPG(); + my $sig = eval { $gpg->verify( signature => $sigfn, file => $fn ) }; + if (defined $sig) { + print STDERR sig2str($sig)."\n"; + } + if (!defined($sig)) { + die "Signature validation failed.\n"; + } + if ( $sig->{trust} < $REQUIRED_SIG_TRUST ) { + die "Signature is not trusted ".$GPG_TRUST{$REQUIRED_SIG_TRUST}.".\n"; + } + + return; +} + +sub sig2str { + my %sig = %{ $_[0] || {} }; + "Signature made ".localtime($sig{timestamp})." by $sig{user} (ID: $sig{keyid}) and is $GPG_TRUST{$sig{trust}} trusted."; +} + +################################################################################ +################################################################################ + +# List what is there +if ($opt{l}) { repository_dump(); exit 0 } +# Latest stable +elsif (defined($opt{S})) { ruleset_fetch_latest($opt{S}, "") } +# Latest development +elsif (defined($opt{D})) { ruleset_fetch_latest($opt{D}, "dev") } +# Latest release candidate +elsif (defined($opt{R})) { ruleset_fetch_latest($opt{R}, "rc") } +# Latest unstable +elsif (defined($opt{U})) { ruleset_fetch_latest($opt{U}, "UNSTABLE") } +# Latest (any type) +elsif (defined($opt{F})) { ruleset_fetch_latest($opt{F}, undef) } + +# Unpack +if ($opt{u}) { + if (! 
defined $opt{s} ) { usage(1, "LocalRules is required for unpacking.") } + for (@fetched) { + ruleset_unpack($_); + } +} + +# Unpack +if ($opt{e}) { + notify_email(@fetched); +} diff -Nru modsecurity-crs-2.1.2/trunk/util/runAV/common.c modsecurity-crs-2.2.0/trunk/util/runAV/common.c --- modsecurity-crs-2.1.2/trunk/util/runAV/common.c 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/util/runAV/common.c 2010-12-29 16:46:58.000000000 +0000 
@@ -0,0 +1,653 @@ +#include "common.h" + +int lock_file(char *filename) +{ + int fd; + + if (!filename) + return -1; + + if ((fd = open(filename,O_RDONLY | O_CREAT , S_IRWXU)) < 0) { + print_error("lock_file","open",modsec_rpc_log_file,errno); + return -1; + } + + flock(fd,LOCK_EX); + + return fd; +} + +int unlock_file(int fd) +{ + flock(fd,LOCK_UN); + return 0; +} + +int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask) +{ + char time_str[64], line[1024*1024]; + time_t t; + int fd; + int i; + + switch (atoi(modsec_rpc_log_level)) { + case DEBUG: + time(&t); + ctime_r(&t,time_str); + time_str[strlen(time_str)-1] = '\0'; + if ((fd = open(modsec_rpc_log_file,O_WRONLY | O_CREAT | O_APPEND | O_SYNC , S_IRWXU)) < 0) { + print_error("print_request","open",modsec_rpc_log_file,errno); + fd=2; + } + flock(fd,LOCK_EX); + sprintf(line,"%s:REQUEST-BEGIN:======================================\n",time_str); + line[1024*1024-1]='\0'; + write(fd,line,strlen(line)); + snprintf(line,1024*1024,"URL:%s\nCommand:%s\n",url,command); + line[1024*1024-1]='\0'; + write(fd,line,strlen(line)); + for (i=0; i 0 && output) output[0]='\0'; + if (!(fp=popen(command,"r"))) { + print_error("run_cmd","popen",command,errno); + return -1; + } + + while (output_size && fgets(line,output_size>1024?1024:output_size,fp)) { + strcat(output, line); + output_size -= strlen(line); + } + + if (!output_size) + while (fgets(line,1024,fp)); + + pclose(fp); + return 0; +} + +int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters) +{ + int i, idx=-1; + + for (i = 0; (i < max_parameters) && (idx < 0); i++) + if ( strstr(parameters[i].name,parameter_name) ) + idx=i; + return idx; +} + +int parse_file(char *filename, parameter_t *parameters, int max_parameters) +{ + char line[1024], *ptr; + int i; + FILE *fp; + + if (!max_parameters || (parameters == NULL) || (filename == NULL)) { + print_error("parse_file","invalid input 
parameters","none",0); + return 0; + } + + if ((fp = fopen(filename,"r")) == NULL ) { + print_error("parse_file","fopen",filename,errno); + return 0; + } + + i=0; + while ( i < max_parameters && fgets(line,1024,fp)) { + if (ptr = strstr(line,"#")) + *ptr='\0'; + if (sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value) != 2) + continue; + i++; + } + + fclose(fp); + + return i; +} + +int change_file(char *filename, parameter_t parameter) +{ + char line[1024], *name, *value; + int i, found=0; + FILE *fp; + + if (filename == NULL) + return 0; + + if ((fp = fopen(filename,"r+")) == NULL ) + return 0; + + i=0; + while ( fgets(line,1024,fp)) { + sscanf(line,"%[^=]=%s",name,value); + if (name && !strcmp(name,parameter.name)) { + fprintf(fp,"%s=%s\n",name,parameter.value); + found=1; + continue; + } else fprintf(fp,"%s",line); + } + + fclose(fp); + return found; +} + +int copy_file(char *src_file, char *dst_file) +{ + char line[1024]; + FILE *sfp, *dfp; + + if (src_file == NULL || dst_file == NULL) + return 0; + + if ((sfp = fopen(src_file,"r")) == NULL ) + return 0; + + if ((dfp = fopen(dst_file,"w")) == NULL ) { + fclose(sfp); + return 0; + } + + while ( fgets(line,1024,sfp)) + fprintf(dfp,"%s",line); + + fclose(sfp); + fclose(dfp); + return 1; +} + +int parse_query(char *query, parameter_t *parameters, int max_parameters) +{ + char *ptr, *dst_ptr, num[3]; + int i, len; + + if (!max_parameters || (parameters == NULL) || (query == NULL)) + return 0; + + ptr=query; + i=0; + while ((i < max_parameters) && *ptr) { + parameters[i].name[0] = '\0'; + dst_ptr = parameters[i].name; + len=0; + while (*ptr && (*ptr != '=') && (len++ < MAX_NAME_LENGTH)) { + if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { + num[0]=*(ptr+1); + num[1]=*(ptr+2); + num[2]='\0'; + ptr += 3; + *dst_ptr=(char)strtol(num,NULL,16); + if (*dst_ptr) dst_ptr++; + } else *dst_ptr++ = *ptr++; + } + if (len >= MAX_NAME_LENGTH) + while (*ptr && (*ptr != '=')) + *ptr++; + if (*ptr) ptr++; + *dst_ptr = '\0'; + 
parameters[i].value[0] = '\0'; + dst_ptr = parameters[i].value; + len=0; + while (*ptr && (*ptr != '&') && (len++ < MAX_VALUE_LENGTH)) { + if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { + num[0]=*(ptr+1); + num[1]=*(ptr+2); + num[2]='\0'; + ptr += 3; + *dst_ptr=(char)strtol(num,NULL,16); + if (*dst_ptr) dst_ptr++; + } else *dst_ptr++ = *ptr++; + } + if (len >= MAX_VALUE_LENGTH) + while (*ptr && (*ptr != '&')) + *ptr++; + if (*ptr) ptr++; + *dst_ptr = '\0'; + i++; + } + + return i; +} + +int parse_query_and_body (parameter_t *parameters, int max_parameters) +{ + char *query, *content_length_env; + int i, num_of_params, body_len, content_length; + + query = getenv("QUERY_STRING"); + if (query && *query) + return(parse_query(query,parameters,max_parameters)); + else { + content_length_env = getenv("CONTENT_LENGTH"); + if (!content_length_env) + return 0; + if (! *content_length_env) + return 0; + content_length=atol(content_length_env); + if (!(query=malloc(content_length+1))) + return 0; + i = 1; body_len=0; + while ( (body_len < content_length) && (i>0) ) { + i = read(0,query+body_len,(content_length-body_len)<1024?(content_length-body_len):1024); + if (i > 0 ) body_len+=i; + } + query[body_len] = '\0'; + num_of_params = parse_query(query,parameters,max_parameters); + free(query); + return num_of_params; + } +} + +int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]) +{ + char name[MAX_NAME_LENGTH], value[MAX_VALUE_LENGTH]; + int i, num_of_params=0; + + if (num_of_args > 0) + for (i=0; i0) ) { + i = read(sock,reply+reply_len,(max_reply_size-reply_len)<1024?(max_reply_size-reply_len):1024); + if (i > 0 ) reply_len+=i; + } + reply[reply_len] = '\0'; + + shutdown(sock,SHUT_RDWR); + close(sock); + return reply_len; +} + +int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips) +{ + int i, idx=-1; + + for (i = 0; (i < num_of_ips) && (idx < 0); i++) + if ( strstr(blocklist[i].ip,ip) ) + idx=i; + return idx; +} + +int 
remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips) +{ + int i, j, idx=-1; + time_t t; + + time(&t); + for (i = 0; i < num_of_ips; i++) + if ( (ip && strstr(blocklist[i].ip,ip)) || (!ip && (t > blocklist[i].end)) ) { + idx=i; + for (j=i; j<(num_of_ips-1); j++) { + strcpy(blocklist[j].ip,blocklist[j+1].ip); + blocklist[j].start = blocklist[j+1].start; + blocklist[j].duration = blocklist[j+1].duration; + blocklist[j].end = blocklist[j+1].end; + strcpy(blocklist[j].token,blocklist[j+1].token); + } + num_of_ips--; + } + return idx; +} + +int read_conf_file (char *filename) +{ + int idx, num_of_params; + parameter_t parameters[MAX_PARAMS]; + + num_of_params=parse_file(filename,parameters,MAX_PARAMS); + + if ((idx = find_param_idx("MODSEC_CLI_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_cli_home,parameters[idx].value); + if ((idx = find_param_idx("MODSEC_RPC_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_home,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_FILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_file,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_level,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_SSL_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_ssl_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_SENSOR_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_sensor_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_REVERSEPROXY_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_reverseproxy_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_EXTERNALNIC_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_externalnic_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_MUI_LOCKFILE",parameters,num_of_params)) >= 0) + 
strcpy(modsec_rpc_mui_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_level,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_home,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_IP",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ip,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_PORT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_port,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_NETWORK_PREFIX",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_network_prefix,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_BIN",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_bin,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_CONF",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_conf,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXT_NIC",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ext_nic,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_PID",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_pid,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_WHITELIST",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_whitelist,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_BLACKLIST",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_blacklist,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_TIMEOUT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_timeout,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXCHANGE",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_exchange,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXT_IPS",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ext_ips,parameters[idx].value); + + 
if ((idx = find_param_idx("MODSEC_MUI_UI_ADMIN",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_admin,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_PASSWORD_FILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_password_file,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_MUI_UI_IPADDRESS",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_ipaddress,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_MUI_UI_PORT",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_port,parameters[idx].value); + + if ((idx = find_param_idx("SENSOR_ID",parameters,num_of_params)) >= 0) + strcpy(sensor_id,parameters[idx].value); + + if ((idx = find_param_idx("SERIAL",parameters,num_of_params)) >= 0) + strcpy(serial,parameters[idx].value); + + if ((idx = find_param_idx("VERSION_NUMBER",parameters,num_of_params)) >= 0) + strcpy(version_number,parameters[idx].value); + + if ((idx = find_param_idx("RELEASE_DATE",parameters,num_of_params)) >= 0) + strcpy(release_date,parameters[idx].value); + + if ((idx = find_param_idx("BRIDGE_MODE",parameters,num_of_params)) >= 0) + strcpy(bridge_mode,parameters[idx].value); + + if ((idx = find_param_idx("DATA_DISK_SPACE",parameters,num_of_params)) >= 0) + strcpy(data_disk_space,parameters[idx].value); + + if ((idx = find_param_idx("CONN_RATE",parameters,num_of_params)) >= 0) + strcpy(conn_rate,parameters[idx].value); + + if ((idx = find_param_idx("CONN_RATE_PER_ADDR",parameters,num_of_params)) >= 0) + strcpy(conn_rate_per_addr,parameters[idx].value); + + if ((idx = find_param_idx("CONNS",parameters,num_of_params)) >= 0) + strcpy(conns,parameters[idx].value); + + if ((idx = find_param_idx("CONNS_PER_ADDR",parameters,num_of_params)) >= 0) + strcpy(conns_per_addr,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY",parameters,num_of_params)) >= 0) + 
strcpy(modsec_proxy,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_SCRIPT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_script,parameters[idx].value); + + return num_of_params; +} + +int init_cgi() +{ + char *modsec; + + setresuid(0,0,0); + setresgid(0,0,0); + + strcpy(modsec_cli_home,"/opt/modsecurity-cli"); + strcpy(modsec_rpc_home,"/opt/modsecurity-rpc"); + strcpy(modsec_rpc_log_file,"/opt/modsecurity-rpc/var/logs/rpc.log"); + strcpy(modsec_rpc_log_level,"0"); + strcpy(modsec_rpc_ssl_lockfile,"/opt/modsecurity-rpc/var/run/ssl.lock"); + strcpy(modsec_rpc_sensor_lockfile,"/opt/modsecurity-rpc/var/run/sensor.lock"); + strcpy(modsec_rpc_externalnic_lockfile,"/opt/modsecurity-rpc/var/run/externalnic.lock"); + strcpy(modsec_rpc_reverseproxy_lockfile,"/opt/modsecurity-rpc/var/run/reverseproxy.lock"); + strcpy(modsec_rpc_mui_lockfile,"/opt/modsecurity-rpc/var/run/mui.lock"); + strcpy(modsec_proxy_home,"/opt/modsecurity-proxy"); + strcpy(modsec_proxy_ip,"127.0.0.2"); + strcpy(modsec_proxy_port,"80"); + strcpy(modsec_proxy_bin,"/bin/modsec-proxyd"); + strcpy(modsec_proxy_script,"/etc/init.d/modsec-proxy"); + strcpy(modsec_proxy_conf,"/etc/httpd.conf"); + strcpy(modsec_proxy_ext_nic,"eth0"); + strcpy(modsec_proxy_network_prefix,"172.16.0.0/12"); + strcpy(modsec_proxy_pid,"/opt/modsecurity-proxy/var/run/httpd.pid"); + strcpy(modsec_proxy_whitelist,"/opt/breach/etc/modsec_whitelist.conf"); + strcpy(modsec_proxy_blacklist,"/opt/breach/etc/modsec_blacklist.conf"); + strcpy(modsec_proxy_timeout,"120"); + strcpy(modsec_proxy_exchange,"/opt/modsecurity-proxy/var/exchange"); + strcpy(modsec_proxy_ext_ips,"/opt/breach/etc/modsec_ips.conf"); + strcpy(modsec_mui_ui_ipaddress,"127.0.0.1"); + strcpy(modsec_mui_ui_port,"443"); + strcpy(modsec_rpc_password_file,"/opt/modsecurity-rpc/etc/.htpasswd"); + strcpy(modsec_mui_ui_admin,"admin"); + strcpy(sensor_id,"1"); + strcpy(serial,"1"); + strcpy(version_number,"2.0"); + strcpy(bridge_mode,"off"); + 
strcpy(data_disk_space,"60"); + strcpy(release_date,"11-15-2006"); + strcpy(conn_rate,"0"); + strcpy(conn_rate_per_addr,"0"); + strcpy(conns,"0"); + strcpy(conns_per_addr,"0"); + + if (modsec = getenv("MODSEC")) + read_conf_file(modsec); + else { + if (!read_conf_file("/opt/breach/etc/modsec.conf")) + read_conf_file("/etc/modsec.conf"); + } + + return 0; +} + diff -Nru modsecurity-crs-2.1.2/trunk/util/runAV/common.h modsecurity-crs-2.2.0/trunk/util/runAV/common.h --- modsecurity-crs-2.1.2/trunk/util/runAV/common.h 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/trunk/util/runAV/common.h 2010-12-29 16:46:58.000000000 +0000 
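Review bot: `parse_file` reads each line with `sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value)`, which has no field widths: `line` is 1024 bytes but `name` is only MAX_NAME_LENGTH (256) bytes per common.h, so a configuration line with a long key writes past the field. Bounding the conversions, `sscanf(line,"%255[^=]=%1023s",parameters[i].name,parameters[i].value)`, closes that. `change_file` has a worse form of the same call: `name` and `value` are declared as uninitialised `char *` and passed straight to `sscanf`, so they should be arrays, `char name[MAX_NAME_LENGTH], value[MAX_VALUE_LENGTH];`, with the same widths. This carries more weight because `init_cgi` calls `setresuid(0,0,0)` and then takes the configuration path from the `MODSEC` environment variable, so, if the binary is installed with the privilege that call needs, the parser runs as root on a file the caller chose.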
@@ -0,0 +1,99 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define MAX_PARAMS 256
+#define MAX_IPS 256
+#define MAX_NAME_LENGTH 256
+#define MAX_VALUE_LENGTH 1024
+#define MAX_CMD_LENGTH 1024
+#define MAX_TOKEN_LENGTH 1024
+#define MAX_OUTPUT_LINE_LEN (1024)
+#define MAX_OUTPUT_SIZE (MAX_OUTPUT_LINE_LEN*1024)
+#define WHITE 1
+#define BLACK 0
+#define NONE 0
+#define DEBUG 1
+
+typedef struct {
+ char name[MAX_NAME_LENGTH];
+ char value[MAX_VALUE_LENGTH];
+} parameter_t;
+
+typedef struct {
+ char ip[16];
+ time_t start;
+ long duration;
+ time_t end;
+ char token[MAX_TOKEN_LENGTH];
+} blocklist_t;
+
+EXTERN int lock_file(char *filename);
+EXTERN int unlock_file(int fd);
+EXTERN int print_reply(char *reply);
+EXTERN int print_error(char *func1, char* func2, char* str, int err);
+EXTERN int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask);
+EXTERN int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask);
+EXTERN int is_proxy_up();
+EXTERN int run_cmd(char *command, char *output, int output_size);
+EXTERN int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]);
+EXTERN int parse_query_and_body(parameter_t *parameters, int max_parameters);
+EXTERN int parse_query(char *query, parameter_t *parameters, int max_parameters);
+EXTERN int parse_file(char *filename, parameter_t *parameters, int max_parameters);
+EXTERN int copy_file(char *src_file, char *dst_file);
+EXTERN int change_file(char *filename, parameter_t parameter);
+EXTERN int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters);
+EXTERN int init_cgi();
+EXTERN int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size);
+EXTERN int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips);
+EXTERN int remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips);
+
+EXTERN char modsec_rpc[1024];
+EXTERN char modsec_rpc_home[1024];
+EXTERN char modsec_rpc_log_file[1024];
+EXTERN char modsec_rpc_log_level[1024];
+EXTERN char modsec_rpc_ssl_lockfile[1024];
+EXTERN char modsec_rpc_externalnic_lockfile[1024];
+EXTERN char modsec_rpc_sensor_lockfile[1024];
+EXTERN char modsec_rpc_reverseproxy_lockfile[1024];
+EXTERN char modsec_rpc_mui_lockfile[1024];
+EXTERN char modsec_proxy[1024];
+EXTERN char modsec_proxy_home[1024];
+EXTERN char modsec_proxy_script[1024];
+EXTERN char modsec_proxy_ip[1024];
+EXTERN char modsec_proxy_port[1024];
+EXTERN char modsec_proxy_bin[1024];
+EXTERN char modsec_proxy_conf[1024];
+EXTERN char modsec_proxy_ext_nic[1024];
+EXTERN char modsec_proxy_pid[1024];
+EXTERN char modsec_proxy_whitelist[1024];
+EXTERN char modsec_proxy_blacklist[1024];
+EXTERN char modsec_proxy_network_prefix[1024];
+EXTERN char modsec_proxy_timeout[1024];
+EXTERN char modsec_proxy_exchange[1024];
+EXTERN char modsec_proxy_ext_ips[1024];
+EXTERN char modsec_rpc_password_file[1024];
+EXTERN char modsec_mui_ui_admin[1024];
+EXTERN char modsec_mui_ui_ipaddress[1024];
+EXTERN char modsec_mui_ui_port[1024];
+EXTERN char modsec_cli_home[1024];
+EXTERN char sensor_id[1024];
+EXTERN char serial[1024];
+EXTERN char version_number[1024];
+EXTERN char bridge_mode[1024];
+EXTERN char data_disk_space[1024];
+EXTERN char release_date[1024];
+EXTERN char conn_rate[1024];
+EXTERN char conn_rate_per_addr[1024];
+EXTERN char conns[1024];
+EXTERN char conns_per_addr[1024];
diff -Nru modsecurity-crs-2.1.2/trunk/util/runAV/comp modsecurity-crs-2.2.0/trunk/util/runAV/comp
--- modsecurity-crs-2.1.2/trunk/util/runAV/comp 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/runAV/comp 2010-12-29 16:46:58.000000000 +0000
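Review bot: Nothing in this header defines `EXTERN` or guards against double inclusion; it compiles only because the `comp` script in this diff passes `-DEXTERN=` for common.c and `-DEXTERN=extern` for runAV.c. Built any other way, every prototype and every 1024-byte global fails to compile, and with an empty `EXTERN` in more than one unit the globals may be defined more than once. A default at the top of the file, `#ifndef EXTERN` / `#define EXTERN extern` / `#endif`, together with an include guard would make the contract explicit. The very generic macro names `DEBUG`, `NONE`, `WHITE` and `BLACK` can also collide with other headers, so a project prefix would be safer.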
@@ -0,0 +1,2 @@
+gcc -c -o common.o -DEXTERN= common.c
+gcc -o runAV -DEXTERN=extern common.o runAV.c
diff -Nru modsecurity-crs-2.1.2/trunk/util/runAV/runAV.c modsecurity-crs-2.2.0/trunk/util/runAV/runAV.c
--- modsecurity-crs-2.1.2/trunk/util/runAV/runAV.c 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/runAV/runAV.c 2010-12-29 16:46:58.000000000 +0000
@@ -0,0 +1,48 @@
+#include "common.h"
+
+main(int argc, char *argv[])
+{
+ char cmd[MAX_OUTPUT_SIZE];
+ char output[MAX_OUTPUT_SIZE];
+ int error;
+ char *colon;
+ char *keyword;
+
+ if (argc > 1) {
+ sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
+ output[0] = '\0';
+ error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+ if (error != 0) {
+ printf ("1 exec error %d: OK", error);
+ } else if (!*output) {
+ printf ("1 exec empty: OK");
+ }
+ else {
+ colon = strstr(output, ":");
+ if (colon) { colon += 2; }
+ if (!colon) {
+ printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
+ }
+ else if (keyword = strstr(colon, " FOUND")) {
+ *keyword = '\0';
+ printf ("0 clamscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, " ERROR")) {
+ *keyword = '\0';
+ printf ("0 clamscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, "OK")) {
+ printf ("1 clamscan: OK");
+ }
+ else if (keyword = strstr(colon, "Empty file")) {
+ printf ("1 empty file");
+ }
+ else if (keyword = strstr(colon, "Can't access file ")) {
+ printf ("0 invalid file %s", keyword+18);
+ }
+ else {
+ printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
+ }
+ }
+ }
+}
diff -Nru modsecurity-crs-2.1.2/trunk/util/runAV/runAV-clamd.c modsecurity-crs-2.2.0/trunk/util/runAV/runAV-clamd.c
--- modsecurity-crs-2.1.2/trunk/util/runAV/runAV-clamd.c 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/runAV/runAV-clamd.c 2010-12-29 16:46:58.000000000 +0000
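Review bot: In runAV.c the scan command is built with `sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1])` and passed to `run_cmd`, which (in common.c in this same diff) runs it through `popen`, so the file name is interpreted by a shell and is copied into `cmd` without a length check. The same pattern is in runAV-clamd.c (`clamdscan`) and in runav.pl, where `$FILE` is interpolated into a backtick command; there the list form `open(my $fh, '-|', $CLAMSCAN, '--stdout', '--disable-summary', $FILE)` avoids the shell. The sketch below starts the scanner with an argument vector instead and keeps `cmd` only for the diagnostic messages. It also answers with a leading `0` when the scanner cannot be started or prints nothing, instead of `1 exec error %d: OK`, so that a scanner that did not run is not reported like a clean file; please confirm that this matches the verdict convention the caller expects.

```c
    if (argc > 1) {
        int fds[2];
        pid_t pid;
        ssize_t n;
        size_t used = 0;

        /* cmd is kept only for the diagnostic messages below; it is never executed */
        snprintf (cmd, sizeof(cmd), "/usr/bin/clamscan --no-summary %s", argv[1]);

        if (pipe(fds) != 0) {
            printf ("0 exec error: pipe");
            return 1;
        }
        pid = fork();
        if (pid < 0) {
            printf ("0 exec error: fork");
            return 1;
        }
        if (pid == 0) {
            /* child: stdout goes to the pipe, argv[1] is passed as one argument */
            close(fds[0]);
            dup2(fds[1], 1);
            close(fds[1]);
            execl("/usr/bin/clamscan", "clamscan", "--no-summary", argv[1], (char *)NULL);
            _exit(127);
        }
        close(fds[1]);
        while (used < sizeof(output) - 1 &&
               (n = read(fds[0], output + used, sizeof(output) - 1 - used)) > 0)
            used += (size_t)n;
        output[used] = '\0';
        close(fds[0]);
        waitpid(pid, NULL, 0);

        if (!*output) {
            printf ("0 exec empty");
        }
        /* … unchanged: else-branch that parses the clamscan output … */
```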
@@ -0,0 +1,48 @@
+#include "common.h"
+
+main(int argc, char *argv[])
+{
+ char cmd[MAX_OUTPUT_SIZE];
+ char output[MAX_OUTPUT_SIZE];
+ int error;
+ char *colon;
+ char *keyword;
+
+ if (argc > 1) {
+ sprintf (cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]);
+ output[0] = '\0';
+ error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+ if (error != 0) {
+ printf ("1 exec error %d: OK", error);
+ } else if (!*output) {
+ printf ("1 exec empty: OK");
+ }
+ else {
+ colon = strstr(output, ":");
+ if (colon) { colon += 2; }
+ if (!colon) {
+ printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
+ }
+ else if (keyword = strstr(colon, " FOUND")) {
+ *keyword = '\0';
+ printf ("0 clamdscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, " ERROR")) {
+ *keyword = '\0';
+ printf ("0 clamdscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, "OK")) {
+ printf ("1 clamdscan: OK");
+ }
+ else if (keyword = strstr(colon, "Empty file")) {
+ printf ("1 empty file");
+ }
+ else if (keyword = strstr(colon, "Can't access file ")) {
+ printf ("0 invalid file %s", keyword+18);
+ }
+ else {
+ printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
+ }
+ }
+ }
+}
diff -Nru modsecurity-crs-2.1.2/trunk/util/runav.pl modsecurity-crs-2.2.0/trunk/util/runav.pl
--- modsecurity-crs-2.1.2/trunk/util/runav.pl 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/util/runav.pl 2010-12-29 16:46:58.000000000 +0000
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+#
+# runav.pl
+# Copyright (c) 2004-2011 Trustwave
+#
+# This script is an interface between ModSecurity and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+
+$CLAMSCAN = "clamscan";
+
+if ($#ARGV != 0) {
+ print "Usage: modsec-clamscan.pl \n";
+ exit;
+}
+
+my ($FILE) = shift @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+ $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+ $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+ $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+ $output = "1 clamscan: OK";
+}
+
+print "$output\n";
diff -Nru modsecurity-crs-2.1.2/util/regression_tests/INSTALL modsecurity-crs-2.2.0/util/regression_tests/INSTALL
--- modsecurity-crs-2.1.2/util/regression_tests/INSTALL 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/util/regression_tests/INSTALL 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,21 @@
+INSTALLATION STEPS:
+
+1) Edit the rulestest.pl script to define local path to perl
+
+2) Edit the ruletest.conf script to define the proper global settings for:
+ - servers to test
+ - path to the modsecurity audit log
+
+3) Copy the testserver.cgi script to the /cgi-bin directory if you wish to
+ test the outbound/response rules.
+
+4) Edit the modsecurity_crs_10_config.conf file and update/enable the
+ Regression Testing variable settings.
+
+5) Copy/Symlink the modsecurity_crs_59_header_tagging.conf file to the
+ activated_rules directory
+
+6) Restart Apache
+
+7) Run the rulestest.pl script using the rules files in the local /tests
+ directory.
diff -Nru modsecurity-crs-2.1.2/util/regression_tests/modsecurity_crs_59_header_tagging.conf modsecurity-crs-2.2.0/util/regression_tests/modsecurity_crs_59_header_tagging.conf
--- modsecurity-crs-2.1.2/util/regression_tests/modsecurity_crs_59_header_tagging.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/util/regression_tests/modsecurity_crs_59_header_tagging.conf 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,38 @@
+#
+# This section is only used during regression testing to externalize the matched
+# rule IDs in response headers so the testing client can verify matches from
+# remote ModSecurity installs.
+#
+# WARNING: You do not want this in normal operations as this will expose
+# the inner workings of your ModSecurity configurations.
+#
+# Must enable/configure the TX:REGRESSION_TESTING variable in the
+# modsecurity_crs_10_config.conf file.
+#
+SecRule &TX:REGRESSION_TESTING|TX:REGRESSION_TESTING "@eq 0" "phase:4,t:none,nolog,id:'981228',pass,skipAfter:END_RESPONSE_HEADER_TAGGING"
+SecRule TX:ANOMALY_SCORE "@eq 0" "phase:4,id:'981229',t:none,nolog,pass,skipAfter:END_RESPONSE_HEADER_TAGGING"
+SecRule TX:/^\d*\-/ "." "phase:4,id:'981230',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"
+
+Header append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
+Header append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
+Header append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
+Header append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
+Header append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
+Header append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
+Header append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
+Header append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
+Header append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
+Header append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
+Header append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
+Header append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
+Header append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
+Header append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
+Header append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
+Header append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
+Header append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
+Header append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
+Header append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
+Header append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
+Header set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score
+
+SecMarker END_RESPONSE_HEADER_TAGGING
diff -Nru modsecurity-crs-2.1.2/util/regression_tests/README modsecurity-crs-2.2.0/util/regression_tests/README
--- modsecurity-crs-2.1.2/util/regression_tests/README 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/util/regression_tests/README 2011-05-26 18:18:01.000000000 +0000
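Review bot: Once `TX:REGRESSION_TESTING` is enabled, rule 981230 and the `Header append` / `Header set` lines send matched rule names and anomaly scores to every client, not only to the regression-test client; the only gate is the variable check in rule 981228. A second skip rule keyed on the client address, placed right after 981228, would limit the exposure to the test host, for example `SecRule REMOTE_ADDR "!@streq TEST_CLIENT_IP" "phase:4,id:'ID_PLACEHOLDER',t:none,nolog,pass,skipAfter:END_RESPONSE_HEADER_TAGGING"`, where the address and the rule id are placeholders to be filled in. The header block would also benefit from a comment stating its limit, such as `# Only matched_rule-1 .. matched_rule-20 are exported; later matches are not visible to the test client.`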
@@ -0,0 +1,105 @@
+
+ModSecurity Rules regression testing suite
+==========================================
+
+Rules regression test tool installation:
+----------------------------------------
+Test should be run from the same host ModSecurity runs on, or a computer that
+has file system access to ModSecurity audit log (see %modseclog in step 5)
+
+1. Copy rulesregtest.pl, rulesregtest.conf and test files to a directory on the
+server.
+
+2. Put testserver.cgi in the server's /cgi-bin directory (required only if
+outbound tests are used)
+
+3. Set ModSecurity to use serial logging.
+
+4. Ensure that the web server response with 200 to access the home page (since
+default tests use "/" as the URL)
+
+5. Edit rulesregtest.conf:
+- Server address and port (%server directive). The default (127.0.0.1:80) may
+be OK.
+- Location of ModSecurity audit log file (%modseclog directive).
+
+Writing tests:
+--------------
+
+Write a text file with the following directives:
+
+%test - starts a test and set is name (used for report)
+
+%status - sets the expected status code
+
+%event - set a string to search in the audit log of the test. You can
+use multiple directives to define many required patterns. For example:
+ %event [id "960009"]
+
+%output - set a string to search in the HTTP response. You can use
+multiple directives to define many required patterns.
+
+%request – multiple lines of the request on the following lines, terminated by
+the next directive (a line starting with "%"). A request can include variables
+using perl notation ($var). this would be replaced when testing with a value
+set by the %var directive.
+
+- Note: Do not forget to leave an empty line as required by HTTP. The script
+locks otherwise.
+
+- Note: Content-Length has to be calculated manually.
+
+Finding bugs
+------------
+
+The following directives will help to find the problems:
+
+%verbose – will output request, reply and new ModSecurity audit log lines for
+the current test.
+
+%relevant – will output verbose output for tests that failed.
+
+
+Variable replacement:
+---------------------
+%var variable=value, value, value….. - Set values for a variable, the test
+would be repeated using every value. Values are set only for the current test.
+
+Multiple %var directives for the same variable add values to the list and do
+not replace values, so:
+
+%var variable=value1
+%var variable=value2
+
+Would test with both value1 and value2.
+
+If multiple variables are used in the same test, than the test is carried for
+each combination of values of the variables:
+
+%var var1=v1, v2
+%var var3=v3, v4
+
+The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4),
+(v2, v3), (v2, v4).
+
+
+Testing responses:
+------------------
+To force response content in request, use /cgi-bin/testserver.cgi as the target
+URL and add one or more of the following headers to the reuqest:
+
+Response-Status - Force a response status line. Defaults to "200 OK".
+Response-Content - Adds the string to the response. Note that this would not be
+the entire response.
+Response-Content-Type - sets the value of the content type header, defaults to
+"text/html"
+Response-Header-Name - Add a header to the response. This defined the new
+header's name. Response-Header-Value defines the header's value.
+Response-Header-Value - The value of the new header defined by the request
+header Response-Header-Name. Note: If Response-Header-Name is empty, then this
+parameter will be ignored.
+
+** NOT IMPLEMENTED YET **
+Response-File - the name of a file to use as the entire response. Name is
+reletive to the $RESPONSE_FILE_DIR in the testserver.cgi sctip.
+** NOT IMPLEMENTED YET **
diff -Nru modsecurity-crs-2.1.2/util/regression_tests/rulestest.conf modsecurity-crs-2.2.0/util/regression_tests/rulestest.conf
--- modsecurity-crs-2.1.2/util/regression_tests/rulestest.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/util/regression_tests/rulestest.conf 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,15 @@
+# Set to the address and port of the web server protected by the tested ruleset.
+#
+# TODO the web server has to respond with status code 200 to request for the
+# home page (/). This is usually the default configuration.
+#
+# TODO the script 'testserver' should be installed on this web server in the
+# /cgi-bin directory to facilitate outbound rules testing.
+#
+%global server 127.0.0.1:80
+# Set to the path to ModSecurity audit file
+#
+# TODO set ModSecurity for serial logging.
+#
+%global mslog /usr/local/apache/logs/audit.log
+#%msdebug /usr/local/apache/logs/debug.log
diff -Nru modsecurity-crs-2.1.2/util/regression_tests/rulestest.pl modsecurity-crs-2.2.0/util/regression_tests/rulestest.pl
--- modsecurity-crs-2.1.2/util/regression_tests/rulestest.pl 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/util/regression_tests/rulestest.pl 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,931 @@ +#!/opt/local/bin/perl +# +# Copyright (C) 2006-2011 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details.# +# For Internal Use only! +# +# Originally writtern by Ofer Shezaf +# + +# !! todo: +# !! ~ request for URI command in conf file +# !! ~ Ensure headers terminators +# !! read rulesets config file for event mane, policy and patterns +# !! fuz patterns from config file +# !! %include directive + +use strict; +#use warnings; +#use diagnostics; +use IO::File; +use IO::Socket; +use IO::Select; +use HTTP::Request; +use HTTP::Response; +use Safe; +use Storable qw(dclone); +use Getopt::Long; +use Pod::Usage; + +# -- Add library +use FindBin qw($Bin $Script); +use lib "$Bin"; + +use Data::Dumper; +autoflush STDOUT; + +# -- consts +our $SKELETON_REQUEST = < '2', 'fuzz' => 1, 'vars' => {}, 'port' => 80 }; +$global_state->{'global'} = $global_state; + +GetOptions +( + $global_state, + 'server|s:s', + 'port|p:s', + 'timeout|t:f', + 'mslog:s', + 'msdebug:s', + 'o:s', + 'i=s@', + 'run:s@', + 'from:s', + 'relevant|r!', + 'fuzz|f!', + 'clean!', + 'check!', + 'verbose|v!', + 'help|h|?', + 'man' +) || pod2usage (-exitstatus => 0, -verbose => 0); + +pod2usage(-exitstatus => 1, -verbose => 1) if $global_state->{'help'}; +pod2usage(-exitstatus => 1, -verbose => 2) if $global_state->{'man'}; + +push @{$global_state->{'input'}}, @ARGV; +pod2usage (2) if $#{$global_state->{'input'}} < 0; + +# -- get list of test files +my $testfiles = []; +my ($progname) = ($Script =~ /(.*)\..*$/); +if (-e "$progname.conf") { + push @$testfiles, "$progname.conf"; +} +foreach my $arg (@{$global_state->{'input'}}) { + push @$testfiles, glob $arg; +} + +foreach my $file (@$testfiles) { + if (!-e $file) { + print STDERR "Error 101: test file $file not found\n"; + exit; + } +} + +my ($outfile, $outfilename); +if ($global_state->{'output'}) { + 
$outfile = new IO::File ">$global_state->{'output'}"; + if (!$outfile) { + print STDERR "Error 106: unable to create report file $global_state->{'output'}. $@\n"; + exit; + } + $outfilename = $global_state->{'output'}; +} +else { + $outfile = *STDOUT; + $outfilename = 'STDOUT'; +} + +report_header($outfile, $outfilename); + +foreach my $filename (@$testfiles) { + parse_test_file ($outfile, $filename, $global_state); +} +exit (0); + +# -- read an input file and execute tests in it +sub parse_test_file +{ + my ($outfile, $filename, $parent_state) = @_; + my $file_state = inherit_state ($parent_state); + + report_file_header($outfile, $filename); + + my $linenumber = 0; + my $testfile = new IO::File "<$filename"; + if (!$testfile) { + print STDERR "Error 105: unable to open tests file $filename. $@\n"; + print $outfile "unable to open file"; + return; + } + + + my $state = $file_state; + while (defined(my $line=<$testfile>)) { + $linenumber++; + $line = tchomp ($line); + $state = parse_test_line ($line, $state, $testfile); + if (!ref $state) { + print STDERR "$state in file $filename at line $linenumber\n"; + print STDERR "line: $line\n" if $parent_state->{'check'}; + + return; + } + while (my $test = shift @{$file_state->{'tests'}}) { + run_test ($outfile, $test, $filename); + } + } + run_test ($outfile, $state, $filename) if $state->{'name'}; +} + + +# -- parse the next input line +sub parse_test_line +{ + my ($line, $state, $file) = @_; + + # -- Handle EOF + return $state unless defined $line; + + # -- Hande multi line remarks + if ($state->{'multi_line_cmd'} eq "remark") { + undef $state->{'multi_line_cmd'} if ($line =~ /^\%endremark/i); + return $state; + } + + # -- Handle multi line directives + if (my $incmd = $state->{'multi_line_cmd'}) { + + # -- Request parser + if ($incmd =~ /^request$/i) { + if (my ($len) = $line =~ /^Content-Length: (\d+)$/) { + $state->{'request_len'} = $len; + } elsif ($state->{'request_state'} eq 'headers' && $line =~ /^$/) { + 
$state->{'request_state'} = 'body'; + $state->{'multi_line_value'} .= "$line\x0D\x0A"; + if (defined $state->{'request_len'}) { + my $result = read $file, my $buffer, $state->{'request_len'}; + return "Error 110: Error reading file" if !defined $result; + return "Error 111: File terminated unexpectedly (read $result char of required $state->{'request_len'})" if $result != $state->{'request_len'}; + #print "==>$state->{'multi_line_value'}<==\n$buffer\n----\n"; + $state->{'multi_line_value'} .= $buffer; + return $state; + undef $state->{'request_len'}; + } + } + } + + # X-Real-Content-Length: + # -- Append to value if not yet next directive + if ($line !~ /^\%/) { + $state->{'multi_line_value'} .= "$line\x0D\x0A"; + return $state; + } + + # -- Otherwise use directive + $state = use_test_directive ($state, $incmd, $state->{'multi_line_value'}, $state->{'multi_line_global'}); + return $state if (!ref $state); + undef $state->{'multi_line_cmd'}; + undef $state->{'multi_line_value'}; + undef $state->{'request_len'}; + } + + # -- Handle empty lines and single line remarks + return $state if $line =~ /^\s*(\#|$)/; + + # -- Parse directive + my ($global); + $line =~ /^\%(\w+)\s*(.*)?$/; + my ($cmd, $operand) = ($1,$2); + if ($cmd =~ /^global$/i) { + $global = 1; + ($cmd, $operand) = ($operand =~ /^\s*(\w+)\s*(.*)?$/); + } + if (!$operand) { + $operand = 1; + if ($cmd =~ /^no(.*)$/) { + $cmd = $1; + $operand = 0; + } + } + $cmd = lc $cmd; + + # -- Start multi line directives + if ($cmd =~ /^(?:request|remark)$/i) { + $state->{'multi_line_cmd'} = $cmd; + $state->{'multi_line_global'} = $global; + return $state; + } + + return use_test_directive ($state, $cmd, $operand, $global); +} + +sub use_test_directive +{ + my ($state, $cmd, $operand, $global) = @_; + + # -- Simple directives + if ($cmd =~ /^(?:server|port|timeout|verbose|relevant|mslog|msdebug|request|uri|request|fuzz|clean|pause)$/i) { + if ($global) { + $state->{'global'}->{$cmd} = $operand; + } + $state->{$cmd} = 
$operand; + $state->{'request_state'} = 'headers'; + } + + # -- List directives + elsif ($cmd =~ /^(?:status|remote_event|event|audit|output)$/i) { + push_state ($state, $state->{'global'}, $cmd, $global, $operand); + } + + # -- Variable assignment + elsif ($cmd =~ /^(?:var)$/i) { + my ($var, $values) = ($operand =~ /\s*(\w+)\s*=\s*?(.*)/); + my @values = split /\s*,\s*/, $values; + push_state ($state->{'vars'}, $state->{'global'}->{'vars'}, $var, $global, @values); + } + + # -- End test (return to file context) + elsif ($cmd =~ /endtest/i) { + if ($state->{'name'}) { + push @{$state->{'parent'}->{'tests'}}, $state; + } + else { + return "Error 107: %endtest directive without a preceding %test directive"; + } + $state = $state->{'parent'}; + } + + # -- New test (end test and start a new one) + elsif ($cmd =~ /test/i) { + if ($state->{'name'}) { + push @{$state->{'parent'}->{'tests'}}, $state; + $state = inherit_state ($state->{'parent'}); + } + else { + $state = inherit_state ($state); + } + $state->{'name'} = $operand; + } + + # -- error + else { + return "Error 102: syntax error"; + } + + return $state; +} + + +sub reconfigure +{ + my ($state) = @_; + + my ($restart) = 0; + if ($state->{'clean'}) { + unlink $state->{'mslog'} if $state->{'mslog'}; + unlink $state->{'msdebug'} if $state->{'msdebug'}; + $restart = 1; + global_clear ($state, 'clean'); + } + if ($restart) { + print "## Restarting apache\n"; + print STDERR `/usr/local/apache/bin/apachectl restart`; + sleep (1); + } +} + +sub inherit_state +{ + my ($state) = @_; + my $clone = dclone $state; + $clone->{'parent'} = $state; + $clone->{'global'} = $state->{'global'}; + delete $clone->{'tests'}; + return $clone; +} + +# -- Add values to key in state taking into about both overriding and global +sub push_state +{ + my ($hash, $global_hash, $key, $global, @values) = @_; + if ($global) { + push @{$global_hash->{$key}}, @values; + } + elsif (!$hash->{"_OVERRIDE_$key"}) { + $hash->{$key} = []; + } + 
$hash->{"_OVERRIDE_$key"} = 1; + push @{$hash->{$key}}, @values; +} + +sub global_clear +{ + my ($state, $key) = @_; + while ($state) { + undef $state->{$key}; + $state = $state->{'parent'}; + } +} + +sub run_test +{ + my ($outfile, $state, $file) = @_; + + return if $state->{'check'}; + if ($state->{'from'}) { + return if $state->{'name'} !~ /$state->{'from'}/; + } + global_clear ($state, 'from'); + + my $do_test = $#{$state->{'run'}} < 0; + foreach my $select (@{$state->{'run'}}) { + $do_test ||= ($state->{'name'} =~ /$select/); + } + return if !$do_test; + + if ($state->{'request'} && $state->{'uri'}) { + print STDERR "Error 103: cannot use both %request and %uri in test $state->{'name'} in file $file\n"; + exit; + } + reconfigure($state); + if ($state->{'uri'}) { + $state->{'request'} = $SKELETON_REQUEST; + $state->{'request'} =~ s/\$URI/$state->{'uri'}/; + } + my $requests = $state->{'fuzz'} ? + generate_vectors ($state->{'request'}, $state->{'vars'}, $state->{'verbose'}) : + {'' => $state->{'request'}}; + VECTOR: while (my ($vars, $request) = each %$requests) + { + my $test = inherit_state ($state); + $test->{'request'} = $request; + if ($test->{'mslog'}) { + my $output = `wc $test->{'mslog'}`; + $output =~ /\s*(\d+)/; + $test->{'mslog_start'} = $1; + } + if ($test->{'msdebug'}) { + my $output = `wc $test->{'msdebug'}`; + $output =~ /\s*(\d+)/; + $test->{'msdebug_start'} = $1; + } + my ($server, $port) = ($test->{'server'}, $test->{'port'}); + if (!$port && ($server =~ /^(.+)\:(\d+)$/)) { + $server = $1; + $port = $2; + } + my $sock = IO::Socket::INET->new(PeerAddr => $server, PeerPort => $port); + if (!$sock) { + print STDERR "Error 104: error connecting to server $server. 
$@\n"; + exit; + } + + print $sock $request; + my $line; + do { + my @ready; + @ready = IO::Select->new($sock)->can_read($test->{'timeout'}); + if ($#ready < 0) { + $test->{'response'} = $test->{'response_status'} = "N/A"; + report_test ($outfile, 'TIMEOUT', $test, $request, $vars); + next VECTOR; + } + + if (defined($line = <$sock>)) { + $test->{'response'} .= $line; + if (!$test->{'response_status'}) { + if ($line =~ /^HTTP\S*\s+(\d+)/) { + $test->{'response_status'} = $1; + } + elsif ($line =~ /400 Bad Request<\/title>/) { + $test->{'response_status'} = 400; + } + } + } + } while (defined($line)); + + if ($test->{'mslog'}) { + my $output = `wc $test->{'mslog'}`; + $output =~ /\s*(\d+)/; + my $lines = $1 - $test->{'mslog_start'}; + $test->{'mslog'} = `tail -n $lines $test->{'mslog'}`; + } + + if ($test->{'msdebug'}) { + my $output = `wc $test->{'msdebug'}`; + $output =~ /\s*(\d+)/; + my $lines = $1 - $test->{'msdebug_start'}; + $test->{'msdebug'} = `tail -n $lines $test->{'msdebug'}`; + } + + $test->{'match_status'} = check_match ($test->{'response_status'}, $test->{'status'}); + $test->{'match_output'} = check_match ($test->{'response'}, $test->{'output'}); + $test->{'match_audit'} = !$test->{'mslog'} || check_match ($test->{'mslog'}, $test->{'audit'}); + my $test_events; + foreach my $event (@{$test->{'event'}}) { + if ($event =~ /^\!(.*)$/) { + push @$test_events, "!\\[id \\\"$1\\\"\\]" + } + else { + push @$test_events, "\\[id \\\"$event\\\"\\]" + } + } + $test->{'match_events'} = !$test->{'mslog'} || check_match ($test->{'mslog'}, $test_events); + my $result = + ($test->{'match_status'} + && $test->{'match_output'} + && $test->{'match_audit'} + && $test->{'match_events'}) ? 
"OK" : "FAIL" ; + report_test ($outfile, $result, $test, $request, $vars); + sleep $test->{'pause'} if $test->{'pause'}; + } +} + +sub check_match +{ + my ($text, $patterns) = @_; + my $match = 1; + foreach my $pattern (@$patterns) { + if ($pattern =~ /^\!(.*)$/) { + return 0 if $text =~ /$1/sm; + } + else { + return 0 if $text !~ /$pattern/sm; + } + } + return $match; +} + +sub report_header +{ + my ($outfile, $outfilename) = @_; + print $outfile "\nModSecurity rules test report generated to $outfilename on " . localtime() . "\n"; + print $outfile "Produced by rulestest.pl, (c) Trustwave Holdings Inc, 2011\n"; +} + +sub report_file_header +{ + my ($outfile, $filename) = @_; + print $outfile "\n## reading tests file $filename\n"; +} + +sub report_test +{ + my ($outfile, $result, $test, $request, $vars) = @_; + + + print $outfile "\n" if $result ne "OK"; + print $outfile "$result: "; + print $outfile "$test->{'name'}"; + print $outfile " ($vars)" if $vars; + print $outfile ", status = $test->{'response_status'}"; + my (@events) = ($test->{'mslog'} =~ /\[id \"(\d+)\"\]/gim); + print $outfile $#events < 0 ? ", no events recieved" : ", event(s) = " . (join ",", @events) ; + if ($result eq "FAIL") { + print $outfile "\n"; + if (!$test->{'match_status'}) { + print $outfile "Expected status code(s): " . (join ",", @{$test->{'status'}}) . "\n"; + } + if (!$test->{'match_events'}) { + print $outfile "Expected event(s): " . (join ",", @{$test->{'event'}}) . "\n"; + } + if (!$test->{'match_audit'}) { + print $outfile "Audit does not match\n"; + } + if (!$test->{'match_output'}) { + print $outfile "Output does not match\n"; + } + #$test->{'match_events'} && print "Events: $test->{'response_status'} and not " . (join ",", $test->{'status'}) . 
"\n"; + print_details ($test) if $test->{'verbose'} || $test->{'relevant'}; + } + print $outfile "\n"; + print_details ($test) if $test->{'verbose'}; +} + + +sub print_details +{ + my ($test) = @_; + print $outfile "---------\nRequest:\n$test->{'request'}\n"; + print $outfile "---------\nResponse:\n$test->{'response'}\n"; + print $outfile "---------\nLog:\n$test->{'mslog'}\n" if ($test->{'mslog'}); + print $outfile "---------\nDebug:\n$test->{'msdebug'}\n" if ($test->{'msdebug'}); +} + +sub generate_vectors +{ + my ($script, $vars, $verbose) = @_; + my $test_requests = []; + + my $vectors = [ {} ]; + while (my ($var, $values) = each %$vars) { + next if $var =~ /^_OVERRIDE_/; + next if $script !~ /\$$var\b/; + foreach my $vector (@$vectors) { + $vector->{$var} = $values->[0]; + } + if ($#$values > 0) { + my $collect_vectors = []; + shift @$values; + foreach my $value (@$values) { + my $new_vectors = dclone $vectors; + foreach my $vector (@$new_vectors) { + $vector->{$var} = $value; + } + push @$collect_vectors, @$new_vectors; + }; + push @$vectors, @$collect_vectors; + } + } + + $script =~ s/\$([a-zA-Z_]+)/\$vector->{$1}/g; + #print "SCRIPT=>$script\n"; + my $results; + foreach our $vector (@$vectors) { + my $var = join ",", map { "$_=$vector->{$_}" } keys %$vector; + $vector->{'CONTENT_LENGTH'} = '$CONTENT_LENGHT'; + my $result; + if (!defined($result = eval_expression ($script, $vector, $verbose))) { + print STDERR "Error 109: unable to fuzz request. 
Not fuzzing test.\n"; + return ({'' => $script}); + } + #my $req = HTTP::Request->parse($result); + my ($content) = $result =~ /.*?\x0D\x0A\x0D\x0A(.*)/sm; + $vector->{'CONTENT_LENGTH'} = length $1; + $result = eval_expression ($script, $vector, $verbose); + $results->{$var} = $result; + } + return $results; +} + + +sub eval_expression +{ + my ($script, $vector, $verbose) = @_; + + $script =~ s/([\"\@\%])/\\$1/g; + my $result; + my $warn; + local $SIG{__WARN__} = sub { $warn = $_[0] }; + eval { + my $safe = new Safe; + $safe->share ('$vector'); + $result = $safe->reval ("return \"$script\""); + }; + if ((my $error = $@) || $warn) { + print STDERR "Error 108: unable to evaluate expression\n"; + print STDERR "SCRIPT: $script\n" if $verbose; + print STDERR "EVAL ERROR: $error\n" if $error && $verbose; + print STDERR "EVAL WARNING: $warn\n" if $warn && $verbose; + return undef; + } + return $result; +} + +sub tchomp { + my ($text) = @_; + $text =~ s/^(.*?)(?:\x0D\x0A|\x0A|\x0D|\x0C|\x{2028}|\x{2029})/$1/s; + return $text; +} + + + +__END__ + +=head1 NAME + +rulestest.pl + +=head1 SYNOPSIS + +rulestest.pl [options] [test files ...] + +This program reads and executed tests in input test file(s) agains a +ModSecurity protected web application. + +use -help for options. +use -man for detailed usage information. + +=head1 OPTIONS + +the following options can be used either on the command line or (using the +long version) as directives (prefixed by %) in test files. + + -s or -server <address>[:<port>] + address of server to send. Mandatory before any test, but can appear + in the test files themselves + + -p or -port <port> + port to send tests to, defaults to 80 + + -t or -timeout <time> + time in seconds, possibly fractional, to wait for server response. + If the server does not respond within this period the test fails. + the default is 10 seconds. 
+ + Timeout should be small for synthetic tests, such as those + generated from capture files as the server would respond fast. + The timeout may need to be longer for real world servers. + + -f or -fuzz + Whether to use fuzzing or not. You may not want to use fuzzing in + case the requests where generated automatically and may includes + syntax that will be considered by rulestest as substitutable + variables. + + -mslog <file name> + ModSecurity log file to search for events in. If not specified + events are not (useful if tests are not run locally). + + -msdebug <file name> + ModSecurity debug file to extract debug information + to test report. If not specified, debug information is not + add to the report. + + -o <file name> + name of output file. Defaults to STDOUT. Not relevant as directive + in test files. + + -i <file name> + Names of input files. can also appear as parameters on the command + line. Not relevant as directive in test files. + + -check + Does not run test but only parses the input file + + -run <regular expression> + a regular expresion to select tests to perfrom. Only tests whose + name match the regular expression are executed. The option + (or directive) can be used multiple times, so a test matching + any of the regular expressions will be executed. + + -from <regular expression> + a regular expression selecting the first test to perform. + + -r or -relevant + Detailed information in the test report in case + of a test failure. + + -v or -verbose + Detailed information for all tests. Verbose will also cause specific + errors to include print more information. + + -c or -clean + deletes log and debug files and restart apache (using apachctl). + Significantly enhance performance of the tests and can be used as + many times as needed in test files. + + Clean is executed once, when starting the 1st test after it is + defined regardless of the scope it is defined at. 
Specifically + it will remove the log and debug files as defined when the test + start: this enables the use of -clean on the command line even + though file locations are defined only later on, for example in + rulestest.conf. + + +=head1 INSTALLATION & CONFIGURATION + +Test should be run from the same host ModSecurity runs on, or a computer that +has file system access to ModSecurity audit log to. This allows rulestest to +examine ModSecurity audit log for events and extract information from +ModSecurity debug log to the test report. + +In order to test for events, ensure that ModSecurity is set use serial logging. + +=head2 Local and Global Settings: + +When used in a file, directives are local to the file, and when used whithin +a test they are local to a test. To specify global settings preced the directive +wiht the keyword global: + +%global server 127.0.0.1:80 + +if a file with the name rulestest.conf exists in the same directory as the +script, it will be read. I can contain any directive valid in a test file. +It can be used to set default + +=head2 Binary Attrbiutes: + +Directives that except a yes/no value can be set in varios ways. Providing the +value 0 or 1 will set them to no and yes respectively. The directive without +any values is eqvivalent to setting it to 1, and the directive preceded by "no" +is eqvivalent to 0, for example: + +%noverbose + +will set the current scope to not report verbosely. + +=head2 Default Settings: + +The file rulestest.conf is automatically read by rulestest.pl before any +tests file and may contain global setup directives. You may especially want to +set there settings such as %server, %mslog and %msdebug as well as reporting +level using %verbose and %relevant. + +=head1 WRITING TESTS + +To write a test use the following directives: + +=head2 defining the test request + + %test <name> - + starts a test and set is name as shown in the report + + %endtest - + used to terminate a test. 
Ususally there is no need to use this + directive as the next %test directive implicitly defines the end of + a test. You may want to use it if you want to set additional file + level settings for the remaining tests. + + %remark - + Ignore all lines (including directives) until a matching %endremark + directive. use # at the beginning of a line to add a remark line to + the file, if not in the middle of a multi-line directive such as + %request. + + %request - + multiple lines of the request should appear on the lines follwing + the directive terminated by the next =directive (a line starting + with "%"). Do not forget to leave an empty line as required by + HTTP. + + You can use the special variable $CONTENT_LENGTH to have + rulestest set the correct content length for the request. + $CONTENT_LENGTH can save counting, but its main use is to enable + fuzzing of requests with variables in the post data. + + %uri - + a uri to send to the server. it would be embedded in a + standard request + + %pause - + define a delay in seconds after the test and before the next test. + Useful if the feature tested involves timeouts. + +either a %uri or a %request directive must appeat in a test. A %request or a +%uri can include variables using perl notation ($varname). this would be +replaced when testing with a value set by the %var directive. + +Empty lines are skipped if not in the middle of multi-line directives such +as %request. + +=head2 defining expected output + + %status <regexp> - + The expected response status code(s). + + %event <regexp> - + A regexp that should match event ids generated by the test in + the audit log. + + %audit <regexp> - + A regexp that should match in the audit log of the test. + + %output <regexp> - + A regexp that should match in set a string to search in the HTTP + response. You can use multiple directives to define many required + patterns. + +for %event, %audit and %output you can use multiple directives to define +many required patterns. 
All of them must match for the rule to match. Use the +regular expresion or (|) option to check for at least one option from a group +of patterns. + +Each regular expression can be preceded by a "!" mark to negate the test. the +regular expression following must not appear in the test result. + +=head1 REPORTING + +By default rulestest will provide brief message describing if the test succeded +in any of the checks done: status code, events generated, pattern in audit log +and pattern in response. + +the following directives allow control on the level of details of the report: + + %verbose - + from the test for which the directive appears onward, output request, + reply and new ModSecurity audit log lines for each test. set to 0 to + stop (1 is implicit on set). + + %relevant - + from the test for which the directive appears onward, output verbose + output for tests that failed any check. set to 0 to stop (1 is + implicit on set). + +In most cases, you will only be interested in the failed tests. In that case, +you can use awk with the following command: +gawk '$1=="OK:" {printme=0}; $1=="FAIL:" {printme=1}; $1=="##" {printme=1}; printme==1 {print}' + +=head1 VARIABLE SUBSTITUTION (FUZZING) + +The directive "%var variable=value[, value[, valueM-^E..]] sets values for a +variable which are embedded in the request sent. The test would be repeated +using every value. Values are set only for the current test. Use the +%globalvar directive to set global variables. + +Multiple %var directives for the same variable add values to the list and do +not replace values, so: + +%var variable=value1 + +%var variable=value2 + +Would test with both value1 and value2. + +If multiple variables are used in the same test, than the test is carried for +each combination of values of the variables: + +%var var1=v1, v2 + +%var var3=v3, v4 + +The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4), +(v2, v3), (v2, v4). 
+ +As noted before, the special variable $CONTENT_LENGTH can be used to +automatically calculate the content length based on the actually generated +request after variable substitution. + +=head1 TESTING RESPONSES + +In order for outbound tests the script testserver.cgi has to be installed in +the web server's /cgi-bin directory. + +To force response content in request, use /cgi-bin/testserver.cgi as the target +URL and add one or more of the following headers to the reuqest: + +Response-Status: - Force a response status line. Defaults to "200 OK". + +Response-Content: - Adds the string to the response. Note that this would not be +the entire response. + +Response-Content-Type: - sets the value of the content type header, defaults to +"text/html" + +Response-Header-Name: - Adds a header to the response. This defined the new +header's name. Response-Header-Value defines the header's value. + +Response-Header-Value: - The value of the new header defined by the request +header Response-Header-Name. Note: If Response-Header-Name is empty, then this +parameter will be ignored. + +=head1 ERRORS + + Error 101: + test file <file> not found. Check that all options are valid and no + option was considered a test file. + + Error 102: + syntax error in file <file> on line <line>. a line which is not + a remark, not a directive and not in any multiline section (request + and multi line remark) was found at specified line and file. + + Error 103: + cannot use both %request and %uri. Only one of these directive can + be specified in each test. + + Error 104: + error connecting to server. The specific error is also displayed. + This error usually implies a communication problem or specificaiton + of a wrong server or port. + + Error 105: + Error occured when trying to open a tests file. Tests will continue + with next tests file. + + Error 106: + Error occured when trying to create report file. 
+ + Error 107: + %endtest directive without a preceding %test directive + + Error 108: + The expression evulator (using Perl eval function) failed. The + expression probably includes some Perl syntax. use -verbose to + print the actual error returned. + + Error 109: + Fuzzing the request failed. This probably implies that the test + request includes some Perl syntax. You may want to use the nofuzz + option to overcome the problem. + + +=cut diff -Nru modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests --- modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests 2011-05-26 18:18:01.000000000 +0000 
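Review bot: In `run_test` the log path taken from `%mslog`/`%msdebug` (or `-mslog`/`-msdebug`) is interpolated into backtick commands, `wc $test->{'mslog'}` and `tail -n $lines $test->{'mslog'}`, so the value is parsed by a shell and a path containing spaces or shell metacharacters changes what is executed. Test files are input to this tool and can set these directives, so the path should never reach a shell. Counting and reading the lines in Perl with three-argument `open` removes both the shell and the dependency on external `wc`/`tail`. The `msdebug` branch has the same two call sites and needs the same replacement. The sketch below shows only the new helpers and the changed assignments; the rest of `run_test` is untouched.

```perl
# Number of lines currently in $path; 0 when the file cannot be opened.
sub count_lines
{
    my ($path) = @_;
    open (my $fh, '<', $path) or return 0;
    my $count = 0;
    $count++ while <$fh>;
    close $fh;
    return $count;
}

# Text of every line of $path that follows the first $start lines.
sub lines_after
{
    my ($path, $start) = @_;
    open (my $fh, '<', $path) or return '';
    my $seen = 0;
    my $text = '';
    while (my $line = <$fh>) {
        $text .= $line if ++$seen > $start;
    }
    close $fh;
    return $text;
}

# ... unchanged: run_test up to the start of the VECTOR loop ...
        if ($test->{'mslog'}) {
            $test->{'mslog_start'} = count_lines ($test->{'mslog'});
        }
# ... unchanged: connect, send the request, read the response ...
        if ($test->{'mslog'}) {
            $test->{'mslog'} = lines_after ($test->{'mslog'}, $test->{'mslog_start'});
        }
# ... msdebug: the same two replacements with 'msdebug' / 'msdebug_start' ...
```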
@@ -0,0 +1,526 @@
+%timeout 10
+# FILE 20 - protocol violations
+
+%test Invalid request line 1
+#####################################################
+%status 400
+%event 981227
+%request
+ GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+
+
+%test Invalid request line 2
+#####################################################
+%status 400
+%event 981227
+%request
+GET \index.html HTTP\1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+
+
+%test Invalid request line 3
+#####################################################
+%status 501
+%event 960911
+%request
+|GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+
+
+%test POST without content length
+#####################################################
+%output 960012
+%event 960012
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+
+
+%test Invalid Request Body (multipart) 1
+#####################################################
+%event 960912|960914
+#%event 960914
+%output 960912|960914
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Contt-Disposition: form-data; name="file"; filename="test"
+Content-Type: application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915724--
+
+
+%test Invalid Request Body (multipart) 2
+#####################################################
+%event 960912|960914
+%output 960912|960914
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name='name; filename="'; name=payload;"
+Content-Type: application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915724--
+
+
+%test Invalid Request Body (multipart) 3
+#####################################################
+%event 960915
+%output 960915
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="file"; filename="test"
+Content-Type: application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915725--
+
+
+%test Invalid Request Body (multipart) 4
+#####################################################
+%event 960000
+%output 960000
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: $CONTENT_LENGTH
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="fi;le"; filename="test"
+Content-Type: application/octet-stream
+
+Rotem & Ayala
+
+-----------------------------265001916915724
+Content-Disposition: form-data; name="name"
+
+tt2
+-----------------------------265001916915724
+Content-Disposition: form-data; name="B1"
+
+Submit
+-----------------------------265001916915724--
+
+
+%test Invalid Request Body (XML)
+#####################################################
+%event 960912
+%output 960912
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.3.2/form.html
+Content-Type: text/xml
+Content-Length: $CONTENT_LENGTH
+
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <SOAP-ENV:Body>
+ <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
+ <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</xkms:RespondWith>
+ </xkms:StatusRequest>
+ </SOAP-ENV:Body><error></err>
+</SOAP-ENV:Envelope>
+
+
+%test Accept only digits in content length 1
+#####################################################
+%status 413
+%event 960016
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 3
+Content-Length: 3
+
+abc
+
+
+%test Accept only digits in content length 2
+#####################################################
+%status 413
+%event 960016
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 3;
+
+abc
+
+
+%test GET/HEAD Request with Body
+#####################################################
+%output 960011
+%event 960011
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 3
+
+abc
+
+
+%test Identity Content Encodings
+#####################################################
+%output 960902
+%event 960902
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Encoding: Identity
+
+
+%test Expect Header
+#####################################################
+%output 960022
+%event 960022
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Expect: 100-continue
+
+
+%test Pragma Header Requires Cache-Control
+#####################################################
+%output 960020
+%event 960020
+%request
+GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Pragma: no-cache
+
+
+%test Range Header
+#####################################################
+%output 958291
+%event 958291
+%request
+GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Range: bytes=0-
+
+
+%test Duplicate Connection Headers
+#####################################################
+%output 958295
+%event 958295
+%var connection=keep-alive
+%var connection=close
+%request
+GET / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Connection: $connection, $connection
+
+%test Validate Encoding (Request URI)
+#####################################################
+%output 950107
+%event 950107
+%var encoded_arg=%1G
+%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
+%request
+GET /?parm=$encoded_arg HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Validate Encoding (Request Body)
+#####################################################
+%output 950108
+%event 950108
+%var encoded_arg=%1G
+%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: $CONTENT_LENGTH
+
+param=$encoded_arg
+
+
+%test Multiple URL Encoding
+#####################################################
+%output 950109
+%event 950109
+%var encoded_arg=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34
+#%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
+%request
+GET /?parm=$encoded_arg HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Validate Encoding (XML)
+#####################################################
+%event 950108
+%output 950108
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Content-Type: text/xml
+Content-Length: $CONTENT_LENGTH
+
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <SOAP-ENV:Body>
+ <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
+ <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
+ <xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
+ </xkms:StatusRequest>
+ </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+
+%test Validate encoding (negative, %u in req)
+#####################################################
+#%status 200
+%event !50107
+%request
+GET / HTTP/1.1
+X-Real-Content-Length: 803
+Accept: */*
+X-Original-Client: 212.199.066.195:01078
+X-Unique-Transaction-Id: 54222
+x-flash-version: 8,0,22,0
+Cache-Control: no-transform
+Accept-Encoding: gzip, deflate
+If-Modified-Since: Wed, 04 Aug 2004 13:45:45 GMT
+If-None-Match: "2c011d-1708-4110e889"
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+Host: galim.org.il
+Connection: Keep-Alive
+Cookie: _HangMan=%u05D0%u05D0%u05D1%u05D2%u05D3%u05D4%u05D5%u05D6%u05D7%u05D8%u05D9%u05DB%u05DC%u05DE%u05E0%u05E1%u05E2%u05E4%u05E6%u05E7%u05E8%u05E9%u05EA%u05DC%u05D9%u05D1%20%u05D4%u05D0%u05D8%u05DC%u05D4*; request_uri=http%3A%2F%2Fpopup.galim.org.il%2Fcgi-bin%2Fgalim%2Fmywaves%2Fclick_milon.pl%3Fword%3D%EE%F9%E7%F7%E9%ED%26act%3Dhh%26visual%3D0
+
+
+%test Validate utf-8 encoding
+#####################################################
+%output 950801
+%event 950801
+%var arg=%c0%af
+%var arg=%c0
+%var arg=%F5%80%BF%BF
+%request
+GET /?param=$arg HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Identify full-width unicode encoding
+#####################################################
+%output 950116
+%event 950116
+%request
+GET /?param=foo%uFF01 HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Proxy access attempt
+#####################################################
+%output 960014
+%event 960014
+%request
+GET http://www.some_remote_site.com/ HTTP/1.0
+Host: www.some_remote_site.com
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+
+%test Validate Byte Range 1 (NulBytes)
+##################################################### +%output 960901 +%event 960901 +%request +GET /?param=foo%00 HTTP/1.0 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Accept-Language: en-us,en;q=0.5 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 + + +%test Validate Byte Range 2 (NulBytes) +##################################################### +%output 960018 +%event 960018 +%request +GET /?param=foo%09 HTTP/1.0 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Accept-Language: en-us,en;q=0.5 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 + +%endtest + diff -Nru modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests --- modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_40_generic_attacks_misc.tests 2011-05-26 18:18:01.000000000 +0000 
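Review bot: The negative check in "Validate encoding (negative, %u in req)" reads `%event !50107`, which looks like a truncated 950107, the id asserted by "Validate Encoding (Request URI)" earlier in this file. If the runner compares ids exactly, the assertion targets a rule that does not exist and the test passes whatever the URL-encoding rule does with the %u cookie; if it matches by substring, it works only by accident. I would write `%event !950107`. The "Validate Encoding (Request Body)" request also carries two headers fused on one line (`Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflate`), which should be split unless the malformed header is intended.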
@@ -0,0 +1,97 @@
+%timeout 6
+
+%test HTTP Request Smuggling 1
+###################################
+%status 501
+%event 950012
+%request
+GET / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Transfer-Encoding: utf-8
+Transfer-Encoding: utf-8
+
+
+%test HTTP Request Smuggling 2
+###################################
+%status 413
+%event 950012
+%request
+POST / HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Content-Length: 3
+Content-Length: 3
+
+abc
+
+
+%test HTTP response splitting
+###################################
+%event 950910|950911
+%output 950910|950911
+%request
+GET /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html> HTTP/1.1
+Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
+Referer: http://www.mummy.com/index.html
+Accept-Language: zh-sg
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+Host: www.mummy.com
+Content-Length: 0
+Connection: Keep-Alive
+Cache-Control: no-cache
+
+
+%test XML Support
+###################################
+%event 950908
+%output 950908
+%request
+POST / HTTP/1.0
+User-Agent: SQLData Client/3.02
+Host: www.soapclient.com:80
+Connection: Close
+Accept: */*
+Content-Length: $CONTENT_LENGTH
+SOAPAction: ""
+Content-Type: text/xml; charset="utf-8"
+
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <SOAP-ENV:Body>
+ <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
+ <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#KeyName</xkms:RespondWith>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#KeyValue</xkms:RespondWith>
+ <xkms:RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</xkms:RespondWith>
+ <xkms:RespondWith>root@</xkms:RespondWith>
+ </xkms:StatusRequest>
+ </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+
+%test email injection
+###################################
+%event 950019
+%output 950019
+%request
+POST / HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Content-Length:$CONTENT_LENGTH
+Content-Type: application/x-www-form-urlencoded
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.
+ +sender=haxor@attack.xxx%0ASubject:Ooops%0ABcc:target@nothappy.xxx%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0AHTML%20Message.%0A%0A--frog%0AContent-Type:text/html;name=Nastycode.html;%0AContent-Transfer-Encoding:8bit%0AContent-Disposition:attachment%0A%0AHTML%20File%0A%0A--frog--%0A + +%endtest + diff -Nru modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests --- modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_40_sql_injection_attacks.tests 2011-05-26 18:18:01.000000000 +0000 
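Review bot: The two request-smuggling tests pin a `%status` (501 and 413) that presumably comes from the web server's own rejection of the malformed request rather than from rule 950012, so they can pass or fail with the server version independently of the rule. "HTTP Request Smuggling 2" also sends the same duplicated `Content-Length: 3` as "Accept only digits in content length 1" in the protocol-violations file, which expects event 960016 instead, and nothing says whether both rules are meant to fire on it. I would add a comment under each `%test` line, for example `# status comes from the server; the rule is checked by %event 950012`, and state the expected overlap with 960016.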
@@ -0,0 +1,376 @@
+
+# File 40
+%request
+GET /?v=$sig HTTP/1.0
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.
+
+
+%test SQL injection - sp_addextendedproc
+########################################
+%event 959037
+%output 959037
+%var sig=sp_addextendedproc
+%endtest
+
+%test SQL injection - sp_execute
+########################################
+%event 959038
+%output 959038
+%var sig=sp_execute
+%endtest
+
+%test SQL injection - sp_executesql
+########################################
+%event 959039
+%output 959039
+%var sig=sp_executesql
+%endtest
+
+%test SQL injection - sp_makewebtask
+########################################
+%event 959040
+%output 959040
+%var sig=sp_makewebtask
+%endtest
+
+%test SQL injection - sp_oacreate
+########################################
+%event 959041
+%output 959041
+%var sig=sp_oacreate
+%endtest
+
+%test SQL injection - sp_prepare
+########################################
+%event 959042
+%output 959042
+%var sig=sp_prepare
+%endtest
+
+%test SQL injection - sp_sqlexec
+########################################
+%event 959043
+%output 959043
+%var sig=sp_sqlexec
+%endtest
+
+%test SQL injection - sql_longvarchar
+########################################
+%event 959044
+%output 959044
+%var sig=sql_longvarchar
+%endtest
+
+%test SQL injection - sql_variant
+########################################
+%event 959045
+%output 959045
+%var sig=sql_variant
+%endtest
+
+%test SQL injection - tbcreator
+########################################
+%event 959046
+%output 959046
+%var sig=tbcreator
+%endtest
+
+%test SQL injection - utl_file
+########################################
+%event 959048
+%output 959048
+%var sig=utl_file
+%endtest
+
+%test SQL injection - utl_http
+########################################
+%event 959049
+%output 959049
+%var sig=utl_http
+%endtest
+
+%test SQL injection - varchar
+########################################
+%event 959050
+%output 959050
+%var sig=varchar
+%endtest
+
+%test SQL injection - xp_availablemedia
+########################################
+%event 959051
+%output 959051
+%var sig=xp_availablemedia
+%endtest
+
+%test SQL injection - xp_cmdshell
+########################################
+%event 959052
+%output 959052
+%var sig=xp_cmdshell
+%endtest
+
+%test SQL injection - xp_dirtree
+########################################
+%event 959053
+%output 959053
+%var sig=xp_dirtree
+%endtest
+
+%test SQL injection - xp_enumdsn
+########################################
+%event 959054
+%output 959054
+%var sig=xp_enumdsn
+%endtest
+
+%test SQL injection - xp_execresultset
+########################################
+%event 959055
+%output 959055
+%var sig=xp_execresultset
+%endtest
+
+%test SQL injection - xp_filelist
+########################################
+%event 959056
+%output 959056
+%var sig=xp_filelist
+%endtest
+
+%test SQL injection - xp_loginconfig
+########################################
+%event 959057
+%output 959057
+%var sig=xp_loginconfig
+%endtest
+
+%test SQL injection - xp_makecab
+########################################
+%event 959058
+%output 959058
+%var sig=xp_makecab
+%endtest
+
+%test SQL injection - xp_ntsec
+########################################
+%event 959059
+%output 959059
+%var sig=xp_ntsec
+%endtest
+
+%test SQL injection - xp_regaddmultistring
+########################################
+%event 959060
+%output 959060
+%var sig=xp_regaddmultistring
+%endtest
+
+%test SQL injection - xp_regdeletekey
+########################################
+%event 959061
+%output 959061
+%var sig=xp_regdeletekey
+%endtest
+
+%test SQL injection - xp_regdeletevalue
+########################################
+%event 959062
+%output 959062
+%var sig=xp_regdeletevalue
+%endtest
+
+%test SQL injection - xp_regenumkeys
+########################################
+%event 959063
+%output 959063
+%var sig=xp_regenumkeys
+%endtest
+
+%test SQL injection - xp_regenumvalues
+########################################
+%event 959064
+%output 959064
+%var sig=xp_regenumvalues
+%endtest
+
+%test SQL injection - xp_regread
+########################################
+%event 959065
+%output 959065
+%var sig=xp_regread
+%endtest
+
+%test SQL injection - xp_regremovemultistring
+########################################
+%event 959066
+%output 959066
+%var sig=xp_regremovemultistring
+%endtest
+
+%test SQL injection - xp_regwrite
+########################################
+%event 959067
+%output 959067
+%var sig=xp_regwrite
+%endtest
+
+%test SQL injection - xp_terminate
+########################################
+%event 959068
+%output 959068
+%var sig=xp_terminate
+%endtest
+
+%test SQL injection - 'sqloledb'
+########################################
+%event 959003
+%output 959003
+%var sig='sqloledb'
+%endtest
+
+%test SQL injection - 'sa'
+########################################
+%event 959026
+%output 959026
+%var sig='sa'
+%endtest
+
+%test SQL injection - 'dbo'
+########################################
+%event 959010
+%output 959010
+%var sig='dbo'
+%endtest
+
+%test SQL injection - @@version
+########################################
+%event 959004
+%output 959004
+%var sig=@@version
+%endtest
+
+%test SQL injection - autonomous_transaction
+########################################
+%event 959005
+%output 959005
+%var sig=autonomous_transaction
+%endtest
+
+%test SQL injection - coalesce
+########################################
+%event 950908
+%output 950908
+%var sig=coalesce
+%endtest
+
+%test SQL injection - dbms_java
+########################################
+%event 959009
+%output 959009
+%var sig=dbms_java
+%endtest
+
+%test SQL injection - 'msdasql'
+########################################
+%event 959020
+%output 959020
+%var sig='msdasql'
+%endtest
+
+%test SQL injection - nvarchar
+########################################
+%event 959021
+%output 959021 +%var sig=nvarchar +%endtest + +%test SQL injection - openquery +######################################## +%event 959022 +%output 959022 +%var sig=openquery +%endtest + +%test SQL injection - openrowset +######################################## +%event 959023 +%output 959023 +%var sig=openrowset +%endtest + +%test SQL injection - ;%20drop +######################################## +%event 959001 +%output 959001 +%var sig=;%20drop +%endtest + +%test SQL injection - ;%20\*%20test%20remark%20\*%20shutdown +######################################## +%event 950902 +%output 950902 +%var sig=;%20\*%20test%20remark%20\*%20shutdown +%endtest + +%test SQL injection - root@ +######################################## +%event 950908 +%output 950908 +%var sig=root@ +%endtest + +%test SQL injection - '%20or%20'1'%3d'1 +######################################## +%event 950901 +%output 950901 +%var sig='%20or%20'1'%3d'1 +%endtest + +%test SQL injection - '%20having%20'1'%3d'1 +######################################## +%event 959070 +%output 959070 +%var sig='%20having%20'1'%3d'1 +%endtest + +%test SQL injection - '%20and%20'1'%3d'1 +######################################## +%event 959072 +%output 959072 +%var sig='%20and%20'1'%3d'1 +%endtest + +%test SQL injection - 1%27%3Bdelete+from+%270%3A0%3A15%27%3B-- +######################################## +%event 959075 +%output 959075 +%var sig=1%27%3Bdelete+from+%270%3A0%3A15%27%3B-- +%endtest + +%test SQL injection - 'avi'%3d'avi +######################################## +%event 950901 +%output 950901 +%var sig='avi'%3d'avi +%endtest + +%test SQL injection - 1%3d1 +######################################## +%event 950901 +%output 950901 +%var sig=1%3d1 +%endtest + +%test SQL injection - dba_users +######################################## +%event 959007 +%output 959007 +%var sig=dba_users +%endtest + + + + diff -Nru modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_50_outbound.tests 
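Review bot: As shown here, the last test, "SQL injection - dba_users", stops at `%var sig=dba_users` with no `%endtest`, while every other test in this file is closed explicitly. The hunk header announces 376 added lines and fewer are visible on this page, so the directive may only be missing from this rendering. If it is missing from the file too, whether the runner flushes an unterminated test at end of file is not visible in this hunk, and rule 959007 could lose its regression coverage without any error. Add `%endtest` after `%var sig=dba_users`.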
modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_50_outbound.tests --- modsecurity-crs-2.1.2/util/regression_tests/tests/modsecurity_crs_50_outbound.tests 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-crs-2.2.0/util/regression_tests/tests/modsecurity_crs_50_outbound.tests 2011-05-26 18:18:01.000000000 +0000 @@ -0,0 +1,122 @@ +# FILE 50 +%timeout 10 + +%test weblogic information disclosure +######################################## +%event 970021 +%output 970021 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Status: 500 Internal Server Error +Response-Content: <title>JSP compile error + +%endtest + +%test Zope information leakage +######################################## +%event 970007 +%output 970007 +%request +GET /cgi-bin/testserver.cgi HTTP/1.1 +Host: local +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Response-Content:

Site Error

An error was encountered while publishing this resource.
+
+%endtest
+
+%test CF information leakage
+########################################
+%event 970008
+%output 970008
+%request
+GET /cgi-bin/testserver.cgi HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Response-Content: The error occurred in script.cfm: line 11 bla bla bla Please try the following:
Check the ColdFusion documentation to verify that you are using the correct syntax. bla bla Stack Trace (click to expand)
+
+%endtest
+
+%test PHP information leakage
+########################################
+%event 970009
+%output 970009
+%request
+GET /cgi-bin/testserver.cgi HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Response-Content: Warning mysql_fetch_row(): supplied argument ... in /web/jvcjazz/intl_view.php on line 142
+
+
+%endtest
+
+%test ISA server existence revealed
+########################################
+%event 970010
+%output 970010
+%request
+GET /cgi-bin/testserver.cgi HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Response-Content: 403 Forbidden - The ISA Server denies the specified Uniform Resource ...bla bla bla...
Internet Security and Acceleration Server
+
+%endtest
+
+%test Local file link
+########################################
+%event 970011
+%output 970011
+%request
+GET /cgi-bin/testserver.cgi HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Response-Content: This is my sensitive data, do not touch
+
+%endtest
+
+%test Microsoft office doc properties leakage
+########################################
+%event 970012
+%output 970012
+%request
+GET /cgi-bin/testserver.cgi HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Response-Content:
+
+%endtest
+
+%test Directory Listing (apache)
+########################################
+%event 971200
+%output 971200
+%request
+GET /cgi-bin/testserver.cgi HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Response-Content: Index of /~avi

Index of /~avi

[ICO]NameLast modifiedSizeDescription

[DIR]Parent Directory   -
[DIR]03.17/ 21-Jul-2007 17:20 -
+
+%endtest
+
+%test CF source code leakage
+########################################
+%event 970016
+%output 970016
+%request
+GET /cgi-bin/testserver.cgi HTTP/1.1
+Host: local
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Response-Content:
[ICO]NameLast modifiedSizeDescription

[DIR]Parent Directory   -
[DIR]03.17/ 21-Jul-2007 17:20 -