ModSecurity Rules


Note: if your scripts send curl or wget commands inside a request, ModSecurity will block those requests under these rules.
Comment out the corresponding rules if this affects you.


####################################
# GENERAL CONFIG
####################################

# NOTE(review): SecFilter / SecFilterSelective / SecFilterEngine are
# ModSecurity 1.x directives. ModSecurity 2.x and later use SecRule and
# SecRuleEngine instead, so this file only loads on a 1.x module.

# Turn the filtering engine On or Off
SecFilterEngine On

# URL-encoding validation.
# NOTE(review): this is switched Off, so a request with malformed %XX
# sequences is not rejected by this check; only the patterns below apply.
# Consider On once the hosted applications have been tested against it.
SecFilterCheckURLEncoding Off

# Unicode encoding check (also switched Off)
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range.
# 0-255 covers every possible byte value (NUL included), so as configured
# this restricts nothing.
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Debug level set to a minimum
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Default action for every rule that has no action list of its own:
# deny the request, log it, and answer with HTTP status 403.
SecFilterDefaultAction "deny,log,status:403"

# Requests from the loopback address are allowed without logging and skip
# every rule below.
# NOTE(review): the dots in the pattern are unescaped regex wildcards. Also,
# if a local reverse proxy or cache sits in front of this Apache, all client
# traffic would arrive as 127.0.0.1 and be exempt -- confirm that is not the
# case on this host.
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow

####################################
# Frontpage Compatibility Rules
####################################
# These rules carry their own action, so the default "deny,log,status:403"
# does not apply to them: `allow` lets the request through and stops rule
# processing for it; `pass` takes no action and continues with the next rule.
#
# NOTE(review): SecFilter is a substring match that is not tied to the request
# path, so the `allow` below exempts any request in which the text "_vti_bin"
# appears from every rule further down this file. If the FrontPage extensions
# are really in use, prefer a SecFilterSelective on REQUEST_URI anchored to
# the extension directory; if they are not, remove this section.
SecFilter "_vti_bin" allow
# The .pwd and .cnf names below are FrontPage password/configuration files.
# `pass` means this rule set does not block requests for them; access to
# those files has to be denied elsewhere (presumably in the Apache/FrontPage
# configuration -- verify).
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
SecFilterSelective THE_REQUEST "/authors\.pwd" pass
# Already covered by the "_vti_bin" allow at the top of this section.
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
SecFilterSelective THE_REQUEST "/service\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
# Already covered by the "_vti_bin" allow at the top of this section.
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
# Already covered by the "_vti_bin" allow at the top of this section.
SecFilterSelective THE_REQUEST "/_vti_bin/" pass

####################################
# GENERAL WEB AND SPAM ATTACKS
####################################
# Command-name and system-path signatures. None of these rules names an
# action, so each one uses the default action (deny, log, status 403).
# They are unanchored substring matches, and POST scanning is On, so ordinary
# content that merely mentions one of these strings (a forum post quoting
# "/etc/passwd", for instance) is denied as well -- review the audit log for
# false positives after deploying.
SecFilter "tftp\x20"
# This is one of the rules the note at the top of the page refers to.
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilter "g\+\+\x20"
SecFilter "gcc\x20-o"
SecFilter "nmap\x20"
SecFilter "/etc/shadow"
SecFilter "/etc/passwd"
# Mail-header strings in a request (spam relaying through web forms).
Secfilter "bcc:  "
SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
# Allow added to fix blocking problem with the To: filter in squirrelmail
# NOTE(review): `allow` stops rule processing, and this is a substring match,
# so any request containing "/src/compose.php" skips every rule after this
# line, not just the To: filter. Scoping the exemption to the script itself
# (SecFilterSelective on the request path) would be narrower.
Secfilter "/src/compose.php" allow
Secfilter "To:  "

# Paths of system binaries appearing in the request line.
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "/bin/sh"
SecFilterSelective THE_REQUEST "/tmp/sh"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilterSelective THE_REQUEST "/bin/kill"
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
SecFilterSelective THE_REQUEST "/usr/bin/cc"
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
SecFilterSelective THE_REQUEST "/bin/ping"
SecFilterSelective THE_REQUEST "/bin/mail"
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective THE_REQUEST "/usr/sbin/httpd"

# Chained pairs: the second rule is evaluated only when the first matched.
# NOTE(review): the intent looks like "match in the request line, but leave
# POST bodies alone"; confirm how this ModSecurity version evaluates a
# negated variable name such as !POST_PAYLOAD.
SecFilterSelective THE_REQUEST "lsof\x20" chain
SecFilterSelective !POST_PAYLOAD "lsof\x20"

SecFilterSelective THE_REQUEST "perl\x20" chain
SecFilterSelective !POST_PAYLOAD "perl\x20"

# Disabled rule pair, kept for reference.
#SecFilter "Content-Type\:" chain
#SecFilter "Content-Type\:"

####################################
# Formmail - allows cPanel formmail
####################################
# The four cPanel-provided formmail paths are allowed; every other request
# ending in formmail.php / formmail.cgi / formmail.pl is denied by the
# default action.
# NOTE(review): `allow` stops rule processing and these are substring
# matches, so a request containing one of these four paths is exempt from
# all rules that follow in this file, not only from the formmail denies.
SecFilter "/cgi-sys/formmail.cgi" allow
SecFilter "/cgi-sys/formmail.pl" allow
SecFilter "/cgi-sys/FormMail.cgi" allow
SecFilter "/cgi-sys/FormMail.pl" allow
# NOTE(review): in the second alternative of each pattern the "*" is a regex
# quantifier on the preceding letter, not a wildcard, and the dots are
# unescaped (they match any character).
SecFilter "formmail.php$|formmail.php*/$"
SecFilter "formmail.cgi$|formmail.cgi*/$"
SecFilter "formmail.pl$|formmail.pl*/$"

####################################
# GENERAL BAD STUFF
####################################

# *%0a.pl access
# NOTE(review): the leading "/*" is a regex quantifier (zero or more "/"),
# so this effectively matches a newline byte followed by ".pl".
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# cross site scripting \(img src=javascript\) attempt
# This is a single literal signature. It does not cover other script
# injection forms and is not a substitute for output encoding in the hosted
# applications.
SecFilter "img src=javascript"

####################################
# SYSTEM FILE/COMMAND PROTECTION
####################################

SecFilterSelective ARGS "wget "
SecFilterSelective ARGS "lynx "

# Disabled due to too many complaines
#SecFilterSelective ARGS "curl "

# .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

####################################
# SYSTEM USER PROTECTION
####################################

# /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# /~root access
SecFilterSelective THE_REQUEST "/~root"

# /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# /~cpanel access
SecFilterSelective THE_REQUEST "/~cpanel"

####################################
# RootKits and /tmp, /dev/shm hacks
####################################

# Remote-file-include signature. Each pair is a chain: for any URI other than
# Horde's go.php redirector, deny a parameter value ("=") that is an
# http/www/ftp location ending in one of the listed extensions followed by "?".
# NOTE(review): the second pair differs from the first only in lacking the
# optional "\x20?", so the first pair already covers it. The scheme list has
# no "https", unlike the "(http|https|ftp)" alternation used by the
# per-application rules later in this file -- consider aligning the two.
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?"
SecFilterSelective REQUEST_URI "/\.it/viewde"
SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
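# Known web-shell file names requested with a cmd/command parameter.
# Each directive must sit on one physical line: a pattern broken across two
# lines leaves an unterminated quoted string and the configuration fails to
# parse.
SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"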
SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/(gif|jpg|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl and .txt extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecFilterSelective REQUEST_URI "perl .*\.txt(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.txt"

#Known rootkit Defacing Tool 2.0
SecFilterSelective REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="

#other known tools
SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php"
SecFilter "/tmp/sh"


####################################
# PHPFanBase v2.0
####################################
SecFilterSelective REQUEST_URI "protection.php\?action=logout&siteurl=(http|https|ftp)\:/"

####################################
# Advanced Guestbook
####################################
# http://securitydot.net/xpl/exploits/vulnerabilities/articles/856/exploit.html
SecFilterSelective THE_REQUEST "/admin/addentry\.php\?"
SecFilterSelective THE_REQUEST "/addentry\.php\?"

####################################
# eSupport
####################################
SecFilterSelective THE_REQUEST "autoclose.php" chain
SecFilterSelective ARG_subd ".*(http|https|ftp)\:/"

####################################
# FlashChat
####################################
SecFilterSelective THE_REQUEST "aedating4CMS.php\?dir\[inc\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "aedatingCMS.php\?dir\[inc\]=(http|https|ftp)\:/"

SecFilterSelective THE_REQUEST "dbal.php\?eqdkp_root_path=(http|https|ftp)\:/"

###################################
#EXTCALENDAR
###################################
SecFilterSelective THE_REQUEST "admin_events.php\?CONFIG_EXT\[LANGUAGES_DIR\]=(http|https|ftp)\:/"

#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"

#new kir
SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)="

#suntzu
SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt|asp|png)\?"

#phpbackdoor
SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

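# new unknown kit: requests for ".../oops?&..."
# The "?" is escaped so that it matches a literal question mark, as in the
# other "\?&" kit signatures in this file. Unescaped, it is a quantifier that
# makes the preceding "s" optional and never matches the "?" itself.
SecFilterSelective REQUEST_URI "/oops\?&"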

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecFilterSelective THE_REQUEST   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST   "(wiki_up|temp)/(gif|ion|jpg|lala)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI   "/phpterm"

#Fantastico worm
SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#new unknown kits
SecFilterSelective REQUEST_URI   "/iblis\.htm\?" 
SecFilterSelective REQUEST_URI   "/gif\.gif\?" 
SecFilterSelective REQUEST_URI   "/go\.php\.txt\?" 
SecFilterSelective REQUEST_URI   "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/iys\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/zehir\.asp"
SecFilterSelective REQUEST_URI   "/aflast\.txt\?"
SecFilterSelective REQUEST_URI   "/sikat\.txt\?&cmd" 
SecFilterSelective REQUEST_URI   "/t\.gif\?" 
SecFilterSelective REQUEST_URI   "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI   "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI   "/lukka\?&"

#new kit
SecFilterSelective REQUEST_URI   "/c99shell\.txt"
SecFilterSelective REQUEST_URI   "/c99\.txt\?"

#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
SecFilterSelective THE_REQUEST   "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI   "help_text_vars\.php\?suntzu="

#25dec new one
SecFilterSelective REQUEST_URI   "anggands\.(gif|jpg|txt|bmp|png)\?"

#26dec new kit
SecFilterSelective REQUEST_URI   "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/vsf\.vsf\?&"

#27dec
SecFilterSelective REQUEST_URI   "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI   "test\.txt\?&"

#30dec
SecFilterSelective REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecFilterSelective REQUEST_URI   "/php\.txt\?"

#1 jan
SecFilterSelective REQUEST_URI   "/sql\.txt\?"
SecFilterSelective REQUEST_URI   "bind\.(gif|jpg|txt|bmp|png)\?"

#22feb
SecFilterSelective REQUEST_URI   "/juax\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/linuxdaybot/\.(gif|jpg|txt|bmp|png)\?"

#24mar
SecFilterSelective REQUEST_URI   "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI   "\.asp\?.*theAct=inject&thePath="

#some broken attack program
SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@"
SecFilterSelective THE_REQUEST "trojan\.htm"

SecFilterSelective REQUEST_URI "/r57en\.php"

#c99 rootshell
SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

#generic shell
SecFilterSelective REQUEST_URI "shell\.txt"

#wormsign
SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"

#dm mass mailer
SecFilter "dm.pl\x20"
SecFilter "dm.cgi\x20"
SecFilter "unziper.pl\x20"
SecFilter "unziper.cgi\x20"
Secfilter "cmd.txt"
Secfilter "miro$"


#mdarui
SecFilterSelective THE_REQUEST ".php\?incl=(http|https|ftp)"


########################################################################
## CMS and other PHP-based script patches
########################################################################

####################################
# Bingo News
####################################
SecFilterSelective THE_REQUEST "bp_ncom.php\?bnrep=(http|https|ftp)"


####################################
# Coppermine Photo Gallery
####################################
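# Deny script/markup or a remote URL in index.php's lang parameter, and a
# remote URL in theme.php's THEME_DIR parameter (remote file inclusion).
# The scheme separator in the THEME_DIR rule is written "\:/" like the other
# remote-include rules in this file; "/:/" can never match "http://...".
# These signatures complement, and do not replace, updating the gallery.
SecFilterSelective THE_REQUEST "/index.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/theme.php\?THEME_DIR=(http|https|ftp)\:/"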

####################################
# e107
####################################
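# Chain: for scripts whose file name ends in news.php, deny a "list"
# argument that looks like an SQL statement (keyword, whitespace, token,
# whitespace, object word).
# The pattern is kept on one physical line; split across lines the quoted
# string is unterminated and the directive fails to parse.
# NOTE(review): this is a keyword blacklist -- it narrows exposure but the
# application itself still needs parameterised queries / the vendor fix.
SecFilterSelective SCRIPT_FILENAME "news.php$" chain
SecFilterSelective ARG_list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"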

####################################
# eGroupWare
####################################
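# eGroupWare: SQL-statement signatures on cats_app / filter, and
# script/markup/remote-URL signatures on the listed page parameters.
#
# Three repairs relative to the wrapped listing:
#  - every directive is on one physical line (a pattern split across lines is
#    an unterminated quoted string and does not parse);
#  - the "?" that separates path and query is escaped as "\?"; unescaped it is
#    a quantifier on the preceding character and never matches the literal
#    question mark, so the rule would not fire on the URL it names;
#  - "&lang=" is restored in the history rule, where an HTML-entity mangling
#    had replaced "&lang" with an angle-bracket character.
#
# NOTE(review): "cats_app=*(" and "filter=*(" use "*" as a quantifier on "=",
# so the SQL keyword must follow the "=" directly; ".*" may have been
# intended -- confirm before relying on these two rules.
SecFilterSelective THE_REQUEST "/index.php\?menuaction=preferences.uicategories.index&cats_app=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/tts/index.php\?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/sitemgr/sitemgr-site/\?category_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?action=history&page=.*&lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=addressbook.uiaddressbook.edit&ab_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=manual.uimanual.view&page=ManualAddressbook.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=forum.uiforum.post&type=new.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=wiki.uiwiki.edit&page=setup.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"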

####################################
# Exhibit Engine
####################################
#http://securitydot.net/xpl/exploits/vulnerabilities/articles/1974/exploit.html
SecFilterSelective THE_REQUEST "styles.php\?toroot=(http|https|ftp)"

####################################
# Invision Power Board
####################################
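# Chain: deny requests for ad_member.php that also contain "emailer.php".
SecFilterSelective THE_REQUEST "/ad_member.php" chain
SecFilter "emailer.php"
# NOTE(review): the "*" characters here are regex quantifiers on the letter
# before them, not shell-style wildcards, so this pattern probably does not
# match the request it was written for; ".*" may have been intended.
SecFilterSelective THE_REQUEST "/ipchat.php*root_path*conf_global.php"
# SQL keyword in the "st" parameter of the forum index. Kept on one physical
# line; split across lines the quoted pattern is unterminated and does not
# parse.
# NOTE(review): "st=*(" requires the keyword directly after "="; confirm that
# ".*" was not intended.
SecFilterSelective THE_REQUEST "/forums/index.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"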


####################################
#Mambo
####################################
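# Remote file inclusion through mosConfig_absolute_path, in any script.
SecFilterSelective THE_REQUEST "mosConfig_absolute_path=(http|https|ftp):/"
# Narrower, disabled variant of the rule above.
#SecFilterSelective REQUEST_URI "/modules/mod_mainmenu.php\?mosConfig_absolute_path=(http|https|ftp):/"
# Script/markup or remote URL in the "cat" path segment of the Coppermine
# component. Kept on one physical line; split across lines the quoted pattern
# is unterminated and does not parse.
SecFilterSelective THE_REQUEST "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/).*/pos=.*.html"
# Chain: for the facileforms frame script, deny a remote URL in ff_compath.
SecFilterSelective THE_REQUEST "/components/com_facileforms/facileforms.frame.php" chain
SecFilterSelective ARG_ff_compath ".*(http|https|ftp)\:/"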

####################################
# ModernBill Remote File Include Vulnerability patch 
# http://archives.neohapsis.com/archives/bugtraq/2005-04/0129.html
####################################
SecFilter "samples/news.php"
SecFilter "samples/domain_search.php"
SecFilter "samples/faq.php"
SecFilter "samples/login.sample.php"

####################################
# OpenBB
####################################
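# Three chains, one per argument (FID, TID, UID): for board.php, read.php or
# member.php, deny an argument value that looks like an SQL statement.
# Each pattern is kept on one physical line; split across lines the quoted
# string is unterminated and the directive does not parse.
# NOTE(review): keyword blacklists reduce exposure only; the forum still
# needs the vendor fix for the underlying SQL injection.
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"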

####################################
# OSCommerce
####################################
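# Script/markup or a remote URL in default.php's error_message or
# info_message parameter.
# The pattern is on one physical line, and the "?" between path and query is
# escaped: unescaped it is a quantifier on the preceding "p" and never
# matches the literal question mark in the URL.
SecFilterSelective THE_REQUEST "/default.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"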

####################################
# osTicket
####################################
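# Directory traversal in attachments.php's file parameter.
# NOTE(review): the dots are unescaped, so "../.." matches any two characters,
# a slash, and any two characters -- broader than a literal "../..".
SecFilterSelective THE_REQUEST "/attachments.php\?file=../.."
# Remote file inclusion through include_dir.
SecFilterSelective THE_REQUEST "include/main.php\?config.*=.*\&include_dir=(http|https|ftp):/"
# SQL-statement signatures on admin.php's id and view.php's cat parameters.
# Each pattern is kept on one physical line (a split pattern is an
# unterminated quoted string), and the "?" in "/view.php\?s=" is escaped so
# that it matches the literal question mark instead of acting as a quantifier.
# NOTE(review): "id=*(", "query=*&" and "cat=*(" use "*" as a quantifier on
# the preceding character; ".*" may have been intended -- confirm.
SecFilterSelective THE_REQUEST "/admin.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view.php\?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
# Chain: for view.php, deny a "t" argument that looks like an SQL statement.
SecFilterSelective THE_REQUEST "/view.php" chain
SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"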

####################################
# Owl
####################################
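# SQL-statement signature on browse.php's parent parameter.
# The pattern is on one physical line, and the "?" between path and query is
# escaped: unescaped it is a quantifier on the preceding "p" and never
# matches the literal question mark in the URL.
SecFilterSelective THE_REQUEST "/browse.php\?sess=.*parent=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"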

####################################
# phpAds
####################################
SecFilterSelective THE_REQUEST "view.inc.php\?phpAds_path=(http|https|ftp)"

####################################
# PHP-Wiki
####################################
SecFilterSelective THE_REQUEST "<script"

####################################
# phpCOIN
####################################
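# Deny requests that pass a _CCFG parameter straight to phpCOIN's include
# files.
# The "?" is escaped so it matches the literal question mark that starts the
# query string; unescaped it is a quantifier on the preceding "p", and the
# rule would match "api.php_CCFG" but never "api.php?_CCFG".
# NOTE(review): the dot before "php" is still an unescaped wildcard; harmless
# here, but "\." would be exact.
SecFilterSelective THE_REQUEST "api.php\?_CCFG"
SecFilterSelective THE_REQUEST "common.php\?_CCFG"
SecFilterSelective THE_REQUEST "constants.php\?_CCFG"
SecFilterSelective THE_REQUEST "core.php\?_CCFG"
SecFilterSelective THE_REQUEST "custom.php\?_CCFG"
SecFilterSelective THE_REQUEST "db.php\?_CCFG"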
root@claire [/usr/local/apache/conf]# cat  modsec.conf 
# Last Updated 12/19/2006
####################################
# GENERAL CONFIG
####################################

# Turn the filtering engine On or Off
SecFilterEngine On

# URL-encoding validation.
# NOTE(review): this is switched Off, so a request with malformed %XX
# sequences is not rejected by this check; only the patterns below apply.
SecFilterCheckURLEncoding Off

# Unicode encoding check (also switched Off)
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range.
# 0-255 covers every possible byte value (NUL included), so as configured
# this restricts nothing.
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Debug level set to a minimum
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Default action for every rule that has no action list of its own:
# deny the request, log it, and answer with HTTP status 403.
SecFilterDefaultAction "deny,log,status:403"

# Requests from the loopback address are allowed without logging and skip
# every rule below.
# NOTE(review): the dots in the pattern are unescaped regex wildcards. If a
# local reverse proxy or cache fronts this Apache, all client traffic would
# arrive as 127.0.0.1 and be exempt -- confirm that is not the case here.
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow

####################################
# Frontpage Compatibility Rules
####################################
SecFilter "_vti_bin" allow
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
SecFilterSelective THE_REQUEST "/authors\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
SecFilterSelective THE_REQUEST "/service\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_bin/" pass

####################################
# GENERAL WEB AND SPAM ATTACKS
####################################
SecFilter "tftp\x20"
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilter "g\+\+\x20"
SecFilter "gcc\x20-o"
SecFilter "nmap\x20"
SecFilter "/etc/shadow"
SecFilter "/etc/passwd"
Secfilter "bcc:  "
SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
# Allow added to fix blocking problem with the To: filter in squirrelmail
Secfilter "/src/compose.php" allow
Secfilter "To:  "

SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "/bin/sh"
SecFilterSelective THE_REQUEST "/tmp/sh"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilterSelective THE_REQUEST "/bin/kill"
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
SecFilterSelective THE_REQUEST "/usr/bin/cc"
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
SecFilterSelective THE_REQUEST "/bin/ping"
SecFilterSelective THE_REQUEST "/bin/mail"
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective THE_REQUEST "/usr/sbin/httpd"

SecFilterSelective THE_REQUEST "lsof\x20" chain
SecFilterSelective !POST_PAYLOAD "lsof\x20"

SecFilterSelective THE_REQUEST "perl\x20" chain
SecFilterSelective !POST_PAYLOAD "perl\x20"

#SecFilter "Content-Type\:" chain
#SecFilter "Content-Type\:"

####################################
# Formmail - allows cPanel formmail
####################################
SecFilter "/cgi-sys/formmail.cgi" allow
SecFilter "/cgi-sys/formmail.pl" allow
SecFilter "/cgi-sys/FormMail.cgi" allow
SecFilter "/cgi-sys/FormMail.pl" allow
SecFilter "formmail.php$|formmail.php*/$"
SecFilter "formmail.cgi$|formmail.cgi*/$"
SecFilter "formmail.pl$|formmail.pl*/$"

####################################
# GENERAL BAD STUFF
####################################

# *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

####################################
# SYSTEM FILE/COMMAND PROTECTION
####################################

SecFilterSelective ARGS "wget "
SecFilterSelective ARGS "lynx "

# Disabled due to too many complaines
#SecFilterSelective ARGS "curl "

# .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

####################################
# SYSTEM USER PROTECTION
####################################

# /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# /~root access
SecFilterSelective THE_REQUEST "/~root"

# /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# /~cpanel access
SecFilterSelective THE_REQUEST "/~cpanel"

####################################
# RootKits and /tmp, /dev/shm hacks
####################################

SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" chain
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?"
SecFilterSelective REQUEST_URI "/\.it/viewde"
SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/(gif|jpg|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl and .txt extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecFilterSelective REQUEST_URI "perl .*\.txt(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.txt"

#Known rootkit Defacing Tool 2.0
SecFilterSelective REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png|asp)\?&?(cmd|command)="

#other known tools
SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php"
SecFilter "/tmp/sh"


####################################
# PHPFanBase v2.0
####################################
SecFilterSelective REQUEST_URI "protection.php\?action=logout&siteurl=(http|https|ftp)\:/"

####################################
# Advanced Guestbook
####################################
# http://securitydot.net/xpl/exploits/vulnerabilities/articles/856/exploit.html
SecFilterSelective THE_REQUEST "/admin/addentry\.php\?"
SecFilterSelective THE_REQUEST "/addentry\.php\?"

####################################
# eSupport
####################################
SecFilterSelective THE_REQUEST "autoclose.php" chain
SecFilterSelective ARG_subd ".*(http|https|ftp)\:/"

####################################
# FlashChat
####################################
SecFilterSelective THE_REQUEST "aedating4CMS.php\?dir\[inc\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "aedatingCMS.php\?dir\[inc\]=(http|https|ftp)\:/"

SecFilterSelective THE_REQUEST "dbal.php\?eqdkp_root_path=(http|https|ftp)\:/"

###################################
#EXTCALENDAR
###################################
SecFilterSelective THE_REQUEST "admin_events.php\?CONFIG_EXT\[LANGUAGES_DIR\]=(http|https|ftp)\:/"

#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"

#new kir
SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)="

#suntzu
SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt|asp|png)\?"

#phpbackdoor
SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

#new unknown kit
SecFilterSelective REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecFilterSelective THE_REQUEST   "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST   "(wiki_up|temp)/(gif|ion|jpg|lala)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI   "/phpterm"

#Fantastico worm
SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#new unknown kits
SecFilterSelective REQUEST_URI   "/iblis\.htm\?" 
SecFilterSelective REQUEST_URI   "/gif\.gif\?" 
SecFilterSelective REQUEST_URI   "/go\.php\.txt\?" 
SecFilterSelective REQUEST_URI   "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/iys\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective REQUEST_URI   "/zehir\.asp"
SecFilterSelective REQUEST_URI   "/aflast\.txt\?"
SecFilterSelective REQUEST_URI   "/sikat\.txt\?&cmd" 
SecFilterSelective REQUEST_URI   "/t\.gif\?" 
SecFilterSelective REQUEST_URI   "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI   "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI   "/lukka\?&"

#new kit
SecFilterSelective REQUEST_URI   "/c99shell\.txt"
SecFilterSelective REQUEST_URI   "/c99\.txt\?"

#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
SecFilterSelective THE_REQUEST   "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI   "help_text_vars\.php\?suntzu="

#25dec new one
SecFilterSelective REQUEST_URI   "anggands\.(gif|jpg|txt|bmp|png)\?"

#26dec new kit
SecFilterSelective REQUEST_URI   "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/vsf\.vsf\?&"

#27dec
SecFilterSelective REQUEST_URI   "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI   "test\.txt\?&"

#30dec
SecFilterSelective REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecFilterSelective REQUEST_URI   "/php\.txt\?"

#1 jan
SecFilterSelective REQUEST_URI   "/sql\.txt\?"
SecFilterSelective REQUEST_URI   "bind\.(gif|jpg|txt|bmp|png)\?"

#22feb
SecFilterSelective REQUEST_URI   "/juax\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/linuxdaybot/\.(gif|jpg|txt|bmp|png)\?"

#24mar
SecFilterSelective REQUEST_URI   "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI   "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI   "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI   "\.asp\?.*theAct=inject&thePath="

#some broken attack program
SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@"
SecFilterSelective THE_REQUEST "trojan\.htm"

SecFilterSelective REQUEST_URI "/r57en\.php"

#c99 rootshell
SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

#generic shell
SecFilterSelective REQUEST_URI "shell\.txt"

#wormsign
SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"

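# dm mass mailer and related dropper scripts.
# The dots are escaped so they match a literal "." only; unescaped, "dm.pl"
# also matched any character in that position (for example "dmXpl"), which
# widened the rule for no benefit. "\x20" is the space that follows the file name.
SecFilter "dm\.pl\x20"
SecFilter "dm\.cgi\x20"
SecFilter "unziper\.pl\x20"
SecFilter "unziper\.cgi\x20"
# NOTE(review): the two rules below are not anchored at the start, so they also
# hit longer names that merely contain "cmd.txt" or end in "miro". Confirm the
# false-positive rate is acceptable before deploying with a deny action.
SecFilter "cmd\.txt"
SecFilter "miro$"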


#mdarui
SecFilterSelective THE_REQUEST ".php\?incl=(http|https|ftp)"


########################################################################
## CMS and other PHP-based script patches
########################################################################

####################################
# Bingo News
####################################
SecFilterSelective THE_REQUEST "bp_ncom.php\?bnrep=(http|https|ftp)"


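####################################
# Coppermine Photo Gallery
####################################
# Markup or a remote URL passed in the "lang" parameter of index.php.
# NOTE(review): the "*" after the keyword group makes the keywords optional, so
# the first alternative matches any ">" after "lang=", and the bare "html"
# alternative matches that word anywhere after "lang=". Expect false positives.
SecFilterSelective THE_REQUEST "/index.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
# Remote file inclusion through THEME_DIR: the scheme must be followed by ":/".
# The pattern previously read "(http|https|ftp)/:/", a sequence no URL contains,
# so the rule could never fire.
SecFilterSelective THE_REQUEST "/theme.php\?THEME_DIR=(http|https|ftp):/"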

####################################
# e107
####################################
SecFilterSelective SCRIPT_FILENAME "news.php$" chain
SecFilterSelective ARG_list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"

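####################################
# eGroupWare
####################################
# Every "?" that separates the script path from its query string is escaped
# below. Left bare, "?" is a regex quantifier (it makes the preceding character
# optional), so none of these patterns matched a request line that actually
# contained "?", and the rules never fired.
# Because these rules were effectively inactive before, trial them with a
# non-blocking action such as "log,pass" and review the audit log before
# relying on the default deny action.
# NOTE(review): "=*" matches zero or more "=" characters, so the SQL keyword
# must follow the parameter name directly; ".*" may have been intended — confirm.

# SQL keywords in the cats_app / filter parameters.
SecFilterSelective THE_REQUEST "/index.php\?menuaction=preferences.uicategories.index&cats_app=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/tts/index.php\?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
# Markup or remote URLs in page / category parameters.
SecFilterSelective THE_REQUEST "/sitemgr/sitemgr-site/\?category_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
# "&lang=" restored: the page showed the HTML entity "&lang" rendered as an
# angle-bracket character, which no request would contain.
SecFilterSelective THE_REQUEST "/index.php\?action=history&page=.*&lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=addressbook.uiaddressbook.edit&ab_id=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=manual.uimanual.view&page=ManualAddressbook.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=forum.uiforum.post&type=new.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/index.php\?menuaction=wiki.uiwiki.edit&page=setup.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"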

####################################
# Exhibit Engine
####################################
#http://securitydot.net/xpl/exploits/vulnerabilities/articles/1974/exploit.html
SecFilterSelective THE_REQUEST "styles.php\?toroot=(http|https|ftp)"

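####################################
# Invision Power Board
####################################
# Chained pair: a request for ad_member.php that also mentions emailer.php.
SecFilterSelective THE_REQUEST "/ad_member.php" chain
SecFilter "emailer.php"
# ipchat.php called with root_path pointing at conf_global.php.
# The pattern used shell-glob "*" ("php*root_path*conf"), which as a regex only
# repeats the preceding character and could not span the "?" and "=" in a real
# request; ".*" is the regex equivalent of the intended wildcard.
SecFilterSelective THE_REQUEST "/ipchat\.php.*root_path.*conf_global\.php"
# SQL keywords at the end of the forum listing query string.
# NOTE(review): "&st=*" matches zero or more "=" characters, so the keyword must
# follow "st=" directly; "&st=.*" may have been intended — confirm.
SecFilterSelective THE_REQUEST "/forums/index.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"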


####################################
#Mambo
####################################
SecFilterSelective THE_REQUEST "mosConfig_absolute_path=(http|https|ftp):/"
#SecFilterSelective REQUEST_URI "/modules/mod_mainmenu.php\?mosConfig_absolute_path=(http|https|ftp):/"
SecFilterSelective THE_REQUEST "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/).*/pos=.*.html"
SecFilterSelective THE_REQUEST "/components/com_facileforms/facileforms.frame.php" chain
SecFilterSelective ARG_ff_compath ".*(http|https|ftp)\:/"

####################################
# ModernBill Remote File Include Vulnerability patch 
# http://archives.neohapsis.com/archives/bugtraq/2005-04/0129.html
####################################
SecFilter "samples/news.php"
SecFilter "samples/domain_search.php"
SecFilter "samples/faq.php"
SecFilter "samples/login.sample.php"

####################################
# OpenBB
####################################
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(board|read|member).php" chain
SecFilterSelective ARG_UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

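####################################
# OSCommerce
####################################
# Markup or a remote URL in the error_message / info_message parameters.
# The "?" is escaped so it matches the literal query-string separator; left
# bare it made the preceding "p" optional and the rule never matched a request
# of the form "/default.php?error_message=...".
# NOTE(review): the "*" after the keyword group makes the keywords optional, so
# any ">" in the value triggers the rule.
SecFilterSelective THE_REQUEST "/default.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"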

####################################
# osTicket
####################################
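# Directory traversal through the "file" parameter of attachments.php.
# The dots are escaped so that only a literal "../.." matches; unescaped, the
# pattern matched any two characters, a slash, and any two characters, which
# blocked legitimate values such as "file=ab/cd".
SecFilterSelective THE_REQUEST "/attachments\.php\?file=\.\./\.\."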
SecFilterSelective THE_REQUEST "include/main.php\?config.*=.*\&include_dir=(http|https|ftp):/"
SecFilterSelective THE_REQUEST "/admin.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view.php?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
SecFilterSelective THE_REQUEST "/view.php" chain
SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

####################################
# Owl
####################################
SecFilterSelective THE_REQUEST "/browse.php?sess=.*parent=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

####################################
# phpAds
####################################
SecFilterSelective THE_REQUEST "view.inc.php\?phpAds_path=(http|https|ftp)"

####################################
# PHP-Wiki
####################################
SecFilterSelective THE_REQUEST "<script"

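####################################
# phpCOIN
####################################
# Requests that pass _CCFG in the query string of these scripts.
# "." and "?" are escaped so they match literally. With a bare "?" the
# preceding "p" became optional and the patterns required "_CCFG" to follow
# "php" directly, so a real request ("api.php?_CCFG...") was never matched.
SecFilterSelective THE_REQUEST "api\.php\?_CCFG"
SecFilterSelective THE_REQUEST "common\.php\?_CCFG"
SecFilterSelective THE_REQUEST "constants\.php\?_CCFG"
SecFilterSelective THE_REQUEST "core\.php\?_CCFG"
SecFilterSelective THE_REQUEST "custom\.php\?_CCFG"
SecFilterSelective THE_REQUEST "db\.php\?_CCFG"
SecFilterSelective THE_REQUEST "redirect\.php\?_CCFG"
SecFilterSelective THE_REQUEST "session_set\.php\?_CCFG"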

####################################
# PHPLIB
####################################
SecFilter "_PHPLIB\[libdir\]"

####################################
# PHPNuke
####################################
SecFilter "/modules/My_eGallery/"
SecFilterSelective THE_REQUEST "/setup/" chain
SecFilter "GALLERY_BASEDIR=(http|https|ftp):/"
SecFilterSelective THE_REQUEST "/banners.php?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?name=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?name=Top&querylang=.*(UNION|SELECT|DELETE|INSERT).*,"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_ratenum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
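# Chained pair: SQL keywords in the "min" argument of modules.php.
# Keyword list corrected to "select|grant|delete"; it read "dselect|grant|elete",
# and the misspelt "dselect" never matched a SELECT statement, unlike the
# sibling rules for the other modules.php arguments.
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_min "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"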
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_orderby "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective SCRIPT_FILENAME "modules.php$" chain
SecFilterSelective ARG_category "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "modules.php?name=Surveys&pollID=.*&forwarder=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=.*&title=.*&url=.*&description=.*&email=',*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=.*&url=',*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=viewsdownload&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*]+(from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/modules.php?name=Downloads&d_op=search&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin_styles.php?phpbb_root_path=(http|https|ftp):/"

####################################
# PHPBB Vulnerabilities
####################################
SecFilterSelective QUERY_STRING|POST_PAYLOAD|ARGS "echr\("
SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("
SecFilter "&highlight=\x2527\x252Esystem\("
SecFilter "/tmp/php" 
SecFilterSelective THE_REQUEST "/quick-reply.php" chain
SecFilter "phpbb_root_path="
SecFilterSelective ARG_highlight "(x27|%27|x2527|%2527)"
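# Chained pair: PHP function calls with a short numeric/hex argument in any
# argument of a viewtopic.php request, e.g. "chr(39)".
# The parentheses around the argument are escaped so they match literally, as
# in the "chr\(([0-9]{1,3})\)" rule above. Unescaped they were plain grouping,
# so the pattern required the digits to follow the function name directly and
# also matched ordinary words such as "leaked".
SecFilterSelective THE_REQUEST "/viewtopic.php?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)"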
SecFilterSelective REQUEST_URI "admin/admin_styles.php?mode=addnew&install_to=../../"
SecFilterSelective THE_REQUEST "/downloads.php?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
SecFilterSelective THE_REQUEST "/cal_view_month.php?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)"
SecFilterSelective THE_REQUEST "/links.php?func=show&id='"
SecFilterSelective THE_REQUEST "/dlman.php?func=file_info&file_id='"
SecFilterSelective THE_REQUEST "/groupcp.php?g=.*sid='"
SecFilterSelective THE_REQUEST "/index.php?(c|mark)=*'"
SecFilterSelective THE_REQUEST "/portal.php?article=*'"
SecFilterSelective THE_REQUEST "/viewforum.php?f=.*sid='"
SecFilterSelective THE_REQUEST "/viewtopic.php?p=.*sid='"
SecFilterSelective THE_REQUEST "/album_search.php?mode='"
SecFilterSelective THE_REQUEST "/album_cat.php?cat_id=.*sid='"
SecFilterSelective THE_REQUEST "/album_comment.php?pic_id=.*sid='"
SecFilterSelective THE_REQUEST "/moddb/mod.php?id='"
SecFilterSelective THE_REQUEST "/auction_rating.php?mode=.*&u=.*'"
SecFilterSelective THE_REQUEST "/auction_offer.php?mode=.*&ar=.*'"
SecFilterSelective THE_REQUEST "/profile.php?mode=viewprofile&u=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/viewtopic.php?p=.*&highlight=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/posting_notes.php?mode=editpost&*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
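# Disabled: both rules end in "chain" but the rule that should close the chain
# is missing from this copy of the rule set. Left active, they chain into the
# next rule in the file (the pmachine "lib.inc.php" pair), which then only fires
# when these two patterns match as well, i.e. practically never.
# Restore them together with their closing rule once it has been recovered.
#SecFilterSelective THE_REQUEST "/(viewtopic|privmsg|bbcode).php?" chain
#SecFilterSelective THE_REQUEST "/admin_forums.php?" chain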

####################################
# pmachine
####################################
SecFilterSelective THE_REQUEST "lib.inc.php" chain
SecFilter "pm_path=(http|https|ftp):/"
SecFilterSelective THE_REQUEST "lib.inc.php.*pm_path.*(http|https|ftp):/"

####################################
# Phorum
####################################
SecFilterSelective THE_REQUEST "/support/common.php"

####################################
# Phorm
####################################
SecFilterSelective THE_REQUEST "/phorm.php" chain
SecFilterSelective ARG_PHORM_* "(http|https|ftp):/"

####################################
# phpSysInfo
####################################
SecFilterSelective THE_REQUEST "/index.php?sensor_program=.*(script|(http|https|ftp):/)"

####################################
# PunBB
####################################
SecFilterSelective THE_REQUEST "/profile.php" chain
SecFilterSelective ARG_temp "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "redirect_url.*(http|https|ftp):/.*cmd="

####################################
# phpWebSite
####################################
SecFilterSelective THE_REQUEST "index.php" chain
SecFilterSelective ARG_mod "(../|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view))"
SecFilterSelective THE_REQUEST "index.php" chain
SecFilterSelective ARG_module "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

####################################
# PHP Surveyor
####################################
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_sid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_start "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/admin/" chain
SecFilterSelective ARG_lid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

####################################
# PHPlist
####################################
SecFilterSelective THE_REQUEST "lists/admin/?page=admin&id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

####################################
# PHP-Fusion
####################################
SecFilterSelective THE_REQUEST "/messages.php?msg_view='"

####################################
# Santy.e Worm Patch
####################################
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("

####################################
# Squirrel Mail
####################################
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

####################################
# Soholaunch
####################################
#http://www.milw0rm.com/exploits/2724
SecFilterSelective THE_REQUEST "shared_functions.php\?_SESSION\[docroot_path\]=(http|https|ftp)"
SecFilterSelective THE_REQUEST "pgm-shopping_css.inc.php\?_SESSION\[docroot_path\]=(http|https|ftp)"

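####################################
# TikiWiki
####################################
# Directory traversal through the "mapfile" parameter of tiki-map.phtml.
# "?" and "." are escaped so they match literally: the bare "?" made the
# preceding "l" optional (so a real "tiki-map.phtml?mapfile=" never matched),
# and the bare dots matched any character.
SecFilter "/tiki-map\.phtml\?mapfile=\.\./\.\./"
# Remote URL in the "offset" parameter of tiki-list_faqs.php.
SecFilterSelective THE_REQUEST "/tiki-list_faqs\.php\?offset=(http|https|ftp):/"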

####################################
# Typo3
####################################
# Chained pair: requests for translations.php whose data contains "ONLY=x2e".
# NOTE(review): "x2e" is matched here as three literal characters. If a hex
# escape for "." ("\x2e") was intended, the backslash has been lost and the
# rule will not match a traversal attempt — confirm against the original rule set.
SecFilterSelective THE_REQUEST "/translations.php" chain
SecFilter "ONLY=x2e"
# NOTE(review): same concern for "x2e" and "x00" below. In addition, the
# unescaped "?" is a regex quantifier (optional "p"), not the literal
# query-string separator, so a request containing "?ONLY=" is not matched.
SecFilterSelective THE_REQUEST "/dev/translations.php?ONLY=x2ex2e/x2ex2e/x2ex2e/x2ex2e/x2ex2e/.*x00"

####################################
# UBB
####################################
SecFilterSelective THE_REQUEST "/printthread.php*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/download.php?Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar.php?Cat=.*&month=.*&year=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/calendar.php?Cat=&month=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view).*year=.*"
SecFilterSelective THE_REQUEST "/modifypost.phpCat=.*&Username=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view).*&Board=UBB8"
SecFilterSelective THE_REQUEST "/mailthread.php?Cat=.*&Board=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/viewmessage.php?Cat=&message=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/(addfav|notifymod|grabnext).php?Cat=.*&Board=.*&main=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

####################################
# vBulletin
####################################
SecFilterSelective THE_REQUEST "/calendar.php?calbirthdays=.*&action=getday&day=.*&comma=x22;"
SecFilterSelective THE_REQUEST ".php\?step=(http|https|ftp)"

####################################
# WebChat
####################################
SecFilterSelective THE_REQUEST "/defines.php" chain
SecFilter "db_mysql.php"
SecFilterSelective THE_REQUEST "/defines.php" chain
SecFilter "english.php"

####################################
# WordPress
####################################
# Chained pair: for URIs containing "/wordpress/", act on any "cat" argument
# that is not made up of digits only (the leading "!" negates the pattern).
# This is an allow-list check rather than a signature, so it does not depend on
# recognising a particular payload.
# Sites that serve WordPress from a path without "/wordpress/" are not covered.
# "[0-9]*" also accepts an empty value.
SecFilterSelective REQUEST_URI "/wordpress/" chain
SecFilterSelective ARG_cat "!^[0-9]*$"

####################################
# XMB
####################################
SecFilterSelective THE_REQUEST "/xmb.php" chain
SecFilterSelective ARG_in "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "include/u2u.inc.php" chain
SecFilterSelective ARG_u2u_select "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

####################################
# Xoops
####################################
SecFilterSelective THE_REQUEST "/modules/newbb/index.php?viewcat='"
SecFilterSelective THE_REQUEST "/modules/sections/index.php?op=viewarticle&artid=9x2c+9x2c+9"
SecFilterSelective THE_REQUEST "modules/newbb/viewforum.php?sortname=p.post_time&sortorder=.*&sortdays=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective THE_REQUEST "/modules/newbb/index.php?viewcat=.*((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
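# Disabled: the second rule ends in "chain" but the rule that should close the
# chain is missing from this copy of the rule set. Left active, the chain runs
# on into the next rule in the file (the YaBB SE "packages.php" pair), which
# then only fires for requests that also match xmlrpc.php and
# blogger.getUsersBlogs, i.e. practically never.
# Restore these together with their closing rule once it has been recovered.
#SecFilterSelective THE_REQUEST "/xmlrpc.php" chain
#SecFilterSelective POST_PAYLOAD "blogger.getUsersBlogs" chain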

####################################
# YaBB SE
####################################
SecFilterSelective THE_REQUEST "/packages.php" chain
SecFilter "packer.php"
