Diffstat (limited to 'files/mod_security/custom_rules/jitp.conf')
-rw-r--r--files/mod_security/custom_rules/jitp.conf4442
1 files changed, 0 insertions, 4442 deletions
diff --git a/files/mod_security/custom_rules/jitp.conf b/files/mod_security/custom_rules/jitp.conf
deleted file mode 100644
index 3fb523c..0000000
--- a/files/mod_security/custom_rules/jitp.conf
+++ /dev/null
@@ -1,4442 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# Just In Time Patches for Vulnerable Applications Rules for modsec 2.x
-#
-# Version: N-20061022-01
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/jitp.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-#
-
-#--------------------------------
-# notes
-#--------------------------------
-# Rules work with modsecurity 2.x and above only
-
-#--------------------------------
-#start rules
-#--------------------------------
-
-# WEB-CGI formmail
-SecRule REQUEST_URI "/(formmail|mailform)(\x0a|\.pl\x0a)"
-
-#pals-cgi arbitrary file access attempt
-SecRule REQUEST_URI "/pals-cgi.*documentName="
-
-# WEB-CGI phf arbitrary command execution attempt
-SecRule REQUEST_URI "/phf" chain
-SecRule REQUEST_URI "\x0a/"
-# WEB-CGI phf access
-SecRule REQUEST_URI "/phf\?"
-
-# WEB-CGI htsearch arbitrary file read attempt
-SecRule REQUEST_URI "/htsearch\?exclude=\`"
-
-# WEB-CGI csSearch.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/csSearch\.cgi\?" chain
-SecRule REQUEST_URI "\`"
-
-## WEB-CGI FormHandler.cgi directory traversal attempt attempt
-SecRule REQUEST_URI "/FormHandler\.cgi" chain
-SecRule REQUEST_URI "/\.\./"
-
-# WEB-CGI FormHandler.cgi external site redirection attempt
-SecRule REQUEST_URI "/FormHandler\.cgi" chain
-SecRule REQUEST_URI "redirect=http"
-
-# WEB-PHP squirrel mail spell-check arbitrary command attempt
-SecRule REQUEST_URI "/squirrelspell/modules/check_me\.mod\.php" chain
-SecRule REQUEST_URI "SQSPELL_APP\["
-
-# WEB-PHP squirrel mail theme arbitrary command attempt
-SecRule REQUEST_URI "/left_main\.php" chain
-SecRule REQUEST_URI "cmdd="
-
-# WEB-PHP directory.php arbitrary command attempt
-SecRule REQUEST_URI "/directory\.php\?" chain
-SecRule REQUEST_URI "\;"
-
-# WEB-PHP PHPLIB remote commanSelective REQUEST_URI|REQUEST_BODYd attempt
-SecRule REQUEST_URI|REQUEST_BODY "_PHPLIB\[libdir\]"
-
-# WEB-PHP PHPLIB remote command attempt
-SecRule REQUEST_URI "/db_mysql\.inc"
-
-# Exploit phpBB Highlighting Code Execution Attempt
-SecRule REQUEST_URI|REQUEST_BODY "(\;|\&)highlight=\'\.system\("
-
-# Exploit phpBB Highlighting SQL Injection
-SecRule REQUEST_URI|REQUEST_BODY "&highlight=\'\.mysql_query\("
-
-# Exploit phpBB Highlighting Code Execution - Santy.A Worm
-SecRule REQUEST_URI|REQUEST_BODY "&highlight=\'\.fwrite\(fopen\("
-
-# Exploit phpBB Highlight Exploit Attempt
-SecRule REQUEST_URI|REQUEST_BODY "&highlight=\x2527\x252Esystem\("
-
-# WEB-CGI dcforum.cgi directory traversal attempt
-SecRule REQUEST_URI "/dcforum\.cgi" chain
-SecRule REQUEST_URI "forum=\.\./\.\."
-
-# WEB-CGI dcboard.cgi invalid user addition attempt
-SecRule REQUEST_URI "/dcboard\.cgi.*\|admin"
-
-# WEB-CGI alchemy http server PRN arbitrary command execution attempt
-SecRule REQUEST_URI|REQUEST_BODY "/PRN/\.\./\.\./"
-
-# WEB-CGI alchemy http server NUL arbitrary command execution attempt
-SecRule REQUEST_URI|REQUEST_BODY "/NUL/\.\./\.\./"
-
-# WEB-CGI AltaVista Intranet Search directory traversal attempt
-SecRule REQUEST_URI "/query\?mss=\.\."
-
-# WEB-CGI hello.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/hello\.bat" chain
-SecRule REQUEST_URI "\&"
-
-# WEB-CGI Home Free search.cgi directory traversal attempt
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule REQUEST_URI "letter=\.\./\.\."
-
-#campus attempt
-SecRule REQUEST_URI "/campus\?\|0A\|"
-
-# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/pfdispaly\.cgi\?\'"
-
-# WEB-CGI talkback.cgi directory traversal attempt
-SecRule REQUEST_URI "/talkbalk\.cgi" chain
-SecRule REQUEST_URI "article=\.\./\.\./"
-
-# WEB-CGI technote main.cgi file directory traversal attempt
-SecRule REQUEST_URI "/technote/main\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-CGI technote print.cgi directory traversal attempt
-SecRule REQUEST_URI "/technote/print\.cgi.*\x00"
-
-# WEB-CGI eXtropia webstore directory traversal
-SecRule REQUEST_URI "/web_store\.cgi" chain
-SecRule REQUEST_URI "page=\.\./"
-
-# WEB-CGI shopping cart directory traversal
-SecRule REQUEST_URI "/shop\.cgi" chain
-SecRule REQUEST_URI "page=\.\./"
-
-# WEB-CGI Allaire Pro Web Shell attempt
-SecRule REQUEST_URI "/authenticate\.cgi\?PASSWORD" chain
-SecRule REQUEST_URI "config\.ini"
-
-# WEB-CGI Armada Style Master Index directory traversal
-SecRule REQUEST_URI "/search\.cgi\?keys" chain
-SecRule REQUEST_URI "catigory=\.\./"
-
-# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal
-SecRule REQUEST_URI "/cached_feed\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI Talentsoft Web+ exploit attempt
-SecRule REQUEST_URI "/webplus\.cgi\?Script=/webplus/webping/webping\.wml"
-
-# WEB-CGI txt2html.cgi directory traversal attempt
-SecRule REQUEST_URI "/txt2html\.cgi" chain
-SecRule REQUEST_URI "/\.\./\.\./\.\./\.\./"
-
-# WEB-CGI store.cgi directory traversal attempt
-SecRule REQUEST_URI "/store\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI mrtg.cgi directory traversal attempt
-SecRule REQUEST_URI "/mrtg\.cgi" chain
-SecRule REQUEST_URI "cfg=/\.\./"
-
-# WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/whereami\.cgi\?g="
-
-# WEB-CGI WhatsUpGold instancename overflow attempt
-SecRule REQUEST_URI "/_maincfgret\.cgi"
-
-#Demarc SQL injection attempt
-SecRule REQUEST_URI "/dm/demarc.*s_key=.*\'"
-
-# WEB-MISC apache directory disclosure attempt
-SecRule REQUEST_URI|REQUEST_BODY "////////"
-
-# WEB-MISC htgrep attempt
-SecRule REQUEST_URI "/htgrep" chain
-SecRule REQUEST_URI "hdr=/"
-
-#musicat empower attempt
-SecRule REQUEST_URI "/empower\?DB="
-
-# WEB-PHP DNSTools administrator authentication bypass attempt
-SecRule REQUEST_URI "/dnstools\.php" chain
-SecRule REQUEST_URI "user_dnstools_administrator=true"
-
-# WEB-PHP DNSTools authentication bypass attempt
-SecRule REQUEST_URI "/dnstools\.php" chain
-SecRule REQUEST_URI "user_logged_in=true"
-
-#General phpbb_root_path vulnerabilities
-SecRule ARGS:phpbb_root_path "((ht|f)tps?\:/|\.\./)" "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"
-
-# WEB-PHP phpbb quick-reply.php arbitrary command attempt
-SecRule REQUEST_URI "/quick-reply\.php" chain
-SecRule REQUEST_URI "phpbb_root_path="
-
-# WEB-PHP Blahz-DNS dostuff.php modify user attempt
-SecRule REQUEST_URI "/dostuff\.php\?action=modify_user"
-
-# WEB-PHP PHP-Wiki cross site scripting attempt
-SecRule REQUEST_URI "/modules\.php\?*name=Wiki*\<*(script|about|applet|activex|chrome)*\>"
-
-# WEB-MISC *%0a.pl access
-SecRule REQUEST_URI "/*\x0a\.pl"
-
-# WEB-PHP strings overflow
-SecRule REQUEST_URI|REQUEST_BODY "\?STRENGUR"
-
-# WEB-PHP shoutbox.php directory traversal attempt
-SecRule REQUEST_URI "/shoutbox\.php" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt
-SecRule REQUEST_URI "/gm-2-b2\.php" chain
-SecRule REQUEST_URI "b2inc=(http|https|ftp)\:/"
-
-# WEB-PHP BLNews objects.inc.php4 remote file include attempt
-SecRule REQUEST_URI "/objects\.inc\.php*" chain
-SecRule REQUEST_URI "Server\[path\]=(http|https|ftp)\:/"
-
-# WEB-PHP ttCMS header.php remote file include attempt
-SecRule REQUEST_URI "/admin/templates/header\.php" chain
-SecRule REQUEST_URI "admin_root=(http|https|ftp)\:/"
-
-# WEB-PHP autohtml.php directory traversal attempt
-SecRule REQUEST_URI "/autohtml\.php" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-PHP ttforum remote file include attempt
-SecRule REQUEST_URI "forum/index\.php" chain
-SecRule REQUEST_URI "template="
-
-# WEB-PHP pmachine remote file include attempt
-SecRule REQUEST_URI "lib\.inc\.php" chain
-SecRule REQUEST_URI "pm_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "lib\.inc\.php.*pm_path.*(http|https|ftp)\:/"
-
-#rolis guestbook remote file include attempt
-SecRule REQUEST_URI "/insert\.inc\.php*path="
-
-# IdeaBox cord.php file include
-SecRule REQUEST_URI "/index\.php*ideaDir*cord\.php"
-
-#IdeaBox notification.php file include
-SecRule REQUEST_URI "/index\.php*gorumDir*notification\.php"
-
-# WEB-PHP DCP-Portal remote file include attempt
-SecRule REQUEST_URI "/library/lib\.php" chain
-SecRule REQUEST_URI "root="
-
-# WEB-PHP IdeaBox cord.php file include
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "cord\.php"
-
-# WEB-PHP IdeaBox notification.php file include
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "notification\.php"
-
-# WEB-PHP Invision Board emailer.php file include
-SecRule REQUEST_URI "/ad_member\.php" chain
-SecRule REQUEST_URI "emailer\.php"
-
-# WEB-PHP WebChat db_mysql.php file include
-SecRule REQUEST_URI "/defines\.php" chain
-SecRule REQUEST_URI "db_mysql\.php"
-
-# WEB-PHP WebChat english.php file include
-SecRule REQUEST_URI "/defines\.php" chain
-SecRule REQUEST_URI "english\.php"
-
-# WEB-PHP Typo3 translations.php file include
-SecRule REQUEST_URI "/translations\.php" chain
-SecRule REQUEST_URI "ONLY=\x2e"
-
-# WEB-PHP news.php file include
-SecRule REQUEST_URI "/news\.php" chain
-SecRule REQUEST_URI "template"
-
-# WEB-PHP YaBB SE packages.php file include
-SecRule REQUEST_URI "/packages\.php" chain
-SecRule REQUEST_URI "packer\.php"
-
-# WEB-PHP newsPHP Language file include attempt
-SecRule REQUEST_URI "/nphpd\.php" chain
-SecRule REQUEST_URI "LangFile"
-
-#myphpPagetool pt_config.inc file include
-SecRule REQUEST_URI "/doc/admin*ptinclude*pt_config\.inc"
-
-#Invision Board ipchat.php file include
-SecRule REQUEST_URI "/ipchat\.php*root_path*conf_global\.php"
-
-# WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt
-SecRule REQUEST_URI "/authentication_index\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY=(http|https|ftp)\:/"
-
-# WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt
-SecRule REQUEST_URI "/functions\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP TUTOS path disclosure attempt
-SecRule REQUEST_URI "/note_overview\.php" chain
-SecRule REQUEST_URI "id="
-
-# WEB-PHP PhpGedView PGV base directory manipulation
-SecRule REQUEST_URI "_conf\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-#PHPBB worm sigs
-SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
-
-#Mailto domain search possible MyDoom.M,O
-SecRule REQUEST_URI "/search\?hl=en&ie=UTF-8&oe=UTF-8&q=mailto\+" chain
-SecRule REQUEST_URI "Host\: www\.google\.com"
-
-#WEB-PHP EasyDynamicPages exploit
-SecRule REQUEST_URI "edp_relative_path="
-
-#Calendar XSS
-SecRule REQUEST_URI "/(calendar|setup).php\?phpc_root_path=((http|https|ftp)\:/|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-
-#phpMyAdmin Export.PHP File Disclosure Vulnerability
-SecRule SCRIPT_FILENAME "export\.php$" chain
-SecRule ARGS:what "\.\."
-
-#nmap version request
-SecRule REQUEST_URI|REQUEST_BODY "^(HELP|default|\||TNMP|DmdT|\:)$"
-
-#More PHPBB worms
-SecRule REQUEST_URI "/viewtopic\.php\?" chain
-SecRule ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)"
-
-# TIKIWIKI
-SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"
-
-# WEB-MISC BitKeeper arbitrary command attempt
-SecRule REQUEST_URI "/diffs/" chain
-SecRule REQUEST_URI "\'"
-
-#awstats probe
-SecRule REQUEST_URI|REQUEST_BODY "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$" "id:390000,rev:1,severity:2,msg:'JITP: Awstats.pl probe'"
-
-#/forum/viewtopic.php?x=http://
-SecRule REQUEST_URI "/forum/viewtopic\.php\?x=(http|https|ftp)\:/"
-
-# WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt
-SecRule REQUEST_URI "/crystalimagehandler\.aspx" chain
-SecRule REQUEST_URI "dynamicimage=\.\./"
-
-#mailman 2.x path recursion attack
-SecRule REQUEST_URI|REQUEST_BODY "mailman/private/.*\.\.\./\.\.\.\.///"
-SecRule REQUEST_URI|REQUEST_BODY "/mailman/.*\.\.\./"
-
-#ftp.pl attempt
-SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\."
-
-#Tomcat server snoop access
-SecRule REQUEST_URI "/jsp/snp/.*\.snp"
-
-# WEB-CGI HyperSeek hsx.cgi directory traversal attempt
-SecRule REQUEST_URI "/hsx\.cgi.*\x00"
-
-# WEB-CGI SWSoft ASPSeek Overflow attempt
-SecRule REQUEST_URI "/s\.cgi" chain
-SecRule REQUEST_URI "tmpl="
-
-# WEB-CGI /wwwboard/passwd.txt access
-SecRule REQUEST_URI "/wwwboard/passwd\.txt"
-
-# WEB-CGI webplus directory traversal
-SecRule REQUEST_URI "/webplus\?script" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI websendmail access
-SecRule REQUEST_URI "/websendmail"
-
-# WEB-CGI anaconda directory transversal attempt
-SecRule REQUEST_URI "/(apexec|anacondaclip)\.pl" chain
-SecRule REQUEST_URI "template=\.\./"
-
-# WEB-CGI imagemap.exe overflow attempt
-SecRule REQUEST_URI "/imagemap\.exe\?"
-
-# WEB-CGI htmlscript attempt
-SecRule REQUEST_URI "/htmlscript\?\.\./\.\."
-
-# WEB-CGI nph-test-cgi access
-SecRule REQUEST_URI "/nph-test-cgi"
-
-
-# WEB-CGI rwwwshell.pl access
-SecRule REQUEST_URI "/rwwwshell\.pl"
-
-# WEB-CGI view-source directory traversal
-SecRule REQUEST_URI "/view-source" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI calendar_admin.pl arbitrary command execution attempt
-SecRule REQUEST_URI "/calendar_admin.pl\?config=\|7C\|"
-
-# WEB-CGI bb-hist.sh attempt
-SecRule REQUEST_URI "/bb-hist\.sh\?HISTFILE=\.\./\.\."
-
-# WEB-CGI bb-hostscv.sh attempt
-SecRule REQUEST_URI "/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\."
-
-# WEB-CGI wayboard attempt
-SecRule REQUEST_URI "/way-board/way-board\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\."
-
-# WEB-CGI commerce.cgi arbitrary file access attempt
-SecRule REQUEST_URI "/commerce\.cgi" chain
-SecRule REQUEST_URI "/\.\./"
-
-# WEB-CGI Amaya templates sendtemp.pl directory traversal attempt
-SecRule REQUEST_URI "/sendtemp\.pl" chain
-SecRule REQUEST_URI "templ="
-
-# WEB-CGI webspirs.cgi directory traversal attempt
-SecRule REQUEST_URI "/webspirs\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-CGI auktion.cgi directory traversal attempt
-SecRule REQUEST_URI "/auktion\.cgi" chain
-SecRule REQUEST_URI "menue=\.\./\.\./"
-
-# WEB-CGI cgiforum.pl attempt
-SecRule REQUEST_URI "/cgiforum\.pl\?thesection=\.\./\.\."
-
-# WEB-CGI directorypro.cgi attempt
-SecRule REQUEST_URI "/directorypro\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\."
-
-# WEB-CGI Web Shopper shopper.cgi attempt
-SecRule REQUEST_URI "/shopper\.cgi" chain
-SecRule REQUEST_URI "newpage=\.\./"
-
-# WEB-CGI cal_make.pl directory traversal attempt
-SecRule REQUEST_URI "/cal_make\.pl" chain
-SecRule REQUEST_URI "p0=\.\./\.\./"
-
-# WEB-CGI ttawebtop.cgi arbitrary file attempt
-SecRule REQUEST_URI "/ttawebtop\.cgi" chain
-SecRule REQUEST_URI "pg=\.\./"
-
-# WEB-CGI ustorekeeper.pl directory traversal attempt
-SecRule REQUEST_URI "/ustorekeeper\.pl" chain
-SecRule REQUEST_URI "file=\.\./\.\./"
-
-# WEB-CGI htsearch arbitrary configuration file attempt
-SecRule REQUEST_URI "/htsearch\?\-c"
-
-
-# WEB-CGI alibaba.pl arbitrary command execution attempt
-SecRule REQUEST_URI "/alibaba\.pl(\|7C\||\x7C)"
-
-# WEB-CGI AltaVista Intranet Search directory traversal attempt
-SecRule REQUEST_URI "/query\?mss=\.\."
-
-# WEB-CGI test.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/test.bat(\|7C\||\x7C)"
-
-# WEB-CGI input.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/input.bat(\|7C\||\x7C)"
-
-# WEB-CGI envout.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/envout.bat(\|7C\||\x7C)"
-
-# WEB-CGI hello.bat arbitrary command execution attempt
-SecRule REQUEST_URI "/hello\.bat" chain
-SecRule REQUEST_URI "\&"
-
-# WEB-CGI csSearch.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/csSearch\.cgi" chain
-SecRule REQUEST_URI "\`"
-
-# WEB-CGI eshop.pl arbitrary commane execution attempt
-SecRule REQUEST_URI "/eshop\.pl\?seite=(\|3B\|\x3B)"
-
-# WEB-CGI loadpage.cgi directory traversal attempt
-SecRule REQUEST_URI "/loadpage\.cgi" chain
-SecRule REQUEST_URI "file=\.\./"
-
-#faqmanager.cgi arbitrary file access attempt
-SecRule REQUEST_URI "/faqmanager\.cgi\?toc=*/"
-SecRule REQUEST_URI "/faqmanager\.cgi\?(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-
-# WEB-CGI Home Free search.cgi directory traversal attempt
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule REQUEST_URI "letter=\.\./\.\."
-
-# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/pfdispaly\.cgi\?'"
-
-# WEB-CGI pagelog.cgi directory traversal attempt
-SecRule REQUEST_URI "/pagelog\.cgi" chain
-SecRule REQUEST_URI "name=\.\./"
-
-# WEB-CGI talkback.cgi directory traversal attempt
-SecRule REQUEST_URI "/talkbalk\.cgi" chain
-SecRule REQUEST_URI "article=\.\./\.\./"
-
-# WEB-CGI emumail.cgi NULL attempt
-SecRule REQUEST_URI "/emumail\.cgi.*\x00"
-
-# WEB-CGI technote main.cgi file directory traversal attempt
-SecRule REQUEST_URI "/technote/main\.cgi" chain
-SecRule REQUEST_URI "\.\./\.\./"
-
-# WEB-CGI technote print.cgi directory traversal attempt
-SecRule REQUEST_URI "/technote/print\.cgi.*\x00"
-
-# WEB-CGI Allaire Pro Web Shell attempt
-SecRule REQUEST_URI "/authenticate.cgi\?PASSWORD" chain
-SecRule REQUEST_URI "config\.ini"
-
-# WEB-CGI Armada Style Master Index directory traversal
-SecRule REQUEST_URI "/search\.cgi\?keys" chain
-SecRule REQUEST_URI "catigory=\.\./"
-
-# WEB-CGI cached_feed.cgi moreover shopping cart directory traversal
-SecRule REQUEST_URI "/cached_feed\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI Talentsoft Web+ exploit attempt
-SecRule REQUEST_URI "/webplus.cgi\?Script=/webplus/webping/webping\.wml"
-
-# WEB-CGI bizdbsearch attempt
-SecRule REQUEST_URI "/bizdb1-search\.cgi" chain
-SecRule REQUEST_URI "mail"
-
-# WEB-CGI sojourn.cgi File attempt
-SecRule REQUEST_URI "/sojourn\.cgi\?cat=.*\x00"
-
-# WEB-CGI SGI InfoSearch fname attempt
-SecRule REQUEST_URI "/infosrch\.cgi\?" chain
-SecRule REQUEST_URI "fname="
-
-
-# WEB-CGI store.cgi directory traversal attempt
-SecRule REQUEST_URI "/store\.cgi" chain
-SecRule REQUEST_URI "\.\./"
-
-# WEB-CGI SIX webboard generate.cgi attempt
-SecRule REQUEST_URI "/generate\.cgi" chain
-SecRule REQUEST_URI "content=\.\./"
-
-# WEB-CGI story.pl arbitrary file read attempt
-SecRule REQUEST_URI "/story\.pl" chain
-SecRule REQUEST_URI "next=\.\./"
-
-# WEB-CGI mrtg.cgi directory traversal attempt
-SecRule REQUEST_URI "/mrtg\.cgi" chain
-SecRule REQUEST_URI "cfg=/\.\./"
-
-#alienform.cgi directory traversal attempt
-SecRule REQUEST_URI "/alienform\.cgi.*\.\|7C\|\./\.\|7C\|\."
-SecRule REQUEST_URI "/af\.cgi.*\.\|7C\|\./\.\|7C\|\."
-
-# WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/whereami\.cgi\?g="
-
-# WEB-CGI MDaemon form2raw.cgi overflow attempt
-SecRule REQUEST_URI "/form2raw\.cgi"
-
-# WEB-CGI WhatsUpGold instancename overflow attempt
-SecRule REQUEST_URI "/_maincfgret\.cgi"
-
-#honeypot
-SecRule REQUEST_URI|REQUEST_BODY "clamav-partial "
-SecRule REQUEST_URI|REQUEST_BODY "vi\.recover "
-
-# WEB-COLDFUSION cfcache.map access
-SecRule REQUEST_URI "/cfcache\.map"
-
-# WEB-COLDFUSION exampleapp application.cfm
-SecRule REQUEST_URI "/cfdocs/exampleapp/email/application\.cfm"
-
-# WEB-COLDFUSION application.cfm access
-SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/application\.cfm"
-
-# WEB-COLDFUSION getfile.cfm access
-SecRule REQUEST_URI "/cfdocs/exampleapp/email/getfile\.cfm"
-
-# WEB-COLDFUSION addcontent.cfm access
-SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/addcontent\.cfm"
-
-# WEB-COLDFUSION administrator access
-SecRule REQUEST_URI "/cfide/administrator/index\.cfm"
-
-# WEB-COLDFUSION fileexists.cfm access
-SecRule REQUEST_URI "/cfdocs/snippets/fileexists\.cfm"
-
-# WEB-COLDFUSION exprcalc access
-SecRule REQUEST_URI "/cfdocs/expeval/exprcalc\.cfm"
-
-# WEB-COLDFUSION parks access
-SecRule REQUEST_URI "/cfdocs/examples/parks/detail\.cfm"
-
-# WEB-COLDFUSION cfappman access
-SecRule REQUEST_URI "/cfappman/index\.cfm"
-
-# WEB-COLDFUSION beaninfo access
-SecRule REQUEST_URI "/cfdocs/examples/cvbeans/beaninfo\.cfm"
-
-# WEB-COLDFUSION evaluate.cfm access
-SecRule REQUEST_URI "/cfdocs/snippets/evaluate\.cfm"
-
-# WEB-COLDFUSION expeval access
-SecRule REQUEST_URI "/cfdocs/expeval/"
-
-# WEB-COLDFUSION displayfile access
-SecRule REQUEST_URI "/cfdocs/expeval/displayopenedfile\.cfm"
-
-# WEB-COLDFUSION mainframeset access
-SecRule REQUEST_URI "/cfdocs/examples/mainframeset\.cfm"
-
-# WEB-COLDFUSION exampleapp access
-SecRule REQUEST_URI "/cfdocs/exampleapp/"
-
-# WEB-COLDFUSION snippets attempt
-SecRule REQUEST_URI "/cfdocs/snippets/"
-
-# WEB-COLDFUSION cfmlsyntaxcheck.cfm access
-SecRule REQUEST_URI "/cfdocs/cfmlsyntaxcheck\.cfm"
-
-# WEB-COLDFUSION application.cfm access
-SecRule REQUEST_URI "/application\.cfm"
-
-# WEB-COLDFUSION onrequestend.cfm access
-SecRule REQUEST_URI "/onrequestend\.cfm"
-
-# WEB-COLDFUSION startstop DOS access
-SecRule REQUEST_URI "/cfide/administrator/startstop\.html"
-
-# WEB-COLDFUSION gettempdirectory.cfm access
-SecRule REQUEST_URI "/cfdocs/snippets/gettempdirectory\.cfm"
-
-# WEB-COLDFUSION sendmail.cfm access
-SecRule REQUEST_URI "/sendmail\.cfm"
-
-# WEB-COLDFUSION ?Mode=debug attempt
-#SecRule REQUEST_URI "Mode=debug"
-
-# WEB-MISC Tomcat view source attempt
-SecRule REQUEST_URI|REQUEST_BODY "\x252ejsp"
-
-# WEB-MISC unify eWave ServletExec upload
-SecRule REQUEST_URI|REQUEST_BODY "/servlet/com\.unify\.servletexec\.UploadServlet"
-
-# WEB-MISC Talentsoft Web+ Source Code view access
-SecRule REQUEST_URI "/webplus\.exe\?script=test\.wml"
-
-# WEB-MISC ftp.pl attempt
-SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\."
-
-# WEB-MISC apache source.asp file access
-SecRule REQUEST_URI "/site/eg/source\.asp"
-
-# WEB-MISC Tomcat server exploit access
-SecRule REQUEST_URI "/contextAdmin/contextAdmin\.html"
-
-# WEB-MISC Ecommerce import.txt access
-SecRule REQUEST_URI "/orders/import\.txt"
-
-# WEB-MISC Domino catalog.nsf access
-SecRule REQUEST_URI "/catalog\.nsf"
-
-# WEB-MISC Domino domcfg.nsf access
-SecRule REQUEST_URI "/domcfg\.nsf"
-
-# WEB-MISC Domino domlog.nsf access
-SecRule REQUEST_URI "/domlog\.nsf"
-
-# WEB-MISC Domino log.nsf access
-SecRule REQUEST_URI "/log\.nsf"
-
-# WEB-MISC Domino names.nsf access
-SecRule REQUEST_URI "/names\.nsf"
-
-# WEB-MISC Domino mab.nsf access
-SecRule REQUEST_URI "/mab\.nsf"
-
-# WEB-MISC Domino cersvr.nsf access
-SecRule REQUEST_URI "/cersvr\.nsf"
-
-# WEB-MISC Domino setup.nsf access
-SecRule REQUEST_URI "/setup\.nsf"
-
-# WEB-MISC Domino statrep.nsf access
-SecRule REQUEST_URI "/statrep\.nsf"
-
-# WEB-MISC Domino webadmin.nsf access
-SecRule REQUEST_URI "/webadmin\.nsf"
-
-# WEB-MISC Domino events4.nsf access
-SecRule REQUEST_URI "/events4\.nsf"
-
-# WEB-MISC Domino ntsync4.nsf access
-SecRule REQUEST_URI "/ntsync4\.nsf"
-
-# WEB-MISC Domino collect4.nsf access
-SecRule REQUEST_URI "/collect4\.nsf"
-
-# WEB-MISC Domino mailw46.nsf access
-SecRule REQUEST_URI "/mailw46\.nsf"
-
-# WEB-MISC Domino bookmark.nsf access
-SecRule REQUEST_URI "/bookmark\.nsf"
-
-# WEB-MISC Domino agentrunner.nsf access
-SecRule REQUEST_URI "/agentrunner\.nsf"
-
-# WEB-MISC Domino mail.box access
-#SecRule REQUEST_URI "/mail.box"
-
-# WEB-MISC Ecommerce checks.txt access
-SecRule REQUEST_URI "/orders/checks\.txt"
-
-# WEB-MISC mall log order access
-SecRule REQUEST_URI "/mall_log_files/order\.log"
-
-# WEB-MISC ROADS search.pl attempt
-SecRule REQUEST_URI "/ROADS/cgi-bin/search\.pl" chain
-SecRule REQUEST_URI "form="
-
-# WEB-MISC SWEditServlet directory traversal attempt
-SecRule REQUEST_URI "/SWEditServlet" chain
-SecRule REQUEST_URI "template=\.\./\.\./\.\./"
-
-# WEB-MISC RBS ISP /newuser directory traversal attempt
-SecRule REQUEST_URI "/newuser\?Image=\.\./\.\."
-
-# WEB-MISC PCCS mysql database admin tool access
-SecRule REQUEST_URI "pccsmysqladm/incs/dbconnect\.inc"
-
-# WEB-MISC ans.pl attempt
-SecRule REQUEST_URI "/ans.pl\?p=\.\./\.\./"
-
-# WEB-MISC Demarc SQL injection attempt
-SecRule REQUEST_URI "/dm/demarc" chain
-SecRule REQUEST_URI "\'"
-
-# WEB-MISC philboard_admin.asp authentication bypass attempt
-SecRule REQUEST_URI "/philboard_admin\.asp" chain
-SecRule REQUEST_URI "philboard_admin=True"
-
-# WEB-PHP Phorum /support/common.php access
-SecRule REQUEST_URI "/support/common\.php"
-
-# WEB-PHP rolis guestbook remote file include attempt
-SecRule REQUEST_URI "/insert\.inc\.php" chain
-SecRule REQUEST_URI "path="
-
-# book.cgi arbitrary command execution attempt
-SecRule REQUEST_URI "/book\.cgi.*current=\|7C\|"
-
-# WEB-PHP gallery remote file include attempt
-SecRule REQUEST_URI "/setup/" chain
-SecRule REQUEST_URI "GALLERY_BASEDIR=(http|https|ftp)\:/"
-
-#Needinit remote file include attempt
-SecRule REQUEST_URI "/needinit\.php\?" chain
-SecRule REQUEST_URI "GALLERY_BASEDIR=(http|https|ftp)\:/"
-
-# WEB-PHP IdeaBox cord.php file include
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "cord\.php"
-
-# WEB-PHP Invision Board ipchat.php file include
-SecRule REQUEST_URI "/ipchat\.php" chain
-SecRule REQUEST_URI "conf_global\.php"
-
-# WEB-PHP myphpPagetool pt_config.inc file include
-SecRule REQUEST_URI "/doc/admin" chain
-SecRule REQUEST_URI "pt_config\.inc"
-
-# WEB-PHP YaBB SE packages.php file include
-SecRule REQUEST_URI "/packages\.php" chain
-SecRule REQUEST_URI "packer\.php"
-
-# WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt
-SecRule REQUEST_URI "/authentication_index\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt
-SecRule REQUEST_URI "/functions\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt
-SecRule REQUEST_URI "/config_gedcom\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP PhpGedView PGV base directory manipulation
-SecRule REQUEST_URI "_conf\.php" chain
-SecRule REQUEST_URI "PGV_BASE_DIRECTORY"
-
-# WEB-PHP WAnewsletter newsletter.php file include attempt
-SecRule REQUEST_URI "newsletter\.php" chain
-SecRule REQUEST_URI "start\.php"
-
-# WEB-PHP Opt-X header.php remote file include attempt
-SecRule REQUEST_URI "/header\.php" chain
-SecRule REQUEST_URI "systempath="
-
-#webdav searcg attack
-SecRule REQUEST_URI "/_vti_bin/_vti_aut/fp30reg\.dll"
-
-#/auth.php?path=http://[attacker]/
-SecRule REQUEST_URI "/auth.php\?path=(http|https|ftp)\:/"
-
-SecRule REQUEST_URI "/dforum/nav\.php3\?page=<[[:space:]]*(script|about|applet|activex|chrome)+.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpMyAdmin path vln
-SecRule REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"
-
-#PHPBB full path disclosure
-SecRule REQUEST_URI "phpBB/db/oracle\.php"
-SecRule REQUEST_URI "forum/db/oracle\.php"
-SecRule REQUEST_URI "forums/db/oracle\.php"
-
-
-#PHP Form Mail Script File Incusion vuln
-SecRule REQUEST_URI "/inc/formmail\.inc\.php\?script_root=(http|https|ftp)\:/"
-
-#Download Center Lite File Incusion vuln
-SecRule REQUEST_URI "/inc/download_center_lite\.inc\.php\?script_root=(http|https|ftp)\:/"
-
-#/modules/mod_mainmenu.php?mosConfig_absolute_path=http://
-SecRule REQUEST_URI "/modules/mod_mainmenu\.php\?mosConfig_absolute_path=(http|https|ftp)\:/"
-
-#phpWebLog command execution
-SecRule REQUEST_URI "/init\.inc\.php\?G_PATH=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/backend/addons/links/index\.php\?PATH=(http|https|ftp)\:/"
-
-#mcNews command execution
-SecRule REQUEST_URI "/mcNews/admin/header\.php\?skinfile=(http|https|ftp)\:/"
-
-#phpbb
-SecRule REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./"
-#votebox
-SecRule REQUEST_URI "/votebox\.php\?VoteBoxPath=(http|https|ftp)\:/"
-
-#phpAdsNew path disclosure
-SecRule REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-activation\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-cleantables\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-autotargeting\.php"
-SecRule REQUEST_URI "/maintenance/maintenance-reports\.php"
-SecRule REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php"
-SecRule REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php"
-SecRule REQUEST_URI "/misc/backwards\x20compatibility/click\.php"
-SecRule REQUEST_URI "/adframe\.php\?refresh=securityreason\.com\'\>"
-
-#include cgi command exec
-SecRule REQUEST_URI "/includer\.cgi\?=\|"
-
-#citrusDB
-#adjust these to your system, you might need to upload
-SecRule REQUEST_URI "tools/index\.php\?load=\.\./\.\./"
-SecRule REQUEST_URI "citrusdb/tools/index\.php\?load=importcc\&submit=on"
-SecRule REQUEST_URI "/citrusdb/tools/uploadcc\.php"
-
-#awstats vulns
-SecRule REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
-SecRule REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
-SecRule REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
-SecRule REQUEST_URI "/awstats\.pl\?configdir="
-SecRule REQUEST_URI "awstats\.pl\?" chain
-SecRule ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
-
-#yabb
-SecRule REQUEST_URI "/YaBB\.pl\?action=usersrecentposts\;username=\<IFRAME.*javascript\:alert\(\'"
-
-# WEB-FRONTPAGE .... request
-SecRule REQUEST_URI|REQUEST_BODY "\.\.\.\./"
-
-#phpbb XSS
-SecRule REQUEST_URI "/posting\.php\?mode=reply&t=.*userid.*phpbb2mysql_t=(\<(script|javascript|about|applet|activex|chrome)|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/posting\.php\\?.*(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI|REQUEST_BODY "/privmsg\.php" chain
-SecRule REQUEST_URI|REQUEST_BODY "\<a href=*(script|about|applet|activex|chrome)"
-
-#proxy grabber
-SecRule REQUEST_URI "/proxy-grabber\.com/cgi-bin/v2/nph-env\.cgi\?"
-
-#Unique stuff caught in our traps
-SecRule REQUEST_URI "/mail_autocheck\.php\?pm_path=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-# Remote File Inclusion Vulnerability in phpWebLog
-SecRule REQUEST_URI "/include/init\.inc\.php\?G_PATH=(http|https|ftp)\:/"
-SecRule REQUEST_URI "addons/links/index\.php\?PATH=(http|https|ftp)\:/"
-
-#Multiple Vulnerabilities in ProjectBB
-SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=\&desc=\&pages=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/Zip/divers\.php\?action =liste&liste=email&desc=.*\'"
-
-#WebChat english.php or db_mysql.php file include
-SecRule REQUEST_URI "/defines\.php*WEBCHATPATH*(db_mysql\.php|english\.php)"
-
-#Cross-Site Scripting Vulnerability in D-Forum
-SecRule REQUEST_URI "/nav\.php3\?page=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Multiple Vulnerabilities in auraCMS
-SecRule REQUEST_URI "/index\.php\?query=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/).*\&pilih=search"
-SecRule REQUEST_URI "/hits\.php\?hits=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/counter\.php\?theCount=(\<(javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#vBulletin Remote Command Execution Attempt
-SecRule REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"
-SecRule REQUEST_URI "/forumdisplay\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "\.system\(.+\)\."
-SecRule REQUEST_URI "/forumdisplay\.php\?*comma="
-
-#PHPNuke general XSS attempt
-#/modules.php?name=News&file=article&sid=1&optionbox=
-SecRule REQUEST_URI "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>"
-SecRule REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>"
-
-# PHPNuke SQL injection attempt
-SecRule REQUEST_URI "/modules\.php\?*name=Search*instory="
-SecRule REQUEST_URI "/modules\.php\?*name=(Search|Web_Links).*\'"
-
-#EasyDynamicPages exploit
-SecRule REQUEST_URI|REQUEST_BODY "edp_relative_path="
-
-#Readfile.tcl Access
-SecRule REQUEST_URI "/readfile\.tcl\?file="
-
-#phpnuke sql insertion
-SecRule REQUEST_URI "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
-
-#WAnewsletter newsletter.php file include attempt
-SecRule REQUEST_URI "newsletter\.php*waroot*start\.php"
-
-# Typo3 translations.php file include
-SecRule REQUEST_URI "/translations\.php*ONLY"
-
-#PHP-Nuke remote file include attempt
-SecRule REQUEST_URI "/index\.php*file=*(http|https|ftp)\:/"
-
-#PayPal Storefront remote file include attempt
-SecRule REQUEST_URI "do=ext*/page=(http|https|ftp)\:/"
-
-#PHPOpenChat
-SecRule REQUEST_URI "/poc_loginform\.php\?phpbb_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/poc\.php\?phpbb_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/poc\.php\?poc_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/ENGLISH_poc\.php\?poc_root_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/poc\.php\?sourcedir=(http|https|ftp)\:/"
-
-#ACS Blog Search.ASP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.asp\?search=.*iframe\+src.*((javascript|script|about|applet|activex|chrome)*\>|http|https|ftp)\:/"
-
-#mcNews Remote command execution
-SecRule REQUEST_URI "/admin/install\.php\?l=(http|https|ftp)\:/"
-
-#mailman XSS
-SecRule REQUEST_URI|REQUEST_BODY "/mailman/.*\?.*info=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Macromedia SiteSpring XSS
-SecRule REQUEST_URI|REQUEST_BODY "/error/500error\.jsp.*et=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#OWA phishing redirect
-SecRule REQUEST_URI "/exchweb/bin/auth/owalogon\.asp\?url=(http|https)\:/"
-
-#ads.cgi command execution attempt
-SecRule REQUEST_URI "/ads\.cgi.*file=.*\.\./\.\./"
-
-#webdist.cgi arbitrary command attemp
-SecRule REQUEST_URI "/webdist\.cgi.*distloc=(\|3B\||\x3B)"
-
-#enter_bug.cgi arbitrary command attempt
-SecRule REQUEST_URI "/enter_bug\.cgi.*who.*(\|3B\||\x3B)"
-
-#cross site scripting HTML Image tag set to javascript attempt
-SecRule REQUEST_URI|REQUEST_BODY "img src=javascript"
-
-#b2 arbitrary command execution attempt
-SecRule REQUEST_URI "/b2-include/.*b2inc.*http(\|3A\|//|\x3A)"
-
-#tomcat servlet mapping XSS
-SecRule REQUEST_URI|REQUEST_BODY "/servlet/.*/org\.apache\."
-
-#RUNCMS,Exoops,CIAMOS highlight file access hole
-SecRule REQUEST_URI "/class/debug/highlight\.php\?file=(/|\.\./)"
-
-#TRG/CzarNews News Script Include File Hole Lets Remote Users Execute Arbitrary Commands
-SecRule REQUEST_URI "/install/(article|authorall|comment|display|displayall.)\.php\?dir=(http|https|ftp):/"
-
-#zpanel XSS
-SecRule REQUEST_URI "/zpanel\.php\?page=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#zpanel SQL injection
-SecRule REQUEST_URI "/zpanel\.php\?page=.*\'"
-
-#Phorum HTTP Response Splitting Vulnerability
-SecRule REQUEST_URI "/search\.php\?forum_id=.*\&search=.*\&body=.*Content-Length\:.*HTTP/1\.0.*Content-Type\:.*Content-Length\:"
-
-#Subdreamer Light Global Variables SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?categoryid=.*\&.*_sectionid=.*\&.*_imageid=.*\'"
-
-#PhotoPost Pro
-SecRule REQUEST_URI "/showgallery\.php\?cat=[0-9].*\&page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/showgallery\.php\?si=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\&cat=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/showgallery\.php\?cat=[0-9].*\'"
-SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\'.*\&cat="
-
-#betaparticle blog Discloses Database to Remote Users
-#and Lets Remote Users Upload/Delete Arbitrary Files
-SecRule REQUEST_URI "/bp/database/dbBlogMX\.mdb"
-SecRule REQUEST_URI "/Blog\.mdb"
-
-#Kayako eSupport Remote Cross Site Scripting Vulnerability
-SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questiondetails\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questionprint\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/eSupport/index.php\?_a=troubleshooter\&_c=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=subcat\&_i=[0-9].*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpSysInfo XSS vulns
-SecRule REQUEST_URI "/index\.php\?sensor_program=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*\&VERSION=\<iframesrc=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#DigitalHive Remote Unathenticated Software Re-install and Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/base\.php\?page=forum/msg\.php-afs-1-\"/\>\<script\>"
-SecRule REQUEST_URI "/hive/base\.php\?page=membres\.php\&mt=\"/\>\<script\>"
-
-#Topic Calendar Mod for phpBB Cross-Site Scripting Attack
-SecRule REQUEST_URI "/calendar_scheduler\.php\?start=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpSysInfo Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?sensor_program=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?text.*=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*=\<iframe src.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Interspire ArticleLive 2005 "ArticleId" Remote Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/articles/newcomment\?ArticleId=\"\>"
-
-#Dream4 Koobi CMS Index.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?p=articles&area=.*\'"
-SecRule REQUEST_URI "/index\.php\?area.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Vortex Portal Remote File Inclusion and Path Disclosure Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?act=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/content\.php\?act=(http|https|ftp)\:/"
-
-#Topic Calendar Cross Site Scripting
-SecRule REQUEST_URI "/calendar_scheduler\.php\?start.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#ESMI PayPal Storefront SQL inject and XSS
-SecRule REQUEST_URI "/ecdis/pages.php?idpages=\'"
-SecRule REQUEST_URI "/ecdis/products.*.php?id=.*&id.*=\'"
-SecRule REQUEST_URI "/ecdis/products.*\.php\?id=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Nuke Bookmarks Marks.php SQL Injection Vulnerability
-SecRule REQUEST_URI "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9| ]+[[:space:]](from|into|table|database|index|view)"
-
-#Nuke Bookmarks XSS
-SecRule REQUEST_URI "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#possible new vuln in tikiwiki
-SecRule REQUEST_URI "/tiki-list_faqs\.php\?offset=(http|https|ftp)\:/"
-
-#exoops Input Validation Flaws SQL injection and XSS
-SecRule REQUEST_URI "/newbb/index\.php\?viewcat=\'"
-SecRule REQUEST_URI "/modules/sections/index\.php\?op=viewarticle&artid=9\x2c+9\x2c+9"
-SecRule REQUEST_URI "/newbb/viewforum\.php\?sortname=p\.post_time\&sortorder=.*\&sortdays=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/newbb/index\.php\?viewcat=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Valdersoft Shopping Cart SQL injection and XSS
-SecRule REQUEST_URI "/(item|category).php?sid=.*\&id=\'"
-SecRule REQUEST_URI "/index\.php\?sid=.*\&lang=\'"
-SecRule REQUEST_URI "/search_result\.php\?sid=.*\&search.*\'"
-
-#OSCommerce XSS
-SecRule REQUEST_URI "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Typo3 remote file retrieval
-SecRule REQUEST_URI "/dev/translations\.php\?ONLY=\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/\x2e\x2e/.*\x00"
-
-#Mambo XSS
-SecRule REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\<script|(http|https|ftp)\:/)"
-
-#Photopost XSS and sql injection
-SecRule REQUEST_URI "photos/(showgallery|showmembers|slideshow)\.php\?.*(\'|\<script|(http|https|ftp)\:/)"
-
-#TKai's Shoutbox XSS
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&name=default&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=default\&email=default\&name=default\&query=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/shoutact\.php\?yousay=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#EncapsBB Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "/index_header.php?root=(http|https|ftp)\:/"
-
-#CPG Dragonfly CMS Two Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?name=.*\&profile=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/coppermine/displayimage/meta=lastcom/cat=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/).*/pos=.*\.html"
-
-#PHPCoin
-SecRule REQUEST_URI "phpcoin/auxpage\.php\?page=\.\./\.\."
-
-#PortalApp SQL injection and XSS
-SecRule REQUEST_URI "/ad_click\.asp\?banner _id=\'"
-SecRule REQUEST_URI "/content\.asp\?CatId=\'"
-SecRule REQUEST_URI "/content\.asp\?ContentId=\'"
-SecRule REQUEST_URI "/content\.asp\?contenttype=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/content\.asp\?do_search=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#Lighthouse Development Squirrelcart SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?crn=\'"
-
-#PunBB version <= 1.2.2 auth bypass exploit
-SecRule REQUEST_URI "profile\.php\?section=admin\&id=.*\&action=foo"
-SecRule REQUEST_COOKIES:punbb_cookie "a\:2\:\{i\:0\;s\:.*\;i\:1\;b\:1\;\}"
-
-#Multiple sql injection, and xss vulnerabilities in AspApp
-SecRule REQUEST_URI "/content\.asp\?CatId=.*\&ContentType=(.*script|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/content\.asp\?CatId=\'"
-SecRule REQUEST_URI "/content\.asp\?contenttype=(.*script|(http|https|ftp)\:/)"
-
-#PaFileDB Version 3.1 and below SQL injection and XSS
-SecRule REQUEST_URI "/pafiledb\.php\?action=viewall&id=&start=\'"
-SecRule REQUEST_URI "/pafiledb\.php\?action=file&id=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#E-Data 2.0 XSS
-SecRule REQUEST_URI "cgi-bin/dir\.pl.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#PHPNuke general SQL injection
-SecRule REQUEST_URI "/modules\.php\?.*name=.*UNION.*SELECT"
-
-#InterAKT Online MX Kart Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?mod=pages&idp=\'"
-SecRule REQUEST_URI "/MXShop/\?mod=category&id_ctg=\'"
-SecRule REQUEST_URI "/index\.php\?mod=category&id_ctg=\'"
-SecRule REQUEST_URI "/index\.php\?PHPSESSID=.*&id_man=\'"
-
-#CPG Dragonfly XSS
-SecRule REQUEST_URI "/index\.php\?name=.*\&file=.*\&meta=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?name=.*\&mode=.*&id=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/coppermine/displayimage/meta=.*/cat=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?name=.*&profile=.*\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/epal/\?order_num=crap&payment=\">.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/epal/\?order_num=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#AlstraSoft EPay Pro Remote File Include Vulnerability
-SecRule REQUEST_URI "/epal/index\.php\?view=(http|https|ftp)\:/"
-
-#SiteEnable SQL injection and XSS
-SecRule REQUEST_URI "content\.asp\?contenttype=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpbb 2.0.13 download vuln
-SecRule REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
-
-#Turnkey Websites Shopping Cart SQL injection
-SecRule REQUEST_URI "/SearchResults\.php\?SearchTerm=\'"
-SecRule REQUEST_URI "/SearchResults\.php\?SearchTerm=.*\'"
-
-#Authenticaion bypass, Directory transversal and XSS vulnerabilities in PayProCart 3.0
-SecRule REQUEST_URI "/usrdetails\.php\?sgnuptype=.*((javsscript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "adminshop/index\.php\?proMod=index\&amp.*toedit=\.\..*shopincs.*maintopENG"
-
-#PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12
-SecRule REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#PHP-Nuke Input Validation Flaws in Search, FAQ, and Banners Modules Permit Cross-Site Scripting Attacks
-SecRule REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#phpMyAdmin convcharset Parameter Cross Site Scripting
-SecRule REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-##phpBB Calendar Pro catergory Parameter SQL Injection
-SecRule REQUEST_URI "/cal_view_month\.php\?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)"
-
-#cubecart SQL injection
-SecRule REQUEST_URI "/index\.php\?&PHPSESSID=\'"
-SecRule REQUEST_URI "/tellafriend\.php\?&product=\'"
-SecRule REQUEST_URI "/view_cart\.php\?add=\'"
-SecRule REQUEST_URI "/view_product\.php\?product=\'"
-
-#PHPBB LinksLinks Pro Module SQL Injection Vulnerability
-SecRule REQUEST_URI "/links\.php\?func=show&id=\'"
-
-#LiteCommerce Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/cart\.php\?target=\'"
-SecRule REQUEST_URI "/cart\.php\?target=category&category_id=\'"
-SecRule REQUEST_URI "/cart\.php\?target=product&product_id=\'"
-
-#PHP-Nuke "querylang" SQL Injection Vulnerability
-SecRule REQUEST_URI "/modules\.php\?name=Top&querylang=.*(UNION|SELECT|DELETE|INSERT).*\,"
-
-#PHPBB DLMan Pro Module SQL Injection Vulnerability
-SecRule REQUEST_URI "/dlman\.php\?func=file_info&file_id=\'"
-
-#ModernBill XSS and file include
-SecRule REQUEST_URI "/samples/news\.php\?DIR=(http|https|ftp)\:/"
-SecRule REQUEST_URI|REQUEST_BODY "/order/orderwiz\.php\?v=.*&aid=.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"
-
-#TowerBlog! Discloses Hashed Administrative Password to Remote Users
-SecRule REQUEST_URI|REQUEST_BODY "/_dat/login"
-
-#Invision Power Board SQL injection
-SecRule REQUEST_URI "/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"
-#SQL injection in jPortal version 2.3.1
-SecRule REQUEST_URI "/jportal/banner\.php*(UNION|SELECT|DELETE|INSERT)"
-
-
-#PinnacleCart XSS Attack
-SecRule REQUEST_URI "/index\.php\?p=catalog&parent=.*&pg=\">"
-
-#Serendipity exip.php SQL injection
-SecRule REQUEST_URI "exit\.php\?entry_id=.*&url_id=.*\x20UNION\x20SELECT\x20(password|username)\x20FROM"
-
-#phpbb p[lus
-SecRule REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
-SecRule REQUEST_URI "/index\.php\?(c|mark)=*\'"
-SecRule REQUEST_URI "/portal\.php\?article=*\'"
-SecRule REQUEST_URI "/viewforum.php?f=.*sid=\'"
-SecRule REQUEST_URI "/viewtopic.php?p=.*sid=\'"
-SecRule REQUEST_URI "/album_search\.php\?mode=\'"
-SecRule REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
-SecRule REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
-SecRule REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"
-
-#EasyPHPCalendar XSS
-SecRule REQUEST_URI "/index\.php\?mo=.*&yr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#CalendarScript path discolsure and XSS
-SecRule REQUEST_URI "/calendar\.pl\?calendar=.*&template=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/calendar\.pl\?calendar=.*&command=login&username=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-#SPHPBlog Search.PHP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.php\?q=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
-
-
-#All4WWW-Homepagecreator
-SecRule REQUEST_URI "/index.php?site=(http|https|ftp)\:/"
-
-#zOOM Media Gallery SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?option=com_zoom&Itemid=.*&catid=*(AND|OR|INSERT|UNION|DELETE)"
-
-#caught in honeypot
-SecRule REQUEST_URI ".*\.php\?(do=.*&template=\{\$\{|inc=(http|https|ftp)\:/)"
-
-#phpMyAdmin path vln
-SecRule REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
-
-#PHP-Nuke Web_Links Multiple Variable SQL Injection
-SecRule SCRIPT_FILENAME "modules\.php" chain
-SecRule ARGS:email|ARGS:ratenum|ARGS:min|ARGS:show|ARGS:orderby|ARGS:url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#phpCOIN SQL injection
-SecRule SCRIPT_FILENAME "mod\.php" chain
-SecRule ARGS:faq_id|ARGS:id|ARGS:topic_id|ARGS:ord_id|ARGS:dom_id|ARGS:invd_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#NukeBookmarks SQL injection
-SecRule SCRIPT_FILENAME "modules\.php" chain
-SecRule ARGS:category "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#e107 SQL injection
-SecRule SCRIPT_FILENAME "news\.php" chain
-SecRule ARGS:list "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#squirrelcart SQL injection
-SecRule SCRIPT_FILENAME "index\.php" chain
-SecRule ARGS:crn "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)"
-
-#PHP-Nuke HTTP Response Splitting vuln
-SecRule REQUEST_URI "modules\.php\?name=Surveys&pollID=.*&forwarder=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#AzDGDatingPlatinum view.php id Variable XSS
-SecRule REQUEST_URI "/view\.php\?l=.*&id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# AzDGDatingPlatinum index.php from Variable SQL Injection
-SecRule REQUEST_URI "/members/index\.php\?l=.*&a=.*&from=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-# AzDGDatingPlatinum view.php id Variable SQL Injection
-SecRule REQUEST_URI "/view.php\?l=.*&id=.*\'"
-
-#PHPBB Remote Mod.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/moddb/mod\.php\?id=\'"
-
-#CityPost PHP LNKX Input Validation Hole Permits Cross-Site Scripting Attacks
-SecRule REQUEST_URI "/lnkx/message\.php\?msg=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Coppermine Photo Gallery Multiple XSS
-SecRule REQUEST_URI "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHP-Nuke Blind SQL Injection
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&title=.*&url=.*&description=.*&email=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&url=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=viewsdownload&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*]+(from|into|table|database|index|view)"
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=search&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#UBB Thread /ubbthreads/printthread.php SQL Injection Yes\No vulnerability
-SecRule REQUEST_URI "/printthread\.php*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#coppermine remote file inclusion
-SecRule REQUEST_URI "/theme\.php\?THEME_DIR=(http|https|ftp)/:/"
-
-#E-Cart Mod remote command execution
-SecRule REQUEST_URI "/index\.cgi\?action=.*&cat=.*&art=.*\|"
-
-#phpBB Auction Mod SQL injection
-SecRule REQUEST_URI "/auction_rating\.php\?mode=.*&u=.*\'"
-SecRule REQUEST_URI "/auction_offer\.php\?mode=.*&ar=.*\'"
-
-#kali's tagboard remote command execution
-SecRule REQUEST_URI "/admin/banned\.php\?&cmd="
-
-#PHPBB Profile.PHP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
-
-#PHPBB Viewtopic.PHP Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
-
-#Netref Remote Arbitrary File Creation Vulnerability
-SecRule REQUEST_URI "script/cat_for_gen\.php"
-
-# eGroupWare index.php cats_app Variable SQL Injection
-SecRule REQUEST_URI "/index\.php\?menuaction=preferences\.uicategories\.index\&cats_app=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-# eGroupWare tts/index.php filter Variable SQL Injection
-SecRule REQUEST_URI "/tts/index\.php\?filter=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-# eGroupWare sitemgr-site/index.php category_id Variable XSS
-SecRule REQUEST_URI "/sitemgr/sitemgr-site/\?category_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# eGroupWare wiki/index.php Multiple Variable XSS
-SecRule REQUEST_URI "/index\.php\?page=RecentChanges.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?action=history&page=.*&lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# eGroupWare index.php Multiple Variable XSS
-SecRule REQUEST_URI "/index\.php\?menuaction=addressbook\.uiaddressbook\.edit\&ab_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?menuaction=manual\.uimanual\.view\&page=ManualAddressbook.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?menuaction=forum\.uiforum\.post\&type=new.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/index\.php\?menuaction=wiki\.uiwiki\.edit\&page=setup.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#SQL Injections in MetaBid Auctions
-SecRule REQUEST_URI "/item\.asp\?intAuctionID=\'"
-
-#honeypot catch
-SecRule REQUEST_URI "tiki-print\.php\?page=(http|https|ftp)\:/"
-
-# phpBB Notes Mod SQL Injection Vulnerability
-SecRule REQUEST_URI "/posting_notes\.php\?mode=editpost\&*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#phpCOIN SQL injection attacks
-SecRule REQUEST_URI "/index\.php\?title=.*&search=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/login\.php\?w=.*&o=.*&phpcoinsessid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'"
-SecRule REQUEST_URI "/mod\.php\?mod=siteinfo&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'&phpcoinsessid="
-SecRule REQUEST_URI "/mod\.php\?mod=pages&mode=list&(dcat_id|topic_id)=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)*\'\&phpcoinsessid="
-
-#honeypot catch
-SecRule REQUEST_URI "/index\.php\?page=(http|https|ftp)\:/"
-
-#honeypot catch
-#ideabox code injection
-SecRule REQUEST_URI "/ideabox/include\.php" chain
-SecRule REQUEST_URI "(Dir=(http|https|ftp)\:/|\?\&(cmd|id|inc|name)=)"
-
-#12Planet Chat Server Path Disclosure
-# CVE: "CVE-MAP-NOMATCH"
-SecRule REQUEST_URI "/qwe/qwe/index\.html"
-
-#Agora CGI Cross Site Scripting
-# CVE: "CVE-2001-1199"
-SecRule REQUEST_URI "/store/agora\.cgi\?cart_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Apache Remote Command Execution via .bat files
-# CVE: "CVE-2002-0061"
-SecRule REQUEST_URI "/test-cgi\.bat\?\|"
-
-#cpanel remote command execution
-SecRule REQUEST_URI "/cgi-sys/guestbook\.cgi\?user=cpanel&template=\|"
-
-#Oracle 9iAS mod_plsql directory traversal
-# CVE: "CAN-2001-1217"
-SecRule REQUEST_URI "/pls/sample/admin_/help/\.\."
-
-#Zeus Admin Interface XSS
-SecRule REQUEST_URI "/apps/web/vs_diag\.cgi\?server=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Oracle 9iAS iSQLplus XSS
-SecRule REQUEST_URI|REQUEST_BODY "/isqlplus\?action=logon&username=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-# main.cgi directory traversal and file access
-SecRule REQUEST_URI "/main\.cgi\?next_file=*/"
-
-#TorrentTrader SQL Injection
-SecRule REQUEST_URI "/download\.php\?id=\'"
-
-#OpenCA HTML Injection
-# CVE: "CAN-2004-0787"
-SecRule REQUEST_URI "/cgi-bin/pub/pki\?cmd=serverInfo"
-
-#pdesk directory traversal and file theft
-SecRule REQUEST_URI "/cgi-bin/pdesk\.cgi\?lang=\.\./\.\./"
-
-#ShowCenter XSS
-SecRule REQUEST_URI "/ShowCenter/SettingsBase\.php\?Skin=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#honeypot XSS attack
-SecRule REQUEST_URI "/page\.php\?action=view&id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#i-mall remote command execution attack
-SecRule REQUEST_URI "/i-mall/i-mall\.cgi\?p=\|"
-
-#PArser XSS
-SecRule REQUEST_URI "/parser/parser\.php\?file=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#caught in honeypot
-SecRule REQUEST_URI "/check_user_id\.php\?user_id=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#formmail probe
-#SecRule REQUEST_URI|REQUEST_BODY "/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-SecRule REQUEST_URI|REQUEST_BODY "GET .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-SecRule REQUEST_URI|REQUEST_BODY "HEAD .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-SecRule REQUEST_URI|REQUEST_BODY "POST .*/formmail\.pl HTTP\/(0\.9|1\.0|1\.1)$"
-
-#JGS-Portal ID Variable SQL Injection Vulnerability
-SecRule REQUEST_URI "/jgs_portal\.php\?id=\'"
-
-#SitePanel 2 command exec, file access
-SecRule REQUEST_URI "/users/index\.php\?lang=en\.inc/\.\./\.\./"
-SecRule REQUEST_URI "/users/main.php?p=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/admin/5\.php\?do=rmattach&rm=yes&id=\.\./"
-
-#osTicket directory traversal
-SecRule REQUEST_URI "/attachments\.php\?file=\.\./\.\."
-
-#osticket remote file inclusion
-SecRule REQUEST_URI "/include/main\.php\?config.*=.*&include_dir=(http|https|ftp)\:/"
-
-#osticket SQL injection
-SecRule REQUEST_URI "/admin\.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]]+(from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/view\.php\?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#Woltlab Burning Board JGS-Portal "id" SQL Injection
-SecRule REQUEST_URI "/jgs_portal\.php" chain
-SecRule REQUEST_URI "id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#eSKUeL "ConfLangCookie" and "lang_config" Local File Inclusion
-SecRule REQUEST_URI "include/functions\.inc\.php" chain
-SecRule REQUEST_URI "(ConfLangCookie|lang_config)=*\.\./"
-
-#FishCart Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "display\.php" chain
-SecRule REQUEST_URI "nlst=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-SecRule REQUEST_URI "upstracking\.php" chain
-SecRule REQUEST_URI "(eqagree|m|trackingnum)=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-SecRule REQUEST_URI "display\.php" chain
-SecRule REQUEST_URI "psku=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-SecRule REQUEST_URI "upstnt\.php" chain
-SecRule REQUEST_URI "cartid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-# vBulletin calendar.php comma Parameter Arbitrary Command Execution
-SecRule REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-SecRule REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;"
-
-#FishCart SQL injection
-SecRule REQUEST_URI "/display\.php\?cartid=.*&zid=*&lid=*&nlst=*&olimit=*&cat=*&key*=&psku=\'"
-SecRule REQUEST_URI "/upstnt\.php\?zid=.*&lid=.*&cartid=\'"
-
-#PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion
-SecRule REQUEST_URI "/admin_styles\.php\?phpbb_root_path=(http|https|ftp)\:/"
-
-# Apache Jakarta-Tomcat? /admin Context Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/admin/\?op=\xc0"
-
-#generic Common HTTP vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/\?cwd=/"
-
-#XSS in phpBB
-SecRule REQUEST_URI|REQUEST_BODY "/(viewtopic|privmsg|bbcode)\.php\?" chain
-SecRule REQUEST_URI "\[url=(script|javascript|about|applet|activex|chrome)\:/"
-
-#phbb admin forums XSS
-SecRule REQUEST_URI "/admin_forums\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "\<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#HTMLJunction EZGuestbook Remote Database Disclosure Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/datastores/guestbook\.mdb"
-
-#phpbb XSS
-SecRule REQUEST_URI "/admin/admin_forums\.php\?sid=.*" chain
-SecRule REQUEST_URI|REQUEST_BODY "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#DirectTopics Topic.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/topic\.php\?topic=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#honeypot
-SecRule REQUEST_URI "tiki-index\.php\?page=(http|https|ftp)\:/"
-
-#Help Center Live Multiple Input Validation Vulnerabilities
-SecRule REQUEST_URI "/faq/index\.php\?x=.*&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/tt/view\.php\?tid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/tt/download\.php\?fid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/lh/icon\.php\?status=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/lh/chat_download\.php\?fid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities
-SecRule REQUEST_URI "/jgs_portal\.php\?anzahl_beitraege=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=mitglieder&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=themen&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_statistik\.php\?meinaction=beitrag&month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_beitraggraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_viewsgraf\.php\?jahr=.*&monat=.*&tag=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+(from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_themengraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_mitgraf\.php\?month=.*&year=.*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_sponsor\.php\?id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/jgs_portal_box\.php\?id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#NPDS "comments.php" and "pollcomments.php" Remote SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/npds/comments\.php\?thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/npds/pollcomments\.php\?thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/npds/pollcomments\.php\?op=results&pollID=2&mode=&order=&thold=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#Gurgens Guest Book Remote Database Disclosure Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/db/Genit\.dat"
-
-#PhotoPost Arbitrary Data vuln
-SecRule REQUEST_URI "/member\.php\?ppaction=.*&verifykey=.*&uid=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#OpenBB SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/read\.php" chain
-SecRule ARGS:TID "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#PostNuke "func" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php.*func=*(\.\./|(http|https|ftp)\:/)"
-
-#Bug Report Script Insertion Vulnerability
-SecRule SCRIPT_FILENAME "bug_report\.php" chain
-SecRule ARGS:name|ARGS:sujet|ARGS:commentaries|ARGS:os|ARGS:navig|ARGS:url "<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#NPDS SQL Injection and XSS Vulnerabilities
-SecRule REQUEST_URI "/(pollcomments|comments)\.php" chain
-SecRule ARGS:thold "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-SecRule REQUEST_URI "/faq\.php" chain
-SecRule ARGS:categories "<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#Post tiki Wiki install rules
-SecRule REQUEST_URI "/tiki-install\.php"
-SecRule REQUEST_URI "/tiki-edit_templates\.php"
-
-#phpATM Arbitrary Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php\?include_location=(http|https|ftp)\:/"
-
-#TOPo XSS vuln
-SecRule REQUEST_URI "/index\.php\?m=(top|members)*<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#honeypot
-SecRule REQUEST_URI "/news\.php\?tpath=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "tiki-(index|print)\.php\?page=.*\?include_location=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-.*\?include_location=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-editpage\.php\?page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-export_wiki_pages\.php\?page=(http|https|ftp)\:/"
-
-#sawmill remote file access
-SecRule REQUEST_URI|REQUEST_BODY "/cgi-bin/sawmill5\?.*\x22"
-
-#mailview CGI remote file access`
-SecRule REQUEST_URI "mailview\.cgi\?cmd=view&fldrname=.*&select=.*&html=\.\./\.\."
-
-#Javamail info disclosure
-SecRule REQUEST_URI "/Download\?/.*/web/WEB-INF/web\.xml"
-
-#javamail file access
-SecRule REQUEST_URI|REQUEST_BODY "/Download\?(\.\./|/\.\./|/etc/|/home/|/tmp/|/usr/|/backup/|/dev/|/proc/|/var/(cache|spool|mail|adm|log|tmp)/)"
-
-#Gforge "viewFile.php" Remote Arbitrary Command Execution Vulnerability
-SecRule REQUEST_URI "/viewFile\.php\?group_id=.*&file_name=\x0A"
-
-#WebAPP v0.9.9.2.1 Remote Command Execution vuln
-SecRule REQUEST_URI "/apage\.cgi?f=.*\|"
-
-#honeypot
-SecRule REQUEST_URI "/displayCategory\.php\?basepath=(http|https|ftp)\:/"
-
-#PHP Poll Creator Include File Error Lets Remote Users Execute Arbitrary Commands
-SecRule REQUEST_URI "/poll_vote\.php\?relativer_pfad=(http|https|ftp)\:/"
-
-#PostNuke version : x=> 0.750 SQL injection
-SecRule REQUEST_URI "/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#SQL Injection Vuln for myBloggie 2.1.1 - 2.1.2
-SecRule REQUEST_URI "index\.php\?month_no=.*&year=.*&mode=viewdate&date_no=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)"
-
-#powerdownload remote file include
-SecRule REQUEST_URI "/downloads\.php\?release_id=.*&incdir=(http|https|ftp)\:/"
-
-#X-Cart SQL inject vulns
-SecRule REQUEST_URI "/home\.php\?(cat|printable)=\'"
-SecRule REQUEST_URI "/product\.php\?(product|mode)=\'"
-SecRule REQUEST_URI "/error_message\.php\?access_denied&id=\'"
-SecRule REQUEST_URI "/help\.php\?section=\'"
-SecRule REQUEST_URI "/(orders|register|search)\.php\?mode=\'"
-SecRule REQUEST_URI "/giftcert\.php\?(gcid|gcindex)=\'"
-
-#Calendarix Advanced
-SecRule REQUEST_URI "/cal_week\.php\?op=week&catview=.*\'"
-SecRule REQUEST_URI "/cal_cat\.php\?op=cats&catview=.*\'"
-SecRule REQUEST_URI "/cal_day\.php\?op=.*&date=.*&catview=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/cal_pophols\.php\?id=.*\'"
-
-
-#MyBulletinBoard SQL injection
-SecRule REQUEST_URI "/online\.php\?pidsql=\)(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/memberlist\.php\?usersearch=\%\'"
-SecRule REQUEST_URI "/editpost\.php\?pid=\'"
-SecRule REQUEST_URI "/forumdisplay\.php\?fid=\'"
-SecRule REQUEST_URI "/newreply\.php\?tid=\'"
-SecRule REQUEST_URI "/search\.php\?action=.*&(sid|uid)=*\'"
-SecRule REQUEST_URI "/showthread\.php\?(tp)id=\'"
-SecRule REQUEST_URI "/usercp2\.php\?tid=\'"
-SecRule REQUEST_URI "/printthread\.php\?tid=\'"
-SecRule REQUEST_URI "/reputation\.php\?pid=\'"
-SecRule REQUEST_URI "/portal\.php\?action=do_login&username=\'"
-SecRule REQUEST_URI "/polls\.php\?action=newpoll&tid=\'"
-SecRule REQUEST_URI "/ratethread\.php\?tid=\'"
-
-#MyBulletinBoard XSS
-SecRule REQUEST_URI "/misc\.php\?action=syndication&forums.*=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/misc\.php\?action=syndication&forums.*=.*&version*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/misc\.php\?action=syndication&limit=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/forumdisplay\.php\?fid=.*&datecut=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/forumdisplay\.php\?fid=.*&page=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/member\.php\?agree=.*&username=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/member\.php\?agree=.*&(email|email2)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/memberlist\.php\?(page|usersearch)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/showthread\.php\?mode=linear&tid=.*&pid=*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/showthread\.php\?mode=linear&tid=.*\<[[:space:]]*(script|about|applet|activex|chrome)"
-SecRule REQUEST_URI "/printthread\.php?tid=.*\<[[:space:]]*(script|about|applet|activex|chrome)"
-
-#Wordpress SQL injection
-SecRule REQUEST_URI "/wp-trackback\.php\?tb_id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/wp-trackback\.php" chain
-SecRule ARGS:tb_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/index\.php\?cat=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#MWChat remote file inclusion vuln
-SecRule REQUEST_URI "/libs/start_lobby\.php\?CONFIG.*=(http|https|ftp)\:/"
-
-#phpCMS "class.layout_phpcms.php" Remote Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "/parser\.php\?&phpcmsaction=FILEMANAGER&language=.*(/\.\./|(http|https|ftp)\:/)"
-
-#Exhibit Engine Remote SQL Injection Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/search_row=ee_photo\.ee_photo_exif_iso.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/list\.php" chain
-SecRule ARGS:search_row|ARGS:sort_row|ARGS:order|ARGS:perpage "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#phpCMS "language" Local File Inclusion Vulnerability
-SecRule SCRIPT_FILENAME "/parser\.php" chain
-SecRule ARGS:laguage "/\.\./"
-
-#Popper "form" File Inclusion Vulnerability
-SecRule REQUEST_URI "/childwindow\.inc\.php" chain
-SecRule ARGS:form "(/\.\./|(http|https|ftp)\:/)"
-
-#phpThumb() "src" Exposure of Sensitive Information
-SecRule SCRIPT_FILENAME "/phpThumb\.php" chain
-SecRule ARGS:src "/\.\./"
-
-#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
-SecRule REQUEST_URI "\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
-
-#e107 eTrace Plugin Shell Command Injection Vulnerability
-SecRule SCRIPT_FILENAME "/dotrace\.php" chain
-SecRule ARGS:etrace_cmd|ARGS:etrace_host "(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-
-#WebHints Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/hints\.pl.*\|"
-
-#Invision Gallery SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#Ovidentia FX "babInstallPath" File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:babInstallPath "(/\.\./|(http|https|ftp)\:/)"
-
-#Siteframe "LOCAL_PATH" File Inclusion Vulnerability
-SecRule SCRIPT_FILENAME "/siteframe\.php" chain
-SecRule ARGS:LOCAL_PATH "(/\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/siteframe\.php\?LOCAL_PATH=(http|https|ftp)\:/"
-
-#e107 ePing Plugin Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/doping\.php" chain
-SecRule ARGS:eping_cmd|ARGS:eping_host|ARGS:eping_count "(cd|\;|(ba|tc|c|z)sh|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-
-#Invision Community Blog Module SQL injection
-SecRule REQUEST_URI "/index.php" chain
-SecRule ARGS:mid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
-
-#MWChat "CONFIG[MWCHAT_Libs]" File Inclusion Vulnerability
-SecRule REQUEST_URI "CONFIG\[MWCHAT_Libs\]" chain
-SecRule REQUEST_URI "(/\.\./|(http|https|ftp)\:/)"
-
-#YaPiG Multiple Vulnerabilities
-SecRule REQUEST_URI "last_gallery\.php" chain
-SecRule ARGS:YAPIG_PATH "(/\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "BASE_DIR.*(/\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/upload\.php" chain
-SecRule ARGS:dir "(/\.\./|.*\.\./)"
-
-#honeypot catch
-SecRule REQUEST_URI "/write\.php\?dir=(http|https|ftp)\:/"
-
-#socialMPN Remote SQL Injection and Path Disclosure Vulnerabilities
-SecRule REQUEST_URI "/article\.php\?sid=\x27"
-SecRule REQUEST_URI "/user\.php\?uname=\'"
-SecRule REQUEST_URI "/viewforum\.php\?forum=.*&siteid=\x2527"
-SecRule REQUEST_URI "/newtopic\.php\?username=\'&password="
-SecRule REQUEST_URI "/sections.php\?op=listarticles&secid=(\x27|\x2527)"
-SecRule REQUEST_URI "/index\.php\?siteid=\'&op=show&aftersid="
-SecRule REQUEST_URI "/friend\.php\?sid=\x2527&yname=.*&ymail=.*&fname=.*&fmail=.*&op=SendStory"
-
-#JBOSS Installation Path and Configuration File disclosure
-SecRule REQUEST_URI|REQUEST_BODY "^\%\."
-SecRule REQUEST_URI|REQUEST_BODY "^\%server\.policy"
-
-#Mambo 'com_contents' Input Validation Hole in 'user_rating' SQL Injection
-SecRule REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
-
-
-#Web Store remote command execution
-SecRule REQUEST_URI "web_store\.cgi\?page=.*\|"
-
-#Mambo "user_rating" SQL Injection Vulnerability
-SecRule REQUEST_URI "/content\.php" chain
-SecRule ARGS:user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Cacti remote file inclusion vuln
-SecRule REQUEST_URI "/(top_graph_header|config_settings)\.php\?.*=(http|https|ftp)\:/"
-
-#Claroline E-Learning SQL injection
-SecRule REQUEST_URI "/(userInfo|exercises_details)\.php\?(uInfo|exo_id)=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "\?uInfo=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
-
-#Forum Russian Board 4.2 Full command execution vuln
-SecRule REQUEST_URI|REQUEST_BODY "message=.*&form_h=.*&style_edit_ok=\xC8x\E7x\ECx\E5x\EDx\E8x\F2x\FC"
-
-#SMF Modify SQL Injection vuln
-SecRule REQUEST_URI "/index\.php\?action=(login|profile).*msg=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#cpanel XSS vuln
-SecRule REQUEST_URI|REQUEST_BODY "/login\?user=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Cacti command execution vuln
-SecRule REQUEST_URI "\.php\?rrdtool=*(cd |\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
-SecRule REQUEST_URI "/graph_image\.php\?local_graph_id=.*\x0a"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?pagina=(http|https|ftp)\:/"
-
-#PHPNuke spam hole
-SecRule REQUEST_URI "/modules\.php\?name=WebMail\&file=nlmail"
-
-#Community Link Pro "file" Shell Command Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/login\.cgi\?username=.*command=.*do=.*password=.*file=\|"
-
-#Pavsta Auto Site "sitepath" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "user_check\.php" chain
-SecRule ARGS:sitepath "((http|https|ftp)\:/|(/\.\./|.*\.\./))"
-
-#Comdevn eCommerce Form Handler Vulnerabilities
-SecRule REQUEST_URI "/index\.php\?homeinclude=catalog&category_id=&parent_id=.*" chain
-SecRule REQUEST_URI "<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>"
-
-#Plans "evt_id" SQL Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "plans\.cgi" chain
-SecRule ARGS:evt_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Sukru Alatas Guestbook Exposure of User Credentials
-SecRule REQUEST_URI|REQUEST_BODY "db/gbdb\.mdb"
-
-#CSV_DB / i_DB Arbitrary Command Execution Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "csv_db\.cgi" chain
-SecRule ARGS:file "\|"
-
-#PHP-Fusion database backup file retrieval vuln
-SecRule REQUEST_URI|REQUEST_BODY "/(fusion_admin|administration)/db_backups/"
-
-#PHP-Fusion XSS vuln
-SecRule REQUEST_URI|REQUEST_BODY "/submit\.php?.*(news_body|article_description|article_body).*<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>"
-
-#UBB.threads SQL Injection
-SecRule REQUEST_URI|REQUEST_BODY "/download\.php\?Number=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/calendar\.php\?Cat=.*&month=.*&year=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/calendar\.php\?Cat=&month=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*year=.*"
-SecRule REQUEST_URI|REQUEST_BODY "/modifypost\.phpCat=.*&Username=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*&Board=UBB8"
-SecRule REQUEST_URI|REQUEST_BODY "/mailthread\.php\?Cat=.*&Board=.*&Number=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/viewmessage\.php\?Cat=&message=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/(addfav\|notifymod|grabnext).php\?Cat=.*&Board=.*&main=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Xoops XML sql injection
-SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
-SecRule REQUEST_BODY "<methodName>blogger\.getUsersBlogs</methodName>" chain
-SecRule REQUEST_BODY ".*\' AND ascii\(substring\(pass"
-
-#Wordpress cat vuln
-SecRule REQUEST_URI "/wordpress/" chain
-SecRule ARGS:cat "!^[0-9]*$"
-
-#Atomicboard path recursion
-SecRule REQUEST_URI|REQUEST_BODY "/atomicboard/index\.php\?location=\.\./\."
-
-#basilix path recursion
-SecRule REQUEST_URI|REQUEST_BODY "/basilix\.php3\?request_id\[.*\]=\.\./\."
-
-#bigconf path recursion vuln
-SecRule REQUEST_URI|REQUEST_BODY "/bigconf\.cgi\?command=view_textfile&file=/"
-
-#a1disp3 path recursion vuln
-SecRule REQUEST_URI "/a1disp3\.cgi\?/\.\./"
-
-#contacts remote file inclusion
-SecRule REQUEST_URI "/contacts\.php\?cal_dir=(http|https|ftp)\:/"
-
-#CuteNews Search remote file inclusion
-SecRule REQUEST_URI "/cutenews/search\.php\?cutepath=(http|https|ftp)\:/"
-
-#Dynamic Pages config remote file inclusion
-SecRule REQUEST_URI "/config_page\.php\?do=.*&du=site&edp_relative_path=(http|https|ftp)\:/"
-
-#Edit_image file recursion vuln
-SecRule REQUEST_URI "/edit_image\.php\?dn=.*&userfile=/"
-
-#export.php directory recursion vuln
-SecRule REQUEST_URI "/export\.php\?\?what=\.\./\."
-
-#awol-condensed remote file inclusion
-SecRule REQUEST_URI "/awol-condensed\.inc\.php\?path=(http|https|ftp)\:/"
-
-#config.php remote file inclusion
-SecRule REQUEST_URI "/config\.php\?relative_script_path=(http|https|ftp)\:/"
-
-#hnmain remote file inclusion
-SecRule REQUEST_URI "/hnmain\.inc\.php3\?config\[incdir\]=(http|https|ftp)\:/"
-
-#template remote file inclusion
-SecRule REQUEST_URI "/index\.php\?board=.*;action=.*;ext=.*;template=(http|https|ftp)\:/"
-
-#generic remote file inclusion vulns
-SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
-SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
-
-#Cacti no_http_headers security vuln
-SecRule REQUEST_URI "/config\.php\?" chain
-SecRule ARGS:no_http_headers ".*"
-
-#Quick & Dirty PHPSource Printer Directory Traversal Vulnerability
-SecRule REQUEST_URI "/source\.php\?" chain
-SecRule ARGS:file "\.\."
-
-#nabopoll "path" File Inclusion Vulnerability
-SecRule REQUEST_URI "/survey\.inc\.php\?" chain
-SecRule ARGS:path "((\.\.|(http|https|ftp)\:/)|.*(\.\.|(http|https|ftp)\:/))"
-SecRule REQUEST_URI "/survey\.inc\.php\?path=(http|https|ftp)\:/"
-
-#DCP-Portal remote file include
-SecRule REQUEST_URI "/editor/editor\.php\?root=(http|https|ftp)\:/"
-
-#phpBB remote code execution vuln
-SecRule REQUEST_URI "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()"
-
-#Unknown Malware
-SecRule REQUEST_URI "/mcp/mcp\.cgi"
-
-# osTicket "t" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Mark Kronsbein MyGuestbook "lang" File Inclusion Vulnerability
-SecRule REQUEST_URI "/form\.inc\.php3" chain
-SecRule ARGS:lang "((\.\.|(http|https|ftp)\:/)|.*(\.\.|(http|https|ftp)\:/))"
-
-#phpPgAdmin "formLanguage" Local File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/index\.php" chain
-SecRule ARGS:formLanguage "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#PPA Include File Bug remote file inclusion
-SecRule REQUEST_URI|REQUEST_BODY "/functions\.inc\.php\?config\[ppa_root_path\]=(http|https|ftp)\:/"
-
-#SPiD Include File Bug remote file inclusion
-SecRule REQUEST_URI|REQUEST_BODY "/lang/lang\.php\?lang_path=(http|https|ftp)\:/"
-
-#Id Board 'tbl_suff' Input Validation Hole SQL injection
-SecRule REQUEST_URI|REQUEST_BODY "/index\.php\?site=.*&f=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#DownloadProtect "file" Disclosure of Sensitive Information
-SecRule REQUEST_URI|REQUEST_BODY "/download\.php\?" chain
-SecRule ARGS:file "\.\./"
-
-#phpSecurePages "cfgProgDir" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "phpSecurePages/secure\.php" chain
-SecRule ARGS:cfgProgDir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#PunBB SQL Injection and PHP Code Execution Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/profile\.php" chain
-SecRule ARGS:temp "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "redirect_url.*(http|https|ftp)\:/.*cmd="
-
-#pngcntrp "kaiseki.cgi" Shell Command Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "/kaiseki\.cgi.*\|"
-
-#phpWebSite SQL Injection and Disclosure of Sensitive Information
-SecRule REQUEST_URI|REQUEST_BODY "index\.php" chain
-SecRule ARGS:mod|ARGS:module "(\.\./|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view))"
-
-#Simple PHP Blog Exposure of User Credentials
-SecRule REQUEST_URI|REQUEST_BODY "config/password\.txt"
-
-#Squito Gallery "photoroot" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "photolist\.inc\.php" chain
-SecRule ARGS:photoroot "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#iPhotoAlbum File Inclusion Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/getpage\.php" chain
-SecRule ARGS:docpath|ARGS:path "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-SecRule REQUEST_URI|REQUEST_BODY "header\.php" chain
-SecRule ARGS:set_menu "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#Yawp "_Yawp[conf_path]" File Inclusion Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "_Yawp\[conf_path\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#Phpauction GPL Multiple Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:lan "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-SecRule REQUEST_URI "/adsearch\.php" chain
-SecRule ARGS:category "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#USANet Creations Products Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/dispallclosed\.pl.*\|"
-
-#Web-Portal-System 'wps_shop.cgi' Remote Command Execution
-SecRule REQUEST_URI "/wps_shop\.cgi" chain
-SecRule ARGS:art "(\[|\;|\<|\>|\*|\||\'|\&|\$|\!|\?|\#|\(|\)|\[|\]|\{|\}|\:|\'|\"|\])"
-SecRule REQUEST_URI "/wps_shop\.cgi" chain
-SecRule ARGS:cat "(\[|\;|\<|\>|\*|\||\'|\&|\$|\!|\?|\#|\(|\)|\[|\]|\{|\}|\:|\'|\"|\])"
-SecRule REQUEST_URI "/wps_shop\.cgi" chain
-SecRule ARGS:art "\|.+\|"
-
-#class-1 Forum Software SQL Injection
-SecRule REQUEST_URI "/viewattach\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/users\.php" chain
-SecRule ARGS:viewuser_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/viewforum\.php" chain
-SecRule ARGS:forum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#MooseGallery "type" File Inclusion Vulnerability
-SecRule REQUEST_URI "/display\.php" chain
-SecRule ARGS:type "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#honetpot catch
-SecRule REQUEST_URI "\x03\x03\x03\x03\x18\x18\x18\x18\x1a\x1c\x1a\x1c\x1c4r43tr"
-
-#CaLogic "CLPATH" Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "(clmcpreload|mcconfig)\.php" chain
-SecRule ARGS:CLPATH "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#OpenBB sql injection
-SecRule REQUEST_URI "/index\.php\?CID=.*\+union\+select\+.*\,.*\,password.*from\+profiles\+where"
-
-#ReviewPost PHP Pro "sort" SQL Injection Vulnerability
-SecRule REQUEST_URI "/showproduct\.php" chain
-SecRule ARGS:sort "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHPNews "user" and "password" SQL Injection Vulnerability
-SecRule REQUEST_URI "/auth\.php" chain
-SecRule ARGS:user|ARGS:password "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHP Surveyor Remote SQL Injection
-SecRule REQUEST_URI "/admin/" chain
-SecRule ARGS:sid|ARGS:start|ARGS:id|ARGS:lid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Invision PowerBoard 1.3.x - 2.0 SQL injection
-SecRule REQUEST_URI "/index\.php\?act=Login&CODE=autologin.*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)"
-
-#sendcard "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/sendcard\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Report from user
-SecRule REQUEST_URI "/functions_admin\.php\?phpbb_root_path=(http|https|ftp)\:/"
-
-#SQL injection vuln in Contrexx
-SecRule REQUEST_URI "/index\.php\?section=gallery&cmd=.*&cid*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHP FirstPost remote file include
-SecRule REQUEST_URI "/block\.php\?Include=(http|https|ftp)\:/"
-
-#DCForum remote file viewing
-SecRule REQUEST_URI "/dcforum\.cgi\?az=.*&forum=*\.\./\.\."
-
-#Atomic Photo Album "apa_module_basedir" File Inclusion
-SecRule REQUEST_URI "/apa_phpinclude\.inc\.php" chain
-SecRule ARGS:apa_module_basedir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#VBZooM "SubjectID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/show\.php" chain
-SecRule ARGS:SubjectID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Phorm remote file inclusion protections
-SecRule REQUEST_URI "/phorm\.php" chain
-SecRule ARGS:PHORM_* "(http|https|ftp)\:/"
-
-#Athena Web Registration Remote Command Execution Vuln
-SecRule REQUEST_URI "/athenareg\.php\?pass=\x20\;"
-
-#wowBB view_user.php SQL Injection
-SecRule REQUEST_URI "/wowbb/view_user\.php\?" chain
-SecRule REQUEST_URI|REQUEST_BODY "sort_by=\'" chain
-SecRule REQUEST_URI|REQUEST_BODY "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Simplicity oF Upload remote command exec and remote file inclusion
-SecRule REQUEST_URI "/download\.php\?language=(upload\.php|(http|https|ftp)\:/)"
-
-#uguestbook exploit
-SecRule REQUEST_URI "/mdb-database/guestbook\.mdb"
-
-#FtpLocate remote command execution
-SecRule REQUEST_URI "/flsearch\.pl" chain
-SecRule ARGs:query "\|"
-
-#PHPmyGallery "confdir" File Inclusion Vulnerability
-SecRule REQUEST_URI "/common-tpl-vars\.php" chain
-SecRule ARGS:confdir "((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#Netquery 3.1 Remote Command Execution vuln
-SecRule REQUEST_BODY "op=modload*&name=Net.*&file=*&query=ping&host=*\|"
-
-#MySQL Eventum SQL Injection Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "/includes/class\.auth\.php" chain
-SecRule ARGS:email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Kayako LiveResponse SQL injection
-SecRule REQUEST_URI|REQUEST_BODY "/index\.php\?date=.*\x20.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHPlist SQL injection
-SecRule REQUEST_URI|REQUEST_BODY "lists/admin/\?page=admin&id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#ChurchInfo SQL injection vulns
-SecRule REQUEST_URI|REQUEST_BODY "/(PersonView|MemberRoleChange|PropertyAssign|WhyCameEditor|GroupPropsEditor|Reports/PDFLabel|UserDelete)\.php" chain
-SecRule ARGS:PersonID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/DepositSlipEditor\.php" chain
-SecRule ARGS:DepositSlipID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/QueryView\.php" chain
-SecRule ARGS:QueryID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/(GroupView|GroupMemberList|MemberRoleChange|GroupDelete|/Reports/ClassAttendance|/Reports/GroupReport)\.php" chain
-SecRule ARGS:GroupID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/PropertyEditor\.php" chain
-SecRule ARGS:PropertyID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/PledgeDetails\.php" chain
-SecRule ARGS:PledgeID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI|REQUEST_BODY "/(AutoPaymentEditor|Canvas05Editor|CanvassEditor)\.php" chain
-SecRule ARGS:FamilyID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#denial of service attack on Flex PHPNews 0.0.4
-SecRule REQUEST_URI "/news\.php?(prenumber|nextnumber)=[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+"
-
-#SQL admin bypass for Flex PHPNews 0.0.4
-SecRule REQUEST_URI "/admin/" chain
-SecRule REQUEST_URI "\' OR \'a\'='a*\' OR \'a\'=\'a"
-
-#Naxtor Shopping Cart SQL Injection
-SecRule REQUEST_URI "/(lost_passowrd|lost_password)\.php" chain
-SecRule ARGS:email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/shop_display_products\.php\?cat_id=\'"
-
-#OpenBook "admin.php" Remote SQL Injection Vulnerability
-SecRule REQUEST_URI "/admin\.php" chain
-SecRule ARGS:userid "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|no\'\) or [0-9]/\*)"
-SecRule REQUEST_URI "/admin\.php" chain
-SecRule ARGS:password "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|no\'\) or [0-9]/\*)"
-
-#'web content management'Add admin user bypass vuln
-SecRule REQUEST_URI "/Admin/Users/AddModifyInput\.php"
-
-#Silvernews 2.0.3 command injection backdoor
-SecRule REQUEST_URI "/templates/tpl_global\.php\?command="
-SecRule REQUEST_URI "/templates/tpl_global\.php\?"
-
-#PortailPHP Index.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php\?affiche=Forum-read_mess&id=\'"
-
-#python namespace exposure with karrigell services
-SecRule REQUEST_URI|REQUEST_BODY ".*\.ks/.*\?\x22"
-SecRule REQUEST_URI|REQUEST_BODY ".*\.ks/(file|input|open|raw_input|reload|((s|g)et|del|has)attr|import|callable|compile|execfile|exec|globals)"
-
-#Flatnuke remote command vuln
-SecRule REQUEST_URI "/forum/users/.*\.php\?command="
-
-#Forum Russian Board (FRB) SQL injection vulns
-SecRule REQUEST_URI "/reply_in.php?subject_reply=.*&name_reply=.*\'"
-SecRule REQUEST_URI "(search_msg_us|view_profile.php)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/send_mail_user\.php" chain
-SecRule ARGS:id_mail "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/(set|new|reply)\.php" chain
-SecRule ARGS:name_ig_array "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/menu_header\.php" chain
-SecRule ARGS:table_sql "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-SecRule REQUEST_URI "/registr_1\.php" chain
-SecRule ARGS:telephone "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|\')"
-
-#Owl Intranet Engine SQL injection
-SecRule REQUEST_URI "/browse\.php\?sess=.*parent=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#PHP-Fusion Messages.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/messages\.php\?msg_view=\'"
-
-#MySQL Eventum SQL injection
-SecRule REQUEST_URI "/login\.php" chain
-SecRule REQUEST_URI "cat=login&url=&email=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#phpIncludes News System SQL Injection Vulnerability
-SecRule REQUEST_URI "/news_change_category\.php" chain
-SecRule ARGS:category "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Comdev eCommerce File Inclusion Vulnerability
-SecRule REQUEST_URI "/config\.php\?path\[docroot\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))"
-
-#honeypot
-SecRule REQUEST_URI "/write.php" chain
-SecRule ARGS:dir "(http|https|ftp)\:/"
-
-#Gravity Board X SQL injection vuln
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-#Gravity Board X command injection vulnerability
-SecRule REQUEST_URI "/editcss\.php\?" chain
-SecRule ARGS:csscontent "\</style\>\<\?php"
-
-#Open Bulletin Board SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(board|read|member)\.php" chain
-SecRule ARGS:FID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/(board|read|member)\.php" chain
-SecRule ARGS:TID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "/(board|read|member)\.php" chain
-SecRule ARGS:UID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#XMB Forum 1.9.1 sql injection
-SecRule REQUEST_URI "/xmb\.php" chain
-SecRule ARGS:in "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Funkboard command injection vuln
-SecRule REQUEST_URI "/info\.php\?command="
-
-#honeypot catch
-SecRule REQUEST_URI "/forum/users/jimyhendrix\.php\?command="
-
-#XMB Forum sql injection
-SecRule REQUEST_URI "include/u2u\.inc\.php" chain
-SecRule ARGS:u2u_select "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#WordPress "cache_lastpostdate" PHP Code Insertion
-SecRule ARGS:cache_lastpostdate "<\?php"
-
-#honeypot
-SecRule REQUEST_URI "/lib\.php\?root=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?(content|menu)=(http|https|ftp)\:/"
-
-#PHPTB Topic Boards 2.0 sql injection vulnerability
-SecRule REQUEST_URI "/index\.php\?act=emailvalidate&mid=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#FreznoShop product_details.php id Variable SQL Injection
-SecRule REQUEST_URI "/product_details\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#ECW Shop SQL injection
-SecRule REQUEST_URI "/index\.php\?c=.*&ctg=.*&id=.*&key=.*&comp=.*&min.*\'"
-
-#Mig Remote Cross-Site Scripting vuln
-SecRule REQUEST_URI "/index\.php\?currDir=.*[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#ezupload remote file inclusion vuln
-SecRule REQUEST_URI "(customize|initialize|form|index)\.php\?path=(http|https|ftp)\:/"
-
-#Dokeos Multiple Directory Traversal Vulnerabilities
-SecRule REQUEST_URI "/scorm/scormdocument\.php" chain
-SecRule REQUEST_URI "\.\."
-SecRule REQUEST_URI "/claroline/document/document\.php" chain
-SecRule ARGS:move_file "\.\."
-SecRule REQUEST_URI "/claroline/document/document\.php" chain
-SecRule ARGS:move_to "\.\."
-
-#PHPOpenChat Script Insertion Vulnerabilities
-SecRule REQUEST_URI "/(profile|profile_misc|mail)\.php" chain
-SecRule ARGS:title|ARGS:content|ARGS:motto|ARGS:subject "[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-# FunkBoard mysql_install.php Email Field Arbitrary PHP Code Injection
-SecRule REQUEST_URI "/mysql_install\.php" chain
-SecRule ARGS:Email "\<.*php"
-
-#phpPgAds SQL injection
-SecRule REQUEST_URI "/lib-view-direct\.inc\.php" chain
-SecRule ARGS:clientid "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Honeypot catch
-SecRule REQUEST_URI "/guest\.php\?page=(http|https|ftp)\:/"
-
-#PHPTB "absolutepath" Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI ".*\.php\?absolutepath=(http|https|ftp)\:/"
-
-#PHPFreeNews SQL Injection and Cross-Site Scripting
-SecRule REQUEST_URI "/SearchResults\.php" chain
-SecRule ARGS:Match|ARGS:CatID "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#w-Agora "site" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php\?site=.*\x00"
-
-#Zorum prod.php Arbitrary Command Execution Vulnerability
-SecRule REQUEST_URI "/prod\.php\?argv\[.*\]=\|"
-
-#Zorum path disclosure
-SecRule REQUEST_URI "/gorum/(notification|trace|badwords|flood)\.php"
-SecRule REQUEST_URI "/zorum/(user|attach|blacklist|forum|globalstat)\.php"
-
-#Land Down Under SQL injection vulns
-SecRule REQUEST_URI "/forums\.php\?m=topics&s=\'"
-SecRule REQUEST_URI "/list\.php\?c=.*&s=.*&.*\'"
-SecRule REQUEST_URI "/list\.php\?c=.*&s=\'"
-SecRule REQUEST_URI "/links\.php\?c=.*&s=.*&w=\'"
-SecRule REQUEST_URI "/journal\.php?m=.*\'"
-SecRule REQUEST_URI "/forums\.php?filter=forums.*x='"
-SecRule REQUEST_URI "/forums\.php?m=.*\'"
-SecRule REQUEST_URI "/forums\.php?m=\'"
-
-#Woltlab Burning Board ModCP.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/modcp\.php\?action=post_del&x=\'"
-SecRule REQUEST_URI "/modcp\.php\?action=post_del&x.*\'"
-
-#Cacti graph_image.php Remote Command Execution
-SecRule REQUEST_URI "/graph_image\.php" chain
-SecRule ARGS:graph_start "x0a.+x0a"
-
-#AreaEdit SpellChecker Plugin Code Execution Vulnerability
-SecRule REQUEST_URI "/aspell_setup\.php" chain
-SecRule ARGS:dictionary "(\;|\|)"
-
-#WebCalendar "includedir" Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "/send_reminders\.php" chain
-SecRule ARGS:includedir "(\.\./|(http|https|ftp)\:/)"
-
-#PHPKit SQL Injection Vulnerabilities
-SecRule REQUEST_URI "login/imcenter\.php" chain
-SecRule ARGS:im_receiver "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "login/member\.php" chain
-SecRule ARGS:letter "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-#Netquery "host" Parameter Arbitrary Command Execution
-SecRule REQUEST_URI "/nquser\.php" chain
-SecRule ARGS:host "\|"
-
-#SaveWebPortal include PHP scripts vuln
-SecRule REQUEST_URI "admin/PhpMyExplorer/editerfichier\.php\?chemin=\.&fichier=header\.php&type=Source"
-
-#SaveWebPortal remote/local file inclusion vuln
-SecRule REQUEST_URI "menu_dx\.php" chain
-SecRule ARGS:SITE_Path "(\.\./|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "menu_sx\.php" chain
-SecRule ARGS:CONTENTS_Dir "(\.\./|(http|https|ftp)\:/)"
-
-#RunCMS SQL Injection Vulnerabilities
-SecRule REQUEST_URI "newbb_plus/newtopic\.php\?forum=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-SecRule REQUEST_URI "newbb_plus/print\.php\?msgid=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*&op="
-SecRule REQUEST_URI "newbb_plus/(edit|reply)\.php\?forum=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*post_id=.*&topic_id=.*&viewmode=.*&order=.*"
-
-#honeypot catch
-SecRule REQUEST_URI "/index\.php\?page=(http|https|ftp)\:/"
-
-#PostNuke "show" Parameter SQL Injection Vulnerability
-SecRule REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain
-SecRule ARGS:show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
-
-# PaFileDB cookie SQL injection
-SecRule REQUEST_URI "/pafiledb\.php\?action=admin" chain
-SecRule REQUEST_COOKIES:pafiledbcookie ".*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)|union.*select.*[0-9]+\,[0-9]+\,\'.*pass)"
-
-#Looking Glass v20040427 arbitrary commands execution
-SecRule REQUEST_URI "/lg\.php" chain
-SecRule REQUEST_URI "func=.*&ipv=.*&target.*\|"
-SecRule REQUEST_URI "/lg\.php" chain
-SecRule ARGS:target "\|"
-
-#probe.cgi remote file inclusion and command execution
-SecRule REQUEST_URI "/probe\.cgi\?olddat=(\||(http|https|ftp)\:/)"
-
-# phpMyAdmin XSS vulns
-SecRule REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
-SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/error\.php" chain
-SecRule ARGS:error "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Looking Glass v20040427 XSS vulns
-SecRule REQUEST_URI "/(footer|header)\.php\?version\[.*\]=" chain
-SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpLDAPadmin welcome.php Arbitrary File Inclusion
-SecRule REQUEST_URI "/welcome\.php\?custom_welcome_page=(http|https|ftp)\:/"
-
-#Simple PHP Blog comment_delete_cgi.php Arbitrary File Deletion
-SecRule REQUEST_URI "/comment_delete_cgi\.php" chain
-SecRule ARGS:comment "(/|\.\.|config/password\.txt)"
-
-#nested URL tags exploit for some BBcode implementations
-SecRule REQUEST_URI ".*\.php" chain
-SecRule REQUEST_BODY|ARGS "\[url=\[url="
-
-#AutoLinks Pro "alpath" File Inclusion Vulnerability
-SecRule REQUEST_URI "/al_initialize\.php" chain
-SecRule ARGS:alpath "(ftp|http|https)\:/"
-
-#Simple PHP Blog Image File Upload Vulnerability
-SecRule REQUEST_URI "/upload_img_cgi\.php" chain
-SecRule REQUEST_BODY|ARGS "\.php"
-
-#phpWebNotes Include File Error in 'php_api.php'
-SecRule REQUEST_URI "/api\.php\?t_path_core=(http|https|ftp)\:/"
-
-#FlatNuke "id" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "(http|https|.ftp)\:/"
-
-#CMS Made Simple File Inclusion
-SecRule REQUEST_URI "admin/lang\.php.*nls\[file\]\[vx\]\[vxsfx\].*(http|https|.ftp)\:/"
-
-#Phorum "Username" Script Insertion Vulnerability
-SecRule REQUEST_URI "register\.php" chain
-SecRule ARGS:Username "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Test CGI probe
-SecRule REQUEST_URI|REQUEST_BODY "/test-cgi HTTP\/(0\.9|1\.0|1\.1)$"
-
-#Annoying Cisco IOS HTTP configuration probe attempts
-SecRule REQUEST_URI "/level/[0-9]+/exec/-/+pwd"
-
-#myBloggie "username" SQL Injection Vulnerability
-SecRule REQUEST_URI "/login\.php" chain
-SecRule ARGS:username "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PBLang <= 4.65 remote commands exec exploit sig
-SecRule REQUEST_URI|REQUEST_BODY "Content-Length:.*user=.*pass=.*pass2=.*oldpass=.*loc.*(\x22|system)"
-
-#man2web cgi-scripts remote command spawn
-SecRule REQUEST_URI "/(man-cgi|man2web|man2html)" chain
-SecRule REQUEST_URI "\x20"
-SecRule REQUEST_URI "/(man-cgi|man2web|man2html)" chain
-SecRule REQUEST_URI "\|"
-
-#SimplePHPBplog vulns
-SecRule REQUEST_URI "/comment_delete_cgi\.php\?y=.*&m=.*&comment.*(/|\.\.)"
-SecRule REQUEST_URI "/comment_delete_cgi\.php\?.*/config/password\.txt"
-SecRule REQUEST_URI "/images/reset\.php"
-SecRule REQUEST_URI "/images/cmd\.php\?cmd="
-SecRule REQUEST_URI "/upload_img_cgi.php" chain
-SecRule REQUEST_BODY "(Content.*\.php|cmd\.php|reset\.php)"
-SecRule REQUEST_URI "/install03_cgi\.php\?blog_language=english.*[A-Z|a-z|0-9]"
-SecRule REQUEST_URI|REQUEST_BODY "<hr+><pre>.*Command\: [A-Z|a-z|0-9|\w].*pre><hr"
-
-#aMember Pro "config['root_dir']" Remote File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(/db/mysql/mysql|payment|/efsnet/efsnet|theinternetcommerce/theinternetcommerce|/cdg/cdg|compuworld/compuworld|directone/directone|authorize_aim/authorize_aim|beanstream/beanstream|echo/config|/eprocessingnetwork/eprocessingnetwork|eway/eway|linkpoint/linkpoint|logiccommerce/logiccommerce|netbilling/netbilling|payflow_pro/payflow_pro|paymentsgateway/paymentsgateway|payos/payos|payready/payready|plugnplay/plugnplay)\.inc\.php\?config\[root_dir\]=(http|https|ftp):/"
-SecRule REQUEST_URI "(/db/mysql/mysql|payment|/efsnet/efsnet|theinternetcommerce/theinternetcommerce|/cdg/cdg|compuworld/compuworld|directone/directone|authorize_aim/authorize_aim|beanstream/beanstream|echo/config|/eprocessingnetwork/eprocessingnetwork|eway/eway|linkpoint/linkpoint|logiccommerce/logiccommerce|netbilling/netbilling|payflow_pro/payflow_pro|paymentsgateway/paymentsgateway|payos/payos|payready/payready|plugnplay/plugnplay)\.inc\.php" chain
-SecRule REQUEST_URI "(http|https|ftp):/"
-SecRule REQUEST_URI "\.inc\.php\?config\[root_dir\]=(http|https|ftp):/"
-
-#CuteNews Input Validation Hole
-SecRule REQUEST_URI "/cute/data/flood\.db\.php"
-
-#DeluxeBB SQL injection
-SecRule REQUEST_URI "community/index\.php\?limit=\'"
-
-
-#honeypoit
-SecRule REQUEST_URI "/admin_module_deldir\.php\?config\[.*\]=(http|https|ftp)\:/"
-
-#honeypot catch
-SecRule REQUEST_URI "/view\.php\?inc=(http|https|ftp)\:/"
-
-#Alkalay contribute "template" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/contribute\.pl" chain
-SecRule ARGS:template "\|"
-SecRule REQUEST_URI "/contribute\.pl.*\|"
-
-#Alkalay man-cgi "topic" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/man-cgi\.cgi"
-SecRule ARGS:topic "\|"
-SecRule REQUEST_URI "/man-cgi\.cgi.*\|"
-
-#Alkalay notify "from" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/notify\.cgi" chain
-SecRule ARGS:from "\|"
-SecRule REQUEST_URI "/notify\.cgi.*\|"
-
-#Alkalay nslookup Shell Command Injection Vulnerabilities
-SecRule REQUEST_URI "/nslookup\.cgi" chain
-SecRule ARGS:type|ARGS:queryARGS:ns "\|"
-SecRule REQUEST_URI "/nslookup\.cgi.*\|"
-
-#Simplog SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/archive\.php" chain
-SecRule ARGS:pid|ARGS:blogid|ARGS:cid|ARGS:m "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/blogadmin\.php" chain
-SecRule ARGS:blogid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#vbulletin vulnerabilities, SQL injection
-SecRule REQUEST_URI "/joinrequests\.php" chain
-SecRule REQUEST_URI "do=processjoinrequests&usergroupid=.*&request.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/user\.php" chain
-SecRule REQUEST_URI "do=find&orderby=username&limit.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/(usertitle|usertools)\.php" chain
-SecRule REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/modcp/announcement\.php" chain
-SecRule REQUEST_URI "do=update&announcementid=.*&start=.*&end=.*&announcement.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/admincalendar\.php" chain
-SecRule REQUEST_URI "do=update&calendarid=.*&calendar\[.*\]=.*&calendar.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/email\.php" chain
-SecRule REQUEST_URI "do=makelist&user\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/help\.php" chain
-SecRule REQUEST_URI "do=doedit&help\[.*\]=.*&help\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "admincp/language\.php" chain
-SecRule REQUEST_URI "do=update&rvt\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/admincp/phrase\.php" chain
-SecRule REQUEST_URI "do=completeorphans&keep\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PHP Advanced Transfer Manager Multiple Vulnerabilities
-SecRule REQUEST_URI "/(txt|htm|html|zip)\.php" chain
-SecRule ARGS:current_dir|ARGS:filename "\.\."
-SecRule REQUEST_URI "/txt\.php" chain
-SecRule ARGS:font|ARGS:normalfontcolor|ARGS:mess\[31\] "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpCommunityCalendar SQJ injection Vulnerabilities
-SecRule REQUEST_URI "/webadmin/login\.php" chain
-SecRule ARGS:Username "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/week\.php" chain
-SecRule ARGS:LocationID "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#MyBulletinBoard SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/misc\.php" chain
-SecRule ARGS:fid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/newreply\.php" chain
-SecRule ARGS:icon "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#WEB//NEWS SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/modules/startup\.php" chain
-SecRule ARGS:wn_userpw "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "include_this/news\.php" chain
-SecRule ARGS:cat|ARGS:id|ARGS:stof "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/print\.php" chain
-SecRule ARGS:id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PBLang Local File Inclusion and PHP Code Injection
-SecRule REQUEST_URI "/setcookie.php" chain
-SecRule ARGS:u "\.\."
-SecRule REQUEST_URI "/ucp\.php" chain
-SecRule REQUEST_URI "\""
-
-#mimicboard2 Exposure of User Credentials
-SecRule REQUEST_URI "/mimic2\.dat"
-
-#Mall23 eCommerce "idPage" SQL Injection Vulnerability
-SecRule ARGS:idPage "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PHP-Nuke SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/modules\.php" chain
-SecRule ARGS:name|ARGS:sid|ARGS:pid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#Subscribe Me Pro "l" Parameter Directory Traversal Vulnerability
-SecRule REQUEST_URI "/s\.pl" chain
-SecRule ARGS:l "\.\."
-
-#TWiki "rev" Shell Command Injection Vulnerability
-SecRule REQUEST_URI "/TWikiUsers" chain
-SecRule ARGS:rev "![0-9]+"
-SecRule REQUEST_URI "/TWikiUsers\?rev=.*(\'|\|)"
-
-#DeluxeBB SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/topic\.php\?tid.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/misc\.php\?sub=profile&uid.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/forums\.php\?fid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/pm\.php\?sub=newpm&uid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/newpost\.php\]?sub=newthread&fid=.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#Noah's Classified SQL Injection and Cross-Site Scripting
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:rollid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-
-#AzDGDatingLite "l" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/include/security\.inc\.php" chain
-SecRule ARGS:l "(\.\.|/)"
-
-#ATutor Password Reminder SQL Injection Vulnerability
-SecRule REQUEST_URI "/password_reminder\.php" chain
-SecRule REQUEST_URI "email.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/password_reminder\.php.*form_email=.+UNION\s+SELECT"
-
-#Digital Scribe "username" SQL Injection
-SecRule REQUEST_URI "/login\.php" chain
-SecRule ARGS:username "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#aeDating "Country[]" SQL Injection Vulnerability
-SecRule REQUEST_URI "/search_result.php" chain
-SecRule ARGS:Country\[\] "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#NooToplist "o" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:o "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#HTTP header PHP code injection attacks
-SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
-
-#phpWebSite SQL-injection
-SecRule REQUEST_URI "/index\.php\?module=\x27\+union\+select\+username\,password\+from\+mod_users\+where\+username="
-
-#HP-Nuke <=7.8 SQL injection exploit
-SecRule REQUEST_URI "/modules\.php" chain
-SecRule ARGS:name= "\'.*UNION.*SELECT.*FROM.*users.*WHERE.*user_id=.*AND"
-
-#My Little Forum 1. SQL injection
-SecRule REQUEST_URI "/search\.php\?search.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw).*&ao=phrase"
-
-#Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities
-SecRule REQUEST_URI "pages/forum/submit.html" chain
-SecRule REQUEST_URI "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\[include\])"
-
-#Ikonboard "st" and "keywords" SQL Injection Vulnerability
-SecRule REQUEST_URI "/ikonboard\.cgi" chain
-SecRule ARGS:st|ARGS:keywords "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#ikonboard arbitary file access
-SecRule REQUEST_URI "/help\.cgi\?helpon=\.\./"
-
-#Ikonboard remote file includion
-SecRule REQUEST_URI "/register\.cgi" chain
-SecRule REQUEST_URI|ARGS "(http|https|ftp)\:/"
-
-#IkonBoard 3.1.1/3.1.2a arbitrary command execution
-SecRule REQUEST_URI "/ikonboard\.cgi" chain
-SecRule REQUEST_COOKIES:lang "\|"
-
-#phpMyFAQ vulns
-SecRule REQUEST_URI "/index\.php\?LANGCODE=/\.\."
-SecRule REQUEST_URI "/admin/password\.php" chain
-SecRule REQUEST_URI|ARGS "(user\: \' or isnull\(1/0\)|mail\:)"
-SecRule REQUEST_URI "/footer\.php\?PMF_CONF\[version\].*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/admin/header\.php\?PMF_LANG\[metaLanguage\].*(\"|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-
-#Riverdark RSS Syndicator XSS attack
-SecRule REQUEST_URI "/rss\.php\?(forum|topic).*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#ContentServ "ctsWebsite" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/admin/about\.php" chain
-SecRule ARGS:ctsWebsite "\.\."
-
-#AlstraSoft E-Friends "mode" File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:mode "(\.\.|/|(http|https|ftp)\:/)"
-
-#SEO-Board SQL Injection Vulnerability
-SecRule REQUEST_URI "/(admin|index)\.php" chain
-SecRule ARGS:user_pass_sha1 "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#CJ LinkOut "123" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/top\.php" chain
-SecRule ARGS:123 "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#jPortal Download Search SQL Injection Vulnerability
-SecRule REQUEST_URI "/download\.php" chain
-SecRule ARGS:word "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#CJ Tag Board Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/details\.php" chain
-SecRule ARGS:date|ARGS:time|ARGS:name|ARGS:ip|ARGS:agent "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/display\.php" chain
-SecRule ARGS:msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#CJ Web2Mail Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/thankyou\.php" chain
-SecRule ARGS:message|ARGS:ip|ARGS:name "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/web2mail\.php" chain
-SecRule ARGS:emsg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#postnuke Local file inclusion via GeSHi library
-SecRule REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php"
-
-#TWiki "%INCLUDE" Shell Command Injection Vulnerability
-SecRule REQUEST_URI|REQUEST_BODY "INCLUDE.*rev=.*\|.*\}"
-
-#Barracuda Anti-spam firewall IMG.PL Remote Command Execution
-SecRule REQUEST_URI "/img\.pl\?f=(\x2e\x2e|\;|\.\.|qq\#|\|)"
-
-#PHP-Fusion "msg_send" SQL Injection Vulnerability
-SecRule REQUEST_URI "/messages\.php" chain
-SecRule ARGS:msg_send "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT user_password FROM fusion_users WHERE user_name|\')"
-
-#SquirrelMail Address Add Plugin "first" Cross-Site Scripting
-SecRule REQUEST_URI "/add\.php" chain
-SecRule ARGS:first "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php\?forumid.*=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/upgrade_album\.php\?GALLERY_BASEDIR=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?page=\|"
-
-#MediaWiki Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI|REQUEST_BODY "\<(math|nowiki)\.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "/modules\.php\?op=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/modules\.php\?op=.*&name=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/modules\.php\?op=.*&name=.*file=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/modules\.php\?op=.*&name=.*file=.*sid=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/view\.php\?cat=.*(http|https|ftp)\:/"
-
-#PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/photogallery\.php" chain
-SecRule ARGS:album|ARGS:photo "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#honeypot
-SecRule REQUEST_URI "/forumpollrenderer\.php\?bbPath\[.*\]=(http|https|ftp)\:/"
-
-#phorum spam rules
-SecRule ARGS:PHORUM_CONFIG "(@|(http|https|ftp)\:/)"
-
-#osCommerce "products_id" Additional Images Module SQL Injection
-SecRule REQUEST_URI "/product_info\.php" chain
-SecRule ARGS:products_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#PHP-Fusion SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/register\.php" chain
-SecRule ARGS:activate "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/faq\.php" chain
-SecRule ARGS:cat_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#Utopia News Pro 1.1.3 SQL injection
-SecRule REQUEST_URI "/news\.php\?action=.*&newsid=" chain
-SecRule REQUEST_URI|ARGS "(UNION.*SELECT.*username,password,null,email,null|(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,])"
-SecRule REQUEST_URI "/news\.php" chain
-SecRule ARGS:newsid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION.*SELECT.*username,password,null,email,null)"
-
-#wormsign
-SecRule REQUEST_URI|REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
-
-#Utopia News Pro Cross-Site Scripting
-SecRule REQUEST_URI "/header\.php" chain
-SecRule ARGS:sitetitle "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/footer\.php" chain
-SecRule ARGS:query_count|ARGS:version "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpMyAdmin "subform" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
-SecRule ARGS:subform "(/|\.\.|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
-SecRule ARGS "(?:/|\.\.|(http|https|ftp)\:/)"
-
-
-#Cyphor Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/newmsg\.php" chain
-SecRule ARGS:fid "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/lostpwd\.php" chain
-SecRule ARGS:email|ARGS:nick "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-SecRule REQUEST_URI "/include/footer\.php" chain
-SecRule ARGS:t_login "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpbb wormsign
-SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"
-
-#versatileBulletinBoard 1.00 RC2 sql injection
-SecRule REQUEST_URI "/userlistpre\.php\?list=\'"
-
-#honeypot
-SecRule REQUEST_URI "/BlogModel\.php\?path=(http|https|ftp)\:/"
-
-#YaPiG Multiple Vulnerabilities
-SecRule ARGS:Website "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:img_size "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule ARGS:title "<.*php .*php*\>"
-
-#honeypot
-SecRule REQUEST_URI "/guest\.php\?name=.*web=.*homepage=.*home=&phone="
-
-#W-Agora Remote commands execution
-SecRule REQUEST_URI "extras/quicklist\.php\?fake.*(<\?|\;system)"
-SecRule REQUEST_URI "avatars/suntzu\.php\?suntzu="
-SecRule REQUEST_URI "extras/quicklist\.php\?suntzu="
-SecRule REQUEST_URI "/browse_avatar\.php" chain
-SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
-SecRule REQUEST_BODY "\<\?php" chain
-SecRule REQUEST_BODY "\?>"
-
-#PHPBB remote command execution SQL injection step
-SecRule REQUEST_URI "/admin_db_utilities\.php\?sid=.*(ALTER TABLE.*VARCHAR.*NOT NULL|DELETE FROM.*WHERE style_name=|SELECT .*passthru.*FROM.*users LIMIT 1 INTO OUTFILE)"
-SecRule REQUEST_URI "/theme_info\.cfg"
-
-#honeypot
-SecRule REQUEST_URI "/item\.php\?pathtoroot=(http|https|ftp)\:/"
-
-#PunBB "old_searches" SQL Injection Vulnerability
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:old_searches "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
-
-#W-Agora Local File Inclusion
-SecRule REQUEST_URI "/extras/quicklist\.php" chain
-SecRule ARGS:site "(/|\.\./\.\.)"
-
-#Gallery "g2_itemId" Disclosure of Sensitive Information
-SecRule REQUEST_URI "/main\.php" chain
-SecRule ARGS:g2_itemId "(/|\.\./\.\.)"
-
-#e107 0.617 resetcore.php SQL Injection
-SecRule REQUEST_URI "/resetcore\.php" chain
-SecRule REQUEST_BODY|ARGS|REQUEST_URI "(\'or isnull|siteadmin=suntzu&siteadminemail=fakefakefake@suntzu\.com|a_password=d41d8cd98f00b204e9800998ecf8427e)"
-
-#e107 "a_name" SQL Injection Vulnerability
-SecRule REQUEST_URI "/resetcore\.php" chain
-SecRule ARGS:a_name "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#honeypot
-SecRule REQUEST_URI "/main\.php\?x=(http|https|ftp)\:/"
-
-# MySource PEAR_PATH Remote File Inclusion
-SecRule REQUEST_URI "/(socket|span|request|mimeDecode|mime|mail|date)\.php" chain
-SecRule ARGS:PEAR_PATH "(http|https|ftp)\:/"
-SecRule REQUEST_URI "/new_upgrade_functions\.php" chain
-SecRule ARGS:INCLUDE_PATH|ARGS:SQUIZLIB_PATH "(http|https|ftp)\:/"
-SecRule REQUEST_URI "/init_mysource\.php" chain
-SecRule ARGS:INCLUDE_PATH "(http|https|ftp)\:/"
-
-#MySource XSS
-SecRule REQUEST_URI "/upgrade_in_progress_backend.php?target_url=\">"
-SecRule REQUEST_URI "/insert_table\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_cell_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/header\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_row_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_props\.php\?bgcolor=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/edit_table_cell_type_wysiwyg.php?stylesheet=\">"
-
-#Chipmunk Topsites "ID" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/recommend\.php" chain
-SecRule ARGS:ID|ARGS:entryID "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Chipmunk Forum "forumID" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/(newtopic|quote|index|reply)\.php" chain
-SecRule ARGS:ForumID "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP-Nuke NukeFixes Addon "file" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/modules\.php" chain
-SecRule ARGS:files "\.\./"
-
-#ManageEngine NetFlow Analyzer "grDisp" Cross-Site Scripting
-SecRule REQUEST_URI "/index\.jsp" chain
-SecRule ARGS:grDisp "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#IBM Lotus Domino XSS attempts
-SecRule REQUEST_URI "OpenForm.*/BaseTarget=.*\""
-SecRule REQUEST_URI "OpenFrameSet.*/src=.*\"><\/FRAMESET>.*<script>.*<\/script>"
-
-#HP OpenView Network Node Manager Remote Command Execution Attempt
-SecRule REQUEST_URI "/OvCgi/connectedNodes\.ovpl\?" chain
-SecRule ARGS:node "\|"
-
-#
-SecRule REQUEST_URI "/chat\.php" chain
-SecRule ARGS:Username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#Zomplog Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "detail\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-SecRule REQUEST_URI "/(get|index)\.php" chain
-SecRule ARGS:catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#Basic Analysis and Security Engine SQL Injection Vulnerability
-SecRule REQUEST_URI "/base_qry_main\.php\?new=.*&sig\[.*\]=\x3D&sig\[.*\]=((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#TClanPortal "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-SecRule REQUEST_URI "/index\.php\?action=.*id.*UNION.*SELECT.*id="
-
-#SaphpLesson "forumid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/(showcat|add)\.php" chain
-SecRule ARGS:forumid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\')"
-
-#PHP-Nuke SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&url.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION SELECT)"
-SecRule REQUEST_URI "/modules\.php\?name=Web_Links&d_op=.*title=.*description.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP-Fusion "news_body" Script Insertion Vulnerability
-SecRule REQUEST_URI "/submit\.php" chain
-SecRule ARGS:news_body "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#FlatNuke Cross-Site Scripting and Disclosure of Sensitive Information
-SecRule REQUEST_URI "/index\.php\?op=profile&user=\.\./"
-SecRule REQUEST_URI "/index\.php\?op=newtopic&mode=ris&quale=\.\./.*&page="
-SecRule REQUEST_URI "/index\.php\?op=.*&(user|nome|from)=*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Mantis File Inclusion
-SecRule REQUEST_URI "/bug_sponsorship_list_view_inc\.php\?t_core_path.*((http|https|ftp)\:/|\.\.)"
-
-#PHP iCalendar File Inclusion Vulnerability and XSS
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:phpicalendar "((http|https|ftp)\:/|\.\.)"
-SecRule REQUEST_URI "phpicalendar=.*cookie_view.*(http|https)\:/"
-
-#RSA ACE/Agent for Web "image" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/webauthentication\?GetPic\?image.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-view_cache\.php\?url=\.\./\.\."
-
-#Woltlab Burning Board Database Module SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/info_db\.php" chain
-SecRule ARGS:fileid|ARGS:subkatid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#gCards "limit" SQL Injection Vulnerability
-SecRule REQUEST_URI "/news\.php" chain
-SecRule ARGS:limit "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ATutor Multiple Vulnerabilities
-SecRule REQUEST_URI "/forum\.inc\.php\?addslashes.*(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)&(asc|desc)="
-SecRule REQUEST_URI "/(body_header\.inc|print)\.php\?section.*(/|\.\.)"
-SecRule REQUEST_URI "admin/translate\.php" chain
-SecRule ARGS:_base_href "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "include/html/editor_tabs/news\.inc\.php" chain
-SecRule ARGS:_base_path "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "documentation/add_note\.php" chain
-SecRule ARGS:p "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP config recon attack
-SecRule REQUEST_URI "/php\.ini$"
-
-#saphp Lesson add.php forumid Variable SQL Injection
-SecRule REQUEST_URI "/(showcat|add)\.php\?forumid.*(UNION.*SELECT|\|)"
-
-# SaveWebPortal menu_dx.php and menu_sx.php Multiple Variable XSS
-SecRule REQUEST_URI "/menu_dx\.ph" chain
-SecRule ARGS:L_InsertCorrectly|ARGS:L_MENUDX_Login|ARGS:L_MENUDX_Username|ARGS:L_MENUDX_Password|ARGS:L_Ok|ARGS:IMAGES_Url|ARGS:L_MENUDX_Registration|ARGS:BANNER_Url|ARGS:L_MENUSX_Newsletter|ARGS:L_MENUDX_InsertEMail "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/menu_sx\.php" chain
-SecRule ARGS:L_InsertNOK3Char|ARGS:L_MENUSX_Channels|ARGS:L_MENUSX_Home|ARGS:L_MENUSX_Archive|ARGS:L_Search|ARGS:L_Ok|ARGS:IMAGES_Url|ARGS:L_MENUSX_Services|ARGS:L_MENUSX_Links|ARGS:L_MENUSX_Newsletter|ARGS:L_MENUSX_Polls|ARGS:L_MENUSX_ECards|ARGS:L_MENUSX_Downloads|ARGS:L_MENUSX_Community|ARGS:L_MENUSX_Forum|ARGS:L_MENUSX_Chat|ARGS:L_MENUSX_Nicknames|ARGS:L_MENUSX_Membership|ARGS:L_MENUSX_Login|ARGS:L_MENUSX_UserProfile|ARGS:L_MENUSX_PasswordForgot|ARGS:L_MENUSX_Logout|ARGS:L_MENUSX_Contacts|ARGS:L_MENUSX_Guestbook|ARGS:L_MENUSX_ContactUs "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#phpbb xss, sql injection and PHP code injection
-SecRule REQUEST_URI "usercp_register\.php" chain
-SecRule ARGS:error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "login\.php" chain
-SecRule ARGS:forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "search\.php" chain
-SecRule ARGS:list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "usercp_register\.php" chain
-SecRule ARGS:signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule ARGS:signature_bbcode_uid "(<.*php|<php)"
-
-#honeypot
-SecRule REQUEST_URI "index\.php?x=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/classes\.php\?LOCAL_PATH=(http|https|ftp)\:/"
-
-#News2Net "category" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#eyeOS Script Insertion and Exposure of User Credentials
-SecRule REQUEST_URI "desktop\.php" chain
-SecRule ARGS:motd "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/usrinfo\.xml"
-
-#Invision Gallery "st" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:st "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#oaboard SQL Injection Vulnerabilities
-SecRule REQUEST_URI "forum\.php" chain
-SecRule ARGS:channel|ARGS:topic "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "/main\.php\?\*=(http|https|ftp)\:/"
-
-#CuteNews "template" Local File Inclusion and remote code execution Vulnerabilities
-SecRule REQUEST_URI "/show_archives\.php" chain
-SecRule ARGS:template "(/|\.\.)"
-#cutenews shell injection vuln
-SecRule REQUEST_URI "/inc/ipban\.mdu" chain
-SecRule ARGS:add_ip "(php|system)"
-SecRule REQUEST_URI "/ipban\.db\.php\?cmd="
-
-
-#phpWebThings "forum" SQL Injection Vulnerability
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:forum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Handicapper Multiple Vulnerabilities
-SecRule REQUEST_URI "/msg\.php" chain
-SecRule ARGS:msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/process_signup\.php" chain
-SecRule ARGS:login "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/process_signup\.php" chain
-SecRule ARGS:serviceid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Simple PHP Blog Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/preview(_cgi|_static_cgi)\.php" chain
-SecRule ARGS:entry "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "preview_cgi\.php" chain
-SecRule ARGS:blog_subject|ARGS:blog_text "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/preview_static_cgi\.php" chain
-SecRule ARGS:blog_subject|ARGS:blog_text|ARGS:file_name "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-SecRule REQUEST_URI "/colors_cgi\.php" chain
-SecRule ARGS:scheme_name|ARGS:bg_color "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#honeypot
-SecRule REQUEST_URI "tiki-pagehistory\.php\?page=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/uniq_login\.php\?login.*(http|https|ftp)\:/"
-SecRule REQUEST_URI "/viewtopic\.php\?t=.*&highlight=\'"
-
-#sumthin scan
-SecRule REQUEST_URI "/sumthin"
-
-#PHPKIT XSS Vulnerability
-SecRule REQUEST_URI "admin/admin\.php" chain
-SecRule ARGS:site_body "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#toendaCMS Disclosure of Sensitive Information
-SecRule REQUEST_URI "/admin\.php" chain
-SecRule ARGS:id_user "(\.\.|/|(http|https|ftp)\:/)"
-
-#Phorum "forum_ids[]" SQL Injection Vulnerability
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:forums_ids "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Tonio Gallery "galid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/showgallery\.php" chain
-SecRule ARGS:galid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ibProArcade Module "user" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#XMB "username" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/u2u\.php" chain
-SecRule ARGS:username "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#tikiwiki XSS
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php" chain
-SecRule ARGS:topics_sort_mode|ARGS:topics_offset "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
-
-#Tikiwiki tiki-user_preferences Command Injection Vulnerability
-SecRule REQUEST_URI "/tiki-user_preferences\.php" chain
-SecRule ARGS:language "(/|\.\.)"
-
-#Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability
-SecRule REQUEST_URI "/tiki-editpage\.php" chain
-SecRule ARGS:suck_url "(/|\.\.)"
-
-#phpAdsNew SQL Injection Vulnerability
-SecRule REQUEST_URI "/logout\.php" chain
-SecRule ARGS:sessiodID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Moodle "datalib.php" Remote SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(datalib|category|info)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/plot\.php" chain
-SecRule ARGS:user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:Config_absolute_path|ARGS:configFile "(http|https|ftp)\:/"
-SecRule REQUEST_URI "/error\.php\?dir=(http|https|ftp)\:/"
-SecRule REQUEST_URI "/common\.php\?pun_root=(http|https|ftp)\:/"
-SecRule REQUEST_URI "tiki-wiki_rss\.php\?ver=.*(http|https|ftp)\:/"
-
-#Winmail Server Multiple Vulnerabilities
-SecRule REQUEST_URI "admin/main\.php" chain
-SecRule ARGS:sid "\.\./\.\."
-SecRule REQUEST_URI "badlogin\.php" chain
-SecRule ARGS:retid "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
-
-#Pearl Forums SQL Injection and Local File Inclusion Vulnerabilities
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:forumsid|ARGS:topicid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:mode "(\.\./\.\.|/)"
-
-#Peel "rubid" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:rubid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#CodeGrrl Products "siteurl" File Inclusion Vulnerability
-SecRule REQUEST_URI "protection\.php" chain
-SecRule ARGS:siteurl "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Wizz Forum Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "ForumauthDetails\.php" chain
-SecRule ARGS:AuthID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "ForumTopicDetails\.php" chain
-SecRule ARGS:TopicID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#iCMS "page" File Inclusion Vulnerability
-SecRule REQUEST_URI "ForumauthDetails\.php" chain
-SecRule ARGS:page "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "editor_registry\.php" chain
-SecRule REQUEST_URI "xoopsConfig\[language\].*(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#PollVote "pollname" File Inclusion Vulnerability
-SecRule REQUEST_URI "pollvote\.php" chain
-SecRule ARGS:pollname "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Xoops WF-Downloads Module "list" SQL Injection Vulnerability
-SecRule REQUEST_URI "viewcat\.php" chain
-SecRule ARGS:list "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#phpwcms Disclosure of Sensitive Information and Cross-Site Scripting
-SecRule REQUEST_URI "login\.php" chain
-SecRule ARGS:form_lang "(\.\./\.\.|/|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "random_image\.php" chain
-SecRule ARGS:imgdir "\.\./\.\."
-
-#OnContent // CMS "pid" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:pid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Mambo "register_globals" Emulation Layer Overwrite Vulnerability
-#Mambo <= 4.5.2 Globals overwrite / remote commands execution
-SecRule ARGS:mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "id:390075,rev:1,severity:2,msg:'JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability'"
-SecRule REQUEST_URI "\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/" "id:390076,rev:1,severity:2,msg:'JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability'"
-
-
-#Arki-DB "catid" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#EkinBoard 1.0.3 config.php SQL Injection through cookie
-SecRule REQUEST_COOKIES:username "or isnull\(1"
-SecRule REQUEST_URI "&activate=1&allow_attch=1&attch_exts=.*php&.*attch_max_size="
-SecRule REQUEST_URI "attachments/suntzu.*\?cmd="
-
-#HPWebThings 1.4 "msg" and "forum" SQL injection
-SecRule REQUEST_URI "forum\.php\?act=.*&msg.*UNION.*SELECT.*(name|password|outfile).*forum="
-SecRule REQUEST_URI "forum\.php\?forum=.*UNION.*SELECT.*(name|password|outfile)"
-SecRule REQUEST_URI "forum\.php\?act=.*&forum.*UNION.*SELECT.*ORD"
-
-#phpnuke query sql injection
-SecRule REQUEST_URI "modules\.php" chain
-SecRule ARGS:query "(\'|UNION.*SELECT)"
-
-#Cyphor Forum SQL Injection Exploit
-SecRule REQUEST_URI "show\.php" chain
-SecRule ARGS:id|ARGS:fid "(\'|UNION.*SELECT)"
-
-#OTRS vulnerabilities, SQL injection and XSS
-SecRule REQUEST_URI "/index\.pl\?Action=(Login&User|AgentTicketPlain&(ArticleID|TicketID))=.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/index\.pl\?(QueueID|Action)=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Omnistar Live SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/kb\.php" chain
-SecRule ARGS:id|ARGS:category_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Ezyhelpdesk Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/\?mid=.*&m2id=.*page=.*(faq_id|c_id).*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/\?edit=spec_view&edit_id.*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#1-2-3 Music Store "AlbumID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/process\.php" chain
-SecRule ARGS:AlbumID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Labs Top Auction SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/viewcat\.php" chain
-SecRule ARGS:category|ARGS:type "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Labs Survey Wizard "sid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/survey\.php" chain
-SecRule ARGS:sid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#AFFCommerce Shopping Cart Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/subcategory\.php" chain
-SecRule ARGS:cl "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(iteminfo|itemreview)\.php" chain
-SecRule ARGS:item_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#WSN Forum "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/memberlist\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Tunez SQL Injection and Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/songinfo\.php" chain
-SecRule ARGS:songid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:searchfor "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-# PmWiki 2.0.12 Cross Site Scripting
-SecRule REQUEST_URI "/Search\?action=search.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP-Post Cross-Site Scripting
-SecRule REQUEST_URI "/(profile|mail)\.php" chain
-SecRule ARGS:user "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#CommodityRentals "user_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/usersession" chain
-SecRule ARGS:userid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Joomla! mod_poll SQL Injection
-SecRule REQUEST_URI "/mod_poll" chain
-SecRule ARGS:itemid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Advanced Poll "popup.php" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/popup\.php" chain
-SecRule ARGS:poll_ident "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#PHP-Fusion SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/options\.php" chain
-SecRule ARGS:forum_id|ARGS:thread_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(viewforum|index)\.php" chain
-SecRule ARGS:lastvisted "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#phpComasy "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "_head\.php\?_zb_path=(http|https|ftp)\:/"
-
-#vTiger code inclusion attack
-SecRule REQUEST_URI "/vtigercrm\.log"
-
-#Comdev Vote Caster "campaign_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:campaign_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Softbiz Web Host Directory Script SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(search_result|browsecats)\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/review\.php" chain
-SecRule ARGS:sbres_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/email\.php" chain
-SecRule ARGS:h_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Nicecoder iDesk "cat_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/faq\.php" chain
-SecRule ARGS:cat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#IsolSoft Support Center SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:field|ARGS:lorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#AgileBill "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/\?_page=product_cat\:t_" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ActiveCampaign SupportTrio "page" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:page "(\.\./\.\.|/(etc|tmp|var)|(http|https|ftp)\:/)"
-
-#sNews "index.php" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id|ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Online Work Order Suite Lite Edition SQL Injection Vulnerability
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:keyword "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#phpWordPress SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:poll|ARGS:category|ARGS:ctg "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Pdjk-support Suite Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:news_id|ARGS:faq_id|ARGS:rowstart "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-# freeForum 1.x "cat" and "thread" SQL inj.
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:cat|ARGS:thread "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ActiveCampaign KnowledgeBuilder SQL Injection
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:article "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Helpdesk Issue Manager SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/issue\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/find\.php" chain
-SecRule ARGS:orderdir|ARGS:orderby "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/find\.php" chain
-SecRule REQUEST_URI "detail\[\].*((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Q-News "id" File Inclusion Vulnerability
-SecRule REQUEST_URI "/q-news\.php" chain
-SecRule ARGS:id "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#ADC2000 NG Pro "cat" SQL Injection Vulnerability
-SecRule REQUEST_URI "/adcbrowres\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Enterprise Connector "messageid" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/send\.php" chain
-SecRule ARGS:messageid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Softbiz Resource Repository Script SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/showcats\.php" chain
-SecRule ARGS:sbcat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(details_res|refer_friend|report_link)\.php" chain
-SecRule ARGS:sbres_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#PHP Doc System Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:show "(\.\./\.\.|/)"
-
-#Netzbrett "p_entry" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:pentry "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ShockBoard "offset" SQL Injection Vulnerability
-SecRule REQUEST_URI "/topic\.php" chain
-SecRule ARGS:offset "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#K-Search SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id|ARGS:stat|ARGS:source "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#AllWeb Search "search" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:search "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Simple Document Management System SQL Injection Vulnerability
-SecRule REQUEST_URI "/message\.php" chain
-SecRule ARGS:mid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/list\.php" chain
-SecRule ARGS:folder_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-# edmoBBS SQL inj. vuln.
-SecRule REQUEST_URI "/edmobbs9r\.php" chain
-SecRule ARGS:table|ARGS:messageID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Joels Bulletin Board SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/topiczeigen\.php" chain
-SecRule ARGS:nr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/(showforum|newtopic)\.php" chain
-SecRule ARGS:forum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/showforum\.php" chain
-SecRule ARGS:zeigeseite "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/neuerbeitrag\.php" chain
-SecRule ARGS:tidnr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#UGroup Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:FORUM_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/topic\.php" chain
-SecRule ARGS:TOPIC_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Fantastic News "category" SQL Injection Vulnerability
-SecRule REQUEST_URI "/news\.php" chain
-SecRule ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#ClientExec Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:billshowid|ARGS:billdetailid|ARGS:frmClientID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Entergal MX SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:idcat|ARGS:action "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#GuppY PHP Code Injection and Local File Inclusion Vulnerabilities
-SecRule REQUEST_URI "/error\.php" chain
-SecRule REQUEST_URI "_SERVER\[REMOTE_ADDR\].*(php|system\()"
-SecRule REQUEST_URI "/editorTypetool\.php" chain
-SecRule ARGS:meskin "(\.\./\.\.|/|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "/(archbatch|nwlmail)\.php" chain
-SecRule ARGS:lng "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#DMANews Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id|ARGS:sortorder|ARGS:display_num "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#BosDates SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/calendar\.php" chain
-SecRule ARGS:year|ARGS:category "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#Post Affiliate Pro "sortorder" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:sortorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#BedengPSP Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(index|download)\.php" chain
-SecRule ARGS:cwhere "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/baca\.php" chain
-SecRule ARGS:ckode "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#randshop SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:kategorieid|ARGS:katid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#SourceWell "cnt" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cnt "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#phpGreetz Include File Bug
-SecRule REQUEST_URI "/content\.php" chain
-SecRule ARGS:content "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Athena Include File Bug
-SecRule REQUEST_URI "/athena\.php" chain
-SecRule ARGS:athena_dir "(\.\./\.\.|/|(http|https|ftp)\:/)"
-
-#Athena Include File Bug vulns
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:module "\.\./"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule REQUEST_URI "Users\&Action.*templatename.*/"
-SecRule REQUEST_URI "/index\.php\?module=uploads&action=add2db" chain
-SecRule REQUEST_URI|REQUEST_BODY "\.php"
-
-#Fake gif file shell attacvk
-SecRule HTTP_Content-Type "image/gif"
-SecRule REQUEST_BODY "chr\("
-
-#bogus graphics file
-SecRule HTTP_Content-Disposition "\.php" chain
-SecRule HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
-
-#Post Affiliate Pro "sortorder" Remote SQL Injection and Arbitrary File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:md "(\.\./\.\.|/)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:sortorder "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-
-#EkinBoard 1.0.3 (config.php) SQL Injection / Command Execution
-SecRule REQUEST_URI "/(index|viewforum|newtopic)\.php" chain
-SecRule REQUEST_COOKIES:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
-SecRule REQUEST_URI "/newtopic\.php" chain
-SecRule HTTP_Content-Disposition "topic_title" chain
-SecRule REQUEST_BODY "php.*system\("
-
-#Unclassified NewsBoard 1.5.3 patch level 3 "Datefrom" blind SQL injection
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:DateFrom "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHPNuke <= 7.8 sql injection
-SecRule REQUEST_URI "/forum\.php" chain
-SecRule ARGS:query "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Moodle <= 1.6dev get record() SQL injection
-SecRule REQUEST_URI "/plot\.php" chain
-SecRule ARGS:user "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/info\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#interesting new pattern
-SecRule REQUEST_URI "/ThisFileMustNotExist"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-backlinks\.php\?page=(http|https|ftp)\:/"
-
-# SocketKB 1.1.x file include Vuln
-SecRule REQUEST_URI "\?__f=(http|https|ftp)\:/"
-SecRule REQUEST_URI "\?__f=rating_add&"
-SecRule ARGS:art_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "\?__f=category&"
-SecRule ARGS:node "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Xaraya "module" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:module "(\.\./\.\.|/)"
-
-#N-13 News "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Softbiz B2B Trading Marketplace Script "cid" SQL Injection
-SecRule REQUEST_URI "/(selloffers|buyoffers|products|profiles)\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-# WEB-MISC mod_gzip_status access
-SecRule REQUEST_URI "/mod_gzip_status" log,pass
-
-#honeypot
-SecRule REQUEST_URI "/index\.php\?main=/"
-
-#PHP Fusion CMS SQL injection Vulnerabilities
-SecRule REQUEST_URI "/viewforum\.php\?" chain
-SecRule ARGS:lastvisited "\'"
-
-#Saxon XSLT command execution attacks
-SecRule REQUEST_URI|REQUEST_BODY "xsl\:value-of select=\"run\:exec\("
-SecRule REQUEST_URI|REQUEST_BODY "xsl.*run\:getRuntime\(\)\, \'\""
-
-#Lore Article.PHP SQL Injection Vulnerability
-SecRule REQUEST_URI "/article\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#honeypoy
-SecRule REQUEST_URI "/imageviewer\.php\?filename="
-
-#PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
-SecRule REQUEST_URI "/admin/" chain
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM|or user_id=2)"
-SecRule REQUEST_URI "files/.*\.php\.menu\?cmd="
-
-#NetClassifieds Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(ViewCat|gallery)\.php" chain
-SecRule ARGS:Catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/ViewItem\.php" chain
-SecRule ARGS:ItemNum "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Coppermine Photo Gallery "relocate_server.php" Exposure of Configuration
-SecRule REQUEST_URI "/relocate_server\.php"
-
-#WebCalendar HTTP Response Splitting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/edit_report_handler\.php" chain
-SecRule ARGS:time_range "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/layers_toggle\.php" chain
-SecRule ARGS:ret "HTTP"
-
-#Instant Photo Gallery SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/portfolio\.php" chain
-SecRule ARGS:cat_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/content\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Lore "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/article\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#DotClear "dc_xd" SQL Injection Vulnerability
-SecRule REQUEST_URI "/session\.php" chain
-SecRule REQUEST_COOKIES:cd_xd "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#DotClear "dc_xd" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:x "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#O-Kiraku Nikki "day_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/nikki\.php" chain
-SecRule ARGS:day_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-# AltantisFAQ SQL inj. vuln.
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:searchStr "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#FAQRing "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/answer\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#WSN Knowledge Base SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:catid|ARGS:perpage|ARGS:ascdesc|ARGS:orderlinks "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/(comments|memberlist)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Softbiz FAQ Script SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(faq_qanda|refer_friend|print_article|add_comment)\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#OmniStar KBase SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/comments\.php" chain
-SecRule ARGS:article_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/kb\.php" chain
-SecRule ARGS:category_id|ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#FAQ System SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/viewFAQ\.php" chain
-SecRule ARGS:FAQ_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:CATEGORY_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#KBase Express SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/category\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Orca Knowledgebase "qid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/knowledgebase\.php" chain
-SecRule ARGS:qid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Survey System "SURVEY_ID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/survey\.php" chain
-SecRule ARGS:SURVEY_ID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Orca Blog SQL inj. vuln.
-SecRule REQUEST_URI "/blog\?msg=((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Orca Ringmaker "start" SQL Injection Vulnerability
-SecRule REQUEST_URI "/ringmaker\.php" chain
-SecRule ARGS:start "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#ltwCalendar "id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/calendar\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Nephp Publisher SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.html" chain
-SecRule ARGS:id|ARGS:nnet_catid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Zainu SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:start|ARGS:term "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Babe Logger "gal" and "id" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:gal "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/comments\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Zen Cart Input Validation Hole in 'password_forgotten.php' sql injection
-SecRule REQUEST_URI "admin/password_forgotten\.php" chain
-SecRule ARGS:admin_email "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"
-
-#Sugar Suite "beanFiles[1]" File Inclusion Vulnerability
-SecRule REQUEST_URI "acceptDecline\.php" chain
-SecRule REQUEST_URI "beanFiles\[1\].*(http|https|ftp)\:/"
-
-#phpMyAdmin register_globals Emulation "import_blacklist" Manipulation
-SecRule REQUEST_URI "/grab_globals\.php" chain
-SecRule ARGS:import_blacklist "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"
-
-#Magic Forum Personal Cross-Site Scripting and SQL Injection
-SecRule REQUEST_URI "/view_forum\.cfm" chain
-SecRule ARGS:ForumID|ARGS:Thread|ARGS:ThreadID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"
-SecRule REQUEST_URI "/search_forums\.cfm" chain
-SecRule ARGS:Words "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#Magic List Pro "ListID" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view_archive\.cfm" chain
-SecRule ARGS:ListID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO)"
-
-#CF_Nuke Directory Traversal and Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "/index\.cfm" chain
-SecRule ARGS:sector|ARGS:page "\.cfm"
-
-#phpForumPro SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:parent|ARGS:day "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Cars Portal SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:page|ARGS:car "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PluggedOut Blog "index.php" SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:categoryid|ARGS:entryid|ARGS:year|ARGS:month|ARGS:day "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PluggedOut Nexus SQL Injection and Cross-Site Scripting
-SecRule REQUEST_URI "/search\.php" chain
-SecRule ARGS:firstname|ARGS:lastname|ARGS:location "(((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>)"
-SecRule REQUEST_URI "/search_forums\.cfm" chain
-SecRule ARGS:Words "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390083,rev:1,severity:2,msg:'JITP: tikiwiki XSS Vulnerability'"
-SecRule ARGS:comments_parentId|ARGS:forumId|ARGS:topics_offset "(<+(script|about|applet|activex|chrome)|onmouseover=\'javascript)"
-SecRule REQUEST_URI "/tiki-view_forum_thread\.php" "chain,id:390082,rev:1,severity:2,msg:'JITP: tikiwiki Remote File Inclusion Vulnerability'"
-SecRule ARGS:comments_parentId|ARGS:forumId|ARGS:topics_offset "(ht|f)tps?\:/"
-
-#wormsign
-SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
-
-#phpMyAdmin Cross-Site Scripting Vulnerabilities
-SecRule ARGS:HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
-
-#Web4Future eCommerce Products SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:prod|ARGS:brid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/viewbrands\.php" chain
-SecRule ARGS:bid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:grp|ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#DoceboLMS Information Disclosure
-SecRule REQUEST_URI "/connector\.php" chain
-SecRule ARGS:Type "\.\."
-
-#Web4Future Affiliate Manager Pro "pid" SQL Injection Vulnerability
-SecRule REQUEST_URI "/functions\.php" chain
-SecRule ARGS:pid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHP-addressbook "view.php" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Blog System SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/blog\.php" chain
-SecRule ARGS:note "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Multiple vendor vulnerability
-#Amazon Search Directory "search.cgi" Cross-Site Scripting
-#Warm Links "search.cgi" Cross-Site Scripting Vulnerability
-#Hot Links SQL "search.cgi" Cross-Site Scripting Vulnerability
-#Hot Links Pro "search.cgi" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule ARGS:search "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#1-Search "1search.cgi" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/1search\.cgi" chain
-SecRule ARGS:q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Easy Search System "search.cgi" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/search\.cgi" chain
-SecRule ARGS:q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#phpYellow SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/search_result\.php" chain
-SecRule ARGS:haystack "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/print_me\.php" chain
-SecRule ARGS:ckey "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Relative Real Estate Systems "mls" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:mls "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#LandShop SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/ls\.php" chain
-SecRule ARGS:search_order|ARGS:search_type|ARGS:search_area|ARGS:keyword "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Widget Imprint "product_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "/create\.php" chain
-SecRule ARGS:product_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Widget Property SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/property\.php" chain
-SecRule ARGS:property_id|ARGS:zip_code|ARGS:property_type_id|ARGS:price|ARGS:city_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Web4Future Portal Solutions Information Disclosure and SQL Injection
-SecRule REQUEST_URI "/comentarii\.php" chain
-SecRule ARGS:idp "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/archiva\.php" chain
-SecRule ARGS:dir "\.\."
-
-#HobSR "view.php" SQL Injection Vulnerability
-SecRule REQUEST_URI "/view\.php" chain
-SecRule ARGS:arrange "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Web4Future eDating Professional SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:s|ARGS:pg|ARGS:sortb "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/(gift|fq)\.php" chain
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/articles\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#FileLister "searchwhat" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "/definesearch\.jsp" chain
-SecRule ARGS:searchwhat "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#PHP-Fusion "srch_text" SQL Injection Vulnerability
-SecRule REQUEST_URI "/messages\.php" chain
-SecRule ARGS:srch_text "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Nortel SSL VPN Web Interface XSS
-SecRule REQUEST_URI "/tunnelform\.yaws" chain
-SecRule ARGS:a "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Scout Portal Toolkit Possible Sql Injection..and XSS
-SecRule REQUEST_URI "BrowseResources\.php\?ParentId=\'"
-SecRule REQUEST_URI "SPT\-\-UserLogin\.php" chain
-SecRule ARGS:F_UserName|ARGS:F_Password "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-FullRecord\.php" chain
-SecRule ARGS:ResourceId "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-BrowseResources\.php" chain
-SecRule ARGS:ParentId "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-Home\.php" chain
-SecRule ARGS:ResourceOffset "(\'|<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-QuickSearch\.php" chain
-SecRule ARGS:ss|ARGS:F_SearchString "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-BrowseResources\.php" chain
-SecRule ARGS:ParentId "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "SPT\-\-AdvancedSearch\.php" chain
-SecRule ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Magic Book v2.0 Professional XSS Vuln
-SecRule REQUEST_URI "/book\.cfm\?StartRow.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#flatnuke remote shell
-SecRule REQUEST_URI "verify\.php" chain
-SecRule REQUEST_URI|REQUEST_BODY "mod=modcont&from=index\.php&body=.*\<\?php.*&file=forum.*users.*\.php"
-SecRule REQUEST_URI "forum/users/.*\.php\?cmd="
-
-#Netref "cat" SQL Injection Vulnerability
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#milliscripts Redirection "domainname" Cross-Site Scripting
-SecRule REQUEST_URI "register\.php" chain
-SecRule ARGS:domainname "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#phpnuke exploit
-SecRule REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors"
-
-#limbo exploit
-SecRule REQUEST_URI "index2\.php\?cmd.*\&_SERVER\[\]=\&_SERVER\[REMOTE_ADDR\]=" chain
-SecRule REQUEST_URI|REQUEST_BODY "system"
-
-#Plogger '/admin/plog-admin-functions.php' Include File Bug Lets Remote Users Execute
-SecRule REQUEST_URI "admin/plog-admin-functions\.php\?config\[basedir\]=(http|https|ftp)\:/"
-
-#PHPGedView <= 3.3.7 remote commands execution
-SecRule REQUEST_URI "help_text_vars\.php\?.*=.*PGV_BASE_DIRECTORY=./index/pgv.*\.log"
-SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
-
-#AlstraSoft EPay Enterprise Script Insertion Vulnerabilities
-SecRule REQUEST_URI "(profile|card|bank|subscriptions|send|request|forgot|escrow|donations|products)\.htm" chain
-SecRule ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#PHP-Fusion Multiple Vulnerabilities
-SecRule REQUEST_URI "members\.php" chain
-SecRule ARGS:sortby "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-SecRule REQUEST_URI "ratings_include\.php" chain
-SecRule ARGS:rating "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#e-publish Cross-Site Scripting and SQL Injection Vulnerabilities
-SecRule REQUEST_URI "printer_friendly\.cfm" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "show\.cfm" chain
-SecRule ARGS:obcatid|ARGS:comid "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#eggblog "q" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "search\.php" chain
-SecRule ARGS:q "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-# SyntaxCMS XSS vuln.
-SecRule REQUEST_URI "/search/\?search_query=*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#SPIP Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "spip_(login|pass)\.php3" chain
-SecRule ARGS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#SiteSage "norelay_highlight_words" Cross-Site Scripting Vulnerability
-SecRule ARGS:norelay_highlight_words "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#OpenEdit Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "results\.html" chain
-SecRule ARGS:oe-action|ARGS:page "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
-
-#Portfolio NetPublish "template" Disclosure of Sensitive Information
-SecRule REQUEST_URI "server\.np\?base&site=\[.*\]&catalog=.*&template=*\.\./"
-
-#Papoo SQL Injection Vulnerabilities
-SecRule REQUEST_URI "(index|guestbook)\.php" chain
-SecRule ARGS:menuid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "print\.php" chain
-SecRule ARGS:forumid|ARGS:reporeid_print "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#phpSlash "story_id" SQL Injection Vulnerability
-SecRule REQUEST_URI "article\.php" chain
-SecRule ARGS:story_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PhpGedView File Inclusion and PHP Code Injection Vulnerabilities
-SecRule REQUEST_URI "authenticate\.php" chain
-SecRule ARGS:user_language|ARGS:user_email|ARGS:user_gedcomid "\<.*php"
-
-#Miraserver SQL Injection Vulnerabilities
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:page "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "newsitem\.php" chain
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "article\.php" chain
-SecRule ARGS:cat "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Information Call Center "CallCenterData.mdb" Exposure of User Credentials
-SecRule REQUEST_URI "CallCenterData\.mdb"
-
-#phpBB <= 2.0.17 remote command execution exploit
-SecRule REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
-SecRule REQUEST_URI|REQUEST_BODY "r57phpBB2017xpl"
-SecRule REQUEST_BODY "_bill_gates@microsoft\.com"
-
-#phpDocumentor File Inclusion Vulnerabilities
-SecRule REQUEST_URI "Documentation/tests/bug-559668\.php" chain
-SecRule ARGS:FORUM\[LIB\] "(http|https|ftp)\:/"
-SecRule REQUEST_URI "docbuilder/file_dialog\.php" chain
-SecRule ARGS:root_dir "(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/tiki-index\.php\?page=(\||/|\.)"
-SecRule REQUEST_URI "/tech_o\.php\?absolute_path=(http|https|ftp)\:/"
-SecRule REQUEST_URI "moblog_lib\.php\?basedir=(cmd|(http|https|ftp)\:/)"
-
-#FlatCMS <=1.01 Remote Command Execution Exploit
-SecRule REQUEST_URI "/admin/cijfer\.php\?cij="
-SecRule REQUEST_URI "/admin/file_editor\.php" chain
-SecRule REQUEST_URI "\?save_file=cijfer\.php&f_content="
-SecRule REQUEST_URI "/admin/file_editor\.php" chain
-SecRule REQUEST_URI "\x3C\x3F\x24"
-#the specific payload, if you prefer
-#SecRule REQUEST_URI "\x3C\x3F\x24handle\x3Dpopen\x5C\x28\x24_GET\x5Bcij\x5D\x2C\x22r\x22\x29\x3Bwhile\x28\x21feof\x28\x24handle\x29\x29\x7B\x24line\x3Dfgets\x28\x24handle\x29\x3Bif\x28strlen\x28\x24line\x29\x3E\x3D1\x29\x7Becho\x22\x24line\x22\x3B\x7D\x7Dpclose\x28\x24handle\x29\x3B\x3F\x3E"
-
-#Valdersoft Shopping Cart <=3.0 Remote Command Execution Exploit
-SecRule REQUEST_URI "/include/templates/categories/default\.php\?.*\;echo"
-SecRule REQUEST_URI "/include/templates/categories/default\.php\?.*<\?passthru\(\$_GET\[cmd\]\)\;\?>"
-SecRule ARGS:catalogDocumentRoot "(https|http|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "index\.php\?p=(http|https|ftp)\:/"
-
-#Phgstats "phgdir" File Inclusion Vulnerability
-SecRule REQUEST_URI "phgstats\.inc\.php" chain
-SecRule ARGS:phgdir "(http|https|ftp)\:/"
-
-#VenomBoard SQL Injection Vulnerabilities
-SecRule REQUEST_URI "post\.php3" chain
-SecRule ARGS:topic_id|ARGS:root|ARGS:parent "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-# PHPNuke EV 7.7 'search' module 'query' variable SQL injection
-SecRule REQUEST_URI "/modules\.php\?name=Search" chain
-SecRule REQUEST_URI "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#honeypot
-SecRule REQUEST_URI "/admin\.php\?op=AddAuthor&add_aid=.*&add_name=.*&add_pwd=.*&add_email=r00t_System@hush\.com"
-
-#Etomite "cij" shell command backdoor
-SecRule REQUEST_URI "manager/includes/todo\.inc\.php"
-
-#openSRS exploit
-SecRule REQUEST_URI "mod_opensrs/mod_config\.php\?this_mod_opensrs_config.*=.*&DIR=(http|https|ftp)\:/"
-
-#honeypot
-SecRule REQUEST_URI "/index\.php" chain
-SecRule ARGS:lp "(http|https|ftp)\:/"
-SecRule REQUEST_URI "\.php\?forum=.*union.*select.*password,password,null,null"
-SecRule REQUEST_URI "/wwForum\.mdb"
-
-#ImpExData.php?systempath=
-SecRule REQUEST_URI "/ImpExData\.php" chain
-SecRule ARGS:systempath "(http|https|ftp)\:/"
-
-#SQuery <= 4.5 Remote File Inclusion Exploit
-SecRule REQUEST_URI "lib/(armygame|ase|devi|doom3|et|flashpoint.php|gameSpy|gameSpy2|gore|gsvari|halo|hlife|hlife2|igi2|main.lib|netpanzer|old_hlife|pkill|q[23]a|qworlp|rene|rvbshld|savage|simracer|sof1|sof2|unreal|ut2004|vietcong)\.php" chain
-SecRule ARGS:libpath "(http|https|ftp)\:/"
-
-#MonAlbum Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "index\.php" chain
-SecRule ARGS:pc "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "image_agrandir.php" chain
-SecRule ARGS:pnom|ARGS:pcourriel "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHPNuke-Clan "vwar_root" File Inclusion Vulnerability
-#VWar <= 1.5.0 R12 Remote File Inclusion Exploit
-SecRule REQUEST_URI "(/includes/functions_(common|install)|/includes/get_header)\.php" "chain,id:390039,rev:2,severity:2,msg:'JITP: vwar_root remote/local file inclusion'"
-SecRule ARGS:vwar_root "((http|https|ftp)\:/|\.\./\.\.)"
-
-#gtd-php Cross-Site Scripting and Script Insertion Vulnerabilities
-SecRule REQUEST_URI "new(Project|List|WaitingOn|ChecklistContext|Category.php|Goal)\.php" chain
-SecRule ARGS "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "listReport\.php" chain
-SecRule ARGS:listTitle "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "projectReport\.php" chain
-SecRule ARGS:projectName "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "checklistReport\.php" chain
-SecRule ARGS:checklistTitle "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#aWebBB Multiple Vulnerabilities
-SecRule REQUEST_URI "post\.php" "chain,id:390001,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on post.php'"
-SecRule ARGS:tname|ARGS:fpost "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "editac\.php" "chain,id:390002,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on editac.php'"
-SecRule ARGS:fullname|ARGS:emailadd|ARGS:country|ARGS:sig|ARGS:otherav "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "register\.php" "chain,id:390003,rev:1,severity:2,msg:'JITP: aWebBB XSS attack on register.php'"
-SecRule ARGS:fullname|ARGS:emailadd|ARGS:country "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "(accounts|changep|editac|feedback|fpass|login|post|reply|reply_log)\.php" "chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB XSS attack'"
-SecRule ARGS:Username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "dpost\.php" "chain,id:390004,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
-SecRule ARGS:p "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "(ndis|list)\.php" "chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
-SecRule ARGS:c "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "search\.php" "chain,id:390005,rev:1,severity:2,msg:'JITP: aWebBB SQL attack'"
-SecRule ARGS:q "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#phpBB "cur_password" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "profile\.php" "chain,id:390006,rev:1,severity:2,msg:'JITP: phpBB cur_password XSS attack'"
-SecRule ARGS:cur_password "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
-SecRule REQUEST_URI "modules/vWar_Account/includes/functions_(common|front)\.php" "chain,id:390007,rev:2,severity:2,msg:'JITP: PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit'"
-SecRule ARGS:vwar_root2 "(http|https|ftp)\:/"
-
-#Claroline <= 1.7.4 scormExport.inc.php remote command vuln
-SecRule REQUEST_URI "scormExport\.inc\.php" "chain,id:390008,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 scormExport.inc.php remote command vuln'"
-SecRule ARGS:includePath "((http|https|ftp)\:/|\.\./\.\.)"
-SecRule REQUEST_URI "scormExport\.inc\.php\?cmd=" "id:390009,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 scormExport.inc.php remote command vuln'"
-
-#Claroline <= 1.7.4 XSS and recursion attack
-SecRule REQUEST_URI "rqmkhtml\.php" "chain,id:390010,rev:1,severity:2,msg:'JITP: Claroline <= 1.7.4 XSS attack'"
-SecRule ARGS:cmd "(rqEdit|rwEditHtml)" chain
-SecRule ARGS:file "(><|\.\./\.\.)"
-
-#aWebNews Multiple Vulnerabilities
-SecRule REQUEST_URI "visview\.php" "chain,id:390011,rev:1,severity:2,msg:'JITP: aWebNews XSS attack'"
-SecRule ARGS:yname|ARGS:emailadd|ARGS:subject|ARGS:comment "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-SecRule REQUEST_URI "(login|fpass)\.php" "chain,id:390012,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
-SecRule ARGS:user123 "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "visview\.php" "chain,id:390013,rev:1,severity:2,msg:'JITP: aWebBBNewsSQL attack'"
-SecRule ARGS:cid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#WebAPP Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "index\.cgi" "chain,id:390014,rev:1,severity:2,msg:'JITP: aWebAPP XSS attack'"
-SecRule ARGS:action|ARGS:id|ARGS:num|ARGS:board|ARGS:cat|ARGS:writer|ARGS:viewcat|ARGS:img|ARGS:curcatname|ARGS:vsSD "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#qliteNews "loginprocess.php" SQL Injection Vulnerability
-SecRule REQUEST_URI "loginprocess\.php" "chain,id:390015,rev:1,severity:2,msg:'JITP: qliteNEws SQL injection attack'"
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#RedCMS SQL Injection and Script Insertion Vulnerabilities
-SecRule REQUEST_URI "login\.php" "chain,id:390016,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "profile\.php" "chain,id:390017,rev:1,severity:2,msg:'JITP: RedCMS SQL Injection'"
-SecRule ARGS:u "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "register\.php" "chain,id:390018,rev:1,severity:2,msg:'JITP: RedCMS XSS attack'"
-SecRule ARGS:Email|ARGS:Location|ARGS:Website "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Oxygen "fid" SQL Injection Vulnerability
-SecRule REQUEST_URI "post\.php" "chain,id:390019,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
-SecRule ARGS:fid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Mantis Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "view_set_all\.php" "chain,id:390020,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
-SecRule ARGS:start_day|ARGS:start_year|ARGS:start_month "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#vCounter "url" SQL Injection Vulnerability
-SecRule REQUEST_URI "vCounter\.php" "chain,id:390021,rev:1,severity:2,msg:'JITP: Oxygen SQL Injection'"
-SecRule ARGS:url "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHP Classifieds "searchword" Cross-Site Scripting Vulnerability
-SecRule REQUEST_URI "search\.php" "chain,id:390022,rev:1,severity:2,msg:'JITP: Mantis XSS attack'"
-SecRule ARGS:searchword "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection
-SecRule REQUEST_URI "/sendpassword\.php\?action=send" "chain,id:390023,rev:1,severity:2,msg:'JITP: PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection'"
-SecRule REQUEST_BODY "UNION SELECT.*concat.*password.*admin\.php"
-
-#Sourceworkshop newsletter "email" SQL Injection Vulnerability
-SecRule REQUEST_URI "/newsletter\.php" "chain,id:390024,rev:1,severity:2,msg:'JITP: Sourceworkshop newsletter SQL Injection Vulnerability'"
-SecRule ARGS:newsletteremail "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#X-Changer SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/index\.php" "chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection Vulnerability'"
-SecRule ARGS:from|ARGS:into|ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Cholod Mysql based message board Script Insertion and SQL Injection
-SecRule REQUEST_URI "/mb\.cgi" "chain,id:390025,rev:1,severity:2,msg:'JITP: X-Changer SQL Injection Vulnerability'"
-SecRule ARGS:topicnumber|ARGS:threadnumber "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/mb\.cgi" "chain,id:390026,rev:1,severity:2,msg:'JITP: X-Changer XSS Vulnerability'"
-SecRule ARGS:Name|ARGS:Subject|ARGS:Message "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#Null news Multiple SQL Injection Vulnerabilities
-SecRule REQUEST_URI "/(sub|unsub)\.php" "chain,id:390027,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
-SecRule ARGS:user_username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "/lostpass\.php" "chain,id:390028,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
-SecRule ARGS:user_email "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#VSNS Lemon SQL injection Vulnerabilities
-SecRule REQUEST_URI "/functions/final_functions\.php" "chain,id:390029,rev:1,severity:2,msg:'JITP: Null news Multiple SQL Injection Vulnerabilities'"
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#PHPLiveHelper 1.8 remote command execution Xploit
-SecRule REQUEST_URI "initiate\.php" "chain,id:390030,rev:1,severity:2,msg:'JITP: PHPLiveHelper 1.8 remote command execution Xploit'"
-SecRule ARGS:abs_path "(http|https|ftp)\:/"
-
-#Pixel Motion Blog SQL Injection Vulnerabilities
-SecRule REQUEST_URI "admin/index\.php" "chain,id:390031,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL Injection Vulnerabilities'"
-SecRule ARGS:user|ARGS:pass "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "index\.php" "chain,id:390032,rev:1,severity:2,msg:'JITP: Pixel Motion Blog SQL Injection Vulnerabilities'"
-SecRule ARGS:date "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Nuked-Klan "m" SQL Injection Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390033,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection Vulnerability'"
-SecRule ARGS:m "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#TFT Gallery "passwd" Exposure of User Credentials
-SecRule REQUEST_URI "admin/passwd$" "id:390035,rev:1,severity:2,msg:'JITP: TFT Gallery passwd Exposure of User Credentials'"
-
-#PHP Ticket "frm_search_in" SQL Injection Vulnerability
-SecRule REQUEST_URI "search\.php" "chain,id:390036,rev:1,severity:2,msg:'JITP: Nuked-Klan SQL Injection Vulnerability'"
-SecRule ARGS:frm_search_in "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#WEBalbum Local File Inclusion Vulnerability
-SecRule REQUEST_COOKIES:skin2 "\.\." "id:390037,rev:1,severity:2,msg:'JITP: WEBalbum Local File Inclusion Vulnerability'"
-
-#G-Book "g_message" Script Insertion Vulnerability
-SecRule REQUEST_URI "/guestbook\.php" "chain,id:390038,rev:1,severity:2,msg:'JITP: G-Book g_message Script Insertion Vulnerability'"
-SecRule ARGS:g_message "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
-
-#PHPMyChat exploit
-SecRule REQUEST_URI "messagesL\.php.?\?L=.*R=.*N=.*&T=.*cmd=" "id:390039,rev:1,severity:2,msg:'JITP: PHPMyChat exploit'"
-
-#Horde Help Module Remote Execution
-SecRule REQUEST_URI "/services/help/\?show=.*&module=;\"" "id:390040,rev:1,severity:2,msg:'JITP: Horde Help Module Remote Execution'"
-
-#Internet PhotoShow Remote File Inclusion Exploit
-SecRule REQUEST_URI "index\.php?page=(ht|f)tps?:/.*\?&[a-z]+=[a-z]" "id:390041,rev:1,severity:2,msg:'JITP: Internet PhotoShow Remote File Inclusion Exploit'"
-
-#Censtore.cgi exploit
-SecRule REQUEST_URI "/censtore\.cgi\?page=\|" "id:390042,rev:1,severity:2,msg:'JITP: Censtore.cgi exploit'"
-
-#quizz.pl exploit
-SecRule REQUEST_URI "quizz\.pl/ask/\;" "id:390043,rev:1,severity:2,msg:'JITP: quizz.pl exploit'"
-
-#phpinfo.cgi command execution
-SecRule REQUEST_URI "/phpinfo\.php\?cmd=" "id:390044,rev:1,severity:2,msg:'JITP: phpinfo.cgi command execution'"
-
-#phpRaid "phpbb_root_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "auth/auth_phpbb\.php" "chain,id:390045,rev:1,severity:2,msg:'JITP: phpRaid phpbb_root_path File Inclusion Vulnerability'"
-SecRule ARGS:phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#openEngine "template" Parameter Local File Inclusion Vulnerability
-SecRule REQUEST_URI "website\.php" "chain,id:390046,rev:1,severity:2,msg:'JITP: openEngine template Parameter Local File Inclusion Vulnerability'"
-SecRule ARGS:template "\.\./\.\."
-
-#ISPConfig "go_info[server][classes_root]" File Inclusion
-SecRule REQUEST_URI "lib/session\.inc\.php" "chain,id:390047,rev:1,severity:2,msg:'JITP: ISPConfig go_info[server][classes_root] File Inclusion'"
-SecRule REQUEST_URI "go_info\[server\]\[classes_root\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#ManageEngine OpManager "searchTerm" Cross-Site Scripting
-SecRule REQUEST_URI "search\.do" "chain,id:390048,rev:1,severity:2,msg:'JITP: ManageEngine OpManager searchTerm Cross-Site Scripting'"
-SecRule ARGS:searchTerm "(javascript|script|about|applet|activex|chrome)*\>"
-
-#AliPAGER "ubild" Cross-Site Scripting and SQL Injection
-SecRule REQUEST_URI "inc/elementz\.php" "chain,id:390049,rev:1,severity:2,msg:'JITP: AliPAGER ubild Cross-Site Scripting and SQL Injection'"
-SecRule ARGS:ubild "((javascript|script|about|applet|activex|chrome)*\>|((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM))"
-
-#MxBB Portal pafileDB Module "module_root_path" File Inclusion
-SecRule REQUEST_URI "includes/pafiledb_constants\.php" "chain,id:390050,rev:1,severity:2,msg:'JITP: MxBB Portal pafileDB Module module_root_path File Inclusion'"
-SecRule ARGS:module_root_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "site/scripts/register\.php" "chain,id:390051,rev:1,severity:2,msg:'JITP: Jadu CMS register.php Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:forename|ARGS:surname|ARGS:reg_email|ARGS:email_conf|ARGS:company|ARGS:city|ARGS:postcode|ARGS:telephone "(javascript|script|about|applet|activex|chrome|php)*\>"
-
-#OpenFAQ "q" Parameter Script Insertion Vulnerability
-SecRule REQUEST_URI "search\.php" "chain,id:390052,rev:1,severity:2,msg:'JITP: OpenFAQ q Parameter Script Insertion Vulnerability'"
-SecRule ARGS:q "(javascript|script|about|applet|activex|chrome)*\>"
-
-#phpBB foing Module "phpbb_root_path" File Inclusion
-SecRule REQUEST_URI "(index|faq|song|list|gen_m3u|playlist)\.php" "chain,id:390053,rev:1,severity:2,msg:'JITP: phpBB foing Module phpbb_root_path File Inclusion'"
-SecRule ARGS:phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Sugar Suite "sugarEntry" Parameter Security Bypass
-SecRule REQUEST_URI "/modules/.*/.*\.php\?GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390054,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
-SecRule REQUEST_URI "/modules/.*/.*\.php\?cmd=.*GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390055,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
-SecRule REQUEST_URI "/modules/.*/.*\.php" "chain,id:390056,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
-SecRule REQUEST_BODY|REQUEST_URI "\?GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#Sugar Suite exploit
-SecRule REQUEST_URI "modules/Administration/RebuildAudit\.php\?cmd=" "id:390057,rev:1,severity:2,msg:'JITP: Sugar Suite exploit'"
-
-#TikiWiki Multiple Cross-Site Scripting Vulnerabilities
-SecRule REQUEST_URI "tiki-lastchanges\.php" "chain,id:390058,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:days|ARGS:offset "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-orphan_pages\.php" "chain,id:390059,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:find "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-listpages\.php" "chain,id:390060,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:offset|ARGS:initial "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-remind_password\.php" "chain,id:390061,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:username "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-(admin_(rssmodules|notifications|content_templates|chat)|syslog)\.php" "chain,id:390062,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:offset "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-adminusers\.php" "chain,id:390063,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:numrows "(javascript|script|about|applet|activex|chrome)+.?\>"
-SecRule REQUEST_URI "tiki-searchindex\.php" "chain,id:390095,rev:1,severity:2,msg:'JITP: TikiWiki Multiple Cross-Site Scripting Vulnerabilities'"
-SecRule ARGS:highlist "(javascript|script|about|applet|activex|chrome)+.?\>"
-
-#Wordpress shell injection Vulnerability
-SecRule REQUEST_URI "/cache/user.*/.*\.php\?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'"
-
-#Nucleus <= 3.22 arbitrary remote inclusion exploit
-SecRule REQUEST_URI "PLUGINADMIN\.php\?GLOBALS\[DIR_LIBS\]=((ht|f)tps?\:/|/tmp|/opt|/etc|/export|/var|/home|/usr|\.\.)" "id:390065,rev:1,severity:2,msg:'JITP: Nucleus arbitrary remote inclusion exploit'"
-
-#Horde passthru protection
-SecRule REQUEST_URI "/services/help(/)?\?(.*)?\&module=.*passthru\(.*\)" "id:390066,rev:1,severity:2,msg:'JITP: Horde passthru exploit'"
-
-#CMS-Bandits "spaw_root" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "dialogs/(img|td|table)\.php" "chain,id:390067,rev:2,severity:2,msg:'JITP: CMS-Bandits spaw_root File Inclusion Vulnerability'"
-SecRule ARGS:spaw_root "(ht|f)tps?\:/"
-
-#phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
-SecRule REQUEST_URI "dialogs/(img|td)\.php" "chain,id:390068,rev:1,severity:2,msg:'JITP: phpBB Blend Portal System Module phpbb_root_path File Inclusion'"
-SecRule ARGS:phpbb_root_path "(ht|f)tps?\:/"
-
-#Admanager Pro exploit
-SecRule REQUEST_URI "common\.php" "chain,id:390069,rev:1,severity:2,msg:'JITP: Admanager Pro exploit'"
-SecRule ARGS:ipath "((ht|f)tps?\:/|\.\./)"
-
-#Bible Portal Project destination File Inclusion Vulnerability'
-SecRule REQUEST_URI "Admin/rtf_parser\.php" "chain,id:390071,rev:1,severity:2,msg:'JITP: Bible Portal Project destination File Inclusion Vulnerability'"
-SecRule ARGS:destination "((ht|f)tps?\:/|\.\./)"
-
-#Flipper Poll "root_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "poll\.php" "chain,id:390072,rev:1,severity:2,msg:'JITP: Flipper Poll root_path File Inclusion Vulnerability'"
-SecRule ARGS:root_path "((ht|f)tps?\:/|\.\./)"
-
-#PictureDis Products "lang" Parameter File Inclusion Vulnerability
-SecRule REQUEST_URI "(thumstbl|wpfiles|wallpapr)\.php" "chain,id:390073,rev:1,severity:2,msg:'JITP: PictureDis Products lang Parameter File Inclusion Vulnerability'"
-SecRule ARGS:lang "((ht|f)tps?\:/|\.\./)"
-
-#Joomla and Mambo 'Weblinks' blind SQL injection / admin credentials EXPLOIT
-SecRule REQUEST_URI "index\.php" "chain,id:390074,rev:1,severity:2,msg:'JITP: Joomla/Mambo Weblinks blind SQL injection'"
-SecRule ARGS:title "(users[[:space:]]+WHERE[[:space:]]+usertype|UNION[[:space:]]+SELECT[[:space:]]+IF|insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" chain
-SecRule ARGS:task "save"
-
-#new pattern
-SecRule REQUEST_URI "index\.php\?mod=files&action=view&where=-1+UNION+SELECT+users_nick,0,users_pwd"
-
-#phpBB Mail2Forum Module "m2f_root_path" File Inclusion
-SecRule ARGS:m2f_root_path "((ht|f)tps?\:/|\.\./)" "id:390076,rev:1,severity:2,msg:'JITP: Generic m2f_root_path File Inclusion Vulnerability'"
-
-#
-SecRule REQUEST_URI "downloads\.php" "chain,id:390077,rev:1,severity:2,msg:'JITP: Generic PHP download incddir File Inclusion Vulnerability'"
-SecRule ARGS:incdir "((ht|f)tps?\:/|\.\./)"
-
-#SiteDepth CMS "SD_DIR" Parameter Handling Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "constants\.php" "chain,id:390078,rev:1,severity:2,msg:'JITP: SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability'"
-SecRule ARGS:SD_DIR "((ht|f)tps?\:/|\.\./)"
-
-#PhpLinkExchange "page" Parameter Handling Remote File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390079,rev:1,severity:2,msg:'JITP: PhpLinkExchange page Parameter Handling Remote File Inclusion Vulnerability'"
-SecRule ARGS:page "((ht|f)tps?\:/|\.\./)"
-
-#test for valid X-forearded header
-SecRule HTTP_X_FORWARDED_FOR "!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown),?(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown)?" "id:390080,rev:1,severity:2,msg:'Test: Checking for valid X-Forwarded header',log,pass"
-
-#authldap
-SecRule REQUEST_URI "authldap\.php" "chain,id:390081,rev:1,severity:2,msg:'JITP: authldap Remote File Inclusion Vulnerability'"
-SecRule ARGS:includePath "((ht|f)tps?\:/|\.\./)"
-
-#honeypot
-SecRule REQUEST_URI "global_header\.php" "chain,id:390082,rev:1,severity:2,msg:'JITP: globalheader domain variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:domain "((ht|f)tps?\:/|\.\./)"
-
-#Generic phpbb_root_path inclusion
-SecRule ARGS:phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)" "id:390083,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path variable Remote File Inclusion Vulnerability'"
-
-#Generic BBCodeFile variable remote file include
-SecRule ARGS:BBCodeFile "((ht|f)tps?:/|\.\./\.\.)" "id:390084,rev:1,severity:2,msg:'JITP: Generic BBCodeFile variable Remote File Inclusion Vulnerability'"
-
-#Generic wb_class_dir variable remote file include
-SecRule ARGS:wb_class_dir "((ht|f)tps?:/|\.\./\.\.)" "id:390085,rev:1,severity:2,msg:'JITP: Generic wb_class_dir variable Remote File Inclusion Vulnerability'"
-
-#Generic component_dir variable remote file include
-SecRule ARGS:component_dir "((ht|f)tps?:/|\.\./\.\.)" "id:390086,rev:1,severity:2,msg:'JITP: Generic component_dir variable Remote File Inclusion Vulnerability'"
-
-#Generic da_path variable remote file include
-SecRule ARGS:da_path "((ht|f)tps?:/|\.\./\.\.)" "id:390087,rev:1,severity:2,msg:'JITP: Generic da_path variable Remote File Inclusion Vulnerability'"
-
-#Generic spaw_root variable remote file include
-SecRule ARGS:spaw_root "((ht|f)tps?:/|\.\./\.\.)" "id:390088,rev:1,severity:2,msg:'JITP: Generic spaw_root variable Remote File Inclusion Vulnerability'"
-
-#Generic sitee variable remote file include
-SecRule ARGS:sitee "((ht|f)tps?:/|\.\./\.\.)" "id:390089,rev:1,severity:2,msg:'JITP: Generic sitee variable Remote File Inclusion Vulnerability'"
-
-#Generic default_path variable remote file include
-SecRule REQUEST_URI "\.php" "chain,id:390092,rev:1,severity:2,msg:'JITP: PHP default_path variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:default_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#file_upload sbp remote file inclusion vuln
-SecRule REQUEST_URI "file_upload\.php" "chain,id:390090,rev:1,severity:2,msg:'JITP: file_upload sbp variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:sbp "((ht|f)tps?\:/|\.\./)"
-
-#viewtopic sid remote file inclusion vuln
-SecRule REQUEST_URI "viewtopic\.php" "chain,id:390091,rev:1,severity:2,msg:'JITP: viewtopic sid variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:sid "((ht|f)tps?\:/|\.\./)"
-
-#get_infochannel root_path remote file inclusion vuln
-SecRule REQUEST_URI "get_infochannel\.inc\.php" "chain,id:390093,rev:1,severity:2,msg:'JITP: get_infochannel root_path variable Remote File Inclusion Vulnerability'"
-SecRule ARGS:root_path "((ht|f)tps?\:/|\.\./)"
-
-#Generic root_path variable remote file include
-SecRule ARGS:root_path "((ht|f)tps?:/|\.\./\.\.)" "id:390094,rev:1,severity:2,msg:'JITP: Generic root_path variable Remote File Inclusion Vulnerability'"
-
-#Generic default_path variable remote file include
-SecRule REQUEST_URI "\.php" "chain,id:390096,rev:1,severity:2,msg:'JITP: PHP glConf variable Remote File Inclusion Vulnerability'"
-SecRule REQUEST_URI "glConf\[path_library\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#MyNewsGroups :) "myng_root" File Inclusion Vulnerability
-SecRule REQUEST_URI "layersmenu\.inc\.php" "chain,id:390097,rev:1,severity:2,msg:'JITP: MyNewsGroups myng_root Remote File Inclusion Vulnerability'"
-SecRule ARGS:myng_root "((ht|f)tps?:/|\.\./\.\.)"
-
-#Joomla invalid arguments check
-#SecRule "joomla/" "chain,id:390098,rev:1,severity:2,msg:'JITP: Joomla invalid character Vulnerability'"
-#SecRule ARGS:from|ARGS:fromname|ARGS:subject "[\x00-\x1F\x7F]"
-
-#TikiWiki jhot.php upload exploit
-SecRule REQUEST_URI "img/wiki/" "chain,id:390099,rev:1,severity:2,msg:'JITP: TikiWiki non-image upload exploit'"
-SecRule REQUEST_URI "\.!(jpe?g|gif|png|bmp)"
-
-#pageheaderdefault sysSessionPath upload exploit
-SecRule REQUEST_URI "pageheaderdefault\.inc\.php\?" "chain,id:390100,rev:1,severity:2,msg:'JITP: pageheaderdefault sysSessionPath upload exploit'"
-SecRule REQUEST_URI "_sysSessionPath=((ht|f)tps?:/|\.\./\.\.)"
-
-#new pattern
-SecRule REQUEST_URI "\.php\?" "chain,id:390101,rev:1,severity:2,msg:'JITP: possible vulnscan6 exploit'"
-SecRule REQUEST_URI "(CONFIG_EXT\[LANGUAGES_DIR\]|dir\[inc\])=((ht|f)tps?:/|\.\./\.\.)"
-
-#Socketwiz Bookmarks "root_dir" File Inclusion Vulnerability
-SecRule REQUEST_URI "smarty_config\.php" "chain,id:390102,rev:1,severity:2,msg:'JITP: Socketwiz Bookmarks root_dir File Inclusion Vulnerability'"
-SecRule ARGS:root_dir "((ht|f)tps?:/|\.\./\.\.)"
-
-#MyABraCaDaWeb "base" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(index|pop)\.php" "chain,id:390103,rev:1,severity:2,msg:'JITP: MyABraCaDaWeb base File Inclusion Vulnerabilities'"
-SecRule ARGS:base "((ht|f)tps?:/|\.\./\.\.)"
-
-#Vivvo Article Management CMS SQL Injection and File Inclusion
-SecRule REQUEST_URI "pdf_version\.php" "chain,id:390104,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS SQL Injection'"
-SecRule ARGS:id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#Vivvo Article Management classified_path file inclusion
-SecRule ARGS:classified_path "((ht|f)tps?:/|\.\./\.\.)" "id:390105,rev:1,severity:2,msg:'JITP: Vivvo Article Management CMS File Inclusion'"
-
-#RaidenHTTPD "SoftParserFileXml" File Inclusion Vulnerability
-SecRule REQUEST_URI "raidenhttpd-admin/slice/check\.php" "chain,id:390106,rev:1,severity:2,msg:'JITP: RaidenHTTPD SoftParserFileXml File Inclusion Vulnerability'"
-SecRule ARGS:SoftParserFileXml "((ht|f)tps?:/|\.\./\.\.)"
-
-#mcGalleryPRO "path_to_folder" File Inclusion Vulnerability
-SecRule REQUEST_URI "random2\.php" "chain,id:390107,rev:1,severity:2,msg:'JITP: mcGalleryPRO path_to_folder File Inclusion Vulnerability'"
-SecRule ARGS:path_to_folder "((ht|f)tps?:/|\.\./\.\.)"
-
-#Timesheet PHP "username" Parameter SQL Injection
-SecRule REQUEST_URI "username\.php" "chain,id:390108,rev:1,severity:2,msg:'JITP: Timesheet PHP username Parameter SQL Injection'"
-SecRule ARGS:username "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-
-#CCleague Pro "language" Parameter Local File Inclusion
-SecRule ARGS:language "((ht|f)tps?:/|\.\./\.\.)" "id:390109,rev:1,severity:2,msg:'JITP: CCleague Pro language Parameter Local File Inclusion'"
-
-#TWiki "filename" Parameter Disclosure of Sensitive Information
-SecRule REQUEST_URI "/TWiki/" "chain,id:390110,rev:1,severity:2,msg:'JITP: TWiki filename Parameter Disclosure of Sensitive Information'"
-SecRule ARGS:filename "\.\./\.\."
-
-#photokorn "dir_path" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(includes/cart\.inc\.php|extras/ext_cat\.php)" "chain,id:390111,rev:1,severity:2,msg:'JITP: photokorn dir_path File Inclusion Vulnerabilities'"
-SecRule ARGS:dir_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Somery "skindir" File Inclusion Vulnerability
-SecRule REQUEST_URI "admin/system/include\.php" "chain,id:390112,rev:1,severity:2,msg:'JITP: Somery skindir File Inclusion Vulnerability'"
-SecRule ARGS:skindir "((ht|f)tps?:/|\.\./\.\.)"
-
-#DokuWiki "TARGET_FN" Directory Traversal Vulnerability
-SecRule REQUEST_URI "bin/dwpage\.php" "chain,id:390113,rev:1,severity:2,msg:'JITP: DokuWiki TARGET_FN Directory Traversal Vulnerability'"
-SecRule ARGS:TARGET_FN "((ht|f)tps?:/|\.\./\.\.)"
-
-#Fantastic News "CONFIG[script_path]" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "(archive|headlines)\.php" "chain,id:390114,rev:1,severity:2,msg:'JITP: Fantastic News CONFIG[script_path] File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "CONFIG\[script_path\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#BP News "bnrep" File Inclusion Vulnerability
-SecRule REQUEST_URI "bp_ncom\.php" "chain,id:390115,rev:1,severity:2,msg:'JITP: BP News bnrep File Inclusion Vulnerability'"
-SecRule ARGS:bnrep "((ht|f)tps?:/|\.\./\.\.)"
-
-#Akarru Social BookMarking Engine "bm_content" File Inclusion
-SecRule REQUEST_URI "akarru\.gui/main_content\.php" "chain,id:390116,rev:1,severity:2,msg:'JITP: Akarru Social BookMarking Engine bm_content File Inclusion'"
-SecRule ARGS:bm_content "((ht|f)tps?:/|\.\./\.\.)"
-
-#Beautifier "BEAUT_PATH" Parameter File Inclusion Vulnerability
-#phpCodeGenie "BEAUT_PATH" File Inclusion Vulnerability
-SecRule REQUEST_URI "Beautifier/Core\.php" "chain,id:390117,rev:1,severity:2,msg:'JITP: Beautifier BEAUT_PATH Parameter File Inclusion Vulnerability'"
-SecRule ARGS:BEAUT_PATH "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpFullAnnu "repmod" File Inclusion Vulnerability
-SecRule REQUEST_URI "modules/home\.module\.php" "chain,id:390118,rev:1,severity:2,msg:'JITP: phpFullAnnu repmod File Inclusion Vulnerability'"
-SecRule ARGS:repmod "((ht|f)tps?:/|\.\./\.\.)"
-
-#Sponge News "sndir" File Inclusion Vulnerability
-SecRule REQUEST_URI "news\.php" "chain,id:390119,rev:1,severity:2,msg:'JITP: Sponge News sndir File Inclusion Vulnerability'"
-SecRule ARGS:sndir "((ht|f)tps?:/|\.\./\.\.)"
-
-#ACGV News "PathNews" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "\.php\?" "chain,id:390120,rev:1,severity:2,msg:'JITP: ACGV News PathNews File Inclusion Vulnerabilities'"
-SecRule ARGS:PathNews "((ht|f)tps?:/|\.\./\.\.)"
-
-#MySpeach "my_ms[root]" Parameter File Inclusion Vulnerability
-SecRule REQUEST_URI "jscript\.php\?" "chain,id:390121,rev:1,severity:2,msg:'JITP: MySpeach my_ms[root] Parameter File Inclusion Vulnerability'"
-SecRule REQUEST_URI "my_ms\[root\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#annoncesV "page" Parameter File Inclusion Vulnerability
-SecRule REQUEST_URI "annonce\.php\?" "chain,id:390122,rev:1,severity:2,msg:'JITP: annoncesV page Parameter File Inclusion Vulnerability'"
-SecRule ARGS:page "((ht|f)tps?:/|\.\./\.\.)"
-
-#GrapAgenda "page" File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php\?" "chain,id:390123,rev:1,severity:2,msg:'JITP: GrapAgenda page File Inclusion Vulnerability'"
-SecRule ARGS:page "((ht|f)tps?:/|\.\./\.\.)"
-
-#C-News "path" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "/affichage/.*\.php\?" "chain,id:390124,rev:1,severity:2,msg:'JITP: C-News path File Inclusion Vulnerabilities'"
-SecRule ARGS:path "((ht|f)tps?:/|\.\./\.\.)"
-
-#PhpCommander "Directory" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "download\.php\?" "chain,id:390125,rev:1,severity:2,msg:'JITP: PhpCommander Directory Local File Inclusion Vulnerability'"
-SecRule ARGS:Directory "((ht|f)tps?:/|\.\./\.\.)"
-
-#dyncms "x_admindir" File Inclusion Vulnerability
-SecRule REQUEST_URI "0_admin/modules/Wochenkarte/frontend/index\.php" "chain,id:390126,rev:1,severity:2,msg:'JITP: dyncms x_admindir File Inclusion Vulnerability'"
-SecRule ARGS:x_admindir "((ht|f)tps?:/|\.\./\.\.)"
-
-#MyBace Light Skript File Inclusion Vulnerabilities
-SecRule REQUEST_URI "includes/login_check\.php" "chain,id:390127,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'"
-SecRule ARGS:hauptverzeichniss "((ht|f)tps?:/|\.\./\.\.)"
-SecRule REQUEST_URI "dmin/login/content/user_daten\.php" "chain,id:390128,rev:1,severity:2,msg:'JITP: MyBace Light Skript File Inclusion Vulnerabilities'"
-SecRule ARGS:template_back "((ht|f)tps?:/|\.\./\.\.)"
-
-#YACS "context[path_to_root]" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "\.php" "chain,id:390129,rev:1,severity:2,msg:'JITP: YACS context[path_to_root] File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "context\[path_to_root\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Pheap "lpref" File Inclusion Vulnerability
-SecRule REQUEST_URI "lib/config\.php" "chain,id:390130,rev:1,severity:2,msg:'JITP: Pheap lpref File Inclusion Vulnerability'"
-SecRule ARGS:lpref "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpECard "include_path" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "functions\.php" "chain,id:390131,rev:1,severity:2,msg:'JITP: phpECard include_path File Inclusion Vulnerabilities'"
-SecRule ARGS:include_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#MiniBill "config[include_dir]" Parameter File Inclusion
-SecRule REQUEST_URI "actions/ipn\.php" "chain,id:390132,rev:1,severity:2,msg:'JITP: MiniBill config[include_dir] File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "config\[include_dir\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#phpGroupWare Local File Inclusion Vulnerability
-SecRule REQUEST_URI "alendar/inc/class.holidaycalc\.inc\.php" "chain,id:390133,rev:1,severity:2,msg:'JITP: phpGroupWare Local File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "phpgw_info\[user\]\[preferences\]\[common\]\[country\]=\.\./\.\."
-
-#ExBB Italia "exbb[home_path]" File Inclusion Vulnerability
-SecRule REQUEST_URI "modules/userstop/userstop\.php" "chain,id:390134,rev:1,severity:2,msg:'JITP: ExBB Italia exbb[home_path] File Inclusion Vulnerability'"
-SecRule REQUEST_URI "exbb\[home_path\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Web3news "PHPSECURITYADMIN_PATH" File Inclusion
-SecRule REQUEST_URI "security/include/_class\.security\.php" "chain,id:390135,rev:1,severity:2,msg:'JITP: Web3news PHPSECURITYADMIN_PATH File Inclusion Vulnerabilities'"
-SecRule ARGS:PHPSECURITYADMIN_PATH "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpCOIN "_CCFG[_PKG_PATH_INCL]" File Inclusion
-SecRule REQUEST_URI "\.php\?" "chain,id:390136,rev:1,severity:2,msg:'JITP: phpCOIN _CCFG[_PKG_PATH_INCL] File Inclusion'"
-SecRule REQUEST_URI "_CCFG\[_PKG_PATH_INCL\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Wikepage "lng" Local File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390137,rev:1,severity:2,msg:'JITP: Wikepage lng Local File Inclusion Vulnerability'"
-SecRule ARGS:lng "((ht|f)tps?:/|\.\./\.\.)"
-
-#Empire CMS "check_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "e/class/CheckLevel\.php" "chain,id:390138,rev:1,severity:2,msg:'JITP: Empire CMS check_path File Inclusion Vulnerability'"
-SecRule ARGS:check_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Dolphin "dir[inc]" File Inclusion Vulnerability
-SecRule REQUEST_URI "templates/tmpl_dfl/scripts/index.php" "chain,id:390139,rev:1,severity:2,msg:'JITP: Dolphin dir[inc] File Inclusion Vulnerability'"
-SecRule REQUEST_URI "dir\[inc\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#SportsPHool "mainnav" File Inclusion Vulnerability
-SecRule REQUEST_URI "includes/layout/plain\.footer\.php" "chain,id:390140,rev:1,severity:2,msg:'JITP: SportsPHool mainnav File Inclusion Vulnerability'"
-SecRule ARGS:mainnav "((ht|f)tps?:/|\.\./\.\.)"
-
-#NES Game & NES System "phphtmllib" File Inclusion
-SecRule REQUEST_URI "\.php\?" "chain,id:390141,rev:1,severity:2,msg:'JITP: NES Game & NES System phphtmllib File Inclusion'"
-SecRule ARGS:phphtmllib "((ht|f)tps?:/|\.\./\.\.)"
-
-#PHlyMail Lite "_PM_[path][handler]" File Inclusion Vulnerability
-SecRule REQUEST_URI "handlers/email/mod.listmail.php" "chain,id:390142,rev:1,severity:2,msg:'JITP: PHlyMail Lite _PM_[path][handler] File Inclusion Vulnerability'"
-SecRule REQUEST_URI "_PM_\[path\]\[handler\]=((ht|f)tps?:/|\.\./\.\.)"
-
-#Sonium Enterprise Adressbook "folder" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "/plugins/(1_Adressbuch/new|2_Branchen/edit|3_Typ/delete)\.php\?" "chain,id:390143,rev:1,severity:2,msg:'JITP: Sonium Enterprise Adressbook folder File Inclusion Vulnerabilities'"
-SecRule ARGS:folder "((ht|f)tps?:/|\.\./\.\.)"
-
-#ff_compath remote file inclusion
-SecRule ARGS:ff_compath "((ht|f)tps?:/|\.\./\.\.)" "id:390150,rev:1,severity:2,msg:'JITP: ff_compath File Inclusion Vulnerabilities'"
-
-#phpBB "avatar_path" PHP Code Execution Vulnerability
-SecRule REQUEST_URI "/admin/admin_board\.php\?" "chain,id:390151,rev:1,severity:2,msg:'JITP: phpBB avatar_path PHP Code Execution Vulnerability'"
-SecRule ARGS:avatar_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#phpMyProfiler "pmp_rel_path" File Inclusion Vulnerability
-SecRule REQUEST_URI "/functions\.php\?" "chain,id:390152,rev:1,severity:2,msg:'JITP: phpMyProfiler pmp_rel_path File Inclusion Vulnerability'"
-SecRule ARGS:pmp_rel_path "((ht|f)tps?:/|\.\./\.\.)"
-
-#Servlet auth attack
-SecRule REQUEST_URI "/servlet/admin\?category=server\&method=listAll\&Authorization" "id:390153,rev:1,severity:2,msg:'JITP: Servlet Auth exposure Vulnerability'"
-
-#Eazy Cart Multiple Vulnerabilities
-SecRule REQUEST_URI "easycart\.php" "chain,id:390154,rev:1,severity:2,msg:'JITP: Eazy Cart SQL injection'"
-SecRule ARGS:price "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM)"
-SecRule REQUEST_URI "admin/config/customer\.dat" "id:390155,rev:1,severity:2,msg:'JITP: Eazy Cart Customer Data Access'"
-SecRule REQUEST_URI "easycart\.php" "chain,id:390156,rev:1,severity:2,msg:'JITP: Eazy Cart XSS ATTACK'"
-SecRule ARGS "<[[:space:]]*(script|about|applet|activex|chrome).*(script|about|applet|activex|chrome)[[:space:]]*>"
-
-#WebYep "webyep_sIncludePath" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "webyep-system/program/((lib|elements)/|webyep\.php)" "chain,id:390157,rev:1,severity:2,msg:'JITP: WebYep webyep_sIncludePath File Inclusion Vulnerabilities'"
-SecRule ARGS:webyep_sIncludePath "((ht|f)tps?:/|\.\./\.\.)"
-
-#Travelsized CMS "setup_folder" File Inclusion Vulnerability
-SecRule REQUEST_URI "frontpage\.php" "chain,id:390158,rev:1,severity:2,msg:'JITP: Travelsized CMS setup_folder File Inclusion Vulnerabilities'"
-SecRule ARGS:setup_folder "((ht|f)tps?:/|\.\./\.\.)"
-
-#VideoDB "config[pdf_module]" File Inclusion Vulnerability
-SecRule REQUEST_URI "core/pdf\.php" "chain,id:390159,rev:1,severity:2,msg:'JITP: VideoDB File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "config\[pdf_module\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#AllMyGuests "_AMGconfig[cfg_serverpath]" File Inclusion
-SecRule REQUEST_URI "signin\.php" "chain,id:390160,rev:1,severity:2,msg:'JITP: AllMyGuests File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "_AMGconfig\[cfg_serverpath\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#OpenBiblio Local File Inclusion and SQL Injection
-SecRule REQUEST_URI "shared/(header|help)\.php" "chain,id:390161,rev:1,severity:2,msg:'JITP: OpenBiblio File Inclusion Vulnerabilities'"
-SecRule ARGS "(((ht|f)tps?:/|\.\./\.\.)|((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*FROM))"
-
-#BasiliX "BSX_LIBDIR" File Inclusion Vulnerabilities
-SecRule REQUEST_URI "\.php" "chain,id:390162,rev:1,severity:2,msg:'JITP: BasiliX BSX_LIBDIR File Inclusion Vulnerabilities'"
-SecRule ARGS:BSX_LIBDIR "((ht|f)tps?:/|\.\./\.\.)"
-
-#PowerPortal "file_name[]" File Inclusion Vulnerability
-SecRule REQUEST_URI "index\.php" "chain,id:390163,rev:1,severity:2,msg:'JITP: Powerportal File Inclusion Vulnerabilities'"
-SecRule REQUEST_URI "file_name\[\].*((ht|f)tps?:/|\.\./\.\.)"
-
-#DeluxeBB "templatefolder" File Inclusion Vulnerability
-SecRule REQUEST_URI "/templates/.*/.*/.*\.php" "chain,id:390164,rev:1,severity:2,msg:'JITP: DeluxeBB teplatefolder File Inclusion Vulnerabilities'"
-SecRule ARGS:templatefolder "((ht|f)tps?:/|\.\./\.\.)"
-
-#TagIt! Tagboard "page" File Inclusion Vulnerability
-SecRule REQUEST_URI "/index\.php" "chain,id:390165,rev:1,severity:2,msg:'JITP: Tagit page File Inclusion Vulnerabilities'"
-SecRule ARGS:page "(ht|f)tps?:/"