path: root/files/mod_security/custom_rules/apache2-rules.conf
blob: eb2710e3f5d1927fd305ed8d71c00a47a920c84d (plain)
#http://www.gotroot.com/mod_security+rules
# Special Application Security Rules for Apache 2.x
# For ModSecurity 2.x
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2-rules.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Version: N-20061022-01
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.

#NOTE: These rules will only work for systems running Apache 2.x.  

#phpbb Session Cookie
# Both rules look for the same serialized cookie payload. With the \xNN escapes
# decoded, the pattern reads:
#   phpbb2mysql_data=a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}
# i.e. an autologinid supplied as boolean true (b:1) together with userid "2".
# NOTE(review): neither rule carries an action list, so the disposition and any
# transformations come from SecDefaultAction, which is not set in this file.
# A URL-encoded cookie value (a%3A2%3A%7B...) would presumably need t:urlDecode
# to match - confirm against the deployed defaults.
# NOTE(review): the first rule inspects a cookie named "sessionid" for text that
# itself starts with the cookie name "phpbb2mysql_data="; verify that this is the
# intended target rather than REQUEST_COOKIES:phpbb2mysql_data or
# REQUEST_HEADERS:Cookie.
SecRule REQUEST_COOKIES:sessionid  "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"

#schema overflow attempt
# NOTE(review): this pattern looks like a Snort content match ("|3A|//") and a
# Snort pcre option ("/^[^\/]{14,}?\x3a\/\//U") pasted together. Read as one
# regular expression it requires the literal text "|3A|///" and then a
# start-of-input anchor (^). The anchor cannot be satisfied directly after a
# consumed "/", so this rule is not expected to match any request.
# The apparent intent is a URI scheme of 14 or more characters before "://",
# roughly "^[^/]{14,}?\x3a//". Trial any corrected pattern with
# SecRuleEngine DetectionOnly first: it would also fire on ordinary text that
# precedes a URL in a parameter value.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "\|3A\|///^[^\/]{14,}?\x3a\/\//U"

#HappyMall Command Execution member_html.cgi
# Matches a request for /member_html.cgi whose query string contains "file="
# followed directly by ";" (\x3B) or "|" (\x7C), the shell metacharacters for
# command chaining and piping.
# NOTE(review): no transformation is set on this rule, so whether the
# percent-encoded forms of these characters are seen depends on SecDefaultAction
# - confirm against the deployed defaults.
SecRule REQUEST_URI "/member_html\.cgi\x3F.*file\x3D(\x3B|\x7C)"

#HappyMall Command Execution normal_html.cgi
# Matches a request for /normal_html.cgi whose query string contains "file="
# followed directly by ";" (\x3B) or "|" (\x7C), the shell metacharacters for
# command chaining and piping.
# NOTE(review): no transformation is set on this rule, so whether the
# percent-encoded forms of these characters are seen depends on SecDefaultAction
# - confirm against the deployed defaults.
SecRule REQUEST_URI "/normal_html\.cgi\x3F.*file\x3D(\x3B|\x7C)"

#phpBB Remote Code Execution Attempt
# Two-rule chain: the second rule is evaluated only when the first matches a
# request for /viewtopic.php with a query string. The second pattern looks for
# "highlight=" followed by a quote (or "%" plus four hex digits, such as a
# double-encoded quote), then ".", "/", a backslash or another "%hhhh" sequence,
# and finally a closing quote or "%hhhh".
# NOTE(review): [a-f0-9] is lower-case only and no t:lowercase is set here, so
# upper-case hex digits are covered only if SecDefaultAction lowercases input
# - confirm.
# NOTE(review): Apache's directive parser may collapse "\\" to a single backslash
# inside a quoted argument, which would turn "\\|" into an escaped pipe and drop
# the backslash alternative - verify with the engine's debug log.
# NOTE(review): ARGS holds parameter values, which normally do not contain the
# text "highlight=", so the REQUEST_URI and REQUEST_BODY targets presumably do
# the matching.
SecRule REQUEST_URI "/viewtopic\.php\?" chain
SecRule REQUEST_URI|ARGS|REQUEST_BODY "highlight=.*(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})"

#XSS generic sig
# Intended as a generic match for "=" followed on the same line by "<...>".
# NOTE(review): the pattern begins with "/", which looks like a leftover Snort
# pcre delimiter. ModSecurity's regex operator has no delimiters, so the slash is
# a literal and a match requires "/" immediately before the "="; most
# parameter-borne markup will not satisfy that.
# Dropping the slash would leave a very broad signature ("=" ... "<" ... ">"),
# so trial any correction with SecRuleEngine DetectionOnly before enforcing it.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "/(\x3D|=)[^\n]*(\x3C|<)[^\n]+(\x3E|>)"

#generic SQL injection sigs using PCRE
# NOTE(review): the surrounding "/" ... "/ix" is Snort pcre syntax. ModSecurity's
# regex operator takes neither delimiters nor trailing flags, so these are
# literal characters: the rule only matches input containing "/", optional word
# characters, a quote, "or" (either case), and then the text "/ix". The intended
# signature (a quote followed by "or") is therefore not being detected here.
# NOTE(review): the second quote alternative is a typographic apostrophe
# (U+2019), possibly an encoding artifact of \' - confirm the file encoding.
# If the delimiters are removed, expect false positives on natural-language input
# such as "d'oro" or "d'origine"; trial with SecRuleEngine DetectionOnly first.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "/\w*(\x27|\’)(\x6F|o|\x4F)(\x72|r|\x52)/ix"

##TWiki "rev" Shell Command Injection Vulnerability
# Matches /TWikiUsers?rev= followed by a space (\x20) and a pipe (\x7C), i.e. a
# rev value that opens a shell pipeline.
# NOTE(review): only the TWikiUsers topic name and only a literal space before
# the pipe are covered by this pattern.
# NOTE(review): no transformation is set here. Encoded forms depend on
# SecDefaultAction, and the mixed-case literal "TWikiUsers" would stop matching
# if the defaults apply t:lowercase - confirm against the deployed defaults.
SecRule REQUEST_URI "/TWikiUsers\?rev=\x20\x7C"

##ATutor Multiple Vulnerabilities
# Matches /body_header.inc.php or /print.php requested with a query string that
# begins with "section" and later contains a NUL byte (\x00).
# NOTE(review): no transformation is set here. A percent-encoded NUL needs a
# URL-decoding transformation to be seen as \x00, and \x00 can never match if
# the defaults apply t:replaceNulls - confirm against SecDefaultAction.
SecRule REQUEST_URI "/(body_header\.inc|print)\.php\?section.*\x00"

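#faqmanager.cgi arbitrary file access attempt
# Matches /faqmanager.cgi?toc=... where the toc value contains a NUL byte (\x00)
# or the literal text "|00|".
# The "." and "?" are escaped so that they match literally, as in the other CGI
# rules in this file. Unescaped, "i?" made the "i" optional and the pattern
# could not match a URL that actually contains "?toc=".
# NOTE(review): "|00|" looks like Snort hex notation carried over as literal
# text; it is kept so that existing behavior for that alternative is unchanged.
# NOTE(review): no transformation is set here. A percent-encoded NUL needs a
# URL-decoding transformation to be seen as \x00, and \x00 can never match if
# the defaults apply t:replaceNulls - confirm against SecDefaultAction.
SecRule REQUEST_URI "/faqmanager\.cgi\?toc=.*(\|00\||\x00)"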