# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Just In Time Patches for Vulnerable Applications Rules for modsec 2.x # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. 
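#--------------------------------
# notes
#--------------------------------
# Rules work with modsecurity 2.x and above only
#
# Review notes (rules 310000-310017):
#  - The SecDefaultAction below is commented out here. If the active default
#    carries t:lowercase as that line does, a pattern containing an uppercase
#    literal can never match; such patterns now start with (?i) so the match
#    does not depend on the transformation pipeline of the including config.
#  - REQUEST_URI is the raw, undecoded URI. Patterns that look for byte values
#    such as \x0a only fire if a URL-decoding transformation (t:urlDecodeUni
#    or similar) is applied by the default action -- confirm in the including
#    configuration.
#  - Double-comma typos in action lists (',,chain') were removed.
#  - Rules whose pattern or msg changed have rev bumped to 2.
#--------------------------------
#start rules
#--------------------------------

# Phase 2 rules
# SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase"

# Rule 310000: WEB-CGI formmail
SecRule REQUEST_URI "/(?:formmail|mailform)(?:\x0a|\.pl\x0a)" \
    "id:310000,rev:1,severity:2,msg:'JITP: web-cgi formmail'"

# Rule 310001: pals-cgi arbitrary file access attempt
# 'documentName' is mixed case -> (?i) so the rule survives t:lowercase.
SecRule REQUEST_URI "(?i)/pals-cgi.*documentName=" \
    "id:310001,rev:2,severity:2,msg:'JITP: pals-cgi arbitrary file access attempt'"

# Rule 310002: WEB-CGI phf arbitrary command execution attempt
SecRule REQUEST_URI "/phf" \
    "id:310002,rev:1,severity:2,msg:'JITP: phf arbitrary command execution attempt',chain"
    SecRule REQUEST_URI "\x0a/"

# Rule 310003: WEB-CGI phf access
SecRule REQUEST_URI "/phf\?" \
    "id:310003,rev:1,severity:2,msg:'JITP: phf access'"

# Rule 310004: WEB-CGI htsearch arbitrary file read attempt
SecRule REQUEST_URI "/htsearch\?exclude=\`" \
    "id:310004,rev:2,severity:2,msg:'JITP: htsearch arbitrary file read attempt'"

# Rule 310005: WEB-CGI csSearch.cgi arbitrary command execution attempt
# Duplicated by 310127 (both fire on the same request).
SecRule REQUEST_URI "(?i)/csSearch\.cgi\?" \
    "id:310005,rev:2,severity:2,msg:'JITP: csSearch.cgi arbitrary command execution attempt',chain"
    SecRule REQUEST_URI "\`"

# Rule 310006: WEB-CGI FormHandler.cgi directory traversal attempt
SecRule REQUEST_URI "(?i)/FormHandler\.cgi" \
    "id:310006,rev:2,severity:2,msg:'JITP: FormHandler.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "/\.\./"

# Rule 310007: WEB-CGI FormHandler.cgi external site redirection attempt
SecRule REQUEST_URI "(?i)/FormHandler\.cgi" \
    "id:310007,rev:2,severity:2,msg:'JITP: FormHandler.cgi external site redirection attempt',chain"
    SecRule REQUEST_URI "redirect=http"

# Rule 310008: WEB-PHP squirrel mail spell-check arbitrary command attempt
SecRule REQUEST_URI "/squirrelspell/modules/check_me\.mod\.php" \
    "id:310008,rev:2,severity:2,msg:'JITP: squirrel mail spell-check arbitrary command attempt',chain"
    SecRule REQUEST_URI "(?i)SQSPELL_APP\["

# Rule 310009: WEB-PHP squirrel mail theme arbitrary command attempt
SecRule REQUEST_URI "/left_main\.php" \
    "id:310009,rev:1,severity:2,msg:'JITP: squirrel mail theme arbitrary command attempt',chain"
    SecRule REQUEST_URI "cmdd="

# Rule 310010: WEB-PHP directory.php arbitrary command attempt
SecRule REQUEST_URI "/directory\.php\?" \
    "id:310010,rev:1,severity:2,msg:'JITP: directory.php arbitrary command attempt',chain"
    SecRule REQUEST_URI "\;"

# Rule 310011: WEB-PHP PHPLIB remote command attempt
# The original comment and msg contained a pasted fragment of another line.
SecRule REQUEST_URI|REQUEST_BODY "(?i)_PHPLIB\[libdir\]" \
    "id:310011,rev:2,severity:2,msg:'JITP: PHPLIB remote command attempt'"

# Rule 310012: WEB-PHP PHPLIB remote command attempt
SecRule REQUEST_URI "/db_mysql\.inc" \
    "id:310012,rev:1,severity:2,msg:'JITP: PHPLIB remote command attempt'"

# Rule 310013: Exploit phpBB Highlighting Code Execution Attempt
SecRule REQUEST_URI|REQUEST_BODY "(?:\;|\&)highlight=\'\.system\(" \
    "id:310013,rev:1,severity:2,msg:'JITP: phpBB Highlighting Code Execution Attempt'"

# Rule 310014: Exploit phpBB Highlighting SQL Injection
SecRule REQUEST_URI|REQUEST_BODY "&highlight=\'\.mysql_query\(" \
    "id:310014,rev:1,severity:2,msg:'JITP: phpBB Highlighting SQL Injection'"

# Rule 310015: Exploit phpBB Highlighting Code Execution - Santy.A Worm
# msg said 'SQL Injection'; the pattern (fwrite(fopen() is code execution.
SecRule REQUEST_URI|REQUEST_BODY "&highlight=\'\.fwrite\(fopen\(" \
    "id:310015,rev:2,severity:2,msg:'JITP: phpBB Highlighting Code Execution - Santy.A Worm'"

# Rule 310016: Exploit phpBB Highlight Exploit Attempt
SecRule REQUEST_URI|REQUEST_BODY "&highlight=\x2527\x252Esystem\(" \
    "id:310016,rev:1,severity:2,msg:'JITP: phpBB Highlight Exploit Attempt'"

# Rule 310017: WEB-CGI dcforum.cgi directory traversal attempt
SecRule REQUEST_URI "/dcforum\.cgi" \
    "id:310017,rev:1,severity:2,msg:'JITP: dcforum.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "forum=\.\./\.\."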
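# Review notes (rules 310018-310025): (?i) added where the literal is
# uppercase (PRN, NUL) so t:lowercase cannot silently disable the rule.
# 310025 used a Snort-style |0A| byte token, which PCRE reads as the literal
# text '|0A|', and carried a chained second rule copied from 310024 that has
# nothing to do with the campus CGI; both corrected.

# Rule 310018: WEB-CGI dcboard.cgi invalid user addition attempt
SecRule REQUEST_URI "/dcboard\.cgi.*\|admin" \
    "id:310018,rev:1,severity:2,msg:'JITP: dcboard.cgi invalid user addition attempt'"

# Rule 310019: WEB-CGI alchemy http server PRN arbitrary command execution
# attempt
SecRule REQUEST_URI|REQUEST_BODY "(?i)/PRN/\.\./\.\./" \
    "id:310019,rev:2,severity:2,msg:'JITP: alchemy http server PRN arbitrary command execution attempt'"

# Rule 310020: PHP Doc System Local File Inclusion Vulnerability
# NOTE: any '/' in the 'show' argument of any index.php matches -- expect
# false positives on applications that pass paths in that parameter.
SecRule REQUEST_URI "/index\.php" \
    "id:310020,rev:1,severity:2,msg:'JITP: Doc System Local File Inclusion Vulnerability',chain"
    SecRule ARGS:show "(?:\.\./\.\.|/)"

# Rule 310021: WEB-CGI alchemy http server NUL arbitrary command execution
# attempt
SecRule REQUEST_URI|REQUEST_BODY "(?i)/NUL/\.\./\.\./" \
    "id:310021,rev:2,severity:2,msg:'JITP: alchemy http server NUL arbitrary command execution attempt'"

# Rule 310022: WEB-CGI AltaVista Intranet Search directory traversal attempt
# Duplicated by 310122.
SecRule REQUEST_URI "/query\?mss=\.\." \
    "id:310022,rev:1,severity:2,msg:'JITP: AltaVista Intranet Search directory traversal attempt'"

# Rule 310023: WEB-CGI hello.bat arbitrary command execution attempt
# Duplicated by 310126.
SecRule REQUEST_URI "/hello\.bat" \
    "id:310023,rev:1,severity:2,msg:'JITP: hello.bat arbitrary command execution attempt',chain"
    SecRule REQUEST_URI "\&"

# Rule 310024: WEB-CGI Home Free search.cgi directory traversal attempt
# Duplicated by 310131.
SecRule REQUEST_URI "/search\.cgi" \
    "id:310024,rev:1,severity:2,msg:'JITP: Home Free search.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "letter=\.\./\.\."

# Rule 310025: campus attempt
# |0A| replaced by \x0a; the copied 'letter=' chain was dropped.
SecRule REQUEST_URI "/campus\?\x0a" \
    "id:310025,rev:2,severity:2,msg:'JITP: campus attempt'"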
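# Review notes (rules 310026-310109):
#  - (?i) added to patterns with uppercase literals (see the note at 310000).
#  - Several patterns used a shell-style '*' wildcard; in PCRE '*' only
#    repeats the preceding character, so those rules could never match their
#    target (310050, 310061, 310062, 310063, 310074, 310075). Now '.*'.
#  - 310056 lacked 'chain', leaving the first rule to block every header.php
#    request and the second SecRule without any actions.
#  - 310081's chained rule and 310089 searched REQUEST_URI for header /
#    request-line text that the URI never contains.
#  - 310086's chained regex had '\(?:' where '\((?:' was meant.
#  - 310106 used a Snort-style |7C| byte token (literal text in PCRE).
#  - Many rules are repeated later in the file under a new id (noted inline);
#    both copies fire on one request.

# Rule 310026: WEB-CGI pfdispaly.cgi arbitrary command execution attempt
# See also 310132 (pfdisplay.cgi, same intent with the other spelling).
SecRule REQUEST_URI "/pfdispaly\.cgi\?\'" \
    "id:310026,rev:1,severity:2,msg:'JITP: pfdispaly.cgi arbitrary command execution attempt'"

# Rule 310027: WEB-CGI talkback.cgi directory traversal attempt
# Pattern read 'talkbalk' and so never matched the script named in msg.
SecRule REQUEST_URI "/talkback\.cgi" \
    "id:310027,rev:2,severity:2,msg:'JITP: talkback.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "article=\.\./\.\./"

# Rule 310028: WEB-CGI technote main.cgi file directory traversal attempt
# Duplicated by 310136.
SecRule REQUEST_URI "/technote/main\.cgi" \
    "id:310028,rev:1,severity:2,msg:'JITP: technote main.cgi file directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./\.\./"

# Rule 310029: WEB-CGI technote print.cgi directory traversal attempt
# Duplicated by 310137.
SecRule REQUEST_URI "/technote/print\.cgi.*\x00" \
    "id:310029,rev:1,severity:2,msg:'JITP: technote print.cgi directory traversal attempt'"

# Rule 310030: WEB-CGI eXtropia webstore directory traversal
SecRule REQUEST_URI "/web_store\.cgi" \
    "id:310030,rev:1,severity:2,msg:'JITP: eXtropia webstore directory traversal',chain"
    SecRule REQUEST_URI "page=\.\./"

# Rule 310031: WEB-CGI shopping cart directory traversal
SecRule REQUEST_URI "/shop\.cgi" \
    "id:310031,rev:1,severity:2,msg:'JITP: shopping cart directory traversal',chain"
    SecRule REQUEST_URI "page=\.\./"

# Rule 310032: WEB-CGI Allaire Pro Web Shell attempt
# Duplicated by 310138.
SecRule REQUEST_URI "(?i)/authenticate\.cgi\?PASSWORD" \
    "id:310032,rev:2,severity:2,msg:'JITP: Allaire Pro Web Shell attempt',chain"
    SecRule REQUEST_URI "config\.ini"

# Rule 310033: WEB-CGI Armada Style Master Index directory traversal
# Duplicated by 310139.
SecRule REQUEST_URI "/search\.cgi\?keys" \
    "id:310033,rev:1,severity:2,msg:'JITP: Armada Style Master Index directory traversal',chain"
    SecRule REQUEST_URI "catigory=\.\./"

# Rule 310034: WEB-CGI cached_feed.cgi moreover shopping cart directory
# traversal
# Duplicated by 310140.
SecRule REQUEST_URI "/cached_feed\.cgi" \
    "id:310034,rev:1,severity:2,msg:'JITP: cached_feed.cgi moreover shopping cart directory traversal',chain"
    SecRule REQUEST_URI "\.\./"

# Rule 310035: WEB-CGI Talentsoft Web+ exploit attempt
# Duplicated by 310141.
SecRule REQUEST_URI "(?i)/webplus\.cgi\?Script=/webplus/webping/webping\.wml" \
    "id:310035,rev:2,severity:2,msg:'JITP: Talentsoft Web+ exploit attempt'"

# Rule 310036: WEB-CGI txt2html.cgi directory traversal attempt
SecRule REQUEST_URI "/txt2html\.cgi" \
    "id:310036,rev:1,severity:2,msg:'JITP: txt2html.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "/\.\./\.\./\.\./\.\./"

# Rule 310037: WEB-CGI store.cgi directory traversal attempt
# Duplicated by 310145.
SecRule REQUEST_URI "/store\.cgi" \
    "id:310037,rev:1,severity:2,msg:'JITP: store.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./"

# Rule 310038: WEB-CGI mrtg.cgi directory traversal attempt
# Duplicated by 310148.
SecRule REQUEST_URI "/mrtg\.cgi" \
    "id:310038,rev:1,severity:2,msg:'JITP: mrtg.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "cfg=/\.\./"

# Rule 310039: WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
# Duplicated by 310150.
SecRule REQUEST_URI "/whereami\.cgi\?g=" \
    "id:310039,rev:1,severity:2,msg:'JITP: CCBill whereami.cgi arbitrary command execution attempt'"

# Rule 310040: WEB-CGI WhatsUpGold instancename overflow attempt
# Duplicated by 310152.
SecRule REQUEST_URI "/_maincfgret\.cgi" \
    "id:310040,rev:1,severity:2,msg:'JITP: WhatsUpGold instancename overflow attempt'"

# Rule 310041: Demarc SQL injection attempt
SecRule REQUEST_URI "/dm/demarc.*s_key=.*\'" \
    "id:310041,rev:1,severity:2,msg:'JITP: Demarc SQL injection attempt'"

# Rule 310042: WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI|REQUEST_BODY "////////" \
    "id:310042,rev:1,severity:2,msg:'JITP: apache directory disclosure attempt'"

# Rule 310043: WEB-MISC htgrep attempt
SecRule REQUEST_URI "/htgrep" \
    "id:310043,rev:1,severity:2,msg:'JITP: htgrep attempt',chain"
    SecRule REQUEST_URI "hdr=/"

# Rule 310044: musicat empower attempt
SecRule REQUEST_URI "(?i)/empower\?DB=" \
    "id:310044,rev:2,severity:2,msg:'JITP: musicat empower attempt'"

# Rule 310045: WEB-PHP DNSTools administrator authentication bypass attempt
SecRule REQUEST_URI "/dnstools\.php" \
    "id:310045,rev:1,severity:2,msg:'JITP: DNSTools administrator authentication bypass attempt',chain"
    SecRule REQUEST_URI "user_dnstools_administrator=true"

# Rule 310046: WEB-PHP DNSTools authentication bypass attempt
SecRule REQUEST_URI "/dnstools\.php" \
    "id:310046,rev:1,severity:2,msg:'JITP: DNSTools authentication bypass attempt',chain"
    SecRule REQUEST_URI "user_logged_in=true"

# Rule 310047: General phpbb_root_path vulnerabilities
SecRule ARGS:phpbb_root_path "(?:(?:ht|f)tps?\:/|\.\./)" \
    "id:310047,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"

# Rule 310048: WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecRule REQUEST_URI "/quick-reply\.php" \
    "id:310048,rev:1,severity:2,msg:'JITP: phpbb quick-reply.php arbitrary command attempt',chain"
    SecRule REQUEST_URI "phpbb_root_path="

# Rule 310049: WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecRule REQUEST_URI "/dostuff\.php\?action=modify_user" \
    "id:310049,rev:1,severity:2,msg:'JITP: Blahz-DNS dostuff.php modify user attempt'"

# Rule 310050: WEB-PHP PHP-Wiki cross site scripting attempt
# Glob '*' -> '.*' (the old pattern could only match '/modules.phpname=Wik>').
SecRule REQUEST_URI "(?i)/modules\.php\?.*name=Wiki.*\<.*(script|about|applet|activex|chrome).*\>" \
    "id:310050,rev:2,severity:2,msg:'JITP: PHP-Wiki cross site scripting attempt'"

# Rule 310051: WEB-MISC *%0a.pl access
# '/*' is zero-or-more slashes, so this effectively matches '\x0a.pl' anywhere.
SecRule REQUEST_URI "/*\x0a\.pl" \
    "id:310051,rev:1,severity:2,msg:'JITP: *%0a.pl access'"

# Rule 310052: WEB-PHP strings overflow
SecRule REQUEST_URI|REQUEST_BODY "(?i)\?STRENGUR" \
    "id:310052,rev:2,severity:2,msg:'JITP: strings overflow'"

# Rule 310053: WEB-PHP shoutbox.php directory traversal attempt
SecRule REQUEST_URI "/shoutbox\.php" \
    "id:310053,rev:1,severity:2,msg:'JITP: shoutbox.php directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./"

# Rule 310054: WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt
SecRule REQUEST_URI "/gm-2-b2\.php" \
    "id:310054,rev:1,severity:2,msg:'JITP: b2 cafelog gm-2-b2.php remote file include attempt',chain"
    SecRule REQUEST_URI "b2inc=(?:http|https|ftp)\:/"

# Rule 310055: WEB-PHP BLNews objects.inc.php4 remote file include attempt
SecRule REQUEST_URI "/objects\.inc\.php*" \
    "id:310055,rev:2,severity:2,msg:'JITP: BLNews objects.inc.php4 remote file include attempt',chain"
    SecRule REQUEST_URI "(?i)Server\[path\]=(?:http|https|ftp)\:/"

# Rule 310056: WEB-PHP ttCMS header.php remote file include attempt
# 'chain' was missing, so the first SecRule blocked every header.php request
# and the second stood alone without an id.
SecRule REQUEST_URI "/admin/templates/header\.php" \
    "id:310056,rev:2,severity:2,msg:'JITP: ttCMS header.php remote file include attempt',chain"
    SecRule REQUEST_URI "admin_root=(?:http|https|ftp)\:/"

# Rule 310057: WEB-PHP autohtml.php directory traversal attempt
SecRule REQUEST_URI "/autohtml\.php" \
    "id:310057,rev:1,severity:2,msg:'JITP: autohtml.php directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./\.\./"

# Rule 310058: WEB-PHP ttforum remote file include attempt
SecRule REQUEST_URI "forum/index\.php" \
    "id:310058,rev:1,severity:2,msg:'JITP: ttforum remote file include attempt',chain"
    SecRule REQUEST_URI "template="

# Rule 310059: WEB-PHP pmachine remote file include attempt
SecRule REQUEST_URI "lib\.inc\.php" \
    "id:310059,rev:1,severity:2,msg:'JITP: pmachine remote file include attempt',chain"
    SecRule REQUEST_URI "pm_path=(?:http|https|ftp)\:/"

# Rule 310060: WEB-PHP pmachine remote file include attempt
SecRule REQUEST_URI "lib\.inc\.php.*pm_path.*(?:http|https|ftp)\:/" \
    "id:310060,rev:1,severity:2,msg:'JITP: pmachine remote file include attempt'"

# Rule 310061: rolis guestbook remote file include attempt
SecRule REQUEST_URI "/insert\.inc\.php.*path=" \
    "id:310061,rev:2,severity:2,msg:'JITP: guestbook remote file include attempt'"

# Rule 310062: IdeaBox cord.php file include
# See also the chained form in 310065.
SecRule REQUEST_URI "(?i)/index\.php.*ideaDir.*cord\.php" \
    "id:310062,rev:2,severity:2,msg:'JITP: IdeaBox cord.php file include'"

# Rule 310063: IdeaBox notification.php file include
# See also the chained form in 310066.
SecRule REQUEST_URI "(?i)/index\.php.*gorumDir.*notification\.php" \
    "id:310063,rev:2,severity:2,msg:'JITP: IdeaBox notification.php file include'"

# Rule 310064: WEB-PHP DCP-Portal remote file include attempt
SecRule REQUEST_URI "/library/lib\.php" \
    "id:310064,rev:2,severity:2,msg:'JITP: DCP-Portal remote file include attempt',chain"
    SecRule REQUEST_URI "root="

# Rule 310065: WEB-PHP IdeaBox cord.php file include
SecRule REQUEST_URI "/index\.php" \
    "id:310065,rev:1,severity:2,msg:'JITP: IdeaBox cord.php file include',chain"
    SecRule REQUEST_URI "cord\.php"

# Rule 310066: WEB-PHP IdeaBox notification.php file include
SecRule REQUEST_URI "/index\.php" \
    "id:310066,rev:1,severity:2,msg:'JITP: IdeaBox notification.php file include',chain"
    SecRule REQUEST_URI "notification\.php"

# Rule 310067: WEB-PHP Invision Board emailer.php file include
SecRule REQUEST_URI "/ad_member\.php" \
    "id:310067,rev:1,severity:2,msg:'JITP: Invision Board emailer.php file include',chain"
    SecRule REQUEST_URI "emailer\.php"

# Rule 310068: WEB-PHP WebChat db_mysql.php file include
SecRule REQUEST_URI "/defines\.php" \
    "id:310068,rev:1,severity:2,msg:'JITP: WebChat db_mysql.php file include',chain"
    SecRule REQUEST_URI "db_mysql\.php"

# Rule 310069: WEB-PHP WebChat english.php file include
SecRule REQUEST_URI "/defines\.php" \
    "id:310069,rev:1,severity:2,msg:'JITP: WebChat english.php file include',chain"
    SecRule REQUEST_URI "english\.php"

# Rule 310070: WEB-PHP Typo3 translations.php file include
SecRule REQUEST_URI "/translations\.php" \
    "id:310070,rev:2,severity:2,msg:'JITP: Typo3 translations.php file include',chain"
    SecRule REQUEST_URI "(?i)ONLY=\x2e"

# Rule 310071: WEB-PHP news.php file include
# NOTE: the chained pattern is the bare word 'template' -- very broad.
SecRule REQUEST_URI "/news\.php" \
    "id:310071,rev:1,severity:2,msg:'JITP: news.php file include',chain"
    SecRule REQUEST_URI "template"

# Rule 310072: WEB-PHP YaBB SE packages.php file include
SecRule REQUEST_URI "/packages\.php" \
    "id:310072,rev:1,severity:2,msg:'JITP: YaBB SE packages.php file include',chain"
    SecRule REQUEST_URI "packer\.php"

# Rule 310073: WEB-PHP newsPHP Language file include attempt
SecRule REQUEST_URI "/nphpd\.php" \
    "id:310073,rev:2,severity:2,msg:'JITP: newsPHP Language file include attempt',chain"
    SecRule REQUEST_URI "(?i)LangFile"

# Rule 310074: myphpPagetool pt_config.inc file include
SecRule REQUEST_URI "/doc/admin.*ptinclude.*pt_config\.inc" \
    "id:310074,rev:2,severity:2,msg:'JITP: myphpPagetool pt_config.inc file include'"

# Rule 310075: Invision Board ipchat.php file include
SecRule REQUEST_URI "/ipchat\.php.*root_path.*conf_global\.php" \
    "id:310075,rev:2,severity:2,msg:'JITP: Invision Board ipchat.php file include'"

# Rule 310076: WEB-PHP PhpGedView PGV authentication_index.php base directory
# manipulation attempt
SecRule REQUEST_URI "/authentication_index\.php" \
    "id:310076,rev:2,severity:2,msg:'JITP: PhpGedView PGV authentication_index.php base directory manipulation attempt',chain"
    SecRule REQUEST_URI "(?i)PGV_BASE_DIRECTORY=(?:http|https|ftp)\:/"

# Rule 310077: WEB-PHP PhpGedView PGV functions.php base directory manipulation
# attempt
SecRule REQUEST_URI "/functions\.php" \
    "id:310077,rev:2,severity:2,msg:'JITP: PhpGedView PGV functions.php base directory manipulation attempt',chain"
    SecRule REQUEST_URI "(?i)PGV_BASE_DIRECTORY"

# Rule 310078: WEB-PHP TUTOS path disclosure attempt
SecRule REQUEST_URI "/note_overview\.php" \
    "id:310078,rev:1,severity:2,msg:'JITP: TUTOS path disclosure attempt',chain"
    SecRule REQUEST_URI "id="

# Rule 310079: WEB-PHP PhpGedView PGV base directory manipulation
SecRule REQUEST_URI "_conf\.php" \
    "id:310079,rev:2,severity:2,msg:'JITP: PhpGedView PGV base directory manipulation',chain"
    SecRule REQUEST_URI "(?i)PGV_BASE_DIRECTORY"

# Rule 310080: PHPBB worm sigs
SecRule ARGS:highlight "(?:\x27|%27|\x2527|%2527)" \
    "id:310080,rev:1,severity:2,msg:'JITP: PHPBB worm'"

# Rule 310081: Mailto domain search possible MyDoom.M,O
# The chained check looked for 'Host: www.google.com' inside REQUEST_URI,
# which never holds header text; it now inspects the Host header.
SecRule REQUEST_URI "(?i)/search\?hl=en&ie=UTF-8&oe=UTF-8&q=mailto\+" \
    "id:310081,rev:2,severity:2,msg:'JITP: Mailto domain search possible MyDoom.M,O',chain"
    SecRule REQUEST_HEADERS:Host "(?i)www\.google\.com"

# Rule 310082: WEB-PHP EasyDynamicPages exploit
# msg was a copy of 310003's.
SecRule REQUEST_URI "edp_relative_path=" \
    "id:310082,rev:2,severity:2,msg:'JITP: EasyDynamicPages exploit'"

# Rule 310083: Calendar XSS
SecRule REQUEST_URI "/(?:calendar|setup)\.php\?phpc_root_path=(?:(?:http|https|ftp)\:/|<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>)" \
    "id:310083,rev:2,severity:2,msg:'JITP: Calendar XSS'"

# Rule 310084: phpMyAdmin Export.PHP File Disclosure Vulnerability
SecRule SCRIPT_FILENAME "export\.php$" \
    "id:310084,rev:1,severity:2,msg:'JITP: phpMyAdmin Export.PHP File Disclosure Vulnerability',chain"
    SecRule ARGS:what "\.\."

# Rule 310085: nmap version request
SecRule REQUEST_URI|REQUEST_BODY "(?i)^(?:HELP|default|\||TNMP|DmdT|\:)$" \
    "id:310085,rev:2,severity:2,msg:'JITP: nmap version request'"

# Rule 310086: More PHPBB worms
# '\(?:' made the '(' optional and required a literal ':'; '\((?:' was intended.
SecRule REQUEST_URI "/viewtopic\.php\?" \
    "id:310086,rev:2,severity:2,msg:'JITP: PHPBB worm',chain"
    SecRule ARGS "(?:chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\((?:[0-9a-fA-Fx]{1,3})\)"

# Rule 310087: TIKIWIKI
SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./" \
    "id:310087,rev:1,severity:2,msg:'JITP: TikiWiki directory traversal'"

# Rule 310088: WEB-MISC BitKeeper arbitrary command attempt
SecRule REQUEST_URI "/diffs/" \
    "id:310088,rev:1,severity:2,msg:'JITP: BitKeeper arbitrary command attempt',chain"
    SecRule REQUEST_URI "\'"

# Rule 310089: awstats probe
# ' HTTP/1.x' is only present in REQUEST_LINE, never in REQUEST_URI or the body.
SecRule REQUEST_LINE "/awstats\.pl HTTP\/(?:0\.9|1\.0|1\.1)$" \
    "id:310089,rev:2,severity:2,msg:'JITP: Awstats.pl probe'"

# Rule 310090: /forum/viewtopic.php?x=http://
SecRule REQUEST_URI "/forum/viewtopic\.php\?x=(?:http|https|ftp)\:/" \
    "id:310090,rev:1,severity:2,msg:'JITP: Forum remote include attempt'"

# Rule 310091: WEB-MISC Crystal Reports crystalImageHandler.aspx directory
# traversal attempt
SecRule REQUEST_URI "/crystalimagehandler\.aspx" \
    "id:310091,rev:1,severity:2,msg:'JITP: Crystal Reports crystalImageHandler.aspx directory traversal attempt',chain"
    SecRule REQUEST_URI "dynamicimage=\.\./"

# Rule 310092: mailman 2.x path recursion attack
SecRule REQUEST_URI|REQUEST_BODY "mailman/private/.*\.\.\./\.\.\.\.///" \
    "id:310092,rev:1,severity:2,msg:'JITP: mailman 2.x path recursion attack',chain"
    SecRule REQUEST_URI|REQUEST_BODY "/mailman/.*\.\.\./"

# Rule 310093: ftp.pl attempt
SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\." \
    "id:310093,rev:1,severity:2,msg:'JITP: ftp.pl directory traversal attempt'"

# Rule 310094: Tomcat server snoop access
SecRule REQUEST_URI "/jsp/snp/.*\.snp" \
    "id:310094,rev:1,severity:2,msg:'JITP: Tomcat server snoop access'"

# Rule 310095: WEB-CGI HyperSeek hsx.cgi directory traversal attempt
SecRule REQUEST_URI "/hsx\.cgi.*\x00" \
    "id:310095,rev:1,severity:2,msg:'JITP: HyperSeek hsx.cgi directory traversal attempt'"

# Rule 310096: WEB-CGI SWSoft ASPSeek Overflow attempt
SecRule REQUEST_URI "/s\.cgi" \
    "id:310096,rev:2,severity:2,msg:'JITP: SWSoft ASPSeek Overflow attempt',chain"
    SecRule REQUEST_URI "tmpl="

# Rule 310097: WEB-CGI /wwwboard/passwd.txt access
SecRule REQUEST_URI "/wwwboard/passwd\.txt" \
    "id:310097,rev:1,severity:2,msg:'JITP: /wwwboard/passwd.txt access'"

# Rule 310098: WEB-CGI webplus directory traversal
SecRule REQUEST_URI "/webplus\?script" \
    "id:310098,rev:2,severity:2,msg:'JITP: webplus directory traversal',chain"
    SecRule REQUEST_URI "\.\./"

# Rule 310099: WEB-CGI websendmail access
SecRule REQUEST_URI "/websendmail" \
    "id:310099,rev:1,severity:2,msg:'JITP: websendmail access'"

# Rule 310100: WEB-CGI anaconda directory transversal attempt
SecRule REQUEST_URI "/(?:apexec|anacondaclip)\.pl" \
    "id:310100,rev:2,severity:2,msg:'JITP: anaconda directory transversal attempt',chain"
    SecRule REQUEST_URI "template=\.\./"

# Rule 310101: WEB-CGI imagemap.exe overflow attempt
SecRule REQUEST_URI "/imagemap\.exe\?" \
    "id:310101,rev:2,severity:2,msg:'JITP: imagemap.exe overflow attempt'"

# Rule 310102: WEB-CGI htmlscript attempt
SecRule REQUEST_URI "/htmlscript\?\.\./\.\." \
    "id:310102,rev:1,severity:2,msg:'JITP: htmlscript directory traversal attempt'"

# Rule 310103: WEB-CGI nph-test-cgi access
SecRule REQUEST_URI "/nph-test-cgi" \
    "id:310103,rev:1,severity:2,msg:'JITP: nph-test-cgi access'"

# Rule 310104: WEB-CGI rwwwshell.pl access
SecRule REQUEST_URI "/rwwwshell\.pl" \
    "id:310104,rev:1,severity:2,msg:'JITP: rwwwshell.pl access'"

# Rule 310105: WEB-CGI view-source directory traversal
SecRule REQUEST_URI "/view-source" \
    "id:310105,rev:1,severity:2,msg:'JITP: view-source directory traversal',chain"
    SecRule REQUEST_URI "\.\./"

# Rule 310106: WEB-CGI calendar_admin.pl arbitrary command execution attempt
# Snort '|7C|' byte token replaced by the PCRE escape for the pipe character.
SecRule REQUEST_URI "/calendar_admin.pl\?config=\x7C" \
    "id:310106,rev:2,severity:2,msg:'JITP: calendar_admin.pl arbitrary command execution attempt'"

# Rule 310107: WEB-CGI bb-hist.sh attempt
SecRule REQUEST_URI "(?i)/bb-hist\.sh\?HISTFILE=\.\./\.\." \
    "id:310107,rev:2,severity:2,msg:'JITP: bb-hist.sh directory traversal attempt'"

# Rule 310108: WEB-CGI bb-hostscv.sh attempt
SecRule REQUEST_URI "(?i)/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\." \
    "id:310108,rev:2,severity:2,msg:'JITP: bb-hostscv.sh attempt'"

# Rule 310109: WEB-CGI wayboard attempt
SecRule REQUEST_URI "/way-board/way-board\.cgi" \
    "id:310109,rev:1,severity:2,msg:'JITP: wayboard attempt',chain"
    SecRule REQUEST_URI "\.\./\.\."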
# Rules 310110-310115: classic WEB-CGI directory-traversal signatures. Each
# chained pair requires both the script path and the traversal marker to be
# present in the same request URI.

# Rule 310110: WEB-CGI commerce.cgi arbitrary file access attempt
SecRule REQUEST_URI "/commerce\.cgi" \
    "id:310110,rev:1,severity:2,msg:'JITP: commerce.cgi arbitrary file access attempt',chain"
    SecRule REQUEST_URI "/\.\./"

# Rule 310111: WEB-CGI Amaya templates sendtemp.pl directory traversal attempt
# The chained check is only 'templ=' -- any sendtemp.pl call carrying that
# parameter is caught, traversal or not.
SecRule REQUEST_URI "/sendtemp\.pl" \
    "id:310111,rev:1,severity:2,msg:'JITP: Amaya templates sendtemp.pl directory traversal attempt',chain"
    SecRule REQUEST_URI "templ="

# Rule 310112: WEB-CGI webspirs.cgi directory traversal attempt
SecRule REQUEST_URI "/webspirs\.cgi" \
    "id:310112,rev:1,severity:2,msg:'JITP: webspirs.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./\.\./"

# Rule 310113: WEB-CGI auktion.cgi directory traversal attempt
SecRule REQUEST_URI "/auktion\.cgi" \
    "id:310113,rev:1,severity:2,msg:'JITP: auktion.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "menue=\.\./\.\./"

# Rule 310114: WEB-CGI cgiforum.pl attempt
SecRule REQUEST_URI "/cgiforum\.pl\?thesection=\.\./\.\." \
    "id:310114,rev:1,severity:2,msg:'JITP: cgiforum.pl attempt'"

# Rule 310115: WEB-CGI directorypro.cgi attempt
SecRule REQUEST_URI "/directorypro\.cgi" \
    "id:310115,rev:1,severity:2,msg:'JITP: directorypro.cgi attempt',chain"
    SecRule REQUEST_URI "\.\./\.\."
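# Review notes (rules 310116-310161):
#  - 310128 had '(?:\|3B\|\x3B)' with no alternation bar, and 310149 used
#    Snort-style '|7C|' byte tokens, which PCRE reads as literal text; both
#    now use \x.. escapes. 310149 also chained two different script names,
#    which one URI cannot satisfy; they are now a single alternation.
#  - 310121 and 310123-310125 keep a dead '\|7C\|' alternative but already
#    carry a working \x7C one, so they are left as is.
#  - 310130's first pattern used a shell-style '*' wildcard; now '.*'.
#  - 310134 matched 'talkbalk.cgi' and carried the pagelog.cgi msg.
#  - (?i) added where a literal is uppercase (see the note at 310000).
#  - Most WEB-CGI rules here duplicate 3100xx rules earlier in the file
#    (noted inline); both copies fire on one request.

# Rule 310116: WEB-CGI Web Shopper shopper.cgi attempt
SecRule REQUEST_URI "/shopper\.cgi" \
    "id:310116,rev:1,severity:2,msg:'JITP: Web Shopper shopper.cgi attempt',chain"
    SecRule REQUEST_URI "newpage=\.\./"

# Rule 310117: WEB-CGI cal_make.pl directory traversal attempt
SecRule REQUEST_URI "/cal_make\.pl" \
    "id:310117,rev:1,severity:2,msg:'JITP: cal_make.pl directory traversal attempt',chain"
    SecRule REQUEST_URI "p0=\.\./\.\./"

# Rule 310118: WEB-CGI ttawebtop.cgi arbitrary file attempt
SecRule REQUEST_URI "/ttawebtop\.cgi" \
    "id:310118,rev:1,severity:2,msg:'JITP: ttawebtop.cgi arbitrary file attempt',chain"
    SecRule REQUEST_URI "pg=\.\./"

# Rule 310119: WEB-CGI ustorekeeper.pl directory traversal attempt
SecRule REQUEST_URI "/ustorekeeper\.pl" \
    "id:310119,rev:1,severity:2,msg:'JITP: ustorekeeper.pl directory traversal attempt',chain"
    SecRule REQUEST_URI "file=\.\./\.\./"

# Rule 310120: WEB-CGI htsearch arbitrary configuration file attempt
SecRule REQUEST_URI "/htsearch\?\-c" \
    "id:310120,rev:1,severity:2,msg:'JITP: WEB-CGI htsearch arbitrary configuration file attempt'"

# Rule 310121: WEB-CGI alibaba.pl arbitrary command execution attempt
SecRule REQUEST_URI "/alibaba\.pl(?:\|7C\||\x7C)" \
    "id:310121,rev:1,severity:2,msg:'JITP: alibaba.pl arbitrary command execution attempt'"

# Rule 310122: WEB-CGI AltaVista Intranet Search directory traversal attempt
# Duplicate of 310022.
SecRule REQUEST_URI "/query\?mss=\.\." \
    "id:310122,rev:1,severity:2,msg:'JITP: AltaVista Intranet Search directory traversal attempt'"

# Rule 310123: WEB-CGI test.bat arbitrary command execution attempt
SecRule REQUEST_URI "/test.bat(?:\|7C\||\x7C)" \
    "id:310123,rev:1,severity:2,msg:'JITP: test.bat arbitrary command execution attempt'"

# Rule 310124: WEB-CGI input.bat arbitrary command execution attempt
SecRule REQUEST_URI "/input.bat(?:\|7C\||\x7C)" \
    "id:310124,rev:1,severity:2,msg:'JITP: input.bat arbitrary command execution attempt'"

# Rule 310125: WEB-CGI envout.bat arbitrary command execution attempt
SecRule REQUEST_URI "/envout.bat(?:\|7C\||\x7C)" \
    "id:310125,rev:1,severity:2,msg:'JITP: envout.bat arbitrary command execution attempt'"

# Rule 310126: WEB-CGI hello.bat arbitrary command execution attempt
# Duplicate of 310023.
SecRule REQUEST_URI "/hello\.bat" \
    "id:310126,rev:1,severity:2,msg:'JITP: hello.bat arbitrary command execution attempt',chain"
    SecRule REQUEST_URI "\&"

# Rule 310127: WEB-CGI csSearch.cgi arbitrary command execution attempt
# Near-duplicate of 310005.
SecRule REQUEST_URI "(?i)/csSearch\.cgi" \
    "id:310127,rev:2,severity:2,msg:'JITP: WEB-CGI csSearch.cgi arbitrary command execution attempt',chain"
    SecRule REQUEST_URI "\`"

# Rule 310128: WEB-CGI eshop.pl arbitrary command execution attempt
SecRule REQUEST_URI "/eshop\.pl\?seite=\x3B" \
    "id:310128,rev:2,severity:2,msg:'JITP: WEB-CGI eshop.pl arbitrary command execution attempt'"

# Rule 310129: WEB-CGI loadpage.cgi directory traversal attempt
SecRule REQUEST_URI "/loadpage\.cgi" \
    "id:310129,rev:1,severity:2,msg:'JITP: WEB-CGI loadpage.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "file=\.\./"

# Rule 310130: faqmanager.cgi arbitrary file access attempt
SecRule REQUEST_URI "/faqmanager\.cgi\?toc=.*/" \
    "id:310130,rev:2,severity:1,msg:'JITP: faqmanager.cgi arbitrary file attempt',chain"
    SecRule REQUEST_URI "/faqmanager\.cgi\?(?:cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(?:download|request|mirror|rget)|id|uname|cvs|svn|(?:s|r)(?:cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

# Rule 310131: WEB-CGI Home Free search.cgi directory traversal attempt
# Duplicate of 310024.
SecRule REQUEST_URI "/search\.cgi" \
    "id:310131,rev:1,severity:2,msg:'JITP: WEB-CGI Home Free search.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "letter=\.\./\.\."

# Rule 310132: WEB-CGI pfdisplay.cgi arbitrary command execution attempt
SecRule REQUEST_URI "/pfdisplay\.cgi\?'" \
    "id:310132,rev:1,severity:1,msg:'JITP: WEB-CGI pfdisplay.cgi arbitrary command execution attempt'"

# Rule 310133: WEB-CGI pagelog.cgi directory traversal attempt
SecRule REQUEST_URI "/pagelog\.cgi" \
    "id:310133,rev:1,severity:2,msg:'JITP: WEB-CGI pagelog.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "name=\.\./"

# Rule 310134: WEB-CGI talkback.cgi directory traversal attempt
# Pattern read 'talkbalk' and the msg named pagelog.cgi (copied from 310133).
SecRule REQUEST_URI "/talkback\.cgi" \
    "id:310134,rev:2,severity:2,msg:'JITP: WEB-CGI talkback.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "article=\.\./\.\./"

# Rule 310135: WEB-CGI emumail.cgi NULL attempt
SecRule REQUEST_URI "/emumail\.cgi.*\x00" \
    "id:310135,rev:1,severity:2,msg:'JITP: WEB-CGI emumail.cgi NULL attempt'"

# Rule 310136: WEB-CGI technote main.cgi directory traversal attempt
# Duplicate of 310028.
SecRule REQUEST_URI "/technote/main\.cgi" \
    "id:310136,rev:1,severity:2,msg:'JITP: WEB-CGI technote main.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./\.\./"

# Rule 310137: WEB-CGI technote print.cgi directory traversal attempt
# Duplicate of 310029.
SecRule REQUEST_URI "/technote/print\.cgi.*\x00" \
    "id:310137,rev:1,severity:2,msg:'JITP: WEB-CGI technote print.cgi directory traversal attempt'"

# Rule 310138: WEB-CGI Allaire Pro Web Shell attempt
# Near-duplicate of 310032.
SecRule REQUEST_URI "(?i)/authenticate.cgi\?PASSWORD" \
    "id:310138,rev:2,severity:1,msg:'JITP: WEB-CGI Allaire Pro authenticate.cgi shell attempt',chain"
    SecRule REQUEST_URI "config\.ini"

# Rule 310139: WEB-CGI Armada Style Master Index directory traversal
# Duplicate of 310033.
SecRule REQUEST_URI "/search\.cgi\?keys" \
    "id:310139,rev:1,severity:2,msg:'JITP: WEB-CGI Armada Style Master search.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "catigory=\.\./"

# Rule 310140: WEB-CGI cached_feed.cgi moreover shopping cart directory
# traversal
# Duplicate of 310034.
SecRule REQUEST_URI "/cached_feed\.cgi" \
    "id:310140,rev:1,severity:2,msg:'JITP: WEB-CGI Moreover cached_feed.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./"

# Rule 310141: WEB-CGI Talentsoft Web+ exploit attempt
# Near-duplicate of 310035.
SecRule REQUEST_URI "(?i)/webplus.cgi\?Script=/webplus/webping/webping\.wml" \
    "id:310141,rev:2,severity:2,msg:'JITP: WEB-CGI Talentsoft Web+ exploit attempt'"

# Rule 310142: WEB-CGI bizdbsearch attempt
# NOTE: the chained pattern is the bare word 'mail' -- very broad.
SecRule REQUEST_URI "/bizdb1-search\.cgi" \
    "id:310142,rev:1,severity:3,msg:'JITP: WEB-CGI Bizdbsearch bizdb1-search.cgi mail attempt',chain"
    SecRule REQUEST_URI "mail"

# Rule 310143: WEB-CGI sojourn.cgi File access attempt
SecRule REQUEST_URI "/sojourn\.cgi\?cat=.*\x00" \
    "id:310143,rev:1,severity:2,msg:'JITP: WEB-CGI sojourn.cgi file access attempt'"

# Rule 310144: WEB-CGI SGI InfoSearch fname attempt
SecRule REQUEST_URI "/infosrch\.cgi\?" \
    "id:310144,rev:1,severity:2,msg:'JITP: WEB-CGI infosrch.cgi fname attempt',chain"
    SecRule REQUEST_URI "fname="

# Rule 310145: WEB-CGI store.cgi directory traversal attempt
# Duplicate of 310037.
SecRule REQUEST_URI "/store\.cgi" \
    "id:310145,rev:1,severity:2,msg:'JITP: WEB-CGI store.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "\.\./"

# Rule 310146: WEB-CGI SIX webboard generate.cgi file access attempt
SecRule REQUEST_URI "/generate\.cgi" \
    "id:310146,rev:1,severity:1,msg:'JITP: WEB-CGI generate.cgi file access attempt',chain"
    SecRule REQUEST_URI "content=\.\./"

# Rule 310147: WEB-CGI story.pl arbitrary file read attempt
SecRule REQUEST_URI "/story\.pl" \
    "id:310147,rev:1,severity:1,msg:'JITP: WEB-CGI story.pl file access attempt',chain"
    SecRule REQUEST_URI "next=\.\./"

# Rule 310148: WEB-CGI mrtg.cgi directory traversal attempt
# Duplicate of 310038.
SecRule REQUEST_URI "/mrtg\.cgi" \
    "id:310148,rev:1,severity:2,msg:'JITP: WEB-CGI mrtg.cgi directory traversal attempt',chain"
    SecRule REQUEST_URI "cfg=/\.\./"

# Rule 310149: alienform.cgi directory traversal attempt
# Was a chain of '/alienform.cgi...' AND '/af.cgi...' (never both in one URI)
# with Snort '|7C|' tokens; now one rule over both script names using \x7C.
SecRule REQUEST_URI "/(?:alienform|af)\.cgi.*\.\x7C\./\.\x7C\." \
    "id:310149,rev:2,severity:2,msg:'JITP: WEB-CGI alienform.cgi directory traversal attempt'"

# Rule 310150: WEB-CGI CCBill whereami.cgi arbitrary command execution attempt
# Duplicate of 310039.
SecRule REQUEST_URI "/whereami\.cgi\?g=" \
    "id:310150,rev:1,severity:1,msg:'JITP: WEB-CGI CCbill whereami.cgi command execution attempt'"

# Rule 310151: WEB-CGI MDaemon form2raw.cgi overflow attempt
SecRule REQUEST_URI "/form2raw\.cgi" \
    "id:310151,rev:1,severity:1,msg:'JITP: WEB-CGI MDaemon form2raw.cgi overflow attempt'"

# Rule 310152: WEB-CGI WhatsUpGold instancename overflow attempt
# Duplicate of 310040.
SecRule REQUEST_URI "/_maincfgret\.cgi" \
    "id:310152,rev:1,severity:1,msg:'JITP: WEB-CGI WhatsUpGold _maincfgret.cgi overflow attempt'"

# Rule 310153: Honeypot signature.
# NOTE: both patterns end in a trailing space, so a URI or body that ends
# right after 'vi.recover' does not match.
SecRule REQUEST_URI|REQUEST_BODY "clamav-partial " \
    "id:310153,rev:1,severity:2,msg:'JITP: WEB-CGI clamav-patial recovery file access attempt',chain"
    SecRule REQUEST_URI|REQUEST_BODY "vi\.recover "

# Rule 310154: WEB-COLDFUSION cfcache.map access
SecRule REQUEST_URI "/cfcache\.map" \
    "id:310154,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion cfcache.map file access attempt'"

# Rule 310155: WEB-COLDFUSION exampleapp application.cfm
SecRule REQUEST_URI "/cfdocs/exampleapp/email/application\.cfm" \
    "id:310155,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion exampleapp e-mail application.cfm access attempt'"

# Rule 310156: WEB-COLDFUSION application.cfm access
SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/application\.cfm" \
    "id:310156,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion exampleapp publisher application.cfm access attempt'"

# Rule 310157: WEB-COLDFUSION getfile.cfm access
SecRule REQUEST_URI "/cfdocs/exampleapp/email/getfile\.cfm" \
    "id:310157,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion exampleapp e-mail getfile.cfm access attempt'"

# Rule 310158: WEB-COLDFUSION addcontent.cfm access
SecRule REQUEST_URI "/cfdocs/exampleapp/publish/admin/addcontent\.cfm" \
    "id:310158,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion exampleapp addcontent.cfm access attempt'"

# Rule 310159: WEB-COLDFUSION administrator access
# NOTE: blocks every request for the ColdFusion administrator console,
# including legitimate ones; scope it to untrusted sources if that is not wanted.
SecRule REQUEST_URI "/cfide/administrator/index\.cfm" \
    "id:310159,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion administrator access attempt'"

# Rule 310160: WEB-COLDFUSION fileexists.cfm access
SecRule REQUEST_URI "/cfdocs/snippets/fileexists\.cfm" \
    "id:310160,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion fileexists.cfm access attempt'"

# Rule 310161: WEB-COLDFUSION exprcalc access
SecRule REQUEST_URI "/cfdocs/expeval/exprcalc\.cfm" \
    "id:310161,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion expercalc.cfm access attempt'"

# Rule 310162: WEB-COLDFUSION parks access
SecRule REQUEST_URI 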
"/cfdocs/examples/parks/detail\.cfm" \ "id:310162,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion parks detail.cfm access attempt'" # Rule 310163: WEB-COLDFUSION cfappman access SecRule REQUEST_URI "/cfappman/index\.cfm" \ "id:310163,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion cfappman index.cfm access attempt'" # Rule 310164: WEB-COLDFUSION beaninfo access SecRule REQUEST_URI "/cfdocs/examples/cvbeans/beaninfo\.cfm" \ "id:310164,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion beaninfo.cfm access attempt'" # Rule 310165: WEB-COLDFUSION evaluate.cfm access SecRule REQUEST_URI "/cfdocs/snippets/evaluate\.cfm" \ "id:310165,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion evaluate.cfm access attempt'" # Rule 310166: WEB-COLDFUSION expeval access SecRule REQUEST_URI "/cfdocs/expeval/" \ "id:310166,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion expeval access attempt'" # Rule 310167: WEB-COLDFUSION displayfile access SecRule REQUEST_URI "/cfdocs/expeval/displayopenedfile\.cfm" \ "id:310167,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion displayfile access attempt'" # Rule 310168: WEB-COLDFUSION mainframeset access SecRule REQUEST_URI "/cfdocs/examples/mainframeset\.cfm" \ "id:310168,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion mainframeset.cfm access attempt'" # Rule 310169: WEB-COLDFUSION exampleapp access SecRule REQUEST_URI "/cfdocs/exampleapp/" \ "id:310169,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion exampleapp access attempt'" # Rule 310170: WEB-COLDFUSION snippets attempt SecRule REQUEST_URI "/cfdocs/snippets/" \ "id:310170,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion snippers access attempt'" # Rule 310171: WEB-COLDFUSION cfmlsyntaxcheck.cfm access SecRule REQUEST_URI "/cfdocs/cfmlsyntaxcheck\.cfm" \ "id:310171,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion cfmlsyntaxcheck.cfm access attempt'" # Rule 310172: WEB-COLDFUSION application.cfm access SecRule REQUEST_URI "/application\.cfm" \ 
"id:310172,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion application.cfm direct access attempt'" # Rule 310173: WEB-COLDFUSION onrequestend.cfm access SecRule REQUEST_URI "/onrequestend\.cfm" \ "id:310173,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion onrequestend.cfm direct access attempt'" # Rule 310174: WEB-COLDFUSION startstop.cfm DoS access attempt SecRule REQUEST_URI "/cfide/administrator/startstop\.html" \ "id:310174,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion startstop.cfm DoS attempt'" # Rule 310175: WEB-COLDFUSION gettempdirectory.cfm access SecRule REQUEST_URI "/cfdocs/snippets/gettempdirectory\.cfm" \ "id:310175,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion gettempdirectory.cfm direct access attempt'" # Rule 310176: WEB-COLDFUSION sendmail.cfm access SecRule REQUEST_URI "/sendmail\.cfm" \ "id:310176,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion sendmail.cfm direct access attempt'" # Rule 310177: WEB-COLDFUSION ?Mode=debug attempt #SecRule REQUEST_URI "Mode=debug" \ "id:310177,rev:1,severity:2,msg:'JITP: WEB-COLDFUSION Coldfusion debug mode access attempt'" # Rule 310178: WEB-MISC Tomcat view source attempt SecRule REQUEST_URI|REQUEST_BODY "\x252ejsp" \ "id:310178,rev:1,severity:2,msg:'JITP: WEB-MISC Tomcat .jsp source display attempt'" # Rule 310179: WEB-MISC Unify eWave ServletExec upload SecRule REQUEST_URI|REQUEST_BODY "/servlet/com\.unify\.servletexec\.UploadServlet" \ "id:310179,rev:1,severity:2,msg:'JITP: WEB-MISC Unify eWave UploadServlet abuse attempt'" # Rule 310180: WEB-MISC Talentsoft Web+ Source Code view access SecRule REQUEST_URI "/webplus\.exe\?script=test\.wml" \ "id:310180,rev:1,severity:2,msg:'JITP: WEB-MISC Talentsoft Web+ source code access attempt'" # Rule 310181: WEB-MISC ftp.pl attempt SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\." 
\ "id:310181,rev:1,severity:2,msg:'JITP: WEB-MISC Talentsoft Web+ source code access attempt'" # Rule 310182: WEB-MISC apache source.asp file access SecRule REQUEST_URI "/site/eg/source\.asp" \ "id:310182,rev:1,severity:2,msg:'JITP: WEB-MISC Apache source.asp source code access attempt'" # Rule 310183: WEB-MISC Tomcat server exploit access SecRule REQUEST_URI "/contextAdmin/contextAdmin\.html" \ "id:310183,rev:1,severity:2,msg:'JITP: WEB-MISC tomcat contextAdmin exploit attempt'" # Rule 310184: WEB-MISC Ecommerce import.txt access SecRule REQUEST_URI "/orders/import\.txt" \ "id:310184,rev:1,severity:2,msg:'JITP: WEB-MISC eCommerce import.txt access attempt'" # Rule 310185: WEB-MISC Domino catalog.nsf access SecRule REQUEST_URI "/catalog\.nsf" \ "id:310185,rev:1,severity:2,msg:'JITP: WEB-MISC Domino catalog.nsf access attempt'" # Rule 310186: WEB-MISC Domino domcfg.nsf access SecRule REQUEST_URI "/domcfg\.nsf" \ "id:310186,rev:1,severity:2,msg:'JITP: WEB-MISC Domino domcfg.nsf access attempt'" # Rule 310187: WEB-MISC Domino domlog.nsf access SecRule REQUEST_URI "/domlog\.nsf" \ "id:310187,rev:1,severity:2,msg:'JITP: WEB-MISC Domino domlog.nsf access attempt'" # Rule 310188: WEB-MISC Domino log.nsf access SecRule REQUEST_URI "/log\.nsf" \ "id:310188,rev:1,severity:2,msg:'JITP: WEB-MISC Domino log.nsf access attempt'" # Rule 310189: WEB-MISC Domino names.nsf access SecRule REQUEST_URI "/names\.nsf" \ "id:310189,rev:1,severity:2,msg:'JITP: WEB-MISC Domino names.nsf access attempt'" # Rule 310190: WEB-MISC Domino mab.nsf access SecRule REQUEST_URI "/mab\.nsf" \ "id:310190,rev:1,severity:2,msg:'JITP: WEB-MISC Domino mab.nsf access attempt'" # Rule 310191: WEB-MISC Domino cersvr.nsf access SecRule REQUEST_URI "/cersvr\.nsf" \ "id:310191,rev:1,severity:2,msg:'JITP: WEB-MISC Domino cersvr.nsf access attempt'" # Rule 310192: WEB-MISC Domino setup.nsf access SecRule REQUEST_URI "/setup\.nsf" \ "id:310192,rev:1,severity:2,msg:'JITP: WEB-MISC Domino setup.nsf access attempt'" # 
Rule 310193: WEB-MISC Domino statrep.nsf access SecRule REQUEST_URI "/statrep\.nsf" \ "id:310193,rev:1,severity:2,msg:'JITP: WEB-MISC Domino statrep.nsf access attempt'" # Rule 310194: WEB-MISC Domino webadmin.nsf access SecRule REQUEST_URI "/webadmin\.nsf" \ "id:310194,rev:1,severity:2,msg:'JITP: WEB-MISC Domino webadmin.nsf access attempt'" # Rule 310195: WEB-MISC Domino events4.nsf access SecRule REQUEST_URI "/events4\.nsf" \ "id:310195,rev:1,severity:2,msg:'JITP: WEB-MISC Domino events4.nsf access attempt'" # Rule 310196: WEB-MISC Domino ntsync4.nsf access SecRule REQUEST_URI "/ntsync4\.nsf" \ "id:310196,rev:1,severity:2,msg:'JITP: WEB-MISC Domino ntsync4.nsf access attempt'" # Rule 310197: WEB-MISC Domino collect4.nsf access SecRule REQUEST_URI "/collect4\.nsf" \ "id:310197,rev:1,severity:2,msg:'JITP: WEB-MISC Domino collect4.nsf access attempt'" # Rule 310198: WEB-MISC Domino mailw46.nsf access SecRule REQUEST_URI "/mailw46\.nsf" \ "id:310198,rev:1,severity:2,msg:'JITP: WEB-MISC Domino mailw46.nsf access attempt'" # Rule 310199: WEB-MISC Domino bookmark.nsf access SecRule REQUEST_URI "/bookmark\.nsf" \ "id:310199,rev:1,severity:2,msg:'JITP: WEB-MISC Domino bookmark.nsf access attempt'" # Rule 310200: WEB-MISC Domino agentrunner.nsf access SecRule REQUEST_URI "/agentrunner\.nsf" \ "id:310200,rev:1,severity:2,msg:'JITP: WEB-MISC Domino agentrunner.nsf access attempt'" # Rule 310201: WEB-MISC Domino mail.box access #SecRule REQUEST_URI "/mail.box" \ "id:310201,rev:1,severity:2,msg:'JITP: WEB-MISC Domino mail.box access attempt'" # Rule 310202: WEB-MISC Ecommerce checks.txt access SecRule REQUEST_URI "/orders/checks\.txt" \ "id:310202,rev:1,severity:2,msg:'JITP: WEB-MISC Ecommerce checks.txt access attempt'" # Rule 310203: WEB-MISC mall log order access SecRule REQUEST_URI "/mall_log_files/order\.log" \ "id:310203,rev:1,severity:2,msg:'JITP: WEB-MISC Mall Log order access attempt'" # Rule 310204: WEB-MISC ROADS search.pl attempt SecRule REQUEST_URI 
"/ROADS/cgi-bin/search\.pl" \ "id:310204,rev:1,severity:2,msg:'JITP: WEB-MISC ROADS search.pl access attempt',chain" SecRule REQUEST_URI "form=" # Rule 310205: WEB-MISC SWEditServlet directory traversal attempt SecRule REQUEST_URI "/SWEditServlet" \ "id:310205,rev:1,severity:2,msg:'JITP: WEB-MISC SWEditServlet directory traversal attempt',chain" SecRule REQUEST_URI "template=\.\./\.\./\.\./" # Rule 310206: WEB-MISC RBS ISP /newuser directory traversal attempt SecRule REQUEST_URI "/newuser\?Image=\.\./\.\." \ "id:310206,rev:1,severity:2,msg:'JITP: WEB-MISC RBS ISP /newuser directory traversal attempt'" # Rule 310207: WEB-MISC PCCS mysql database admin tool access SecRule REQUEST_URI "pccsmysqladm/incs/dbconnect\.inc" \ "id:310207,rev:1,severity:2,msg:'JITP: WEB-MISC PCCS MySQL database admin tool access attempt'" # Rule 310208: WEB-MISC ans.pl attempt SecRule REQUEST_URI "/ans.pl\?p=\.\./\.\./" \ "id:310208,rev:1,severity:1,msg:'JITP: WEB-MISC ans.pl file access attempt'" # Rule 310209: WEB-MISC Demarc SQL injection attempt SecRule REQUEST_URI "/dm/demarc" \ "id:310209,rev:1,severity:2,msg:'JITP: WEB-MISC Demarc SQL injection attempt',chain" SecRule REQUEST_URI "\'" # Rule 310210: WEB-MISC philboard_admin.asp authentication bypass attempt SecRule REQUEST_URI "/philboard_admin\.asp" \ "id:310210,rev:1,severity:2,msg:'JITP: WEB-MISC philboard_admin.asp authentication bypass attempt',chain" SecRule REQUEST_URI "philboard_admin=True" # Rule 310211: WEB-PHP Phorum /support/common.php access SecRule REQUEST_URI "/support/common\.php" \ "id:310211,rev:1,severity:2,msg:'JITP: WEB-PHP Phorum common.php direct access attempt'" # Rule 310212: WEB-PHP rolis guestbook remote file include attempt SecRule REQUEST_URI "/insert\.inc\.php" \ "id:310212,rev:1,severity:2,msg:'JITP: WEB-PHP Rolis guestbook insert.inc.php remote file inclusion attempt',chain" SecRule REQUEST_URI "path=" # Rule 310213: book.cgi arbitrary command execution attempt SecRule REQUEST_URI 
"/book\.cgi.*current=\|7C\|" \ "id:310213,rev:1,severity:1,msg:'JITP: book.cgi arbitrary command execution attempt'" # Rule 310214: WEB-PHP gallery remote file include attempt SecRule REQUEST_URI "/setup/" \ "id:310214,rev:1,severity:2,msg:'JITP: WEB-PHP Gallery /setup remote file inclusion attempt',chain" SecRule REQUEST_URI "GALLERY_BASEDIR=(?:http|https|ftp)\:/" # Rule 310215:Needinit remote file include attempt SecRule REQUEST_URI "/needinit\.php\?" \ "id:310215,rev:1,severity:2,msg:'JITP: Needinit needinit.php remote file inclusion attempt',chain" SecRule REQUEST_URI "GALLERY_BASEDIR=(?:http|https|ftp)\:/" # Rule 310216: WEB-PHP IdeaBox cord.php file include SecRule REQUEST_URI "/index\.php" \ "id:310216,rev:1,severity:2,msg:'JITP: WEB-PHP: IdeaBox cord.php file inclusion attempt',chain" SecRule REQUEST_URI "cord\.php" # Rule 310217: WEB-PHP Invision Board ipchat.php file include SecRule REQUEST_URI "/ipchat\.php" \ "id:310217,rev:1,severity:2,msg:'JITP: WEB-PHP: Invision Board ipchat.php file inclusion attempt',chain" SecRule REQUEST_URI "conf_global\.php" # Rule 310218: WEB-PHP myphpPagetool pt_config.inc file include SecRule REQUEST_URI "/doc/admin" \ "id:310218,rev:1,severity:2,msg:'JITP: WEB-PHP: myphpPagetool pt_config.inc file inclusion attempt',chain" SecRule REQUEST_URI "pt_config\.inc" # Rule 310219: WEB-PHP YaBB SE packages.php file include SecRule REQUEST_URI "/packages\.php" \ "id:310219,rev:1,severity:2,msg:'JITP: WEB-PHP: YaBB SE packages.php file inclusion attempt',chain" SecRule REQUEST_URI "packer\.php" # Rule 310220: WEB-PHP PhpGedView PGV authentication_index.php base directory # manipulation attempt SecRule REQUEST_URI "/authentication_index\.php" \ "id:310220,rev:1,severity:2,msg:'JITP: WEB-PHP: PhpGedView PGV authentication_index.php base directory manipulation attempt',chain" SecRule REQUEST_URI "PGV_BASE_DIRECTORY" # Rule 310221: WEB-PHP PhpGedView PGV functions.php base directory manipulation # attempt SecRule REQUEST_URI 
"/functions\.php" \ "id:310221,rev:1,severity:2,msg:'JITP: WEB-PHP: PhpGedView PGV functions.php base directory manipulation attempt',chain" SecRule REQUEST_URI "PGV_BASE_DIRECTORY" # Rule 310222: WEB-PHP PhpGedView PGV config_gedcom.php base directory # manipulation attempt SecRule REQUEST_URI "/config_gedcom\.php" \ "id:310222,rev:1,severity:2,msg:'JITP: WEB-PHP: PhpGedView PGV config_gedcom.php base directory manipulation attempt',chain" SecRule REQUEST_URI "PGV_BASE_DIRECTORY" # Rule 310223: WEB-PHP PhpGedView PGV base directory manipulation SecRule REQUEST_URI "_conf\.php" \ "id:310223,rev:1,severity:2,msg:'JITP: WEB-PHP: PhpGedView PGV _conf.php base directory manipulation attempt',chain" SecRule REQUEST_URI "PGV_BASE_DIRECTORY" # Rule 310224: WEB-PHP WAnewsletter newsletter.php file inclusion attempt SecRule REQUEST_URI "newsletter\.php" \ "id:310224,rev:1,severity:2,msg:'JITP: WEB-PHP: WAnewsletter newsletter.php file inclusion attempt',chain" SecRule REQUEST_URI "start\.php" # Rule 310225: WEB-PHP Opt-X header.php remote file include attempt SecRule REQUEST_URI "/header\.php" \ "id:310225,rev:1,severity:2,msg:'JITP: WEB-PHP: Opt-X header.php remote file inclusion attempt',chain" SecRule REQUEST_URI "systempath=" # Rule 310226:webdav search attack SecRule REQUEST_URI "/_vti_bin/_vti_aut/fp30reg\.dll" \ "id:310226,rev:1,severity:2,msg:'JITP: webdav fp30reg.dll search exploit attempt'" # Rule 310227:/auth.php?path=http://[attacker]/ SecRule REQUEST_URI "/auth.php\?path=(?:http|https|ftp)\:/" \ "id:310227,rev:1,severity:2,msg:'JITP: auth.php remote file inclusion attempt'" # Rule 310228: Dforum executable code injection attempt SecRule REQUEST_URI "/dforum/nav\.php3\?page=<[[:space:]]*(?:script|about|applet|activex|chrome)+.*(?:script|about|applet|activex|chrome)[[:space:]]*>" \ "id:310228,rev:1,severity:2,msg:'JITP: Dforum nav.php3 executable code injection attempt'" # Rule 310229: phpMyAdmin path vln SecRule REQUEST_URI 
"/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(?:/|.*\.\./)" \ "id:310229,rev:1,severity:2,msg:'JITP: phpMyAdmin phpmyadmin.css.php file inclusion attempt'" # Rule 310230: PHPBB full path disclosure SecRule REQUEST_URI "phpBB/db/oracle\.php" \ "id:310230,rev:1,severity:2,msg:'JITP: PHPBB oracle.php full path disclosure attempt'" # Rule 310231: PHPBB full path disclosure SecRule REQUEST_URI "forum/db/oracle\.php" \ "id:310231,rev:1,severity:2,msg:'JITP: PHPBB oracle.php full path disclosure attempt'" # Rule 310232: PHPBB full path disclosure SecRule REQUEST_URI "forums/db/oracle\.php" \ "id:310232,rev:1,severity:2,msg:'JITP: PHPBB oracle.php full path disclosure attempt'" # Rule 310233: PHP Form Mail Script File Incusion vuln SecRule REQUEST_URI "/inc/formmail\.inc\.php\?script_root=(?:http|https|ftp)\:/" \ "id:310233,rev:1,severity:2,msg:'JITP: PHP formmail.inc.php file inclusion attempt'" # Rule 310234: Download Center Lite command execution vuln SecRule REQUEST_URI "/inc/download_center_lite\.inc\.php\?script_root=(?:http|https|ftp)\:/" \ "id:310234,rev:1,severity:1,msg:'JITP: Download Center Lite download_center_lite.inc.php command execution attempt'" # Rule 310235: /modules/mod_mainmenu.php?mosConfig_absolute_path=http:// SecRule REQUEST_URI "/modules/mod_mainmenu\.php\?mosConfig_absolute_path=(?:http|https|ftp)\:/" \ "id:310235,rev:1,severity:1,msg:'JITP: mod_mainmenu.php command execution attempt'" # Rule 310236: phpWebLog command execution SecRule REQUEST_URI "/init\.inc\.php\?G_PATH=(?:http|https|ftp)\:/" \ "id:310236,rev:1,severity:1,msg:'JITP: phpWebLog init.inc.php command execution attempt'" # Rule 310237: phpWebLog command execution SecRule REQUEST_URI "/backend/addons/links/index\.php\?PATH=(?:http|https|ftp)\:/" \ "id:310237,rev:1,severity:1,msg:'JITP: phpWebLog backend index.php command execution attempt'" # Rule 310238: mcNews command execution SecRule REQUEST_URI "/mcNews/admin/header\.php\?skinfile=(?:http|https|ftp)\:/" \ 
"id:310238,rev:1,severity:1,msg:'JITP: mcNews header.php command execution attempt'" # Rule 310239: phpbb SecRule REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./" \ "id:310239,rev:1,severity:2,msg:'JITP: phpBB admin_styles.php directory traversal attempt'" # Rule 310240: votebox SecRule REQUEST_URI "/votebox\.php\?VoteBoxPath=(?:http|https|ftp)\:/" \ "id:310240,rev:1,severity:1,msg:'JITP: votebox.php command execution attempt'" # Rule 310241: phpAdsNew path disclosure SecRule REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php" \ "id:310241,rev:1,severity:2,msg:'JITP: phpAdsNew lib-xmlrpcs.inc.php path disclosure attempt'" # Rule 310242: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-activation\.php" \ "id:310242,rev:1,severity:2,msg:'JITP: phpAdsNew maintenance-activation.php path disclosure attempt'" # Rule 310243: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-cleantables\.php" \ "id:310243,rev:1,severity:2,msg:'JITP: phpAdsNew maintenance-cleantables.php path disclosure attempt'" # Rule 310244: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-autotargeting\.php" \ "id:310244,rev:1,severity:2,msg:'JITP: phpAdsNew maintenance-autotargeting.php path disclosure attempt'" # Rule 310245: phpAdsNew path disclosure SecRule REQUEST_URI "/maintenance/maintenance-reports\.php" \ "id:310245,rev:1,severity:2,msg:'JITP: phpAdsNew maintenance-reports.php path disclosure attempt'" # Rule 310246: phpAdsNew path disclosure SecRule REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php" \ "id:310246,rev:1,severity:2,msg:'JITP: phpAdsNew backwards compatibility phpads.php path disclosure attempt'" # Rule 310247: phpAdsNew path disclosure SecRule REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php" \ "id:310247,rev:1,severity:2,msg:'JITP: phpAdsNew backwards compatibility remotehtmlview.php path disclosure attempt'" # Rule 310248: phpAdsNew path disclosure SecRule REQUEST_URI 
"/misc/backwards\x20compatibility/click\.php" \ "id:310248,rev:1,severity:2,msg:'JITP: phpAdsNew backwards compatibility click.php path disclosure attempt'" # Rule 310249: phpAdsNew path disclosure SecRule REQUEST_URI "/adframe\.php\?refresh=securityreason\.com\'\>" \ "id:310249,rev:1,severity:2,msg:'JITP: phpAdsNew adframe.php path disclosure attempt'" # Rule 310250: include cgi command exec SecRule REQUEST_URI "/includer\.cgi\?=\|" \ "id:310250,rev:1,severity:1,msg:'JITP: includer.cgi command execution attempt'" # Rule 310251: citrusDB directory traversal #adjust these to your system, you might need to upload SecRule REQUEST_URI "tools/index\.php\?load=\.\./\.\./" \ "id:310251,rev:1,severity:2,msg:'JITP: citrusDB tools/index.php directory traversal attempt'" # Rule 310252: citrusDB upload authorization bypass (CAN-2005-0409) SecRule REQUEST_URI "citrusdb/tools/index\.php\?load=importcc\&submit=on" \ "id:310252,rev:1,severity:1,msg:'JITP: citrusDB tools/index.php upload authorization bypass attempt'" # Rule 310253: citrusDB SecRule REQUEST_URI "/citrusdb/tools/uploadcc\.php" \ "id:310253,rev:1,severity:1,msg:'JITP: citrusDB tools/uploadcc.php credit card data upload attempt'" # Rule 310254: awstats - local command execution SecRule REQUEST_URI "/awstats\.pl\?(?:configdir|update|pluginmode|cgi)=(?:\||echo|\:system\()" \ "id:310254,rev:1,severity:1,msg:'JITP: awstats.pl command execution attempt'" # Rule 310255: awstats - local file alteration SecRule REQUEST_URI "/awstats\.pl\?(?:debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)" \ "id:310255,rev:1,severity:1,msg:'JITP: awstats.pl local file access attempt'" # Rule 310256: awstats vulns SecRule REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|" \ "id:310256,rev:1,severity:1,msg:'JITP: awstats.pl local file access attempt'" # Rule 310257: awstats vulns SecRule REQUEST_URI "/awstats\.pl\?configdir=" \ "id:310257,rev:1,severity:2,msg:'JITP: awstats.pl directory traversal attempt'" # Rule 310259: awstats 
vulns SecRule REQUEST_URI "awstats\.pl\?" \ "chain,id:310259,rev:2,severity:2,msg:'JITP: awstats local file system access monkey business attempt'" SecRule ARGS "(?:debug|configdir|perl|chmod|exec|print|cgi)" \ # Rule 310260: yabb SecRule REQUEST_URI "/YaBB\.pl\?action=usersrecentposts\;username=\|(?:http|https|ftp)\:/)" \ "id:310263,rev:1,severity:2,msg:'JITP: phpBB posting.php cross-site-scripting attempt'" # Rule 310264: phpbb XSS SecRule REQUEST_URI|REQUEST_BODY "/privmsg\.php" \ "id:310264,rev:1,severity:2,msg:'JITP: phpBB privmsg.php cross-site-scripting attempt',chain" SecRule REQUEST_URI|REQUEST_BODY "\|(?:http|https|ftp)\:/)" \ "id:310266,rev:1,severity:2,msg:'JITP: mail_autocheck.php cross-site-scripting attempt'" # Rule 310267: Remote File Inclusion Vulnerability in phpWebLog SecRule REQUEST_URI "/include/init\.inc\.php\?G_PATH=(?:http|https|ftp)\:/" \ "id:310267,rev:1,severity:2,msg:'JITP: phpWebLog init.inc.php remote file inclusion attempt'" # Rule 310268: Remote File Inclusion Vulnerability in phpWebLog SecRule REQUEST_URI "addons/links/index\.php\?PATH=(?:http|https|ftp)\:/" \ "id:310268,rev:1,severity:2,msg:'JITP: phpWebLog links/index.php remote file inclusion attempt'" # Rule 310269: Multiple Vulnerabilities in ProjectBB SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=\&desc=\&pages=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310269,rev:1,severity:2,msg:'JITP: ProjectBB divers.php cross-site-scripting attempt'" # Rule 310270: Multiple Vulnerabilities in ProjectBB SecRule REQUEST_URI "/divers\.php\?action=liste\&liste=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310270,rev:1,severity:2,msg:'JITP: ProjectBB divers.php cross-site-scripting attempt'" # Rule 310271: Multiple Vulnerabilities in ProjectBB SecRule REQUEST_URI "/Zip/divers\.php\?action =liste&liste=email&desc=.*\'" \ "id:310271,rev:1,severity:2,msg:'JITP: ProjectBB Zip/divers.php SQL injection 
attempt'" # Rule 310272: WebChat english.php or db_mysql.php file include SecRule REQUEST_URI "/defines\.php*WEBCHATPATH*(?:db_mysql\.php|english\.php)" \ "id:310272,rev:1,severity:2,msg:'JITP: WebChat defines.php local file inclusion attempt'" # Rule 310273: Cross-Site Scripting Vulnerability in D-Forum SecRule REQUEST_URI "/nav\.php3\?page=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310273,rev:1,severity:2,msg:'JITP: D-Forum nav.php3 cross-site-scripting attempt'" # Rule 310274: Multiple Vulnerabilities in auraCMS SecRule REQUEST_URI "/index\.php\?query=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/).*\&pilih=search" \ "id:310274,rev:1,severity:2,msg:'JITP: auraCMA index.php cross-site-scripting attempt'" # Rule 310275: Multiple Vulnerabilities in auraCMS SecRule REQUEST_URI "/hits\.php\?hits=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310275,rev:1,severity:2,msg:'JITP: auraCMA hits.php cross-site-scripting attempt'" # Rule 310276: Multiple Vulnerabilities in auraCMS SecRule REQUEST_URI "/counter\.php\?theCount=(?:\<(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310276,rev:1,severity:2,msg:'JITP: auraCMA counter.php cross-site-scripting attempt'" # Rule 310277: vBulletin Remote Command Execution Attempt SecRule REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui" \ "id:310277,rev:1,severity:1,msg:'JITP: vBulletin forumdisplay.php local command execution attempt'" # Rule 310278: vBulletin Remote Command Execution Attempt SecRule REQUEST_URI "/forumdisplay\.php\?" \ "id:310278,rev:1,severity:1,msg:'JITP: vBulletin forumdisplay.php local command execution attempt',chain" SecRule REQUEST_URI|REQUEST_BODY "\.system\(.+\)\." 
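#--------------------------------
# Review notes for this section
#--------------------------------
# * In rules 310279-310283, 310286-310290, 310298 and 310299 a bare "*" had
#   been used as a shell-style wildcard (e.g. "\.php*name=", "\?*comma=").
#   In PCRE "*" only repeats the preceding character, so "\.php*name=" matched
#   ".phpname=" and never a real query string, and "\?*comma=" only matched
#   when comma= was the very first parameter.  Those occurrences are now ".*".
# * REQUEST_URI is matched as received; percent-encoded variants of "'", "<"
#   or "../" are only seen if the active SecDefaultAction decodes the target
#   (t:urlDecodeUni).  Patterns with upper-case literals (Forums, Web_Links,
#   ENGLISH_poc, /eSupport/, Content-Length ...) cannot match if the active
#   default action applies t:lowercase; lower-case them or start the rule's
#   actions with t:none.
#--------------------------------
# Rule 310279: vBulletin Remote Command Execution Attempt
SecRule REQUEST_URI "/forumdisplay\.php\?.*comma=" \
    "id:310279,rev:2,severity:1,msg:'JITP: vBulletin forumdisplay.php local command execution attempt'"
# Rule 310280: PHPNuke general XSS attempt
#/modules.php?name=News&file=article&sid=1&optionbox=
SecRule REQUEST_URI "/modules\.php\?.*name=.*\<.*(?:script|about|applet|activex|chrome)*\>" \
    "id:310280,rev:2,severity:2,msg:'JITP: PHPnuke modules.php cross-site-scripting attempt'"
# Rule 310281: PHPNuke general XSS attempt
SecRule REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=.*\<.*(?:script|about|applet|activex|chrome)*\>" \
    "id:310281,rev:2,severity:2,msg:'JITP: PHPnuke modules.php cross-site-scripting attempt'"
# Rule 310282: PHPNuke SQL injection attempt
SecRule REQUEST_URI "/modules\.php\?.*name=Search.*instory=" \
    "id:310282,rev:2,severity:2,msg:'JITP: PHPnuke modules.php SQL injection attempt'"
# Rule 310283: PHPNuke SQL injection attempt
SecRule REQUEST_URI "/modules\.php\?.*name=(?:Search|Web_Links).*\'" \
    "id:310283,rev:2,severity:2,msg:'JITP: PHPnuke modules.php SQL injection attempt'"
# Rule 310284: EasyDynamicPages exploit
SecRule REQUEST_URI|REQUEST_BODY "edp_relative_path=" \
    "id:310284,rev:1,severity:2,msg:'JITP: EasyDynamicPages edp_relative_path exploitation attempt'"
# Rule 310285: Readfile.tcl Access
SecRule REQUEST_URI "/readfile\.tcl\?file=" \
    "id:310285,rev:1,severity:1,msg:'JITP: readfile.tcl local file access attempt'"
# Rule 310286: phpnuke sql insertion
# When will people learn that running *nuke is one step shy of posting the
# admin passwords to their sites on the frontpage?
# NOTE(review): only the wildcard "*" occurrences were fixed here; the "/"
# before "forum=" and the trailing "/" after "\'" look like leftovers of
# another rule syntax -- verify against the advisory before relying on this.
SecRule REQUEST_URI "/modules\.php.*name=Forums.*file=viewtopic.*/forum=.*\'/" \
    "id:310286,rev:2,severity:2,msg:'JITP: PHPnuke modules.php SQL injection attempt'"
# Rule 310287: WAnewsletter newsletter.php file include attempt
SecRule REQUEST_URI "newsletter\.php.*waroot.*start\.php" \
    "id:310287,rev:2,severity:1,msg:'JITP: WAnewsletter newsletter.php local file inclusion attempt'"
# Rule 310288: Typo3 translations.php file include
SecRule REQUEST_URI "/translations\.php.*ONLY" \
    "id:310288,rev:2,severity:1,msg:'JITP: Typo3 translations.php local file inclusion attempt'"
# Rule 310289: PHP-Nuke remote file include attempt
SecRule REQUEST_URI "/index\.php.*file=.*(?:http|https|ftp)\:/" \
    "id:310289,rev:2,severity:2,msg:'JITP: PHPnuke index.php remote file inclusion attempt'"
# Rule 310290: PayPal Storefront remote file include attempt
SecRule REQUEST_URI "do=ext.*/page=(?:http|https|ftp)\:/" \
    "id:310290,rev:2,severity:2,msg:'JITP: PayPal storefront remote file inclusion attempt'"
# Rule 310291: PHPOpenChat
SecRule REQUEST_URI "/poc_loginform\.php\?phpbb_root_path=(?:http|https|ftp)\:/" \
    "id:310291,rev:1,severity:2,msg:'JITP: PHPOpenChat poc_loginform.php remote file inclusion attempt'"
# Rule 310292: PHPOpenChat
SecRule REQUEST_URI "/poc\.php\?phpbb_root_path=(?:http|https|ftp)\:/" \
    "id:310292,rev:1,severity:2,msg:'JITP: PHPOpenChat poc.php remote file inclusion attempt'"
# Rule 310293: PHPOpenChat
SecRule REQUEST_URI "/poc\.php\?poc_root_path=(?:http|https|ftp)\:/" \
    "id:310293,rev:1,severity:2,msg:'JITP: PHPOpenChat poc.php remote file inclusion attempt'"
# Rule 310294: PHPOpenChat
SecRule REQUEST_URI "/ENGLISH_poc\.php\?poc_root_path=(?:http|https|ftp)\:/" \
    "id:310294,rev:1,severity:2,msg:'JITP: PHPOpenChat ENGLISH_poc.php remote file inclusion attempt'"
# Rule 310295: PHPOpenChat
SecRule REQUEST_URI "/poc\.php\?sourcedir=(?:http|https|ftp)\:/" \
    "id:310295,rev:1,severity:2,msg:'JITP: PHPOpenChat poc.php remote file inclusion attempt'"
# Rule 310296: ACS Blog Search.ASP Cross-Site Scripting Vulnerability
SecRule REQUEST_URI "/search\.asp\?search=.*iframe\+src.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|http|https|ftp)\:/" \
    "id:310296,rev:1,severity:2,msg:'JITP: ACS Blog search.asp cross-site-scripting attempt'"
# Rule 310297: mcNews Remote command execution
SecRule REQUEST_URI "/admin/install\.php\?l=(?:http|https|ftp)\:/" \
    "id:310297,rev:1,severity:1,msg:'JITP: mcNews install.php remote command execution attempt'"
# Rule 310298: mailman XSS
SecRule REQUEST_URI|REQUEST_BODY "/mailman/.*\?.*info=.*<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>" \
    "id:310298,rev:2,severity:2,msg:'JITP: Mailman cross-site-scripting attempt'"
# Rule 310299: Macromedia SiteSpring XSS
SecRule REQUEST_URI|REQUEST_BODY "/error/500error\.jsp.*et=.*<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>" \
    "id:310299,rev:2,severity:2,msg:'JITP: Macromedia SiteSpring 500error.jsp cross-site-scripting attempt'"
# Rule 310300: OWA phishing redirect
SecRule REQUEST_URI "/exchweb/bin/auth/owalogon\.asp\?url=(?:http|https)\:/" \
    "id:310300,rev:1,severity:2,msg:'JITP: Outlook Web Access owalogon.asp phishing redirect attempt'"
# Rule 310301: ads.cgi command execution attempt
SecRule REQUEST_URI "/ads\.cgi.*file=.*\.\./\.\./" \
    "id:310301,rev:1,severity:1,msg:'JITP: ads.cgi local command execution attempt'"
# Rule 310302: webdist.cgi arbitrary command attemp
# (the "|3B|" alternative is Snort byte notation and matches only the literal
# text "|3B|"; the \x3B alternative is the one that does the work)
SecRule REQUEST_URI "/webdist\.cgi.*distloc=(?:\|3B\||\x3B)" \
    "id:310302,rev:1,severity:1,msg:'JITP: webdist.cgi local command execution attempt'"
# Rule 310303: enter_bug.cgi arbitrary command attempt
SecRule REQUEST_URI "/enter_bug\.cgi.*who.*(?:\|3B\||\x3B)" \
    "id:310303,rev:1,severity:1,msg:'JITP: enter_bug.cgi local command execution attempt'"
# Rule 310304: cross site scripting HTML Image tag set to javascript attempt
SecRule REQUEST_URI|REQUEST_BODY "img src=javascript" \
    "id:310304,rev:1,severity:2,msg:'JITP: Generic Javascript-through-image tag cross-site-scripting attempt'"
# Rule 310305: b2 arbitrary command execution attempt
SecRule REQUEST_URI "/b2-include/.*b2inc.*http(?:\|3A\|//|\x3A)" \
    "id:310305,rev:1,severity:1,msg:'JITP: b2-include local command execution attempt'"
# Rule 310306: tomcat servlet mapping XSS
# (msg previously copied from 310305 and named b2-include)
SecRule REQUEST_URI|REQUEST_BODY "/servlet/.*/org\.apache\." \
    "id:310306,rev:2,severity:2,msg:'JITP: Tomcat servlet mapping cross-site-scripting attempt'"
# Rule 310307: RUNCMS,Exoops,CIAMOS highlight file access hole
SecRule REQUEST_URI "/class/debug/highlight\.php\?file=(?:/|\.\./)" \
    "id:310307,rev:1,severity:1,msg:'JITP: RUNCMS.Exoops.CIAMOS highlight.php file access attempt'"
# Rule 310308: TRG/CzarNews News Script Include File Hole Lets Remote Users
# Execute Arbitrary Commands
SecRule REQUEST_URI "/install/(?:article|authorall|comment|display|displayall.)\.php\?dir=(?:http|https|ftp):/" \
    "id:310308,rev:1,severity:1,msg:'JITP: TRG/CzarNews /install/* local command execution attempt'"
# Rule 310309: zpanel XSS
SecRule REQUEST_URI "/zpanel\.php\?page=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \
    "id:310309,rev:1,severity:2,msg:'JITP: zPanel zpanel.php cross-site-scripting attempt'"
# Rule 310310: zpanel SQL injection
SecRule REQUEST_URI "/zpanel\.php\?page=.*\'" \
    "id:310310,rev:1,severity:2,msg:'JITP: zPanel zpanel.php SQL injection attempt'"
# Rule 310311: Phorum HTTP Response Splitting Vulnerability
SecRule REQUEST_URI "/search\.php\?forum_id=.*\&search=.*\&body=.*Content-Length\:.*HTTP/1\.0.*Content-Type\:.*Content-Length\:" \
    "id:310311,rev:1,severity:2,msg:'JITP: Phorum search.php HTTP response splitting attempt'"
# Rule 310312: Subdreamer Light Global Variables SQL Injection Vulnerability
SecRule REQUEST_URI "/index\.php\?categoryid=.*\&.*_sectionid=.*\&.*_imageid=.*\'" \
    "id:310312,rev:1,severity:2,msg:'JITP: Subdreamer index.php SQL injection attempt'"
# Rule 310313: PhotoPost Pro
SecRule REQUEST_URI "/showgallery\.php\?cat=[0-9].*\&page=(?:http|https|ftp)\:/" \
    "id:310313,rev:1,severity:2,msg:'JITP: PhotoPost showgallery.php cross-site-scripting attempt'"
# Rule 310314: PhotoPost Pro
SecRule REQUEST_URI "/showgallery\.php\?si=(?:http|https|ftp)\:/" \
    "id:310314,rev:1,severity:2,msg:'JITP: PhotoPost showgallery.php cross-site-scripting attempt'"
# Rule 310315: PhotoPost Pro
SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\&cat=(?:http|https|ftp)\:/" \
    "id:310315,rev:1,severity:2,msg:'JITP: PhotoPost showgallery.php cross-site-scripting attempt'"
# Rule 310316: PhotoPost Pro
SecRule REQUEST_URI "/showgallery\.php\?cat=[0-9].*\'" \
    "id:310316,rev:1,severity:2,msg:'JITP: PhotoPost showgallery.php SQL injection attempt'"
# Rule 310317: PhotoPost Pro
SecRule REQUEST_URI "/showgallery\.php\?ppuser=[0-9].*\'.*\&cat=" \
    "id:310317,rev:1,severity:2,msg:'JITP: PhotoPost showgallery.php SQL injection attempt'"
# Rule 310318: betaparticle blog Discloses Database to Remote Users
# and Lets Remote Users Upload/Delete Arbitrary Files
SecRule REQUEST_URI "/bp/database/dbBlogMX\.mdb" \
    "id:310318,rev:1,severity:2,msg:'JITP: Betaparticle Blog dbBlogMX.mdb database access attempt'"
# Rule 310319: betaparticle blog Discloses Database to Remote Users
SecRule REQUEST_URI "/Blog\.mdb" \
    "id:310319,rev:1,severity:2,msg:'JITP: Betaparticle Blog Blog.mdb database access attempt'"
# Rule 310320: Kayako eSupport Cross Site Scripting Vulnerability
SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questiondetails\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \
    "id:310320,rev:1,severity:2,msg:'JITP: Kayako eSupport index.php cross-site-scripting attempt'"
# Rule 310321: Kayako eSupport Cross Site Scripting Vulnerability
SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=questionprint\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \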
"id:310321,rev:1,severity:2,msg:'JITP: Kayako eSupport index.php cross-site-scripting attempt'" # Rule 310322: Kayako eSupport Remote Cross Site Scripting Vulnerability SecRule REQUEST_URI "/eSupport/index.php\?_a=troubleshooter\&_c=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310322,rev:1,severity:2,msg:'JITP: Kayako eSupport index.php cross-site-scripting attempt'" # Rule 310323: Kayako eSupport Remote Cross Site Scripting Vulnerability SecRule REQUEST_URI "/eSupport/index.php\?_a=knowledgebase\&_j=subcat\&_i=[0-9].*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310323,rev:1,severity:2,msg:'JITP: Kayako eSupport index.php cross-site-scripting attempt'" # Rule 310324: phpSysInfo XSS vulns SecRule REQUEST_URI "/index\.php\?sensor_program=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310324,rev:1,severity:2,msg:'JITP: phpSysInfo index.php cross-site-scripting attempt'" # Rule 310325: phpSysInfo XSS vulns SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310325,rev:1,severity:2,msg:'JITP: phpSysInfo system_footer.php cross-site-scripting attempt'" # Rule 310326: phpSysInfo XSS vulns SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*\&VERSION=\|(?:http|https|ftp)\:/)" \ "id:310326,rev:1,severity:2,msg:'JITP: phpSysInfo system_footer.php cross-site-scripting attempt'" # Rule 310327: DigitalHive Remote Unathenticated Software Re-install and # Cross-Site Scripting Vulnerabilities SecRule REQUEST_URI "/base\.php\?page=forum/msg\.php-afs-1-\"/\>\" \ "id:310327,rev:1,severity:2,msg:'JITP: DigitalHive base.php cross-site-scripting attempt'" # Rule 310328: DigitalHive Remote Unathenticated Software Re-install and # Cross-Site Scripting Vulnerabilities SecRule REQUEST_URI "/hive/base\.php\?page=membres\.php\&mt=\"/\>\" \ 
"id:310328,rev:1,severity:2,msg:'JITP: DigitalHive base.php cross-site-scripting attempt'" # Rule 310329: Topic Calendar Mod for phpBB Cross-Site Scripting Attack SecRule REQUEST_URI "/calendar_scheduler\.php\?start=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310329,rev:1,severity:2,msg:'JITP: phpBB Topic Calendar calendar_scheduler.php cross-site-scripting attempt'" # Rule 310330: phpSysInfo Cross-Site Scripting Vulnerabilities SecRule REQUEST_URI "/index\.php\?sensor_program=.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310330,rev:1,severity:2,msg:'JITP: phpSysInfo index.php cross-site-scripting attempt'" # Rule 310331: phpSysInfo Cross-Site Scripting Vulnerabilities SecRule REQUEST_URI "/includes/system_footer\.php\?text.*=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310331,rev:1,severity:2,msg:'JITP: phpSysInfo system_footer.php cross-site-scripting attempt'" # Rule 310332: phpSysInfo Cross-Site Scripting Vulnerabilities SecRule REQUEST_URI "/includes/system_footer\.php\?text[template]=\"\>.*(?:(?:javascript|script|about|applet|activex|chrome)*\>|(?:http|https|ftp)\:/)" \ "id:310332,rev:1,severity:2,msg:'JITP: phpSysInfo system_footer.php cross-site-scripting attempt'" # Rule 310333: phpSysInfo Cross-Site Scripting Vulnerabilities SecRule REQUEST_URI "/includes/system_footer\.php\?hide_picklist=.*=\