Re: [mod-security-users] REQUEST_COOKIES Regexp
From: Nicholas V. <nvu...@ya...> - 2007-02-02 17:25:13
Sorry, left out the $, should be !REQUEST_COOKIES_NAMES:/\.cookie$/ below.

----- Original Message ----
From: Nicholas Vulgrinski <nvulgrinski@yahoo.com>
To: Ofer Shezaf <OferS@Breach.com>
Cc: mod-security-users@lists.sourceforge.net
Sent: Friday, February 2, 2007 11:23:26 AM
Subject: REQUEST_COOKIES Regexp

Ofer,

Still having problems with using a regular expression with REQUEST_COOKIES and REQUEST_COOKIES_NAMES.

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/\.cookie/|REQUEST_COOKIES|!REQUEST_COOKIES:/^fc/ \
        "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\b)" \
        "redirect:/error.jsp,log,id:1,severity:2,msg:'Cross-site Scripting (XSS) Attack'"

I looked at the 2.0.4 source code and can see logic to handle regular expressions. Is the syntax above correct? I think we may still be using v2.0.3, was this working in that version?

Thanks.
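Added example, not part of the original message and not ModSecurity code: a small Python model of what the two exclusion patterns discussed above (/\.cookie/ and /\.cookie$/) leave in the inspected cookie-name list, and which remaining names the last alternation of the rule's XSS pattern still matches. The cookie names are constructed, and the model assumes the exclusion is applied as an unanchored search that drops matching names from the target list.

```python
import re

# Last alternation of the XSS pattern in the rule above, copied unchanged.
XSS_TAIL = re.compile(
    r"\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)\b"
)

NO_EXCLUSION = re.compile(r"(?!)")     # never matches: nothing is excluded
UNANCHORED = re.compile(r"\.cookie")   # exclusion as first posted
ANCHORED = re.compile(r"\.cookie$")    # exclusion after the "$" correction

# Constructed cookie names (assumption, not taken from the thread).
COOKIE_NAMES = ["session.cookie", "prefs.cookie.v2", "fcid", "JSESSIONID"]


def inspected(names, exclusion):
    """Names still inspected after dropping every name the exclusion matches."""
    return [n for n in names if not exclusion.search(n)]


def alerts(names, exclusion):
    """Inspected names that the XSS pattern's final alternation matches."""
    return [n for n in inspected(names, exclusion) if XSS_TAIL.search(n)]


if __name__ == "__main__":
    for label, excl in (("none", NO_EXCLUSION),
                        ("/\\.cookie/", UNANCHORED),
                        ("/\\.cookie$/", ANCHORED)):
        print(f"exclusion {label:<13} inspected={inspected(COOKIE_NAMES, excl)} "
              f"alerts={alerts(COOKIE_NAMES, excl)}")
```

The anchored form only exempts names that end in .cookie, so a name with .cookie in the middle is still inspected and still matches the pattern.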