[mod-security-users] (no subject)
From: Nicholas V. <nvu...@ya...> - 2007-01-19 17:02:52
The referer often contains the URL and parameters from another site, such as a web search page, when someone navigates to our site via a search. We have found that Time Warner's websearch contains an onClick parameter that sets off the XSS rule.

This fix was suggested to exclude scanning the referer:

REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer

This almost worked for me, but our FireClick implementation stores the referer in the session cookie, so I still get a match (see below).

Sorry about the old version (rule id 50004).

I had already removed the ".cookie" part of the rule because our site has cookies named something.cookie.

I don't want to exclude an XSS check on the cookies because we have observed other XSS attack attempts in the cookie.

Any suggestions?

--674ddd71-A--
[16/Jan/2007:14:18:34 --0600] EPbcZKwQIh8AAATnGgcAAAAa 172.16.32.102 55719 172.16.34.31 80
--674ddd71-B--
GET /processSearch.do?allPropertyTypesSelected=true&usertypedcity=&destination=4fded4ff-af4a-41b7-976b-bd5bd436f135%7Cb68f06c3-77a8-49f1-9ba2-c9e779fdad9d%7CLas+Vegas%2C+NV%2C+USA%7C1&inout=&CIMonth=3&CIDay=2&CIYear=2007&COMonth=3&CODay=5&COYear=2007&dateless=&numrooms=1&adults%5B0%5D=2&child%5B0%5D=0 HTTP/1.1
Accept: */*
Referer: http://www.aaaa.com/index.jsp?PSRC=G21&displayAd=false&googlekw=aaaa.com_-_exact_match&js=1&zz=1168978561781
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1)
Cookie: JSESSIONID=UMHAKCHLXFI35LAQEZBSCOVMCATDOH20; ABTest.4=3; sid={AC102643-14D7-7459-1102-2C2C8ACB9E1F}; visitCounter=1; PSRC=G21; VSRC=HRN MRKT; SSRC=; MSRC=; TSRC=1; fcC=X=C1854576&Y=1168978630937&FV=8&H=1168978630921&Z=1&vis=g409650#e409650zaaaa.com_-_exact_match#m54z0#m56z0#m11z0#m42z0#l39#m52z1#m53z1#l17#e125482z-#m54z1#g440958#m40z0&D=G409651#E409651zaaaa.com_-_exact_match&F=0&I=1168978713171&E=5041538; fcP=C=0&T=1168978568750&DTO=1168978568671&V=1168978630921&fcV.1=G409651`1171570570406&fcV.2=E409651zaaaa.com_-_exact_match`1171570570421; fcR=http%3A//websearch.timewarnercable.com/websearch/%3Fdiv_id%3D30%26FUIComponentClass%3D%255Btype+Function%255D%26FRadioButtonClass%3D%255Btype+Function%255D%26FRadioButtonGroupClass%3D%255Btype+Function%255D%26FPushButtonClass%3D%255Btype+Function%255D%26searches%3D%255Bobject+Object%255D%26getValue%3D%255Btype+Function%255D%26onClick%3D%255Btype+Function%255D%26query%3Daaaa%252Ecom
TE: chunked;q=1.0
Connection: TE, keep-alive
Accept-Encoding: gzip
Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 71.79.187.187, 72.247.29.86
Host: www.aaaa.com
Pragma: no-cache
Cache-Control: no-cache, max-age=0

--674ddd71-F--
HTTP/1.1 200 OK
Set-Cookie: sid={AC102643-14D7-7459-1102-2C2C8ACB9E1F}; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: PSRC=G21; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: VSRC=HRN MRKT; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: SSRC=; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: MSRC=; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Set-Cookie: TSRC=1; domain=.aaaa.com; expires=Fri, 29-Oct-2021 20:18:33 GMT; path=/
Keep-Alive: timeout=3, max=59
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--674ddd71-H--
Message: Warning. Pattern match "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell)|mocha):|type\\b\\W*?\\b(?:text\\b(?:\\W*?\\b(?:j(?:ava)?|ecma)script\\b|[vbscript])|application\\b\\W*?\\bx-(?:java|vb)script\\b)|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\\b|a(?:ctivexobject\\b|lert\\b\\W*?\\())|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage)\\b|!\\[CDATA\\[|script|meta)|(?:\\.(?:(?:execscrip|addimpor)t|fromcharcode|innerhtml)|\\B@import)\\b)" at REQUEST_HEADERS:Cookie. [id "50004"] [msg "Cross-site Scripting (XSS) Attack"] [severity "WARNING"]
Stopwatch: 1168978713435236 735698 (233 2539 -)
Producer: ModSecurity v2.0.3 (Apache 2.x)
Server: Apache/2.0.52 (CentOS)

--674ddd71-Z--
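One way to keep inspecting cookies while skipping only the FireClick cookie that echoes the referer, added here as an example and not taken from the post or the ModSecurity project: it assumes the referer-carrying cookie is named fcR as in the audit log above, reuses rule id 50004, relies on the ModSecurity 2.x REQUEST_COOKIES and REQUEST_COOKIES_NAMES variables, and substitutes a short constructed pattern for the full Core Rules XSS regex.

```apache
# Added example (not from the post or the Core Rules): the original rule matched
# on the raw Cookie header, so any one cookie value trips it for the whole header.
# Here the raw header is excluded and each cookie is inspected on its own, with
# only the FireClick referer cookie (fcR, assumed name) left out. Every other
# cookie, and every cookie name including "fcR" itself, is still scanned.
# The regex below is a constructed, heavily simplified stand-in for the full
# Core Rules XSS pattern quoted in the audit log; t:lowercase means it must be
# written in lowercase, as the original pattern is.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES:fcR \
    "(?:\bon(?:click|load|error|mouse(?:over|out))\b\W*?=|<script|\b(?:java|vb)script:|\.innerhtml\b)" \
    "phase:2,t:lowercase,t:urlDecodeUni,log,deny,status:403,id:50004,msg:'Cross-site Scripting (XSS) Attack'"
```

Note that t:urlDecodeUni is what turns the logged fcR value `%26onClick%3D%255B...` into `&onclick=%5b...` before matching, which is why that cookie alone produced the hit; excluding the single variable rather than the whole header keeps the author's stated requirement of still catching XSS payloads in other cookies.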