Re: [mod-security-users] LocationMatch and SecRuleRemoveById
From: <bl...@ko...> - 2007-07-25 23:01:38
Hi, sorry – still no luck. So far it only works if I set the SecRuleRemoveById in the VirtualHost definition.

We have a few customers with the content management system Joomla. Many of them extend Joomla with components. One component is JoomlaXplorer, which is blocked by the core rule 950922. The component can be identified by the substring "com_joomlaxplorer" in the URL.

Thomas

From: Bunyamin DEMIR [mailto:bun...@gm...]
Sent: Wednesday, 25 July 2007 19:48
To: bl...@ko...
Subject: Re: [mod-security-users] LocationMatch and SecRuleRemoveById

Hi, please try it:

<Files "/administrator/index2.php">
        SecRuleRemoveById 950922
</Files>

:) Really, it is so weird. But I don't understand what you want to do?

--
Bunyamin Demir
OWASP-Turkey Chair
http://www.webguvenligi.org

2007/7/25, bl...@ko... <bl...@ko...>:

Thanks for the reply, but the request still gets blocked:

<LocationMatch "/administrator/index2.php?option=com_joomlaxplorer.*">
        SecRuleRemoveById 950922
</LocationMatch>

ID/Rev    Severity   Message
1 950922  CRIT (2)   Backdoor access. Access denied with code 404 (phase 4). Pattern match "(?:<title>[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.|rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remot ..." at RESPONSE_BODY.

Request Details

GET /administrator/index2.php?option=com_joomlaxplorer HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: de
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: wechsellandcup.devcon.cc
Connection: Keep-Alive
Cookie: __utma=83474435.1264346196.1181486807.1183397705.1184867617.10; __utmz=83474435.1181486807.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); style=wide; my_colorS=006699; 2480e6c95b3f1ae0caccee2dc9406a5b=-; 039cff8efae13f59f4da6cdd690fa450=ihj977nn03jv5ljh5a4l8cdni4

Response Details

HTTP/1.1 404 Not Found
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Wechsellandcup-Administration

From: Bunyamin DEMIR [mailto:bun...@gm...]
Sent: Wednesday, 25 July 2007 16:32
To: bl...@ko...
Cc: mod...@li...
Subject: Re: [mod-security-users] LocationMatch and SecRuleRemoveById

Hi, please try it:

<LocationMatch "/administrator/index2.php?option=com_joomlaxplorer.*">
SecRuleRemoveById 950922
</LocationMatch>

--
Bunyamin Demir
OWASP-Turkey Chair
http://www.webguvenligi.org

2007/7/25, bl...@ko... <bl...@ko...>:

Hello,

I try to disable rule 950922 with LocationMatch:

<LocationMatch .*joomlaxplorer.*>
SecRuleRemoveById 950922
</LocationMatch>

But that URL still gets blocked. Any help is highly welcome.

Thanks,
Thomas

GET /administrator/index2.php?option=com_joomlaxplorer&action=list&dir=components&order=name&srt=yes HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: http://wechsellandcup.devcon.cc/administrator/index2.php?option=com_joomlaxplorer
Accept-Language: de
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: wechsellandcup.devcon.cc
Cookie: __utma=83474435.1654292677.1182956354.1185351352.1185364402.10; __utmz=83474435.1182956354.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=83474435; 2480e6c95b3f1ae0caccee2dc9406a5b=-; 039cff8efae13f59f4da6cdd690fa450=107q5tgcgnstef0j5goustc8q5
Via: 1.0 innkdi95v:8080 (IWSS)
Connection: Keep-Alive

ID/Rev    Severity   Message
1 950922  CRIT (2)   Backdoor access. Access denied with code 404 (phase 4). Pattern match "(?:<title>[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.|rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remot ..." at RESPONSE_BODY.

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
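Added note and example, not part of the thread and not written by either participant. Apache's <Location> and <LocationMatch> containers are matched against the URL path only; the query string (the "?option=com_joomlaxplorer" part) is never included in that comparison, so a LocationMatch expression that tries to match on it does not fire, which is consistent with the behaviour reported above. ModSecurity itself does see the query string (as ARGS), so the exclusion can be written as a ModSecurity 2.x rule using the ctl:ruleRemoveById action. That action applies for the rest of the transaction, so a match in phase 1 also removes 950922 from phase 4, where it inspects RESPONSE_BODY. The configuration below assumes ModSecurity 2.x with the Core Rule Set loaded before it; the rule id 900150 is an arbitrary local id chosen for this example.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.x with the
# Core Rule Set loaded before this rule; id 900150 is an arbitrary local id.
#
# Why the <LocationMatch> attempts above cannot work: the container is
# evaluated against the URL path only, so "?option=com_joomlaxplorer" is
# never part of what it matches. ModSecurity does see the query string,
# and ctl:ruleRemoveById applies for the rest of the transaction, so a
# match here in phase 1 also removes 950922 from phase 4 (RESPONSE_BODY).
#
# Both conditions must hold (chain): the script is the Joomla admin
# front controller AND the "option" argument selects the component.
SecRule REQUEST_FILENAME "^/administrator/index2\.php$" \
    "phase:1,id:900150,nolog,pass,chain"
    SecRule ARGS:option "^com_joomlaxplorer$" \
        "ctl:ruleRemoveById=950922"
```

The ctl action sits on the last rule of the chain so that it only runs when every link has matched; placed on the first rule it would fire for any request to index2.php. Keeping the file check and the component check together limits the exclusion to the one component that triggers the false positive, rather than disabling the rule for the whole administrator area.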