mod-security-users

[mod-security-users] Sanity.A - phpbb worm

[Michael H. <gno...@al...>]

First off, let me say thanks for making such a great product and maintainin=
g
this mailing list so the newbies like me can get some answers on things.  M=
y
question, obviously, relates to the sanity worm.  I saw on the main page th=
e
post from Dec 22 regarding this rule:

SecFilterSelective ARG_highlight %27

I=B9m wondering how effective this is and if there are any new strains I need
to be aware of or any other advice from the community about dealing with
this worm.

Re: [mod-security-users] Sanity.A - phpbb worm

[Gerwin K. <ge...@di...>]

Well this will help to protect against the bug in phpbb2. But I would=20
also advice you to use the following rules:

SecFilterSelective ARGS "wget\x20"
SecFilterSelective ARGS "perl\x20"
SecFilterSelective ARGS "curl\x20"
SecFilterSelective ARGS "fwrite"
SecFilterSelective ARGS "fopen"
SecFilterSelective ARGS "chr\("
SecFilterSelective ARGS "echr\("
SecFilterSelective ARGS "system\("

these will protect you big time for other buggy php code too! I hope=20
this will help you a little.

Michael Hochradel wrote:

> First off, let me say thanks for making such a great product and=20
> maintaining this mailing list so the newbies like me can get some=20
> answers on things. My question, obviously, relates to the sanity worm.=20
> I saw on the main page the post from Dec 22 regarding this rule:
>
> SecFilterSelective ARG_highlight %27
>
> I=92m wondering how effective this is and if there are any new strains =
I=20
> need to be aware of or any other advice from the community about=20
> dealing with this worm.

Re: [mod-security-users] Sanity.A - phpbb worm

[Ivan R. <iv...@we...>]

Michael Hochradel wrote:
> First off, let me say thanks for making such a great product and=20
> maintaining this mailing list so the newbies like me can get some=20
> answers on things.  My question, obviously, relates to the sanity worm.=
=20
>  I saw on the main page the post from Dec 22 regarding this rule:
>=20
> SecFilterSelective ARG_highlight %27
>=20
> I=92m wondering how effective this is and if there are any new strains =
I=20
> need to be aware of or any other advice from the community about dealin=
g=20
> with this worm.

   The rule should work for new strains but haven't examined the
   vulnerability in great detail to determine if there are other ways
   to break PHPBB. You should upgrade to the latest PHPBB version -
   that's the best advice anyone can give you.

--=20
Ivan Ristic (http://www.modsecurity.org)

Re: [mod-security-users] Sanity.A - phpbb worm

[Michael H. <gno...@al...>]

Thanks for all the good tips so far.  The environments involved are shared
hosting servers and, unfortunately, it seems not everyone got the email :)
We continue to see the sanity worm getting uploaded and are having some
trouble tracking down the culprits, so we're looking to other measures whil=
e
we sort out the real problem.


On 1/31/05 11:25 AM, "Ivan Ristic" <iv...@we...> wrote:

> Michael Hochradel wrote:
>> First off, let me say thanks for making such a great product and
>> maintaining this mailing list so the newbies like me can get some
>> answers on things.  My question, obviously, relates to the sanity worm.
>>  I saw on the main page the post from Dec 22 regarding this rule:
>>=20
>> SecFilterSelective ARG_highlight %27
>>=20
>> I=B9m wondering how effective this is and if there are any new strains I
>> need to be aware of or any other advice from the community about dealing
>> with this worm.
>=20
>    The rule should work for new strains but haven't examined the
>    vulnerability in great detail to determine if there are other ways
>    to break PHPBB. You should upgrade to the latest PHPBB version -
>    that's the best advice anyone can give you.



--Gnomercy
AlphaOmegaHosting.Com, Inc.
Customer Support Supervisor