Thread: [mod-security-users] XSS Rule
From: Clayton D. <cla...@gm...> - 2008-08-20 17:01:54
Folks,

Looking for some guidance on how to address this alert, which is for legitimate traffic, without disabling XSS detection altogether.

## Alert Messages ##

Cross-site Scripting (XSS) Attack Warning. Pattern match "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at ARGS:edocs.request.paper.link.

Cross-site Scripting (XSS) Attack Warning. Pattern match "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at ARGS:edocs.stylesheet.

## Request Details ##

POST /mic/request HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.voterboxonline.com/mic/request
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.voterboxonline.com
Content-Length: 4916
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: com.voterbox.web.mgmt.logincookie=userid:mdi...@vo...&password:m5c4mi9D&remember:1&; com.voterbox.web.mgmt.authenticationcookie=db07f6884d3dfffeb3c193c9d88f8a1b; B100Serverpoolcookie=100856330.1.3631926272.294997057; JSESSIONID=7446D17F008ECA06BBD1493359366F3E

edocs.active.voting=%3Cp%3E%3Cstrong%3E%3Cfont+size%3D%222%22%3EYour+vote+is+IMPORTANT.+To+vote+your+proxy+online+NOW%2C+click+%3C%2Ffont%3E%3Ca+target%3D%22_blank%22+href%3D%22https%3A%2F%2Fwww.proxypush.com%2Fmu%22%3E%3Cstrong%3E%3Cfont+size%3D%222%22%3Ehere%3C%2Ffont%3E%3C%2Fstrong%3E%3C%2Fa%3E%3Cfont+size%3D%222%22%3E.+Or%2C+you+may+vote+by+phone+by+dialing+1+866+XXX+XXXX.%3C%2Ffont%3E++%3C%2Fstrong%3E%3C%2Fp%3E
&edocs.custom.issuer.content=%3Cp%3E+%3Cfont+size%3D%221%22%3E%3Cstrong%3E%3Cimg+class%3D%22%22+height%3D%2270%22+alt%3D%22%22+width%3D%2288%22+src%3D%22%2Fbranding%2F962304%2Fen%2FUS%2Fimages%2Fmicronbuilding.jpg%22+%2F%3E%3Cbr+%2F%3E%3Cbr+%2F%3E%3C%2Fstrong%3E%3C%2Ffont%3EMicron+is+one+of+the+world%27s+leading+providers+of+advanced+semiconductor+solutions.+Micron%92s+DRAM+and+Flash+components+are+used+in+today%92s+most+advanced+computing%2C+networking%2C+and+communications+products%2C+including+computers%2C+workstations%2C+servers%2C+cell+phones%2C+wireless+devices%2C+digital+cameras%2C+and+gaming+systems.+%0D%0A%0D%0A
&edocs.custom.issuer.title=About+Micron
&edocs.request.paper.content=%3Cp%3ETo+receive+a+paper+copy+of+the+proxy+material%2C+you+may+make+your+election+by+phone%2C+email+or+internet%3A%3C%2Fp%3E%3Cp%3EInternet%3A+%3Ca+target%3D%22blank%22+href%3D%22https%3A%2F%2Fwww.investorelections.com%2Fmu%22%3Ewww.investorelections.com%2Fmu%3C%2Fa%3E%3Cbr+%2F%3EEmail%3A++%3Ca+href%3D%22mailto%3Apaper@investorelections.com%22%3E...@in...%3C%2Fa%3E%3Cbr+%2F%3ETelephone%3A+866+XXX+XXXX%3C%2Fp%3E
&edocs.request.paper.link=%3Cp%3EClick+%3Ca+href%3D%22javascript%3AopenPopup%28%27request%3Fb%3DMU%26cid%3D962304%26page%3Drequest_paper%27%2C%27cpaper%27%2C350%2C275%29%3B%22%3Ehere%3C%2Fa%3E+to+learn+how+to+request+paper+material.
&edocs.stylesheet=body+%7B%0D%0A%09background-image%3A+url%28..%2Fimages%2Fbgrd_body.jpg%29%3B%0D%0A%09background-repeat%3A+repeat-x%3B%0D%0A%09background-position%3A+top%3B%0D%0A%09background-color%3A+%239A9A9A%3B%0D%0A%09font-family%3A+Verdana%2C+Arial%2C+Helvetica%2C+sans-serif%3B%0D%0A%09font-size%3A+10px%3B%0D%0A%7D%0D%0A.vendorheader+%7B%0D%0A%09font-family%3A+%22Arial+Narrow%22%2C+Arial%2C+verdana%3B%0D%0A%09font-size%3A+24px%3B%0D%0A%09font-weight%3A+normal%3B%0D%0A%09color%3A+%24%21vendorheader_color%3B%0D%0A%7D%0D%0A%0D%0Ap%2C+table%2C+td%2C+form%2C+input%2C+select+%7B%0D%0A%09font-family%3A+Verdana%2C+Arial%2C+Helvetica%2C+sans-serif%3B%0D%0A%09font-size%3A+10px%3B%0D%0A%7D%0D%0A.pageshell+%7B%0D%0A%09background-color%3A+%23FFFFFF%3B%0D%0A%09padding%3A+10px%3B%0D%0A%09border%3A+1px+solid+%24%21pageshell_color%3B%0D%0A%7D%0D%0A.custom_content+%7B%0D%0A%09font-family%3A+Verdana%3B%0D%0A%09font-size%3A+10px%3B%0D%0A+++background-color%3A+%23DDDDDD%3B%0D%0A%7D%0D%0A%0D%0A.table_title+%7B%0D%0A%09font-family%3A+Verdana%3B%0D%0A%09font-size%3A+11pt%3B%0D%0A%09font-weight%3A+bold%3B%0D%0A+++border%3A+1+px+solid+black%3B%0D%0A+++background-color%3A+%2300377E%3B%0D%0A+++color%3A+white%3B%0D%0A%0D%0A%7D%0D%0A.table_header+%7B%0D%0A%09font-size%3A+10pt%3B%0D%0A%09font-weight%3A+bold%3B%0D%0A+++border%3A+1+px+solid+black%3B%0D%0A+++background-color%3A+%23DDDDDD%3B%0D%0A+++color%3A+black%3B%0D%0A%7D%0D%0A%0D%0A.table_group+%7B%0D%0A%09font-size%3A+9pt%3B%0D%0A%09font-weight%3A+bold%3B%0D%0A+++color%3A+%2300377E%3B%0D%0A%7D%0D%0A%0D%0A.table_col1%2C+.table_col2%2C+a.table_col2%2C+.table_col3%2C+.table_col4%0D%0A%7B%0D%0A%09font-size%3A+8pt%3B%0D%0A%09font-weight%3A+normal%3B%0D%0A+++color%3A+%23AA0031%3B%0D%0A%7D%0D%0A%0D%0A.subheader+%7B%0D%0A%09font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B%0D%0A%09font-size%3A+18px%3B%0D%0A%7D%0D%0A%0D%0Aa%3Alink%2C+a%3Aactive%2C+a%3Avisited+%7B%0D%0A%09text-decoration%3A+none%3B%0D%0A%09color%3A+%24%21a_color%3B%0D%0A%7D%0D%0Aa%3Ahover+%7B%0D%0A%09color%3A+%24%21a_color%3B%0D%0A%09text-decoration%3A+underline%3B%0D%0A%7D%0D%0A.subheader2+%7B%0D%0A%09font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B%0D%0A%09font-size%3A+14px%3B%0D%0A%09font-weight%3A+bold%3B%0D%0A%09color%3A+%24%21subheader2_color%3B%0D%0A%7D%0D%0A.subsection+%7B%0D%0A%09border%3A+1px+double+%24%21subsection_color%3B%0D%0A%7D%0D%0A.redalert+%7B%0D%0A%09font-weight%3A+bold%3B%0D%0A%09color%3A+%23FF0000%3B%0D%0A%7D%0D%0A.active_voting+%0D%0A%7B%0D%0A%09font-family%3A+Arial%2C+Helvetica%2C+sans-serif%3B%0D%0A%09font-size%3A+14px%3B%0D%0A%09font-weight%3A+normal%3B%09%0D%0A%09color%3A+red%3B%0D%0A%09border%3A+2px+double+red%3B%0D%0A+++border-style%3A+outset%3B%0D%0A%09padding%3A+8px%3B%0D%0A%7D
&edocs.banner.line.break=1
&edocs.logo.filename=client_logo.jpg
&edocs.table.title=Investor+Packet
&site.disabled.message=Site+disabled+-+please+try+again+later
&site.enabled=1
&edocs.broker.active.voting=
&edocs.broker.request.paper.content=
&edocs.broker.request.paper.link=
&edocs.custom.copyright=
&edocs.custom.footer=
&SECTION=ADM
&PAGE=BrandingMGMT
&clientid=962304
&action=save
&propertygroup=edocs

-- 
Clayton Taylor Dillard
Network Security Enthusiast
Aim for the truth - it works!
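A way to handle this without turning off XSS inspection for the whole site, as an added example that is not part of Clayton's post or the ModSecurity project's own files: narrow the exclusion to the one admin form (POST /mic/request, shown above) and, where the ModSecurity version allows, to the two parameters that legitimately carry HTML and CSS (ARGS:edocs.request.paper.link and ARGS:edocs.stylesheet, from the alert). The rule id 950004 is an assumption (the Core Rule Set XSS rule of that era); read the real id out of the audit-log entry for the alert before copying this. The rule ids 9000001 and 9000002 are placeholders chosen here.

```apache
# Added example, not from the original post. Assumes the XSS rule that fired
# is CRS rule 950004; check the id in the audit log and adjust if it differs.

# Option A (works on ModSecurity 2.5): on the branding-management form only,
# drop the XSS rule for this transaction. Every other URI is still inspected.
# Must be loaded BEFORE the CRS file that defines 950004, and must run in the
# same phase (2) as that rule, because ctl only affects rules evaluated later.
SecRule REQUEST_URI "@beginsWith /mic/request" \
    "phase:2,pass,nolog,id:9000001,ctl:ruleRemoveById=950004"

# Option B (ModSecurity 2.5.11 and later): keep the rule everywhere, but stop
# it from inspecting the two parameters that are expected to contain markup.
# This directive modifies an existing rule, so it goes AFTER the CRS include.
SecRuleUpdateTargetById 950004 "!ARGS:edocs.request.paper.link,!ARGS:edocs.stylesheet"

# Option C (ModSecurity 2.6 and later): the same per-parameter exclusion as B,
# but scoped to this path instead of applied globally. Same placement rule as A.
SecRule REQUEST_URI "@beginsWith /mic/request" \
    "phase:2,pass,nolog,id:9000002,\
     ctl:ruleRemoveTargetById=950004;ARGS:edocs.request.paper.link,\
     ctl:ruleRemoveTargetById=950004;ARGS:edocs.stylesheet"
```

Prefer the narrowest option the installed version supports (C, then B, then A); never widen the target to `ARGS` as a whole, since that removes XSS detection from every parameter of the request. Whatever the WAF does, these two fields are admin-authored HTML and CSS that the application later renders to site visitors, so excluding them from inspection moves the trust onto the admin login and the application's own output handling. On that point, the captured request also carries a cookie with a cleartext password (`logincookie=...&password:...`); a request like this should be redacted before it goes to a public list, and that credential should be treated as compromised and rotated.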