--------------------------------------------------------------------------- # Bu dosya mod_security kurallarini iceren conf dosyasidir. --------------------------------------------------------------------------- SecFilterEngine On SecFilterCheckURLEncoding Off SecFilterCheckUnicodeEncoding Off SecFilterForceByteRange 0 255 SecAuditEngine RelevantOnly SecAuditLog logs/audit_log SecFilterDebugLog logs/modsec_debug_log SecFilterDebugLevel 0 SecFilterDefaultAction "deny,log,status:406" SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow Secfilter "sbin/" SecFilter "eggz" SecFilter "eggdrop" SecFilter "psybnc" SecFilter "udp.pl" SecFilter "bindtty" SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective THE_REQUEST "dc.pl " SecFilterSelective THE_REQUEST "wget " SecFilterSelective THE_REQUEST "act=ls" SecFilterSelective THE_REQUEST "act=f" SecFilterSelective THE_REQUEST "root=" SecFilterSelective THE_REQUEST "phpshell.php " SecFilterSelective THE_REQUEST "r57.php " SecFilterSelective THE_REQUEST "c99.php " SecFilterSelective THE_REQUEST "cc.php" SecFilterSelective THE_REQUEST "r57" SecFilterSelective THE_REQUEST "c99" SecFilterSelective THE_REQUEST "bypass" SecFilterSelective THE_REQUEST "lynx " SecFilterSelective THE_REQUEST "scp " SecFilterSelective THE_REQUEST "ftp " SecFilterSelective THE_REQUEST "cvs " SecFilterSelective THE_REQUEST "rcp " SecFilterSelective THE_REQUEST "curl " SecFilterSelective THE_REQUEST "telnet " SecFilterSelective THE_REQUEST "perl " SecFilterSelective THE_REQUEST "b0t.tmp " SecFilterSelective THE_REQUEST "bt.pl " SecFilterSelective THE_REQUEST "fetch " SecFilterSelective THE_REQUEST "ssh " SecFilterSelective THE_REQUEST "echo " SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-charset " SecFilterSelective THE_REQUEST "links -dump-width " SecFilterSelective THE_REQUEST "links http:// " SecFilterSelective THE_REQUEST "links ftp:// " SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "mkdir " SecFilterSelective THE_REQUEST "cd /tmp " SecFilterSelective THE_REQUEST "cd /var/tmp " SecFilterSelective THE_REQUEST "cd /tmp/ " SecFilterSelective THE_REQUEST "cd /var/tmp/ " SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " SecFilterSelective THE_REQUEST "/config.php?v=1&DIR " SecFilterSelective THE_REQUEST "&highlight=%2527%252E " SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php " SecFilterSelective THE_REQUEST "arta\.zip " SecFilterSelective THE_REQUEST "cmd=cd\x20/var " SecFilterSelective THE_REQUEST "cmd=cd\x20/tmp " SecFilterSelective THE_REQUEST "cmd=cd\x20/var/tmp " SecFilterSelective THE_REQUEST "cmd=cd\x20/tmp/ " SecFilterSelective THE_REQUEST "cmd=cd\x20/var/tmp/ " SecFilterSelective THE_REQUEST "HCL_path=http " SecFilterSelective THE_REQUEST "clamav-partial " SecFilterSelective THE_REQUEST "vi\.recover " SecFilterSelective THE_REQUEST "netenberg " SecFilterSelective THE_REQUEST "psybnc " SecFilterSelective THE_REQUEST "fantastico_de_luxe " SecFilterSelective THE_REQUEST "tool.gif?cmd " SecFilterSelective THE_REQUEST "rm -rf " SecFilterSelective THE_REQUEST "\.htaccess" SecFilterSelective THE_REQUEST "cd\.\." SecFilterSelective THE_REQUEST "///cgi-bin" SecFilterSelective THE_REQUEST "/cgi-bin///" SecFilterSelective THE_REQUEST "/~root" SecFilterSelective THE_REQUEST "/~ftp" SecFilterSelective THE_REQUEST "/htgrep" chain SecFilterSelective THE_REQUEST "/htgrep" log,pass SecFilterSelective THE_REQUEST "/\.history" SecFilterSelective THE_REQUEST "/\.bash_history" SecFilterSelective THE_REQUEST "/~nobody" SecFilterSelective THE_REQUEST " SecFilterSelective THE_REQUEST "psybnc" SecFilterSelective THE_REQUEST "cmd=cd\x20/var" SecFilterSelective THE_REQUEST "dir=http" SecFilterSelective THE_REQUEST "\?STRENGUR" SecFilterSelective THE_REQUEST "/etc/motd" SecFilterSelective THE_REQUEST "/etc/passwd" SecFilterSelective THE_REQUEST "conf/httpd\.conf" SecFilterSelective THE_REQUEST "/bin/ps" SecFilterSelective THE_REQUEST "bin/tclsh" SecFilterSelective THE_REQUEST "tclsh8\x20" SecFilterSelective THE_REQUEST "udp\.pl" SecFilterSelective THE_REQUEST "linuxdaybot\.txt" SecFilterSelective THE_REQUEST "wget\x20" SecFilterSelective THE_REQUEST "bin/nasm" SecFilterSelective THE_REQUEST "nasm\x20" SecFilterSelective THE_REQUEST "/usr/bin/perl" SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-(charset|width) " SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/" SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)" SecFilterSelective THE_REQUEST "cd\.\." SecFilterSelective THE_REQUEST "///cgi-bin" SecFilterSelective THE_REQUEST "/cgi-bin///" SecFilterSelective THE_REQUEST "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecFilterSelective THE_REQUEST "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecFilterSelective THE_REQUEST "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecFilterSelective THE_REQUEST "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecFilterSelective THE_REQUEST "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecFilterSelective THE_REQUEST "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecFilterSelective THE_REQUEST "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecFilterSelective THE_REQUEST "/\.history HTTP\/(0\.9|1\.0|1\.1)$" SecFilterSelective THE_REQUEST "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$" SecFilterSelective REQUEST_URI "/nessus_is_probing_you_" SecFilterSelective REQUEST_URI "/NessusTest" SecFilter "javascript\://" SecFilter "img src=javascript" SecFilter "_PHPLIB\[libdir\]" SecFilter "hdr=/" SecFilter '$path."*"' SecFilterSelective THE_REQUEST "\ SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/javascript/i" SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript/i" SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript/i" SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript/i" SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript/i" SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript/i" SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i" SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i" SecFilterSelective THE_REQUEST "SCRIPT" SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" SecFilterSelective HTTP_Transfer-Encoding "!^$" SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" SecFilterSelective REQUEST_URI "\.php\?" chain SecFilter "(http|https|ftp)\:/" chain SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain SecFilter "(\<.*xml)" chain SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain SecFilter ".*.*.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>" SecFilterSelective REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/content\.php" chain SecFilterSelective ARG_user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/index(2?)\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/" SecFilterSelective REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\ SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/posting\.php\\?.*(<[[:space:]]*script|(http|https|ftp)\:/)" SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php" SecFilter "^/viewtopic\.php\?" chain SecFilter "chr\(([0-9]{1,3})\)" SecFilterSelective THE_REQUEST "viewtopic\.php" chain SecFilterSelective "THE_REQUEST|ARG_VALUES" "(passthru|cmd|fopen|exit|fwrite)" SecFilter "phpbb_root_path=" SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'" SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'" SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'" SecFilterSelective REQUEST_URI "/viewforum.php?f=.*sid=\'" SecFilterSelective REQUEST_URI "/viewtopic.php?p=.*sid=\'" SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'" SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'" SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'" SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">" SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)" SecFilterSelective COOKIE_sessionid "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D" SecFilter "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D" SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain SecFilterSelective ARG_highlight "%27" SecFilter "&highlight=\'\.fwrite\(fopen\(" SecFilter "&highlight=\x2527\x252Esystem\(" SecFilter "&highlight=\'\.mysql_query\(" SecFilterSelective THE_REQUEST "/quick-reply\.php" chain SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system\(" SecFilterSelective THE_REQUEST "&highlight=\'\.mysql_query\(" SecFilterSelective THE_REQUEST "&highlight=\'\.fwrite\(fopen\(" SecFilterSelective THE_REQUEST "&highlight=%2527%252E" SecFilterSelective THE_REQUEST "&highlight=\x2527\x252Esystem\(" SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()" SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00" SecFilterSelective REQUEST_URI|POST_PAYLOAD "r57phpBB2017xpl" SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com" SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)" SecFilterSelective REQUEST_URI "usercp_register\.php" chain SecFilterSelective ARG_error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" SecFilterSelective REQUEST_URI "login\.php" chain SecFilterSelective ARG_forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" SecFilterSelective REQUEST_URI "search\.php" chain SecFilterSelective ARG_list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" SecFilterSelective REQUEST_URI "usercp_register\.php" chain SecFilterSelective ARG_signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)" SecFilterSelective ARG_signature_bbcode_uid "(<.*php| SecFilterSelective REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_email "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_ratenum "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_min "(dselect|grant|elete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_orderby "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_email "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_ratenum "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_min "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_show "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_orderby "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective SCRIPT_FILENAME "modules\.php$" chain SecFilterSelective ARG_url "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+(from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>" SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>" SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors" SecFilterSelective REQUEST_URI "/modules\.php\?*name=Search*instory=" SecFilterSelective REQUEST_URI "/modules\.php\?*name=(Search|Web_Links).*\'" SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script" SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)" SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)" SecFilterSelective THE_REQUEST "/index\.php*file=*(http|https|ftp)" SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory=" SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/" SecFilterSelective REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1<r=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/joinrequests\.php" chain SecFilter "do=processjoinrequests&usergroupid=.*&request.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/admincp/user\.php" chain SecFilter "do=find&orderby=username&limit.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/admincp/(usertitle|usertools)\.php" chain SecFilter "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/modcp/announcement\.php" chain SecFilter "do=update&announcementid=.*&start=.*&end=.*&announcement.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/admincp/admincalendar\.php" chain SecFilter "do=update&calendarid=.*&calendar\[.*\]=.*&calendar.*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/admincp/email\.php" chain SecFilter "do=makelist&user\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/admincp/help\.php" chain SecFilter "do=doedit&help\[.*\]=.*&help\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "admincp/language\.php" chain SecFilter "do=update&rvt\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/admincp/phrase\.php" chain SecFilter "do=completeorphans&keep\[.*\].*(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)" SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;" SecFilterSelective REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui" SecFilterSelective REQUEST_URI "/forumdisplay\.php\?" chain SecFilter "\.system\(.+\)\." SecFilterSelective REQUEST_URI "/forumdisplay\.php\?*comma=" SecFilterSelective REQUEST_URI "/ad_member\.php" chain SecFilter "emailer\.php" SecFilterSelective REQUEST_URI "/ipchat\.php*root_path*conf_global\.php" SecFilterSelective REQUEST_URI "/ipchat\.php" chain SecFilter "conf_global\.php" SecFilterSelective REQUEST_URI "/forums/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)" SecFilterSelective REQUEST_URI "/jportal/banner\.php*(UNION|SELECT|DELETE|INSERT)" SecFilterSelective REQUEST_URI "/index\.php" chain SecFilterSelective ARG_comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/index.php" chain SecFilterSelective ARG_mid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective THE_REQUEST "/index\.php\?act=Login&CODE=autologin.*((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)" SecFilterSelective REQUEST_URI "index\.php" chain SecFilterSelective ARG_st "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)" SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)" SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;" SecFilterSelective SCRIPT_FILENAME "export\.php$" chain SecFilterSelective ARG_what "\.\." SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc" SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*<=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/product_info\.php" chain SecFilterSelective ARG_products_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" SecFilterSelective REQUEST_URI "/relocate_server\.php" SecFilterSelective REQUEST_URI "/theme\.php\?THEME_DIR=(http|https|ftp)/:/" SecFilterSelective REQUEST_URI "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)" SecFilterSelective THE_REQUEST "awstats" chain SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)" SecFilterSelective REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()" SecFilterSelective REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)" SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|" SecFilterSelective REQUEST_URI "/awstats\.pl\?configdir=" SecFilterSelective REQUEST_URI "awstats\.pl\?" chain SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)" SecFilterSelective THE_REQUEST "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$" SecFilterSelective REQUEST_URI "/attachments\.php\?file=\.\./\.\." SecFilterSelective REQUEST_URI "/include/main\.php\?config.*=.*&include_dir=(http|https|ftp)\:/" SecFilterSelective REQUEST_URI "/admin\.php\?a=view&id=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]]+(from|into|table|database|index|view|select)" SecFilterSelective REQUEST_URI "/view\.php\?s=.*&query=*&cat=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)" SecFilterSelective THE_REQUEST "/view\.php" chain SecFilterSelective ARG_t ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/index\.php.*func=*(\.\./|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view|select)" SecFilterSelective REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php" SecFilterSelective REQUEST_URI "/samples/news\.php\?DIR=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/order/orderwiz\.php\?v=.*&aid=.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)" SecFilterSelective REQUEST_URI "/wp-trackback\.php\?tb_id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/wp-trackback\.php" chain SecFilterSelective ARG_tb_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/index\.php\?cat=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)" SecFilterSelective REQUEST_URI "/wordpress/" chain SecFilterSelective ARG_cat "!^[0-9]*$" SecFilterSelective ARG_cache_lastpostdate "<\?php" SecFilterSelective REQUEST_URI "/index\.php" chain SecFilterSelective ARG_poll|ARG_category|ARG_ctg "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)" SecFilterSelective REQUEST_URI "/index\.php\?&PHPSESSID=\'" SecFilterSelective REQUEST_URI "/tellafriend\.php\?&product=\'" SecFilterSelective REQUEST_URI "/view_cart\.php\?add=\'" SecFilterSelective REQUEST_URI "/view_product\.php\?product=\'" SecFilterSelective REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-activation\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-cleantables\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-autotargeting\.php" SecFilterSelective REQUEST_URI "/maintenance/maintenance-reports\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php" SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/click\.php" SecFilterSelective REQUEST_URI "/adframe\.php\?refresh=securityreason\.com\'\>" SecFilterSelective REQUEST_URI "/logout\.php" chain SecFilterSelective ARG_sessiodID "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)" SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain SecFilterSelective POST_PAYLOAD "blogger\.getUsersBlogs" chain SecFilter ".*\' AND ascii\(substring\(pass" SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>" #Slightly stronger version of the above SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>" SecFilterSelective REQUEST_URI "exit\.php\?entry_id=.*&url_id=.*\x20UNION\x20SELECT\x20(password|username)\x20FROM" SecFilterSelective REQUEST_URI "/config\.php\?path\[docroot\]=((\.\./|(http|https|ftp)\:/)|.*(\.\./|(http|https|ftp)\:/))" SecFilterSelective THE_REQUEST "/index\.php\?homeinclude=catalog&category_id=&parent_id=.*" chain SecFilter "<[[:space:]]*(href|script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome|a)[[:space:]]*>" SecFilterSelective REQUEST_URI "/index\.php" chain SecFilterSelective ARG_campaign_id "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)" # SON