Current File: //etc/apache2/conf.d/modsec2/lw_virtual_patches.conf
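## generic recursion signatures
# This signature protects several vulnerabilities in various outdated wordpress plugins.
# It's not advisable to disable it globally.
# NOTE(review): the chain carries no disruptive action of its own, so what happens on a
# match is whatever SecDefaultAction sets for this phase; the msg says "denied" only if
# that default is deny. 'severity' is given twice (2, then WARNING); the engine keeps one
# of them -- drop the stale one once the intended level is confirmed.
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
    SecRule REQUEST_URI "/\.\./" "t:urldecode"

# xmlrpc with both no UA and no referrer. Also bogus. This can be whitelisted but it will remove some DoS protections.
# It's better to have the customer POST to xmlrpc with a referrer or user agent.
# Even dummy characters in one of those HTTP headers will get them past this rule.
# Both headers are tested by count (&VAR @eq 0), i.e. absence of the header, not its value.
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000228,chain,msg:'xmlrpc DoS or brute force attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
    SecRule &HTTP_REFERER "@eq 0" "chain"
    SecRule &HTTP_User-Agent "@eq 0"

# flashchat vulnerability
# NOTE(review): REQUEST_URI is matched without t:urldecode here, unlike the recursion
# rule above; confirm that is intentional.
SecRule REQUEST_URI "\.php\?dir\[inc\]=http\:/" "id:5000204,msg:'flashchat vuln. patch',tag:'lw_custom',severity:WARNING"

# Joomla rules
# FIX: a comma was missing between msg:'...' and tag:'joomla'. As far as I can tell the
# modsec2 action parser rejects a quoted value that is not followed by a comma
# ("Unexpected character at position ..."), so the rule could not be loaded as written.
SecRule REQUEST_URI "controller=" "chain,id:5000205,msg:'Joomla plugin exploit attempt',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_URI "(/tmp|/proc|/dev)"

# Eval code in HTTP user agent or referring URL
# NOTE(review): HTTP_* header variables are used here while REQUEST_HEADERS:Referer is used
# further down in this file; confirm this modsec2 build accepts both spellings.
SecRule HTTP_REFERER "eval\(base64.*" "id:5000206,t:lowercase,msg:'eval(base64 code in HTTP Referer',tag:'lw_custom',severity:CRITICAL"
SecRule HTTP_User-Agent "eval\(base64.*" "id:5000207,t:lowercase,msg:'eval(base64 code in user agent field',tag:'lw_custom',severity:CRITICAL"

# Timthumb!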
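# Timthumb: a thumbnailer request whose src= host only contains the name of an image-sharing
# site (the real host is whatever follows) and which ends in a .txt/.php file.
SecRule REQUEST_URI "/(timthumb|thumb|_tbs)\.php\?src=.*(flickr|staticflickr|picasa|img\.youtube|upload\.wikimedia|photobucket|imgur|imageshack|tinypic)\.(com|org|us)\..*\.(com|ca|com\.au|org|net|jp|gov|info|us|co\.uk)/.*\.(txt|php|php3|php4|php5)" "id:5000200,t:lowercase,msg:'Timthumb Exlpoit Attempt Detected',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"

# Symlinks
SecRule REQUEST_URI "/sym/(root|.*txt)" "id:5000201,msg:'Symlink Exlpoit Attempt Detected',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_URI "/sym/.*/home/" "id:5000202,msg:'Symlink Exlpoit Attempt Detected',tag:'lw_custom',severity:CRITICAL"

# zencart
SecRule REQUEST_URI "/admin/record_company.php/password_forgotten.php\?action=insert.*" "id:5000203,msg:'Zencart Exlpoit Attempt Detected',tag:'lw_custom',severity:CRITICAL"

# WP login handling. The two 'pass' rules use positional skips: 5100214 skips the two
# rules after it (5200214 and the 5000214 chain), 5200214 skips the 5000214 chain.
# Keep these three together and in this order, or the skips land on the wrong rules.
# Fix duo sec WP logins
SecRule REQUEST_BODY "duo_wordpress|sig_response" "t:lowercase,id:5100214,pass,phase:2,skip:2"
# Fix onelogin.com WP logins
SecRule REQUEST_HEADERS:Referer "onelogin.com" "t:lowercase,id:5200214,pass,phase:2,skip:1"
# Reject WP logins when wp-submit and action are both null.
# FIX: a comma was missing between msg:'...' and tag:'critical_wordpress_protection';
# as far as I can tell the modsec2 action parser rejects that, so the rule did not load.
SecRule REQUEST_FILENAME "wp-login\.php" "phase:2,deny,log,status:402,t:lowercase,chain,id:5000214,msg:'wordpress login missing action and or wp-submit arguments.',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
    SecRule REQUEST_METHOD "^post$" chain,t:lowercase
    SecRule &ARGS:wp-submit "@eq 0" chain,t:urlDecodeUni,t:lowercase
    SecRule &ARGS:action "@eq 0" t:urlDecodeUni,t:lowercase

# Block WP logins with no referring URL
<Locationmatch "/wp-login.php">
    SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
        SecRule &HTTP_REFERER "@eq 0"
</Locationmatch>

# The persistent ip collection is compiled out when ruid2 or mpm-itk is loaded
# (presumably because per-user worker processes cannot share the collection store -- confirm).
<IfModule !ruid2_module>
<IfModule !mpm_itk_module>
# Put DBM rules here (ones that use initcol/collections and setvar/counter functions).
# Wordpress Brute Force detection
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
    # Setup brute force detection.
    # React if block flag has been set.
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    # FIX: in modsec2 a non-disruptive action (setvar, deprecatevar) runs as soon as the rule
    # that carries it matches, not only when the whole chain matches. With the counter bump on
    # the RESPONSE_STATUS starter, every 200 served for wp-login.php -- including plain GETs of
    # the form -- was counted as a failed login. The POST check is now the starter and the
    # counter is bumped by the rule after it, so only failed POSTs are counted.
    SecRule REQUEST_METHOD "POST" "phase:5,chain,t:none,nolog,pass,id:5000137"
        SecRule RESPONSE_STATUS "^200" "chain,t:none,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</Locationmatch>
</IfModule>
</IfModule>
# End DBM rules

# Block WP theme edits with no referring URL
<Locationmatch "/theme-editor.php">
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000140,chain,msg:'No UA, No referer',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
        SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>
<Locationmatch "/plugin-editor.php">
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:5000141,chain,msg:'No UA, No referer',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
        SecRule &HTTP_User-Agent "@eq 0"
</Locationmatch>

# Joomla malicious code execution. Dvmessages should not have a c_id parameter.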
<Locationmatch "/dvmessages.php">
    SecRule QUERY_STRING "c_id" "deny,status:500,id:5000217,msg:'dvmessages code exec',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
</Locationmatch>

# Joomla com_jce exploit (user agent)
SecRule HTTP_User-Agent "BOT for JCE" "deny,status:500,id:5000218,msg:'Joomla com_jce code exec',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
# Joomla com_jce exploit (PHP file requested under the images/stories upload directory)
SecRule REQUEST_URI "/images/stories/.+\.php" "deny,status:500,id:5000219,msg:'Joomla com_jce code exec',tag:'joomla',tag:'lw_custom',severity:WARNING"

# http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html
SecRule REQUEST_URI "/images_(comingsoon|lncthumbs|optbuttons)/.+\.php" "deny,status:500,id:5000220,msg:'optimizepress vuln',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"

# Fix for Joomla com_jnews, http://www.securityfocus.com/bid/37314/exploit
# NOTE(review): no disruptive action of its own; the outcome follows SecDefaultAction.
SecRule REQUEST_URI "ofc_upload_image.php" "id:5000221,chain,msg:'Joomla com_jnews exploit attempt detected',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
    SecRule QUERY_STRING "name=.*\.php" "t:lowercase"

# Deny POST to / with no referrer, safe for cust use. OK to whitelist if needed, but whitelisting this will remove certain DoS protections.
# Revised to allow PayPal IPN user agent.
# NOTE(review): the last link is a negated match over the User-Agent value(s). When the
# header is absent there is no value to test, so that link does not match and the chain
# does not complete; a POST to / with neither Referer nor User-Agent is therefore not
# denied by this rule. If that case should be covered, test presence with
# &HTTP_User-Agent "@eq 0" as rule 5000223 below does -- confirm intent.
SecRule REQUEST_URI "^\/$" "deny,status:401,id:5000222,chain,msg:'POST request with no file path was blocked due to no HTTP referer',tag:'lw_custom',severity:WARNING"
    SecRule REQUEST_METHOD "POST" "chain"
    SecRule &HTTP_REFERER "@eq 0" "chain"
    SecRule HTTP_User-Agent "!paypal ipn" "t:lowercase"

# Block Joomla scans that are looking for sites to target; frequently they lack both UA and Referer fields
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,chain,msg:'Joomla admin access blocked due to No UA and No referer',tag:'joomla',tag:'lw_custom',severity:WARNING"
    SecRule &HTTP_REFERER "@eq 0" "chain"
    SecRule &HTTP_User-Agent "@eq 0"

# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,chain,msg:'Joomla login request blocked, no referer',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_METHOD "POST" "chain"
    SecRule &HTTP_REFERER "@eq 0"

# Fake Joomla Plugin, stop scans / DoS attacks
SecRule REQUEST_URI "mod_araticlhess" "deny,id:5000225,t:lowercase,msg:'Access to fake plugin, if this plugin actually exists the site is hacked.',tag:'joomla',tag:'lw_custom',severity:CRITICAL"

# JOOMLA Virtual patch for:
# trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/
SecRule QUERY_STRING "com_contenthistory" "t:lowercase,t:urldecode,deny,status:406,id:5001225,chain,msg:'Joomla SQL injection attempt',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
    SecRule QUERY_STRING "(select.+from|list.select)" "t:lowercase,t:urldecode"
# Additional Joomla patch based on https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
# Same test as 5001225 applied to the request body (body is not url-decoded here, unlike the query string above).
SecRule REQUEST_BODY "com_contenthistory" "chain,t:lowercase,deny,status:406,id:5001226,msg:'Joomla SQL injection attempt',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_BODY "(select.+from|list.select)" "t:lowercase"

# CGI-BIN PHP code exec scans
SecRule QUERY_STRING "safe_mode=off" "deny,id:5000226,t:urldecode,msg:'blocked generic PHP code exec scans',tag:'lw_custom',severity:WARNING"

# Bogus UA for xmlrpc
# NOTE(review): overlaps with 5000228 (xmlrpc with no UA and no Referer); both deny with 411.
SecRule REQUEST_URI "xmlrpc.php" "deny,status:411,id:5000227,chain,msg:'xmlrpc DoS attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
    SecRule HTTP_User-Agent "WinHttp.WinHttpRequest.5"

# Fix for wysija newsletters (Mail Poet).
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
SecRule REQUEST_URI "wp-admin/admin-post\.php\?page=wysija_campaigns&action=themes" "deny,id:5000229,msg:'mailpoet WP exploit attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"

# Stop-gap Fix for custom-contact-forms hacks
# Please inform akwiecinski immediately and verbosely if there are any false positives with this rule.
SecRule REQUEST_URI "custom-contact-forms/import/.*\.sql\.php" "deny,t:lowercase,t:normalisePath,id:5000230,msg:'WP custom contact forms exploit attempt blocked',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"

# Fix for revslider http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
SecRule QUERY_STRING "revslider_show_image.*&img=.*(\.php|\.my.cnf|\.bash|wp-config)" "deny,t:lowercase,id:5000231,msg:'revslider WP plugin hack attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
# File names seen dropped by the revslider campaign (msg reused from 5000231).
SecRule REQUEST_URI "noid-mailpolet\.php" "deny,id:5001000,msg:'revslider WP plugin hack attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
SecRule REQUEST_URI "resvlide.php" "deny,id:5001001,msg:'revslider WP plugin hack attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"

# RevSlider rules for new shell upload vuln. This will still allow the initial malware uploads into
# wp-content/plugins/revslider/temp/update_extract/revslider/ but will deny access to the malicious files
# this should stop actual compromise of the site, rendering the uploaded malware useless to code inject the site
# Please inform secteam if this stops any legitimate updates, as it should not inhibit them.
SecRule REQUEST_URI "/temp/update_extract/revslider/.+\.php" "deny,t:lowercase,id:5000232,msg:'RevSlider shell upload attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_URI "/revslider/temp/update_extract/.+\.php" "deny,t:lowercase,id:5001232,msg:'RevSlider shell upload attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"

# Fix for Gravity Forms shell upload.
SecRule REQUEST_URI "wp-content" "chain,deny,id:5001002,msg:'gravity forms shell upload attempt',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
    SecRule REQUEST_URI "_input_.*p(hp|html)" "t:lowercase"

# Fix for https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html
SecRule REQUEST_URI "genericons/example.html" "deny,id:5001003,msg:'jetpack XSS fix',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
# Fix for https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
SecRule ARGS:action "grunion-contact-form" "t:urldecode,t:lowercase,id:5001004,deny,status:411,chain,msg:'jetpack XSS fix',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
    SecRule ARGS "\/\*\*\/|\&\#" "t:urldecode"

# Fixes for script kiddy Drupal injections
# Please inform secteam of any false positives.
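# Drupal: login path or q=node query combined with the SQL fragment in the body.
SecRule REQUEST_URI "/user/login/" "deny,t:lowercase,id:5000233,chain,msg:'drupal exploit attempt',tag:'drupal',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"
SecRule QUERY_STRING "q=node" "deny,t:lowercase,t:urldecode,id:5000234,chain,msg:'drupal exploit attempt',tag:'drupal',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_BODY "name.0.update users set name" "t:urldecode"

# Block malicious CN user agent
SecRule HTTP_User-Agent "Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; zh-CN; rv:1\.7\.6\)" "deny,id:5000235,msg:'malicious user-agent',tag:'lw_custom',severity:WARNING"

# Block HEAD requests from Typhoeus
# NOTE(review): no disruptive action of its own; the outcome follows SecDefaultAction.
SecRule REQUEST_METHOD "HEAD" "id:5000236,chain,msg:'Blocking bad Typhoeus UA',tag:'lw_custom',severity:CRITICAL"
    SecRule HTTP_User-Agent "Typhoeus"

# Ongoing fixes for bash issue, CVE-2014-6271. Please inform akwiecinski of any suspected false positives.
# Request Header values:
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:5000300,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack',tag:'shellshock_bash_vuln',tag:'lw_custom',severity:WARNING"
# SERVER_PROTOCOL values:
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:5000301,status:400,log,msg:'CVE-2014-6271 - Bash Attack',tag:'shellshock_bash_vuln',tag:'lw_custom',severity:WARNING"
# GET/POST values:
SecRule ARGS "^\(\) {" "phase:2,deny,id:5000303,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack',tag:'shellshock_bash_vuln',tag:'lw_custom',severity:WARNING"

# Botnet posing as Googlebot Nov 18 2015
SecRule QUERY_STRING "cookie=1" "deny,t:lowercase,id:5000305,chain,msg:'base64 encoded eval statement from fake googlebot',tag:'lw_custom',severity:CRITICAL"
    SecRule HTTP_User-Agent "googlebot" "t:lowercase,chain"
    SecRule ARGS "eval\(" "t:none,t:base64Decode"

# Joomla 0day Dec 14 https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html
# NOTE(review): 5000306/5000307 carry no disruptive action; the outcome follows SecDefaultAction.
SecRule HTTP_User-Agent "jdatabasedrivermysql" "t:lowercase,t:urldecode,id:5000306,msg:'Joomla RCE patch',tag:'joomla',tag:'lw_custom',severity:CRITICAL"
SecRule HTTP_User-Agent "{s:" "t:urldecode,id:5000307,msg:'Joomla RCE patch',tag:'joomla',tag:'lw_custom',severity:CRITICAL"

# New LFI WP protection
SecRule REQUEST_BODY "mysite_download_skin" "t:lowercase,id:5000308,chain,msg:'WP LFI protection',tag:'critical_wordpress_protection',tag:'lw_custom',severity:WARNING"
    SecRule REQUEST_BODY "wp-config\.php"

# Protections for JOOMLA CVE-2016-8870 and CVE-2016-8869
SecRule ARGS:name "\.pht$" "deny,id:5000309,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.',tag:'joomla',tag:'lw_custom',severity:WARNING"
SecRule ARGS:filename "\.pht$" "deny,id:5000310,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.',tag:'joomla',tag:'lw_custom',severity:WARNING"
SecRule FILES "\.pht$" "deny,id:5000311,t:urldecode,t:lowercase,msg:'.pht file disallowed by security policy due to joomla vulnerabilites.',tag:'joomla',tag:'lw_custom',severity:WARNING"

# Protections for wp-mobile-detector
# See https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
SecRule REQUEST_URI "wp-mobile-detector/cache/.+\.php" "deny,id:5000312,t:lowercase,msg:'wp-mobile-detector vulnerability',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
SecRule REQUEST_URI "wp-mobile-detector/resize.php" "deny,chain,id:5000313,msg:'wp-mobile-detector vulnerability',tag:'critical_wordpress_protection',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_BODY "src=.+\.php" "t:urldecode,t:lowercase"

# Protections for 'realstatistics' hack
# See https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromising-joomla-sites.html
SecRule QUERY_STRING "option=com_tags" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000314,tag:'joomla',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_BODY "(JDatabaseDriverMysql|base64_decode)"
SecRule REQUEST_URI "/modules/cache\.uniq.+\.php" "deny,chain,msg:'Joomla realstatistics hack attempt',id:5000315,tag:'joomla',tag:'lw_custom',severity:CRITICAL"
    SecRule REQUEST_METHOD "POST"

# Detection for https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html
SecRule REQUEST_URI "wp-content/uploads/ultimatemember/temp/.+\.php" "deny,id:5000316,msg:'ultimatemember plugin attack',t:lowercase"

# Mitigate vBulletin 5.x command injection. See:
# SOS-1344
# https://seclists.org/fulldisclosure/2019/Sep/31
# https://securityaffairs.co/wordpress/91689/hacking/unpatched-critical-0-day-vbulletin.html
# NOTE(review): 4044036 matches the argument name case-sensitively; 5000323 below is the
# lower-cased variant of the same check.
SecRule ARGS:routestring "ajax/render/widget_php" "phase:2,id:4044036,t:none,auditlog,deny,chain"
    SecRule ARGS_NAMES "widgetConfig\[code\]"
# Low risk of false positive
SecRule REQUEST_URI "/ajax/render/widget_tabbedcontainer_tab_panel" "t:lowercase,chain,deny,id:5000320"
    SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|file_get_contents|file_put_contents)" "t:lowercase"
# Some possibility of false positive; whitelist if needed.
# FIX: the target regex was written as /subwidgets[\d+][template]/, where [\d+] and
# [template] are character classes, so it could never match an argument actually named
# subwidgets[N][template] and the chain was dead. The brackets are now escaped, in line
# with the ARGS_NAMES pattern on the last link of this chain.
SecRule REQUEST_URI "/ajax/render/widget_tabbedcontainer_tab_panel" "t:lowercase,chain,deny,id:5000321"
    SecRule ARGS:/subwidgets\[\d+\]\[template\]/ "widget_php" "t:lowercase,chain"
    SecRule ARGS_NAMES "subwidgets\[\d+]\[config\]\[code\]" "t:lowercase"
# POC 2 - low risk of false positive https://packetstormsecurity.com/files/154648/vBulletin-5.x-Pre-Auth-Remote-Code-Execution.html
SecRule QUERY_STRING "routestring=ajax/render/widget_php" "t:lowercase,chain,deny,id:5000322"
    SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo|file_get_contents|file_put_contents)" "t:lowercase"
# Some possibility of false positive; whitelist if needed.
SecRule QUERY_STRING "routestring=ajax/render/widget_php" "t:lowercase,chain,deny,id:5000323"
    SecRule ARGS_NAMES "widgetconfig\[code\]" "t:lowercase"

# Mitigate CVE-2020-12720 via stricter SQLi threshold
# NOTE(review): despite the heading this is an outright deny of any request to the
# getIndexableContent endpoint that carries a nodeId[nodeid] argument, not a threshold change.
SecRule REQUEST_URI "ajax/api/content_infraction/getIndexableContent" "phase:2,id:'4044043',auditlog,t:none,t:urlDecode,deny,chain"
    SecRule ARGS_NAMES "nodeId\[nodeid\]"

# Block probable backdoor attempts in vBulletin backend
SecRule REQUEST_URI "ajax/api/widget/saveAdminConfig" "phase:2,id:'4044044',t:none,auditlog,deny,chain"
    SecRule ARGS:data[code] "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)"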