# gotroot.com mod_security signatures and rules # http://www.gotroot.com/mod_security+rules # Windows only rules # # Download from: http://www.gotroot.com/downloads/ftp/mod_security/windows-rules.conf # # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # modsecurity is a trademark of Thinking Stone, Ltd. # # Version: N-20061009-01 # # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. 
# --- Windows/IIS probe signatures, part 1 ---
# Conventions used by the rules in this file (ModSecurity 1.x directives):
#   * a rule with no action list is handled by the default action; this file
#     does not set one, so it depends on SecFilterDefaultAction elsewhere
#     (TODO confirm what the deployment uses);
#   * "log,pass" records the match and lets the request continue;
#   * "chain" makes a rule fire only when the rule on the next line also matches.

# MSAccess
SecFilterSelective ARGS "MSys(ACEs|Objects|Queries|Relationships)"
# WEB-IIS repost.asp access
SecFilterSelective THE_REQUEST "/scripts/repost\.asp" log,pass
# WEB-IIS .htr chunked Transfer-Encoding
# NOTE(review): the chained SecFilter has no location, so it is presumably
# matched against the request line / POST payload rather than the
# Transfer-Encoding header; confirm, and consider targeting the header
# with SecFilterSelective HTTP_Transfer-Encoding instead.
SecFilterSelective THE_REQUEST "\.htr" chain
SecFilter "chunked"
# WEB-IIS .asp chunked Transfer-Encoding
# NOTE(review): same header-versus-request-line question as the .htr rule above.
SecFilterSelective THE_REQUEST "\.asp" chain
SecFilter "chunked"
# WEB-IIS /StoreCSVS/InstantOrder.asmx request
SecFilterSelective REQUEST_URI "/StoreCSVS/InstantOrder\.asmx" log,pass
# WEB-IIS users.xml access
SecFilterSelective REQUEST_URI "/users\.xml" log,pass
# WEB-IIS as_web.exe access
SecFilterSelective REQUEST_URI "/as_web\.exe" log,pass
# WEB-IIS as_web4.exe access
SecFilterSelective REQUEST_URI "/as_web4\.exe" log,pass
# WEB-IIS NewsPro administration authentication attempt
SecFilter "logged,true" log,pass
# WEB-IIS pbserver access
SecFilterSelective REQUEST_URI "/pbserver/pbserver\.dll" log,pass
# WEB-IIS trace.axd access
SecFilterSelective REQUEST_URI "/trace\.axd" log,pass
# WEB-IIS /isapi/tstisapi.dll access
SecFilterSelective REQUEST_URI "/isapi/tstisapi\.dll" log,pass
# WEB-IIS mkilog.exe access
SecFilterSelective REQUEST_URI "/mkilog\.exe" log,pass
# WEB-IIS ctss.idc access
SecFilterSelective REQUEST_URI "/ctss\.idc" log,pass
# WEB-IIS /iisadmpwd/aexp2.htr access
SecFilterSelective REQUEST_URI "/iisadmpwd/aexp2\.htr" log,pass
# WEB-IIS WebDAV file lock attempt (disabled)
#SecFilter "LOCK " log,pass
# WEB-IIS ISAPI .printer access
SecFilterSelective REQUEST_URI "\.printer" log,pass
# WEB-IIS ISAPI .ida attempt
# The "attempt" rule (extension followed by a query string) takes the default
# action; the broader "access" rule after it only logs.
SecFilterSelective REQUEST_URI "\.ida\?"
# WEB-IIS ISAPI .ida access
SecFilterSelective REQUEST_URI "\.ida" log,pass
# WEB-IIS ISAPI .idq attempt
SecFilterSelective REQUEST_URI "\.idq\?"
# --- Windows/IIS probe signatures, part 2 ---
# Rules without an action list take the default action (set outside this
# file); "log,pass" only logs; "chain" requires the next rule to match too.

# WEB-IIS ISAPI .idq access
SecFilterSelective REQUEST_URI "\.idq" log,pass
# WEB-IIS %2E-asp access
# Some people don't want asp on their servers, some do, adjust accordingly for your system
#SecFilterSelective REQUEST_URI "\x2easp" log,pass
# WEB-IIS *.idc attempt
# NOTE(review): "/*" means "zero or more slashes", so this matches any URI
# containing ".idc", including the log-only ctss.idc case.
SecFilterSelective REQUEST_URI "/*\.idc"
# WEB-IIS .bat? access
SecFilterSelective REQUEST_URI "\.bat\?" log,pass
# WEB-IIS .cnf access
SecFilterSelective REQUEST_URI "\.cnf" log,pass
# WEB-IIS ASP contents view
SecFilter "&CiHiliteType=Full"
# WEB-IIS ASP contents view
SecFilterSelective REQUEST_URI "\.htw\?CiWebHitsFile"
# WEB-IIS CGImail.exe access
SecFilterSelective REQUEST_URI "/scripts/CGImail\.exe" log,pass
# WEB-IIS MSProxy access
SecFilterSelective REQUEST_URI "/scripts/proxy/w3proxy\.dll" log,pass
# WEB-IIS +.htr code fragment attempt
SecFilterSelective REQUEST_URI "\+\.htr"
# WEB-IIS .htr access
SecFilterSelective REQUEST_URI "\.htr" log,pass
# WEB-IIS SAM Attempt
SecFilter "sam\._"
# WEB-IIS achg.htr access
SecFilterSelective REQUEST_URI "/iisadmpwd/achg\.htr" log,pass
# WEB-IIS /scripts/iisadmin/default.htm access
SecFilterSelective REQUEST_URI "/scripts/iisadmin/default\.htm"
# WEB-IIS ism.dll access
SecFilterSelective REQUEST_URI "/scripts/iisadmin/ism\.dll\?http/dir"
# WEB-IIS anot.htr access
SecFilterSelective REQUEST_URI "/iisadmpwd/anot" log,pass
# WEB-IIS asp-dot attempt
SecFilterSelective REQUEST_URI "\.asp\."
# WEB-IIS bdir.htr access
SecFilterSelective REQUEST_URI "/bdir\.htr" log,pass
# WEB-IIS cmd32.exe access
SecFilterSelective REQUEST_URI "/cmd32\.exe"
# WEB-IIS cmd.exe access
SecFilterSelective REQUEST_URI "/cmd\.exe"
# WEB-IIS cmd? access
SecFilter "\.cmd\?&"
# WEB-IIS cross-site scripting attempt
SecFilterSelective REQUEST_URI "/Form_JScript\.asp"
# WEB-IIS cross-site scripting attempt
SecFilterSelective REQUEST_URI "/Form_VBScript\.asp"
# WEB-IIS directory listing
SecFilterSelective REQUEST_URI "/ServerVariables_Jscript\.asp"
# WEB-IIS encoding access
SecFilter "%1u" log,pass
# WEB-IIS fpcount attempt
SecFilterSelective THE_REQUEST "/fpcount\.exe" chain
SecFilter "Digits="
# WEB-IIS fpcount access
SecFilterSelective THE_REQUEST "/fpcount\.exe" log,pass
# WEB-IIS getdrvs.exe access
SecFilterSelective REQUEST_URI "/scripts/tools/getdrvs\.exe" log,pass
# WEB-IIS global.asa access
SecFilterSelective REQUEST_URI "/global\.asa" log,pass
# WEB-IIS iisadmpwd attempt
SecFilterSelective REQUEST_URI "/iisadmpwd/aexp"
# WEB-IIS index server file source code attempt
SecFilterSelective THE_REQUEST "\?CiWebHitsFile=/" chain
SecFilter "&CiRestriction=none&CiHiliteType=Full"
# WEB-IIS ism.dll attempt
# NOTE(review): the leading space is part of the pattern (also in the " \.pl"
# and "/scripts/ " rules below); verify against the upstream file that a run
# of spaces was not collapsed when this page was extracted.
SecFilterSelective THE_REQUEST " \.htr"
# WEB-IIS jet vba access
SecFilterSelective THE_REQUEST "/advworks/equipment/catalog_type\.asp" log,pass
# WEB-IIS msadcs.dll access
SecFilterSelective THE_REQUEST "/msadcs\.dll" log,pass
# WEB-IIS newdsn.exe access
SecFilterSelective THE_REQUEST "/scripts/tools/newdsn\.exe" log,pass
# WEB-IIS perl access
SecFilterSelective THE_REQUEST "/scripts/perl" log,pass
# WEB-IIS perl-browse space attempt
SecFilterSelective THE_REQUEST " \.pl"
# WEB-IIS scripts-browse access
SecFilterSelective THE_REQUEST "/scripts/ "
# WEB-IIS search97.vts access
SecFilterSelective THE_REQUEST "/search97\.vts" log,pass
# WEB-IIS showcode.asp access
SecFilterSelective THE_REQUEST "/showcode\.asp" log,pass
# WEB-IIS site server config access
SecFilterSelective THE_REQUEST "/adsamples/config/site\.csc" log,pass
# WEB-IIS srch.htm access
SecFilterSelective THE_REQUEST "/samples/isapi/srch\.htm" log,pass
# WEB-IIS srchadm access
SecFilterSelective THE_REQUEST "/srchadm" log,pass
# WEB-IIS uploadn.asp access
SecFilterSelective THE_REQUEST "/scripts/uploadn\.asp" log,pass
# WEB-IIS viewcode.asp access
SecFilterSelective THE_REQUEST "/viewcode\.asp" log,pass
# WEB-IIS webhits access
SecFilterSelective THE_REQUEST "\.htw" log,pass
# WEB-IIS doctodep.btr access
SecFilterSelective THE_REQUEST "doctodep\.btr" log,pass
# WEB-IIS site/iisamples access
SecFilterSelective THE_REQUEST "/site/iisamples" log,pass
# WEB-IIS CodeRed v2 root.exe access
SecFilterSelective THE_REQUEST "/root\.exe"
# WEB-IIS outlook web dos
SecFilterSelective THE_REQUEST "/exchange/LogonFrm\.asp\?" chain
SecFilter "%%%"
# WEB-IIS /scripts/samples/ access
SecFilterSelective THE_REQUEST "/scripts/samples/"
# WEB-IIS /msadc/samples/ access
SecFilterSelective THE_REQUEST "/msadc/samples/"
# WEB-IIS iissamples access
SecFilterSelective THE_REQUEST "/iissamples/"
# WEB-IIS iisadmin access
SecFilterSelective THE_REQUEST "/iisadmin"
# WEB-IIS msdac access
SecFilterSelective THE_REQUEST "/msdac/" log,pass
# WEB-IIS _mem_bin access
SecFilterSelective THE_REQUEST "/_mem_bin/" log,pass
# WEB-IIS htimage.exe access
SecFilterSelective THE_REQUEST "/htimage\.exe" log,pass
# WEB-IIS MS Site Server default login attempt
SecFilterSelective THE_REQUEST "/SiteServer/Admin/knowledge/persmbr/"
# WEB-IIS MS Site Server admin attempt
SecFilterSelective THE_REQUEST "/Site Server/Admin/knowledge/persmbr/"
# WEB-IIS postinfo.asp access
SecFilterSelective THE_REQUEST "/scripts/postinfo\.asp" log,pass
# WEB-IIS /exchange/root.asp attempt
SecFilterSelective THE_REQUEST "/exchange/root\.asp\?acs=anon"
# WEB-IIS /exchange/root.asp access
SecFilterSelective THE_REQUEST "/exchange/root\.asp" log,pass
# WEB-IIS Battleaxe Forum login.asp access
SecFilterSelective THE_REQUEST "myaccount/login\.asp" log,pass
# WEB-IIS nsiislog.dll access
SecFilterSelective THE_REQUEST "/nsiislog\.dll" log,pass
# WEB-IIS IISProtect siteadmin.asp access
SecFilterSelective THE_REQUEST "/iisprotect/admin/SiteAdmin\.asp" log,pass
# WEB-IIS IISProtect globaladmin.asp access
SecFilterSelective THE_REQUEST "/iisprotect/admin/GlobalAdmin\.asp" log,pass
# WEB-IIS IISProtect access
SecFilterSelective THE_REQUEST "/iisprotect/admin/" log,pass
# WEB-IIS Synchrologic Email Accelerator userid list access attempt
SecFilterSelective THE_REQUEST "/en/admin/aggregate\.asp" log,pass
# WEB-IIS MS BizTalk server access
SecFilterSelective THE_REQUEST "/biztalkhttpreceive\.dll" log,pass
# WEB-IIS register.asp access
SecFilterSelective THE_REQUEST "/register\.asp" log,pass
# WEB-IIS UploadScript11.asp access
SecFilterSelective THE_REQUEST "/UploadScript11\.asp" log,pass
# WEB-IIS DirectoryListing.asp access
SecFilterSelective THE_REQUEST "/DirectoryListing\.asp" log,pass
# WEB-IIS /pcadmin/login.asp access
SecFilterSelective THE_REQUEST "/pcadmin/login\.asp" log,pass
# WEB-IIS foxweb.exe access
SecFilterSelective THE_REQUEST "/foxweb\.exe" log,pass
# WEB-IIS foxweb.dll access
SecFilterSelective THE_REQUEST "/foxweb\.dll" log,pass
# WEB-IIS VP-ASP shopsearch.asp access
SecFilterSelective THE_REQUEST "/shopsearch\.asp" log,pass
# WEB-IIS VP-ASP ShopDisplayProducts.asp access
SecFilterSelective THE_REQUEST "/ShopDisplayProducts\.asp" log,pass
# WEB-IIS sgdynamo.exe access
SecFilterSelective THE_REQUEST "/sgdynamo\.exe" log,pass
# WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access
SecFilterSelective THE_REQUEST "/frmGetAttachment\.aspx" log,pass
# WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt
# NOTE(review): the chain has no length test, so every login.aspx request that
# carries "txtusername=" gets the default action; on a site with its own
# login.aspx this is a likely false-positive source - confirm before enforcing.
SecFilterSelective THE_REQUEST "/login\.aspx" chain
SecFilter "txtusername="
# WEB-IIS SmarterTools SmarterMail frmCompose.aspx access
SecFilterSelective THE_REQUEST "/frmCompose\.aspx" log,pass
# WEB-IIS ping.asp access
SecFilterSelective THE_REQUEST "/ping\.asp" log,pass
# WEB-IIS w3who.dll buffer overflow attempt
SecFilterSelective THE_REQUEST "/w3who\.dll\?"
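# --- Application-specific SQL injection / traversal signatures ---
# Rules without an action list take the default action (set outside this
# file); "log,pass" only logs; "chain" requires the next rule to match too.
#
# The SQL pattern repeated below is: a statement keyword, whitespace, a run of
# characters from [A-Z|a-z|0-9|\*| |,] and then an object keyword. Inside the
# brackets "|" is a literal character, not alternation, so the class also
# admits a pipe.

# WEB-IIS httpodbc.dll access - nimda
SecFilterSelective THE_REQUEST "/httpodbc\.dll" log,pass
# WEB-IIS SQLXML content type overflow
# NOTE(review): matches any request line containing "contenttype=" with no URI
# or length constraint; expect false positives on unrelated applications.
SecFilterSelective THE_REQUEST "contenttype="
#Naxtor e-directory SQL injection
SecFilterSelective THE_REQUEST "(admin/default\.asp|\.signin\.asp)" chain
SecFilter "\' or \'=\'"
#Thomson NETg Web Skill Vantage Manager Login SQL Injection
SecFilterSelective THE_REQUEST "login\.asp" chain
SecFilterSelective ARG_svmPassword "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#DUware SQL injection attacks
SecFilterSelective THE_REQUEST "/DUclassmate/default\.asp\?iState=(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)&nState="
SecFilterSelective THE_REQUEST "/DUamazon/type\.asp\?iType=.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/DUamazonPro/admin/catDelete\.asp\?iCat=[0-9].*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
# iPro was hard-coded to "34", so the rule only covered that one product id;
# any numeric id is accepted now (still matches iPro=34).
SecFilterSelective THE_REQUEST "/DUamazonPro/shops/detail\.asp\?iPro=[0-9]+&iSub=[0-9].*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/DUamazonPro/admin/productDelete\.asp\?iPro=.*&iCat=[0-9].*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/DUamazonPro/shops/review\.asp\?iSub=.*&iPro=[0-9].*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/DUamazonPro/admin/productEdit\.asp\?iPro=.*&iCat=[0-9].*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/DUforum/post\.asp\?iFor=[0-9].*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#MidiCart ASP Shopping Cart SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/item_show\.asp" chain
SecFilterSelective ARG_code_no "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#mssql attacks
#SecFilterSelective ARGS "@@[[:alnum:]]+"
SecFilterSelective ARGS ";--"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "sys(objects|columns|logins|xlogins)"
SecFilterSelective ARGS "exec.+(x|s)p_"
SecFilterSelective ARGS "(open(query|rowset)|msdasql|sqloledb)"
SecFilterSelective ARGS "exec[[:space:]]*\("
#Less specific rule, in case the above is too generic
SecFilterSelective THE_REQUEST "xp_(enumdsn|filelist|availablemedia|cmdshell|reg(read|write|deletekey))"
#Common windows extensions that could be bad, comment out what you can use
# The three disabled variants differ only in whether \.inf and \.exe are listed.
#SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.inf|\.mdb|\.mde|\.msi|\.reg|\.scr|\.exe)"
#SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.mdb|\.mde|\.msi|\.reg|\.scr|\.exe)"
#SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.mdb|\.mde|\.msi|\.reg|\.scr)"
# Active form: the extension must end the request path (followed by the HTTP
# version) or be followed directly by a query string.
SecFilterSelective THE_REQUEST "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.mdb|\.mde|\.msi|\.reg|\.scr) HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.mdb|\.mde|\.msi|\.reg|\.scr)\?"
#Bad Windows paths
SecFilterSelective REQUEST_URI|POST_PAYLOAD "([cdefg]\:/|/_vti_(bin|cnf|pvt)/|/IISSAMPLES/|/MSOffice/|/system32/|/msadc/|/inetpub/|/winnt)" "id:360001,rev:1,severity:2,msg:'Windows Rules: Bad Windows Paths'"
#TAC Vista directory traversal
SecFilterSelective THE_REQUEST "/ISALogin\.dll\?ShowLogin\?Url=/Template=\.\./\.\."
SecFilterSelective THE_REQUEST "projects/project-edit\.asp" chain
SecFilterSelective ARG_project_id "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#Mall23 eCommerce "idOption_Dropdown_2" SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "/AddItem\.asp" chain
SecFilterSelective ARG_idOption_Dropdown_2 "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#WhatsUp Gold "map.asp" Cross-Site Scripting Vulnerability
# The dot is escaped like every other file-name rule here; unescaped it
# matched any character in that position.
SecFilterSelective THE_REQUEST "/map\.asp" chain
SecFilterSelective ARG_map "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#TAC Vista "Template" Disclosure of Sensitive Information
# NOTE(review): Apache's config parser may collapse "\\" inside a quoted
# argument to a single backslash before the regex is compiled, which would
# turn the backslash alternative into an escaped "|"; confirm how this
# pattern is actually compiled on the target server.
SecFilterSelective REQUEST_URI "/vistawebstation/scriptsLogin/ISALogin\.dll\?ShowLogin\?Url=/Template.*(\:|\\|/|\.\.)"
#aeNovo Cross-Site Scripting and SQL Injection Vulnerabilities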
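# --- Application-specific SQL injection / XSS signatures (continued) ---
# Rules without an action list take the default action (set outside this
# file); "chain" requires the next rule to match too. Rules carrying a quoted
# action list ("chain,id:...,msg:...") put chain and metadata in one argument.
#
# NOTE(review): the script-tag pattern reused below only matches a narrow,
# literal tag shape; treat these chains as signatures for the named advisories,
# not as general XSS protection, and keep output encoding in the applications.

# aeNovo rules (the section title precedes this point in the file)
SecFilterSelective THE_REQUEST "/search\.asp\?strSQL=" chain
SecFilter "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective THE_REQUEST "/search\.asp\?strSQL=SELECT.*FROM pages where.*union"
SecFilterSelective THE_REQUEST "user/control\.asp" chain
SecFilterSelective ARG_password "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#Comersus Power Pack Premium Cross-Site Scripting Vulnerabilities
SecFilterSelective THE_REQUEST "comersus_backoffice_searchItemForm\.asp" chain
SecFilterSelective ARG_forwardTo1|ARG_forwardTo2|ARG_nameFT1|ARG_nameFT2 "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#WEB RSA Web Auth Exploit Attempt
SecFilterSelective THE_REQUEST "/WebID/IISWebAgentIF\.dll.*\?Redirect.*url=.{8000}"
#TAC Attack Directory Traversal
# NOTE(review): "dll?" makes the second "l" optional rather than matching a
# literal "?"; the following ".*" still absorbs the query separator, so the
# rule matches as intended but more loosely than written.
SecFilterSelective REQUEST_URI "/ISALogin\.dll?.*Template=.*\.\./"
#Miva Merchant VSS
SecFilterSelective THE_REQUEST "merchant\.mv" chain
SecFilter "/customer_login.*\">"
#Novell ZENworks Patch Management SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "computers/default\.asp" chain
SecFilterSelective ARG_Direction "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "reports/default\.asp" chain
SecFilterSelective ARG_SearchText|ARG_StatusFilter|ARG_computerFilter "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#Techno Dreams Products "login.asp" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "login\.asp" chain
SecFilterSelective ARG_userid "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#ASP Fast Forum "error" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "error\.asp" chain
SecFilterSelective ARG_error "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#Snitz Forums 2000 "post.asp" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "post\.asp" chain
SecFilterSelective ARG_type "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#webdav attack
SecFilterSelective REQUEST_URI "/_vti_bin/_vti_aut/fp30reg\.dll"
#AudienceView "TSerrorMessage" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "error\.asp" chain
SecFilterSelective ARG_TSerrorMessage "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#VP-ASP Shopping Cart "UserName" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "shopadmin\.asp" chain
SecFilterSelective ARG_UserName "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#e-Quick Cart SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/shopaddtocart\.asp" chain
SecFilterSelective ARG_productid "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/shopprojectlogin\.asp" chain
SecFilterSelective ARG_strpemail "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/shoptellafriend\.asp" chain
SecFilterSelective ARG_id "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#ASP-rider "referer" Header SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "/default\.asp" chain
SecFilterSelective HTTP_Referer "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#DUware Products "iType" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "/type\.asp" chain
SecFilterSelective ARG_iType "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#MaxWebPortal Multiple SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "/(article_popular|dl_popular|links_popular|pic_popular|article_rate|dl_rate|links_rate|pic_rates|article_toprated|dl_toprated|links_toprated|pic_toprated|custom_link)\.asp" chain
SecFilter "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#XcPhotoAlbum "SearchFor" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "PAsearch\.asp" chain
SecFilterSelective ARG_SearchFor "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#rwAuction Pro "searchtxt" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "search\.asp" chain
SecFilterSelective ARG_searchtxt "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#NetAuctionHelp Auction Software Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "search\.asp" chain
SecFilterSelective ARG_L|ARG_sort|ARG_category|ARG_categoryname "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#DUware DUportal Pro "result" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "password\.asp" chain
SecFilterSelective ARG_result "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#A-FAQ SQL Injection Vulnerabilities
# The two original chains test faqid/catcode against the script-tag pattern
# only. They are kept, and the SQL pattern used by the other SQL injection
# rules in this file is added after them so the case named in the title is
# covered as well.
SecFilterSelective REQUEST_URI "faqDspItem\.asp" chain
SecFilterSelective ARG_faqid "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "faqDsp\.asp" chain
SecFilterSelective ARG_catcode "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "faqDspItem\.asp" chain
SecFilterSelective ARG_faqid "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "faqDsp\.asp" chain
SecFilterSelective ARG_catcode "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#IISWorks ASPKnowledgeBase "a" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "kb\.asp" chain
SecFilterSelective ARG_a "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#XcClassified "SearchFor" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "CPSearch\.asp" chain
SecFilterSelective ARG_SearchFor "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#Solupress News "search.asp" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "search\.asp" chain
SecFilterSelective ARG_keywords "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#MyTemplateSite "search.asp" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "search\.asp" chain
SecFilterSelective ARG_q "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#SiteBeater News System "Archive.asp" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "archive\.asp" chain
SecFilterSelective ARG_sKeywords "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#SiteBeater MP3 Catalog "Search.asp" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "Search\.asp" chain
SecFilterSelective ARG_sSearchText "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#LocazoList Classifieds "searchdb.asp" Cross-Site Scripting vuln
SecFilterSelective REQUEST_URI "Searchdb\.asp" chain
SecFilterSelective ARG_q "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#ShopEngine "EXPS" Cross-Site Scripting Vulnerability
SecFilterSelective REQUEST_URI "search\.asp" chain
SecFilterSelective ARG_EXPS "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#Tangora Portal CMS Cross-Site Scripting Vulnerabilities
SecFilterSelective REQUEST_URI "page(1361|496)\.aspx" chain
SecFilterSelective ARG_action "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#DevHound v2.24 and earlier password file disclosure
# The original pattern "data\devhound" used a backslash as if it were a path
# separator; in a regex "\d" is an escape, so the rule could not match a
# request for the file. The separator is now a class of "/" and "\". The
# backslash is written four times so that the class still contains a
# backslash whether or not the config parser collapses "\\" first.
SecFilterSelective REQUEST_URI "data[/\\\\]devhound\.tdbd"
#pTools "docID" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "index\.asp" chain
SecFilterSelective ARG_docID "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#news_paper.asp back door attack
SecFilterSelective REQUEST_URI "news_paper\.asp" chain
SecFilter "theAction=.*script\.shell"
#generic windows backdoor
SecFilterSelective THE_REQUEST "server\.createObject.*Shell\.Application"
#new windows attack, unknown
# Dot escaped for consistency with the other file-name rules.
SecFilterSelective REQUEST_URI "/imgLib/admin/login\.asp" chain
SecFilter "select.+from"
#SiteMan "txtpassword" SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "admin_login\.aspx" chain
SecFilterSelective ARG_txtpassword "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#Metisware Instructor Task Script Insertion Vulnerability
# NOTE(review): the bare "html" alternative and the "(...)*\>" group (which
# can match zero times, i.e. any ">") make this chain match very broadly on
# vchTaskHeader; expect false positives on ordinary task titles.
SecFilterSelective REQUEST_URI "/MyTasks/PersonalTaskCreate\.asp" "chain,id:390034,rev:1,severity:2,msg:'JITP: Metisware Instructor Task Script Insertion Vulnerability'"
SecFilterSelective ARG_vchTaskHeader "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
#OzzyWork Galeri Multiple Vulnerabilities
SecFilterSelective REQUEST_URI "admin_default\.asp" "chain,id:395000,rev:1,severity:2,msg:'JITP: OzzyWork Galeri SQL injection'"
SecFilterSelective ARG_id|ARG_password "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
# Disabled. NOTE(review): this rule reuses id 395001, which the active
# MultiCalendars rule below also carries; assign it an unused id before
# enabling it so log entries stay attributable.
#SecFilterSelective REQUEST_URI "add\.asp" "id:395001,rev:1,severity:2,msg:'JITP: OzzyWork Galeri File upload Vulnerability'"
#MultiCalendars "calsids" Parameter SQL Injection Vulnerability
SecFilterSelective REQUEST_URI "all_calendars\.asp" "chain,id:395001,rev:1,severity:2,msg:'JITP: MultiCalendars calsids Parameter SQL Injection Vulnerability'"
SecFilterSelective ARG_calsids "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#EPublisherPro "title" Cross-Site Scripting Vulnerability
# msg corrected: it was a copy of the MultiCalendars text, which mislabels
# every alert raised by rule 395002.
SecFilterSelective REQUEST_URI "moreinfo\.asp" "chain,id:395002,rev:1,severity:2,msg:'JITP: EPublisherPro title Cross-Site Scripting Vulnerability'"
SecFilterSelective ARG_title "(javascript|script|about|applet|activex|chrome)*\>"
#EImagePro SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "(SubList|ImageList|view)\.asp" "chain,id:395003,rev:1,severity:2,msg:'JITP: EImagePro SQL Injection Vulnerabilities'"
SecFilterSelective ARG_CatID|ARG_SubjectID|ARG_Pic "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#EDirectoryPro "keyword" Parameter SQL Injection
SecFilterSelective REQUEST_URI "search_result\.asp" "chain,id:395004,rev:1,severity:2,msg:'JITP: EDirectoryPro keyword Parameter SQL Injection'"
SecFilterSelective ARG_keyword "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
#IA-Calendar Cross-Site Scripting and SQL Injection Vulnerabilities
SecFilterSelective REQUEST_URI "(calendar_new|default)\.asp" "chain,id:395005,rev:1,severity:2,msg:'JITP: IA-Calendar SQL Injection'"
SecFilterSelective ARG_type "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "calendar_detail\.asp" "chain,id:395006,rev:1,severity:2,msg:'JITP: IA-Calendar SQL Injection'"
SecFilterSelective ARG_ID "(@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)|(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "calendar_new\.asp" "chain,id:395007,rev:1,severity:2,msg:'JITP: IA-Calendar XSS'"
SecFilterSelective ARG_TypeName1 "(javascript|script|about|applet|activex|chrome)*\>"
#Meta character SQL injection
# Fires only when a single quote appears in the URI ahead of one of the SQL
# fragments listed in the group.
SecFilterSelective REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from|@@[[:alnum:]]+|load[[:space:]]+data|exec.+(x|s)p_)" "id:380016,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"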