Archive for June, 2008

List all the loaded modules :: apache

June 12, 2008

You can use the following command to list all the loaded modules in Apache (both DSO and static):
———-

apachectl -t -D DUMP_MODULES

———-

The output will be something like:
———
dir_module (static)
actions_module (static)
userdir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
auth_passthrough_module (shared)
bwlimited_module (shared)
php5_module (shared)
fcgid_module (shared)
proxy_module (shared)
———


Mod Security 2 Default Rules and IDs

June 8, 2008

Here are the Mod Security 2 default rules and their IDs. This may be useful if you want to deactivate a specific rule.
————————————–
marketing.conf

10005 – Marketing Default Action
10006 – Google robot activity
10007 – Yahoo robot activity
10008 – MSN robot activity

http_policy.conf

60031 – HTTP Policy Default Action
60032 – Allow only POST,GET,HEAD Requests
60033 – Block CONNECT / TRACE Requests
60010 – Restrict Content Types For Posts
60034 – Restrict HTTP Protocol Versions
60035 – File extension request restrictions
60036 – Allow Only Certain Extensions

generic_attacks.conf

50002 – Generic Attacks Default Action
50009 – Session Fixation Cookie Mangling ?
50007 – Blind SQL Injection Attack
50903 – Blind SQL Injection Attack
50904 – Blind SQL Injection Attack
50001 – SQL Injection Attack
50905 – SQL Injection Attack
50906 – SQL Injection Attack
50004 – Cross-site Scripting (XSS) Attack
50005 – Remote File Access Attempt
50002 – System Command Access
50006 – System Command Injection
50008 – Injection of Undocumented ColdFusion Tags
50010 – LDAP Injection Attack
50011 – SSI injection Attack
50013 – PHP Injection Attack

bad_robots.conf

90900 – Bad Robots Default Action
90002 – Block Known Bot Scanners
90901 – Block Known Bot Scanners
90902 – Block Known Bot Scanners
90012 – Rogue Site Crawlers
90011 – Automated Site Crawler

outbound.conf

70001 – Outbound Filter Default Action
70002 – Statistic Software Information Leak
70003 – SQL Information Leakage
70004 – IIS Information Leakage
70007 – Zope Information Leakage
70008 – Cold Fusion Information Leakage
70009 – PHP Information Leakage
70010 – ISA server existence revealed
70012 – Microsoft Word document properties leakage
70013 – Directory Listings Turned OFF !!
70011 – File or Directory Names Leakage
70014 – ASP/JSP source code leakage
70903 – ASP/JSP source code leakage
70015 – PHP source code leakage
70016 – Cold Fusion source code leakage
70901 – IIS Application Not Available
70118 – IIS Application Not Available

protocol_violations.conf

60007 – Protocol Violations Default Action
60008 – Request Missing a Host Header
60009 – Request Missing a User Agent Header
60015 – Request Missing an Accept Header
60016 – Non Numeric Content-Length Header
60017 – Host header is a numeric IP address
60011 – Block GET or HEAD requests with bodies
60012 – POST request must have a Content-Length header
60013 – ModSecurity does not support transfer encodings
50107 – URL Encoding Abuse Attack
50801 – UTF8 Encoding Abuse Attack
60014 – Proxy access attempt
60015 – Request Missing an Accept Header Byte Range
60901 – Localized Byte Range Check

trojans.conf

50920 – Trojans Default Action
50111 – Possible malicious file upload
50921 – Possible malicious file upload
50922 – Possible malicious file upload

Got root rule ids

Got Root Mod Security 2 Rules – /gotroot/

apache2-rules.conf

400050 – Apache 2 Rules Default Action

jitp.conf

300051 – Just In Time Patches Default Action
390000 – Awstats.pl probe
390080 – Tests For Valid X-Forwarded Header

jitp2.conf

300051 – Just In Time Patches Default Action
390000 – Awstats.pl probe
390070 – Generic phpbb_root_path exploit
390075 – Generic mosConfig_absolute_path File Inclusion Vulnerability
390076 – Generic mosConfig_absolute_path File Inclusion Vulnerability
390083 – tikiwiki XSS Vulnerability
390082 – tikiwiki Remote File Inclusion Vulnerability
390039 – vwar_root remote/local file inclusion
390001 – aWebBB XSS attack on post.php
390002 – aWebBB XSS attack on editac.php
390003 – aWebBB XSS attack on register.php
390004 – aWebBB XSS attack / aWebBB SQL attack
390005 – aWebBB SQL attack
390006 – phpBB cur_password XSS attack
390007 – PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
390008 – Claroline <= 1.7.4 scormExport.inc.php remote command vuln
390009 – Claroline <= 1.7.4 scormExport.inc.php remote command vuln
390010 – Claroline <= 1.7.4 XSS attack
390011 – aWebNews XSS attack
390012 – aWebBBNewsSQL attack
390013 – aWebBBNewsSQL attack
390014 – aWebAPP XSS attack
390015 – qliteNEws SQL injection attack
390016 – RedCMS SQL Injection
390017 – RedCMS SQL Injection
390018 – RedCMS XSS attack
390019 – Oxygen SQL Injection
390020 – Mantis XSS attack
390021 – Oxygen SQL Injection
390022 – Mantis XSS attack
390023 – PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection
390024 – Sourceworkshop newsletter SQL Injection Vulnerability
390025 – X-Changer SQL Injection Vulnerability
390025 – X-Changer SQL Injection Vulnerability
390026 – X-Changer XSS Vulnerability
390027 – Null news Multiple SQL Injection Vulnerabilities
390028 – Null news Multiple SQL Injection Vulnerabilities
390029 – Null news Multiple SQL Injection Vulnerabilities
390030 – PHPLiveHelper 1.8 remote command execution Xploit
390031 – Pixel Motion Blog SQL Injection Vulnerabilities
390032 – Pixel Motion Blog SQL Injection Vulnerabilities
390033 – Nuked-Klan SQL Injection Vulnerability
390035 – TFT Gallery passwd Exposure of User Credentials
390036 – Nuked-Klan SQL Injection Vulnerability
390037 – WEBalbum Local File Inclusion Vulnerability
390038 – G-Book g_message Script Insertion Vulnerability
390039 – PHPMyChat exploit
390040 – Horde Help Module Remote Execution
390041 – Internet PhotoShow Remote File Inclusion Exploit
390042 – Censtore.cgi exploit
390043 – quizz.pl exploit
390044 – phpinfo.cgi command execution
390045 – phpRaid phpbb_root_path File Inclusion Vulnerability
390046 – openEngine template Parameter Local File Inclusion Vulnerability
390047 – ISPConfig go_info[server][classes_root] File Inclusion
390048 – ManageEngine OpManager searchTerm Cross-Site Scripting
390049 – AliPAGER ubild Cross-Site Scripting and SQL Injection
390050 – MxBB Portal pafileDB Module module_root_path File Inclusion
390051 – Jadu CMS register.php Cross-Site Scripting Vulnerabilities
390052 – OpenFAQ q Parameter Script Insertion Vulnerability
390053 – phpBB foing Module phpbb_root_path File Inclusion
390054 – Sugar Suite sugarEntry Parameter Security Bypass
390055 – Sugar Suite sugarEntry Parameter Security Bypass
390056 – Sugar Suite sugarEntry Parameter Security Bypass
390057 – Sugar Suite exploit
390058 – TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390059 – TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390060 – TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390061 – TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390062 – TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390063 – TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390095 – TikiWiki Multiple Cross-Site Scripting Vulnerabilities
390064 – WordPress shell injection Vulnerability
390065 – Nucleus arbitrary remote inclusion exploit
390066 – Horde passthru exploit
390067 – CMS-Bandits spaw_root File Inclusion Vulnerability
390068 – phpBB Blend Portal System Module phpbb_root_path File Inclusion
390069 – Admanager Pro exploit
390071 – Bible Portal Project destination File Inclusion Vulnerability
390072 – Flipper Poll root_path File Inclusion Vulnerability
390073 – PictureDis Products lang Parameter File Inclusion Vulnerability
390074 – Joomla/Mambo Weblinks blind SQL injection
390076 – Generic m2f_root_path File Inclusion Vulnerability
390077 – Generic PHP download incddir File Inclusion Vulnerability
390078 – SiteDepth CMS SD_DIR Parameter Handling Remote File Inclusion Vulnerability
390079 – PhpLinkExchange page Parameter Handling Remote File Inclusion Vulnerability
390080 – Tests For Valid X-Forwarded Header

recons.conf

350001 – Recons Default Action
350000 – Gravity Board Google Recon attempt
350001 – SilverNews Google Recon attempt
350002 – PHPBB 2.0 Google Recon attempt
350003 – PHPFreeNews Google Recon attempt
350004 – /cgi-bin/guery Google Recon attempt
350005 – tiki-edit Google Recon attempt
350006 – wps_shop.cgi Google Recon attempt
350007 – edit_blog.php Google Recon attempt
350008 – passwd.txt Google Recon attempt
350008 – admin.mdb Google Recon attempt

rootkits.conf

390143 – Root Kits Default Action
390144 – Generic Attempt to install rootkit in Horde
390145 – Generic Attempt to install rootkit

rules.conf

340001 – Got Root Rules Default Action
340000 – Enforce proper HTTP requests
340002 – Generic rule for allowed characters
340004 – Dis-allowed Transfer Encoding
340007 – deny TRACE method
300002 – XSS insertion into headers
300003 – Don’t accept chunked encodings
330003 – Code injection via content length
300004 – generic recursion signatures
300005 – generic recursion signatures
300006 – generic bogus path sigs
330001 – Generic PHP exploit signatures
330002 – Generic PHP exploit signatures
300008 – Generic PHP exploit pattern
300010 – generic XSS PHP attack types
300011 – Prevent SQL injection in cookies
300012 – Prevent SQL injection in UA
300013 – Generic filter to prevent SQL injection attacks
300014 – Generic SQL sigs
300015 – Generic SQL sigs
300016 – Generic SQL sigs
380015 – Meta character SQL injection
300017 – Generic command line attack filter
300018 – Generic PHP code injection protection via ARGS
300040 – Generic PHP code injection protection in URI

useragents.conf

380001 – User Agents Default Action
380000 – Addresses With No HTTP_Accept

————————————————
Ref: http://osdir.com/ml/apache.mod-securityuser/2006-11/msg00148.html
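
Several IDs in the listing above are carried by more than one rule (for example 50002, 350008 and 390080), and the SecRuleRemoveById directive selects rules by ID alone, so it is worth checking what an ID maps to before deactivating it. The script below is an added example, not part of the original post or of either rule set; it parses an excerpt of the listing in the same layout and reports the shared IDs.

```python
import re
from collections import defaultdict

# Excerpt of the listing above, same "file.conf" / "ID – text" layout.
LISTING = """\
generic_attacks.conf

50002 – Generic Attacks Default Action
50001 – SQL Injection Attack
50002 – System Command Access

jitp.conf

390000 – Awstats.pl probe
390080 – Tests For Valid X-Forwarded Header

jitp2.conf

390000 – Awstats.pl probe
390080 – Tests For Valid X-Forwarded Header

recons.conf

350008 – passwd.txt Google Recon attempt
350008 – admin.mdb Google Recon attempt
"""

# A rule line is "<digits> <en dash or hyphen> <description>".
RULE = re.compile(r"^(\d+)\s+[–-]\s+(.+)$")

def parse_listing(text):
    """Return {rule_id: [(conf_file, description), ...]} in listing order."""
    rules, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if m and current:
            rules[int(m.group(1))].append((current, m.group(2)))
        elif line.endswith(".conf"):
            current = line  # heading naming the rule file that follows
    return dict(rules)

def shared_ids(rules):
    """IDs carried by more than one rule; removing one is not surgical."""
    return {i: hits for i, hits in rules.items() if len(hits) > 1}

if __name__ == "__main__":
    for rule_id, hits in sorted(shared_ids(parse_listing(LISTING)).items()):
        where = ", ".join(f"{conf}: {desc}" for conf, desc in hits)
        print(f"SecRuleRemoveById {rule_id} matches {len(hits)} rules -> {where}")
```

Feeding the full listing to parse_listing shows every shared ID at once; the removal directive also has to appear after the rules it targets have been loaded.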