Merge pull request #3713 from azurit/UrlDecodeUni
fix: replacing t:UrlDecode with t:UrlDecodeUni (921240 PL1, 932170 PL1, 932171 PL1, 932190 PL3, 932190 PL1, 933211 PL3, 941310 PL1, 941350 PL1)
theseion committed Jun 18, 2024
2 parents 41fde24 + d8accb5 commit 6265222
Showing 4 changed files with 8 additions and 8 deletions.
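--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -290,7 +290,7 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
 phase:1,\
 block,\
 capture,\
-t:none,t:urlDecode,t:lowercase,\
+t:none,t:urlDecodeUni,t:lowercase,\
 msg:'mod_proxy attack attempt detected',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\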
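Review bot: No regression test accompanies the switch to `t:urlDecodeUni` on this rule; all four changed files are rule files, so nothing pins the new `%u` decoding behaviour here or in the 932, 933 and 941 sections. A positive test per rule that repeats an existing test case with part of the input in `%uXXXX` form, plus a negative test showing that benign requests still pass, would guard against a later revert. As far as I know the output of `t:urlDecodeUni` for code points outside ASCII depends on the engine's `SecUnicodeMapFile` setting, so the tests should run with the mapping the project treats as default. The SecRule continues outside the hunk.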
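--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -589,7 +589,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
 phase:1,\
 block,\
 capture,\
-t:none,t:urlDecode,\
+t:none,t:urlDecodeUni,\
 msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -610,7 +610,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
 phase:2,\
 block,\
 capture,\
-t:none,t:urlDecode,t:urlDecodeUni,\
+t:none,t:urlDecodeUni,\
 msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -1670,7 +1670,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
 phase:2,\
 block,\
 capture,\
-t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
+t:none,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
 msg:'Remote Command Execution: Wildcard bypass technique attempt',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\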
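Review bot: In the hunks at -610 and -1670 the old chain was `t:urlDecode,t:urlDecodeUni`, so the new chain runs one decoding pass fewer than before rather than swapping one decoder for another. Input that only reached its plain form after both passes would no longer be normalised for these two rules. If that reduction is intended, a comment above each rule would record it, for example `# Single t:urlDecodeUni pass by design; the previous t:urlDecode pass was redundant.`, and a regression test with a multiply-encoded value would show what coverage is kept. The hunk at -589 is a plain replacement and is not affected; all three SecRule bodies continue outside their hunks.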
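--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -493,7 +493,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 phase:2,\
 block,\
 capture,\
-t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\
+t:none,t:urlDecodeUni,t:replaceComments,t:removeWhitespace,\
 msg:'PHP Injection Attack: Variable Function Call Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -744,7 +744,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 phase:2,\
 block,\
 capture,\
-t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\
+t:none,t:urlDecodeUni,t:replaceComments,t:removeWhitespace,\
 msg:'PHP Injection Attack: Variable Function Call Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\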
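Review bot: Two rules are changed in this file, both with the message 'PHP Injection Attack: Variable Function Call Found', but the commit description names only 933211 for the 933 file and lists 932190 twice, so one rule id appears to be missing from the record. Operators who keep exclusions or tuning keyed to rule ids rely on that list to learn which rules now decode `%u` sequences, so the changelog entry for this change should name both ids. The `id:` actions are outside the hunks, so the exact ids need confirming against the file.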
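--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -583,7 +583,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
-t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,\
 msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -612,7 +612,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
-t:none,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,\
 msg:'UTF-7 Encoding IE XSS - Attack Detected',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\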
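Review bot: In the first hunk `t:lowercase` still runs before `t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode`, so a letter that only appears after decoding keeps its original case, while the second hunk has no `t:lowercase` at all. Whether this matters depends on each rule's `@rx` pattern, which is not visible in the truncated hunk headers. If the first pattern contains letters, placing the case fold last would be the safer order: `t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:lowercase,\`. If it matches bytes only, a one-line comment above the rule saying the order is irrelevant would settle the question for the next reader.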
