mod_security rule for e107 ‘plugindir’ and ‘ifile’ remote include vulnerability

Here are ModSecurity 2 rules for the latest string of vulnerabilities affecting the e107 CMS, described at the following links:

http://www.exploit-db.com/exploits/12818/
http://www.exploit-db.com/exploits/12715/

# ModSecurity 2.7 and later refuse to load a rule without an id. The ids below are
# placeholders from the local-use range (1-99999); renumber them to fit your own rule set.
SecRule ARGS:THEMES_DIRECTORY "^http" "id:10001,t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"
SecRule ARGS:ifile "^http" "id:10002,t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"
SecRule ARGS:plugindir "^http" "id:10003,t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"
SecRule ARGS:author_name "\[php\]" "id:10004,t:htmlEntityDecode,t:urlDecode,t:lowercase,deny,log,auditlog,msg:'Denied e107 vulnerability'"
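
The following Python sketch is an added example, not part of the original post. It approximates how the transformations in these rules normalize a parameter value before the pattern is applied, so the rule set can be regression-checked against constructed parameter values before deployment. `html.unescape` and `unquote_plus` are stand-ins for ModSecurity's `htmlEntityDecode` and `urlDecode` (an assumption, not exact equivalents), and the function names and sample values are hypothetical.

```python
import html
import re
from urllib.parse import unquote_plus

# The four rules from the post as (argument name, @rx pattern).
RULES = [
    ("THEMES_DIRECTORY", r"^http"),
    ("ifile", r"^http"),
    ("plugindir", r"^http"),
    ("author_name", r"\[php\]"),
]


def transform(value):
    """Apply stand-ins for t:htmlEntityDecode, t:urlDecode, t:lowercase, in rule order."""
    return unquote_plus(html.unescape(value)).lower()


def denied(args):
    """Return the argument names whose transformed value matches its rule."""
    return [name for name, pattern in RULES
            if name in args and re.search(pattern, transform(args[name]))]


# Constructed parameter sets (values as the rule sees them after request parsing).
SAMPLES = {
    "plain": {"plugindir": "http://example.test/"},
    "mixed_case": {"ifile": "HtTp://example.test/"},
    "still_percent_encoded": {"THEMES_DIRECTORY": "%68ttp://example.test/"},
    "entity_encoded": {"plugindir": "&#104;ttp://example.test/"},
    "bbcode_tag": {"author_name": "intro [PHP] text"},
    "benign_path": {"plugindir": "plugins/forum/", "ifile": "docs/http-notes.txt"},
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        print(f"{label:24} -> {denied(args) or 'allowed'}")
```

The `benign_path` case shows the effect of the `^` anchor: a value that merely contains `http` later in the string is not denied, while the `author_name` pattern is unanchored and matches anywhere in the value.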
