Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
I have been asked to design a mod_security rule to protect sites from the recent PHPBB worm. Now, I don't have access to PHPBB (vulnerable or not) but looking at the worm log entries I have found online it should be simple:
SecFilterSelective ARG_highlight %27
This should prevent someone from trying to sneak an URL-encoded apostrophe in through the vulnerable variable "highlight". As I said, don't take my word for it. If you have a vulnerable installation use the exploit after installing the rule to see if it works. Please let me know whether the rule works or not. And don't forget to fix the real problem by upgrading your version of PHPBB. Update: As Ralph Germershausen points out, while you are fixing PHPBB also make sure you are using the latest PHP version (4.3.10 if you are still with the 4.x branch or 5.0.3 if you are with the 5.x branch). This is to take care of the recently announced vulnerabilities.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.