https://inliniac.net/blog/tag/bleedingthreats/ Recent content in Bleedingthreats on Inliniac Hugo en Tue, 20 Mar 2007 18:03:21 +0000 https://inliniac.net/blog/2007/03/20/new-wordpress-issue-modsecurity-rule/ Tue, 20 Mar 2007 18:03:21 +0000 https://inliniac.net/blog/2007/03/20/new-wordpress-issue-modsecurity-rule/ <p>I just read about a new issue with <a href="http://www.wordpress.org/">WordPress</a> <a href="http://www.securityfocus.com/archive/1/463291">here</a> at SecurityFocus. It&rsquo;s a potential credential stealing vulnerability, so I quickly created these <a href="http://www.modsecurity.org">ModSecurity</a> 2 rules:</p> <p><strong>SecDefaultAction &ldquo;log,deny,status:403,phase:2,t:lowercase,t:escapeSeqDecode&rdquo;</strong> <strong>SecRule REQUEST_FILENAME &ldquo;/wp-login.php$&rdquo; &ldquo;chain,msg:&lsquo;WORDPRESS wp-login.php redirect_to credentials stealing attempt&rsquo;,severity:2,t:normalisePath&rdquo;</strong> <strong>SecRule ARGS_NAMES &ldquo;^redirect_to$&rdquo; &ldquo;chain&rdquo;</strong> <strong>SecRule ARGS:redirect_to &ldquo;(ht|f)tps?://&rdquo;</strong></p> <p>I can still login to my WordPress install, so it seems that the rule does no harm. Use at your own risk!</p> <p><strong>Update</strong>: I&rsquo;ve created a Snort rule as well:</p>