I have been asked to design a mod_security rule to protect sites from the recent PHPBB worm. Now, I don't have access to PHPBB (vulnerable or not) but looking at the worm log entries I have found online it should be simple:
SecFilterSelective ARG_highlight %27
This should prevent someone from trying to sneak an URL-encoded apostrophe in through the vulnerable variable "highlight". As I said, don't take my word for it. If you have a vulnerable installation use the exploit after installing the rule to see if it works. Please let me know whether the rule works or not. And don't forget to fix the real problem by upgrading your version of PHPBB. Update: As Ralph Germershausen points out, while you are fixing PHPBB also make sure you are using the latest PHP version (4.3.10 if you are still with the 4.x branch or 5.0.3 if you are with the 5.x branch). This is to take care of the recently announced vulnerabilities.
