Ryan,
    Thanks and this is working as expected (though your reminder is accurate about crafty attackers) for PHP files.  I'm wondering if I can specify a list of file names on the line below that should not be allowed.

SecRule FILES "\.php$" log,deny,status:403,phase:2

Thanks!

Clay


On Fri, 2008-02-15 at 16:44 -0500, Ryan Barnett wrote:
Hello Clayton and welcome to the list :)  Yes, ModSecurity can help you.  The Core Rules (http://www.modsecurity.org/projects/rules/index.html) has rules that will help to protect against SQL Injection attacks and also when clients try to access Trojan/backdoor web pages that may have been uploaded through a non-HTTP interface.  As for preventing PHP file uploads, you may be able to use the example rule shown here (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0-rc4/modsecurity2-apache-reference.html#N10B39) by inspecting the FILES variable data to try and prevent the “.php” extension as this would be the uploaded filename.  Keep in mind, however, that this is prone to evasions by a crafty attacker.

 

Hope this helps.

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training

Web Application Security Consortium (WASC) Member

CIS Apache Benchmark Project Lead

SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache


 



From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Clayton Dillard
Sent: Friday, February 15, 2008 4:41 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] blocking php uploads


 

Folks,
    I'm new to this list and I'm researching mod_security.  So far it seems like a very good tool.  At my company, we host shared SugarCRM instances for our customers.  Thus, we would need to know if mod_security can be configured so that it provides a strong level of defense against common PHP, SQL-injection, and Apache attacks.  One thing we want to do is to prevent anyone from uploading php files (or any executable code for that matter).  Can mod_security do this?

Best regards,



Clayton Taylor Dillard

http://hspcd.blogspot.com/
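
Added example, not part of the original thread and not ModSecurity code: a small Python harness that models the filename check in the rule above so candidate patterns can be tried against upload names before they go into a SecRule. It compares the thread's "\.php$" pattern, a deny list of several extensions with lowercasing, and an allow list of accepted types. The extension lists, function names and sample filenames are assumptions constructed for illustration, and Python's re module stands in for ModSecurity's regex matching.

```python
import re

# Pattern from the rule in the thread: SecRule FILES "\.php$"
THREAD_RULE = re.compile(r"\.php$")
# Hypothetical deny list covering several extensions (assumption, not from the thread).
DENY_LIST = re.compile(r"\.(?:php|phtml|pl|cgi|sh)$")
# Hypothetical allow list: the only upload types this site accepts (assumption).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "csv"}


def blocked_by_pattern(pattern, filename, lowercase=False):
    """Model a deny rule on FILES: block when the regex matches the name.
    lowercase=True models lowercasing the name before matching."""
    name = filename.lower() if lowercase else filename
    return pattern.search(name) is not None


def blocked_by_allow_list(filename):
    """Block unless the final extension is one the site explicitly accepts."""
    name = filename.strip().lower()
    if "." not in name:
        return True
    extension = name.rsplit(".", 1)[1]
    return extension not in ALLOWED_EXTENSIONS


def evaluate(filenames):
    """Return {filename: (thread_rule, deny_list_lowercased, allow_list)} verdicts."""
    return {
        f: (
            blocked_by_pattern(THREAD_RULE, f),
            blocked_by_pattern(DENY_LIST, f, lowercase=True),
            blocked_by_allow_list(f),
        )
        for f in filenames
    }


# Constructed sample upload names (not from the thread).
SAMPLES = ["report.pdf", "index.php", "INDEX.PHP", "page.php5", "notes.txt"]

if __name__ == "__main__":
    for name, verdicts in evaluate(SAMPLES).items():
        print(f"{name:12} thread={verdicts[0]} deny={verdicts[1]} allow={verdicts[2]}")
```

Only the allow list blocks every sample other than report.pdf, which is the practical reason to prefer listing accepted types over listing forbidden ones.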



 



