Re: [mod-security-users] Directory traversal directive not working
From: Ivan R. <iv...@we...> - 2004-01-08 17:50:17
> I am testing mod_security with 2.0.48 on Solaris 8.
> mod_security has been set up as a DSO.
> My problem is that the very simple directory traversal directive (below)
> does not work:
> SecFilter "\.\./"
>
> ...
>
> Am I missing something?

The Apache is normalizing the path before mod_security gets to it (you can see it in the debug log if you increase the verbosity of the log). If you try something like:

/cgi-bin/modsec-test.pl?p=123/../456

it will work. Apache only normalizes the data on the left hand of the question mark character.

For some time now I've been thinking whether to move mod_security processing into an earlier stage but there are so many advantages and disadvantages that I haven't made the decision yet.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
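
Added example, not part of the original message and not Apache or ModSecurity code: a small Python model of the behaviour described in the reply, showing why the `\.\./` pattern misses a traversal sequence in the path but matches one in the query string. The dot-segment removal in `normalize_path`, the assumption that the filter inspects the normalized path followed by the raw query string, and the first sample request are all constructed for illustration.

```python
import re

# The pattern from the thread: SecFilter "\.\./"
TRAVERSAL = re.compile(r"\.\./")

def normalize_path(path):
    """Simplified model of path normalization (assumption, not Apache's code):
    resolve "." and ".." segments before any filter sees the path."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:      # never climb above the leading "" (root)
                out.pop()
            continue
        out.append(seg)
    return "/".join(out) or "/"

def seen_by_filter(request_uri):
    """String the filter inspects in this model: the normalized path,
    then the query string exactly as the client sent it."""
    path, sep, query = request_uri.partition("?")
    return normalize_path(path) + sep + query

def filter_matches(request_uri):
    """True if the traversal pattern matches what the filter sees."""
    return TRAVERSAL.search(seen_by_filter(request_uri)) is not None

# Sample requests: the first is constructed, the second is from the reply.
SAMPLES = [
    "/cgi-bin/123/../modsec-test.pl",
    "/cgi-bin/modsec-test.pl?p=123/../456",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri}\n  filter sees: {seen_by_filter(uri)}"
              f"\n  match: {filter_matches(uri)}")
```
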