[mod-security-users] locations in windows, XSS
From: Daniel G. <inf...@sp...> - 2004-06-28 08:28:41
I have a very simple PHP script that has guestbook-like functionality. It also has no input sanitation. Therefore, I'd like to use one of those XSS regexes provided to check for XSS exploits in ONLY that one script, being that I use things like JavaScript elsewhere on my server. Here is what I used. It doesn't prevent me from putting JavaScript into the input fields, submitting it over POST, and then having it display on the page.

    SecFilterEngine DynamicOnly
    SecFilterScanPOST On
    ...
    <Location "C:\Apache2\users\www\feedback.php">
    SecFilterSelective ARGS "<[[:space:]]*script"
    </Location>

Can anyone offer me any help? I'm obviously running Windows. Maybe the path is being handled wrong? Maybe the regex is wrong? WinXP, Apache2, modsec 1.8.2, PHP4. I ran the tests included in the source for ModSecurity; they all worked.

dan