Re: [mod-security-users] SecFilterForceByteRange
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] SecFilterForceByteRange
|
From: Ivan R. <iv...@we...> - 2004-08-24 18:48:04
|
Hugh Beaumont wrote:
> Hi,
>
> I have a question about the pdf documentation :
>
> In many places, this is given as an example config :
>
> # Accept almost all byte values
> SecFilterForceByteRange 1 255
>
> My understanding is that this will allow all byte values except for zero.
>
> Is this correct?
Yes.
> On page 12 (Null byte attack prevention) it says that versions 1.7 and above will automatically
> convert %00 to a space. I assume this means that it is filter byte 0 out of all requests
> automtically.
Not quite. The data that goes to the application is never changed
(at least not yet, I'm considering that for future releases). The
conversion that takes place only affects the rules.
> Does this mean that :
>
> SecFilterForceByteRange 1 255
>
> is really not necassary if you are using version 1.7 and above?
It depends. The way I see it is as follows:
* You should always refuse certain byte values in the
payload.
* If you allow null bytes then the %00 -> %20 conversion is
there to allow filters to still make sense (they wouldn't
otherwise).
> I hope I'm not being a pain with all the questions - I've been trying to read the manual carefully
> and thought I would pass along any spots that I found hard to understand or conflicting. I realize
> it is hard to keep documentation totally up-to-date with the latest features of a program.
The documentation is up to date, but it is not structured properly. It
is really a notebook I use to write stuff down. For 2.0 I plan to
rewrite the documentation, providing HTML and PDF versions. It would
have happened already if it wasn't for the book taking away most
of my time.
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|