Re: [mod-security-users] SecFilterForceByteRange
From: Ivan R. <iv...@we...> - 2004-08-24 18:48:04
Hugh Beaumont wrote:
> Hi,
>
> I have a question about the pdf documentation :
>
> In many places, this is given as an example config :
>
> # Accept almost all byte values
> SecFilterForceByteRange 1 255
>
> My understanding is that this will allow all byte values except for zero.
>
> Is this correct?

Yes.

> On page 12 (Null byte attack prevention) it says that versions 1.7 and above will automatically
> convert %00 to a space. I assume this means that it filters byte 0 out of all requests
> automatically.

Not quite. The data that goes to the application is never changed (at least
not yet, I'm considering that for future releases). The conversion that
takes place only affects the rules.

> Does this mean that :
>
> SecFilterForceByteRange 1 255
>
> is really not necessary if you are using version 1.7 and above?

It depends. The way I see it is as follows:

* You should always refuse certain byte values in the payload.
* If you allow null bytes then the %00 -> %20 conversion is there to allow
  filters to still make sense (they wouldn't otherwise).

> I hope I'm not being a pain with all the questions - I've been trying to read the manual carefully
> and thought I would pass along any spots that I found hard to understand or conflicting. I realize
> it is hard to keep documentation totally up-to-date with the latest features of a program.

The documentation is up to date, but it is not structured properly. It is
really a notebook I use to write stuff down. For 2.0 I plan to rewrite the
documentation, providing HTML and PDF versions. It would have happened
already if it wasn't for the book taking away most of my time.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
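The two behaviours discussed in the reply, the byte-range check and the %00 -> %20 conversion that only touches the copy the rules see, as an added Python illustration that is not part of the original thread and not ModSecurity's own code. It models a SecFilterForceByteRange check as "reject any decoded byte outside [lo, hi]" and a SecFilter-style rule as a plain regex. The "C-string view" (a matcher that stops at the first NUL) is an assumption introduced here to show why the conversion is needed when null bytes are allowed through; the request arguments and the rule pattern are constructed for the example.

```python
"""Byte-range filtering and NUL normalisation, illustrated.

Added example (not ModSecurity code).  Mimics two ModSecurity 1.x
behaviours described in the thread:
  - SecFilterForceByteRange lo hi: reject requests containing a byte
    outside [lo, hi]
  - ModSecurity >= 1.7 converts %00 to a space, but only in the copy of
    the data that the rules inspect; the application still receives the
    original bytes
The C-string view below is an assumption used to show what a matcher
that stops at NUL would miss.
"""
import re
from urllib.parse import unquote_to_bytes

# A SecFilter-like pattern (constructed for the example).
RULE = re.compile(rb"\.\./|/etc/passwd")


def url_decode(raw: str) -> bytes:
    """Decode %XX escapes to the raw bytes the engine would inspect."""
    return unquote_to_bytes(raw)


def violates_byte_range(data: bytes, lo: int, hi: int) -> list:
    """Byte values present in data that fall outside [lo, hi].

    Empty list means 'SecFilterForceByteRange lo hi' would accept the data.
    """
    return sorted({b for b in data if b < lo or b > hi})


def normalize_for_rules(data: bytes) -> bytes:
    """%00 -> %20 conversion applied to the rule-matching copy only."""
    return data.replace(b"\x00", b" ")


def c_string_view(data: bytes) -> bytes:
    """Assumption: what a NUL-terminated (C string) matcher would see."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def inspect(raw_arg: str, lo: int = 1, hi: int = 255) -> dict:
    """Run the byte-range check and both rule views over one argument."""
    data = url_decode(raw_arg)
    return {
        "byte_range_violation": violates_byte_range(data, lo, hi),
        "rule_hit_truncated": bool(RULE.search(c_string_view(data))),
        "rule_hit_normalized": bool(RULE.search(normalize_for_rules(data))),
        "bytes_to_app": data,  # unchanged: the application gets the original
    }


if __name__ == "__main__":
    # Constructed request arguments.
    for arg, lo in (("../../etc/passwd%00.jpg", 1), ("%00../../etc/passwd", 0)):
        print(arg, "with range", lo, "255 ->", inspect(arg, lo=lo))
```

With the default `1 255` range the first argument is rejected outright because it contains byte 0. With `0 255` (null bytes allowed) the second argument passes the range check, a NUL-terminated view of it sees nothing to match, and only the normalised copy lets the rule fire, which is the point of the conversion being applied to the rules rather than to the data handed to the application.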