RE: [mod-security-users] [ANNOUNCE] ModSecurity 1.8.7 has been released
From: Spence, I. (ELS-CAM) <I.Spence@Elsevier.com> - 2005-03-09 11:14:55
Ivan,

Does this version contain the functionality for "SecFilterExternal"?

Regards,
Ian Spence

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic
Sent: 09 March 2005 09:54
To: mod...@li...
Subject: [mod-security-users] [ANNOUNCE] ModSecurity 1.8.7 has been released

ModSecurity 1.8.7 has been released. It is available for immediate download from:

http://www.modsecurity.org/download/

This release brings a mixture of small bug fixes, one minor security fix, and minor enhancements. Cookie parsing has been enhanced. ModSecurity now has two cookie parsers, one for each major version of the specification. Failures to execute external scripts are now properly logged. If the approver script is missing or not working the request is now rejected. A bug that allows an attacker to bypass some of the checks is now fixed.

About ModSecurity
-----------------

ModSecurity is a web application firewall, designed to protect vulnerable applications and reject manual and automated attacks. It is an open source intrusion detection and prevention system. It can work embedded in Apache, or as a standalone security device when configured to work as part of an Apache-based reverse proxy. Optionally, ModSecurity creates application audit logs, which contain the full request body in addition to all other details.

Requests are filtered using regular expressions. Some of the things possible are:

* Apply filters against any part of the request (URI, headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
* Store the files uploaded through the web server, and have them checked by external scripts

With few general rules ModSecurity can protect from both known and unknown vulnerabilities.

A Java version is also available, which works with any Servlet 2.3 compatible web server.

Changes (v1.8.7)
----------------

* Stefan Esser discovered a trivial way to craft a request to sneak the request parameters that are in the request body past the named parameter syntax (e.g. ARG_name). Non-selective filtering (SecFilter), other variables (e.g. THE_REQUEST, ARGS, POST_PAYLOAD), and the audit log worked fine. Fixed.

* Stefan Esser also pointed out PHP parses cookies differently from mod_security, and demonstrated a way to exploit the differences to sneak a cookie past the named cookie syntax (e.g. COOKIE_name). So I decided to add another cookie parser to mod_security. A new directive, SecFilterCookieFormat, determines which parser is used. Possible values are 0 (default, for Netscape-style cookies, aka version 0) and 1 (for RFC 2965 aka version 1 cookies). Without spending more time on research (to determine how different platforms parse cookies) -- which is on my TODO list -- I can't give a definitive answer whether the COOKIE_name syntax is good enough. It should be, but if you are very paranoid you may choose to use the HTTP_Cookie syntax to examine the whole cookie header. Look for more details in the documentation. As a consequence of the recent changes, the SecFilterCheckCookieFormat directive is now obsolete and has no effect.

* BUG Request error messages are now escaped properly when logged to the audit log.

* BUG (Apache 2 only) Failure to execute external scripts is now properly detected and logged.

* BUG If the approver script does not exist the file is rejected.

* BUG (Apache 2 only) Made the allow action work with output filtering.

* BUG (Apache 2 only) Warning messages (e.g. "log,pass") did not get logged in output filtering.

* Cookie normalization is now off by default (as was stated in the documentation previously).

* BUG (Apache 2 only) The audit logging code can cause a segfault when it isn't explicitly configured in the configuration, and the main handler does not run for some reason. Fixed.

* BUG (Apache 2 only) Fixed a bug in the code that handles the exec action, which would sometimes cause a segfault (when an external script is executed).

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
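The cookie-parser item in the changelog above describes a parsing differential: the filter builds its COOKIE_name variables from one parse of the Cookie header, while the application (PHP, in Esser's report) parses the same header differently, so a value the application sees never reaches the named-cookie rule. The following Python is an added illustration of that class of bypass and of the HTTP_Cookie mitigation Ivan mentions; it is not ModSecurity's or PHP's code, and the two parsers, the SQL-injection pattern and the cookie header are simplified, constructed examples, not the actual technique Esser demonstrated. The mapping to ModSecurity 1.x is: `selective_cookie_filter` plays the role of `SecFilterSelective COOKIE_id`, `whole_header_filter` the role of `SecFilterSelective HTTP_Cookie`.

```python
import re

# Constructed test header (not from the original post). The value of "id" is
# quoted and contains a ';', which the two parsers below treat differently.
HEADER = 'id="1; x=1 OR 1=1"; session=abc'

# Illustrative attack pattern standing in for a real SecFilterSelective regex.
SQLI = re.compile(r'\bOR\s+1\s*=\s*1', re.IGNORECASE)


def parse_netscape(header):
    """Simplified version-0 (Netscape-style) parser: split on ';', the first
    '=' separates name from value, quotes have no special meaning."""
    cookies = {}
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition('=')
        cookies[name.strip()] = value.strip()
    return cookies


# name=value pairs separated by ';' or ',', value either a quoted-string
# (which may itself contain ';') or a run of characters up to the next separator.
_TOKEN = re.compile(r'\s*([^=;,\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,]*)\s*[;,]?')


def parse_rfc2965(header):
    """Simplified version-1 (RFC 2965-style) parser: honours quoted values and
    skips $-prefixed attributes such as $Version, $Path and $Domain."""
    cookies = {}
    for m in _TOKEN.finditer(header):
        name, value = m.group(1), m.group(2).strip()
        if name.startswith('$'):
            continue  # attribute of the previous cookie, not a cookie itself
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        cookies[name] = value
    return cookies


def selective_cookie_filter(header, name, parser):
    """Named-cookie rule (COOKIE_<name>): only the value produced by the
    filter's own parser is inspected. Returns True when the rule matches."""
    return bool(SQLI.search(parser(header).get(name, '')))


def whole_header_filter(header):
    """Whole-header rule (HTTP_Cookie): inspects the raw header, so it does
    not depend on which parser the application uses."""
    return bool(SQLI.search(header))


def demo(header=HEADER):
    """Show the differential: a filter parsing as version 0 sees id='"1',
    while an application parsing as version 1 sees the full injected string."""
    return {
        'netscape_id': parse_netscape(header).get('id'),
        'rfc2965_id': parse_rfc2965(header).get('id'),
        'selective_netscape': selective_cookie_filter(header, 'id', parse_netscape),
        'selective_rfc2965': selective_cookie_filter(header, 'id', parse_rfc2965),
        'whole_header': whole_header_filter(header),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value!r}')
```

Run as a script, the output shows the version-0 view of `id` as `"1` (the injected text has been shifted into a cookie called `x`), the version-1 view as `1; x=1 OR 1=1`, the named-cookie rule missing when evaluated on the version-0 parse and hitting on the version-1 parse, and the whole-header rule hitting regardless. That is why the announcement's advice to examine HTTP_Cookie is the conservative choice whenever you cannot be sure the filter's SecFilterCookieFormat setting matches how the protected application parses cookies.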