RE: [mod-security-users] [ANNOUNCE] ModSecurity 1.8.7 has been re leased
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
RE: [mod-security-users] [ANNOUNCE] ModSecurity 1.8.7 has been re leased
|
From: Spence, I. (ELS-CAM) <I.Spence@Elsevier.com> - 2005-03-09 11:14:55
|
Ivan,
Does this version contain the functionality for "SecFilterExternal" ?
Regards,
Ian Spence
-----Original Message-----
From: mod...@li...
[mailto:mod...@li...] On Behalf Of Ivan
Ristic
Sent: 09 March 2005 09:54
To: mod...@li...
Subject: [mod-security-users] [ANNOUNCE] ModSecurity 1.8.7 has been released
ModSecurity 1.8.7 has been released. It is available for immediate download
from:
http://www.modsecurity.org/download/
This release brings a mixture of small bug fixes, one minor security fix,
and minor enhancements. Cookie parsing has been enhanced.
ModSecurity now has two cookie parsers, one for each major version of the
specification. Failures to execute external scripts are now properly logged.
If the approver script is missing or not working the request is now
rejected. A bug that allows attacker to bypass some of the checks is now
fixed.
About ModSecurity
-----------------
ModSecurity is a web application firewall, designed to protect vulnerable
applications and reject manual and automated attacks.
It is an open source intrusion detection and prevention system. It can work
embedded in Apache, or as a standalone security device when configured to
work as part of an Apache-based reverse proxy.
Optionally, ModSecurity creates application audit logs, which contain the
full request body in addition to all other details. Requests are filtered
using regular expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
* Store the files uploaded through the web server, and have them
checked by external scripts
With few general rules ModSecurity can protect from both known and unknown
vulnerabilities. A Java version is also available, which works with any
Servlet 2.3 compatible web server.
Changes (v1.8.7)
----------------
* Stefan Esser discovered a trivial way to craft request to sneak
in the request parameters that are in the request body past the
named parameter syntax (e.g. ARG_name). Non-selective filtering
(SecFilter), other variables (e.g. THE_REQUEST, ARGS, POST_PAYLOAD),
and the audit log worked fine. Fixed.
* Stefan Esser also pointed out PHP parses cookies differently from
mod_security, and demonstrated a way to exploit the differences
to sneak in a cookie past the named cookie syntax (e.g. COOKIE_name).
So I decided to add another cookie parser to mod_security. A new
directive, SecFilterCookieFormat, determines which parser is used.
Possible values are 0 (default, for Netscape-style cookies, aka
version 0) and 1 (for RFC 2965 aka version 1 cookies). Without
spending more time on research (to determine how different platforms
parse cookies) -- which is on my TODO list -- I can't give a
definitive answer whether the COOKIE_name syntax is good enough. It
should be, but if you are very paranoid you may choose to use the
HTTP_Cookie syntax to examine the whole cookie header. Look for more
details in the documentation. As a consequence of the recent changes,
the SecFilterCheckCookieFormat directive is now obsolete and has
no effect.
* BUG Request error messages are now escaped properly when logged
to the audit log.
* BUG (Apache 2 only) Failure to execute external scripts is now
properly detected and logged.
* BUG If the approver script does not exist the file is rejected.
* BUG (Apache 2 only) Made the allow action work with output
filtering.
* BUG (Apache 2 only) Warning messages (e.g. "log,pass") did
not get logged in output filtering.
* Cookie normalization is now off by default (as was stated in the
documentation previously).
* BUG (Apache 2 only) The audit logging code can cause a segfault
when it isn't explicitly configured in the configuration, and
the main handler does not run for some reason. Fixed.
* BUG (Apache 2 only) Fixed a bug in the code that handles the exec
action, which would sometimes cause a segfault (when an external
script is executed).
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web
application firewall - http://www.modsecurity.org
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
|