RE: [mod-security-users] Command injection attack
Brought to you by:
victorhora,
zimmerletw
From: Sander H. - O. X. <in...@or...> - 2005-08-12 12:33:56
|
mod...@li... wrote: > Hi, > > I would like to write a rule to filter this kind of attack (Command > injection attack): > > GET /stats.pl?toto=aa+bb+cc+|+any_unix_command+#+dd+ee&titi=tata > > In GET or POST > > In fact I would like to block all the ";", "|", "#" > > I wrote : > SecFilterSelective ARGS [;|\||#] > > It works but is it the best way ? > > David ROBERT No. You do not need to separate characters by an or (|) statement in [] or [^] containers. They should contain all the characters you want to match. Where, for instance a dot (.) will match any character, [;|#] will match to ; or | or #. They more or less contain an array (only not seperated by ,) of characters you want to match to. Putting an ^ after the [ does the opposite. Kind regards, Sander Holthaus |