Re: [mod-security-users] Enhancement proposal: Proxy access attempt -rule 960014
Brought to you by:
victorhora,
zimmerletw
From: Marc S. <mar...@ad...> - 2007-06-15 12:27:15
|
SecRule REQUEST_URI_RAW ^\w:/ "t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt',severity:'2',id:'960014'" seems safe to me. I tested it, and http://.., ftp://..., etc. are blocked. We could add the second /, but I think it is not necessary as "GET abc:/" doesn't look valid to me. Would you to modify core rule 960014 accordingly ? Marc Ryan Barnett wrote: > You can block those too if you desire, although I would recommend that > you test your Regex to ensure that it is matching appropriately. If the > t:normalisePath is used (or inherited from a previous SecDefaultAction) > the 2nd forward slash would be removed and thus this would not match. > This was also an issue when we originally used REQUEST_URI as Apache > normalized this as well. This is why we switched the Mod variable to > REQUEST_URI_RAW. > > |