Re: [mod-security-users] blocking php uploads

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Ryan,
    Thanks and this is working as expected (though your reminder is
accurate about crafty attackers) for PHP files.  I'm wondering if I can
specify a list of file names on the line below that should not be
allowed.

SecRule FILES "\.php$" log,deny,status:403,phase:2

Thanks!

Clay

On Fri, 2008-02-15 at 16:44 -0500, Ryan Barnett wrote:
> Hello Clayton and welcome to the list J  Yes, ModSecurity can help
> you.  The Core Rules
> (http://www.modsecurity.org/projects/rules/index.html) has rules that
> will help to protect against SQL Injection attacks and also when
> clients try to access Trojan/backdoor web pages that may have been
> uploaded through a non-HTTP interface.  As for preventing PHP file
> uploads, you may be able to use the example rule shown here
> (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0-rc4/modsecurity2-apache-reference.html#N10B39) by inspecting the FILES variable data to try and prevent the “.php” extension as this would be the uploaded filename.  Keep in mind, however that this is prone to evasions by a crafty attacker.
> 
>  
> 
> Hope this helps.
> 
>  
> 
> 
> -- 
> Ryan C. Barnett
> ModSecurity Community Manager
> 
> Breach Security: Director of Training
> 
> Web Application Security Consortium (WASC) Member
> 
> CIS Apache Benchmark Project Lead
> 
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> 
> Author: Preventing Web Attacks with Apache
> 
> 
> 
>  
> 
> 
>                                    
> ______________________________________________________________________
> 
> From:mod...@li...
> [mailto:mod...@li...] On Behalf Of
> Clayton Dillard
> Sent: Friday, February 15, 2008 4:41 PM
> To: mod...@li...
> Subject: [mod-security-users] blocking php uploads
> 
> 
> 
>  
> 
> Folks,
>     I'm new to this list and I'm researching mod_security.  So far it
> seems like a very good tool.  At my company, we host shared SugarCRM
> instances for our customers.  Thus, we would need to know if
> mod_security can be configured so that it provides a strong level of
> defense against common PHP, SQL-injection, and Apache attacks.  One
> thing we want to do is to prevent anyone from uploading php files (or
> any executable code for that matter).  Can mod_security do this?
> 
> Best regards,
> 
> 
> 
> Clayton Taylor Dillard
> 
> http://hspcd.blogspot.com/ 
> 
> 
> 
>  
> 
> 

Clayton Taylor Dillard

http://hspcd.blogspot.com/