Re: [mod-security-users] ByteRange Filter not acting as expected.
From: Ivan R. <iv...@we...> - 2003-11-19 00:35:21
> Interestingly enough, only the second one gets caught (406) by
> mod_security. Does something really stand out here that didn't catch
> my eye?

It's Apache. If it finds an encoded / character (using %2f) it returns
a 404 early in the request processing phase, and before it reaches
mod_security. Try these two:

http://www.modsecurity.org/documentation/index.html
http://www.modsecurity.org/documentation%2findex.html

Some Web servers (IIS, I believe) would return the same document for
both requests. Whisker uses this Apache behavior to fingerprint it.
I've thought of making mod_security modify this behavior, but I'm not
quite sure about it yet.

...

BTW. mod_security rules are case insensitive. Your rule:

SecFilter "[Ww][Ii][Nn][Nn][Tt]"

should be equivalent to

SecFilter "winnt"

Also, if the string appears only in the URL (and not POST), you should
consider using

SecFilterSelective REQUEST_URI "winnt"

as it is more efficient.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
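The two effects described in the reply (Apache rejecting an encoded slash before any module sees the request, and a filter that matches case-insensitively on the decoded URI) can be modelled in a few lines. The following is an added illustration written for this archive page; it is not ModSecurity's own code, and the decode-then-match logic, the function names and the sample URIs are simplifications assumed here to show why a request with %2f never reaches the 406 stage while a mixed-case "WINNT" still matches the plain "winnt" rule.

```python
import re
from urllib.parse import unquote

# Constructed sample request URIs (not from the mailing-list post), built
# around the two URL shapes the reply contrasts: a literal slash versus %2f.
SAMPLE_URIS = [
    "/documentation/index.html",
    "/documentation%2findex.html",
    "/cgi-bin%2fwinnt/index.html",
    "/cgi-bin/WINNT/index.html",
]


def apache_rejects_encoded_slash(raw_uri: str) -> bool:
    """Model the behaviour the reply describes: Apache answers 404 for a
    path containing an encoded slash (%2f or %2F) before the request is
    handed to filtering modules.  This is an assumed simplification."""
    return re.search(r"%2f", raw_uri, re.IGNORECASE) is not None


def rule_matches(raw_uri: str, pattern: str) -> bool:
    """Simplified SecFilter-style test: percent-decode the URI, then search
    case-insensitively, which is why "[Ww][Ii][Nn][Nn][Tt]" and "winnt"
    behave the same (the reply states rules are case insensitive)."""
    decoded = unquote(raw_uri)
    return re.search(pattern, decoded, re.IGNORECASE) is not None


def classify(raw_uri: str, pattern: str) -> int:
    """Return the status the reply attributes to each stage: 404 when Apache
    drops the request early, 406 when the filter rejects it, else 200."""
    if apache_rejects_encoded_slash(raw_uri):
        return 404
    if rule_matches(raw_uri, pattern):
        return 406
    return 200


def classify_all(uris, pattern: str) -> dict:
    """Map each sample URI to the status it would receive under `pattern`."""
    return {uri: classify(uri, pattern) for uri in uris}


if __name__ == "__main__":
    for uri, status in classify_all(SAMPLE_URIS, "winnt").items():
        print(f"{status}  {uri}")
```

Running the script shows the asymmetry from the post: the URI with `%2f` is answered 404 before the rule is consulted, whereas the literal-slash URI containing `WINNT` is caught with 406 by the single lowercase rule.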