Re: [mod-security-users] ByteRange Filter not acting as expected.
From: N N. <nan...@ne...> - 2003-11-19 00:53:09
iv...@we... wrote:
>
>> Interestingly enough, only the second one gets caught (406) by
>> mod_security. Does something really stand out here that didn't catch
>> my eye?
>
>
> It's Apache. If it finds an encoded / character (using %2f) it
> returns a 404 early in the request processing phase, and before
> it reaches mod_security.
>
> Try these two:
>
> http://www.modsecurity.org/documentation/index.html
> http://www.modsecurity.org/documentation%2findex.html
>
> Some Web servers (IIS, I believe) would return the same document
> for both requests. Whisker uses this Apache behavior to fingerprint
> it.
>
> I've thought of making mod_security modify this behavior,
> but I'm not quite sure about it yet.
>
> ...
>
> BTW. mod_security rules are case insensitive. Your rule:
>
> SecFilter "[Ww][Ii][Nn][Nn][Tt]"
>
> should be equivalent to
>
> SecFilter "winnt"
>
> Also, if the string appears only in the URL (and not POST),
> you should consider using
>
> SecFilterSelective REQUEST_URI "winnt"
>
> as it is more efficient.

Whoa. That was a super-fast response, Ivan. As you can see, I'm playing around with the beginner example rules (pasted from the web) since I installed it y'day. Thanks for your suggestions. Sounds like I have some more reading to do ;) before I can become a power user.

Understood. Over and out.
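The three points Ivan makes above (Apache rejects an encoded slash with 404 before mod_security runs, SecFilter patterns are case insensitive, and SecFilterSelective REQUEST_URI narrows the search to the URI) can be checked against a small model. The script below is an added illustration, not code from the thread or from the mod_security project: apache_early_check, sec_filter, sec_filter_selective_request_uri and evaluate are simplified stand-ins for the real request pipeline, the sample requests in REQUESTS are constructed for this example, and the assumption that SecFilter searches the decoded URI plus the body while the selective form searches only the decoded URI is a deliberate simplification of the 1.x behaviour.

```python
import re
from urllib.parse import unquote

# Constructed sample requests for this illustration; none of them come from
# the thread. raw_path is the path exactly as it appears on the request line.
REQUESTS = {
    "plain_uri":     {"raw_path": "/winnt/system32/readme.txt", "body": ""},
    "encoded_slash": {"raw_path": "/documentation%2findex.html", "body": ""},
    "mixed_case":    {"raw_path": "/cgi-bin/WiNnT.pl", "body": ""},
    "body_only":     {"raw_path": "/login.cgi", "body": "user=winnt&pass=x"},
    "clean":         {"raw_path": "/documentation/index.html", "body": ""},
}


def apache_early_check(raw_path):
    """Model of Apache's handling before any filter module sees the request:
    an encoded slash (%2f, any case) in the path is answered with 404, so
    mod_security never evaluates that request. Returns 404 or None."""
    if re.search(r"%2f", raw_path, re.IGNORECASE):
        return 404
    return None


def sec_filter(pattern, request):
    """Model of SecFilter: case-insensitive regex search over the decoded
    URI and the request body (assumed scope for this example)."""
    rx = re.compile(pattern, re.IGNORECASE)
    haystack = unquote(request["raw_path"]) + "\n" + request["body"]
    return rx.search(haystack) is not None


def sec_filter_selective_request_uri(pattern, request):
    """Model of SecFilterSelective REQUEST_URI: same case-insensitive match,
    but only the decoded URI is inspected, so a body-only hit is missed."""
    rx = re.compile(pattern, re.IGNORECASE)
    return rx.search(unquote(request["raw_path"])) is not None


def evaluate(request, pattern, selective=False):
    """Run a request through the modelled pipeline and return the status:
    404 if Apache rejects it early, 406 if the filter matches, else 200."""
    early = apache_early_check(request["raw_path"])
    if early is not None:
        return early
    matcher = sec_filter_selective_request_uri if selective else sec_filter
    return 406 if matcher(pattern, request) else 200


def patterns_equivalent(pattern_a, pattern_b, samples):
    """True when both patterns, compiled case-insensitively as mod_security
    would, accept and reject exactly the same strings from samples."""
    rx_a = re.compile(pattern_a, re.IGNORECASE)
    rx_b = re.compile(pattern_b, re.IGNORECASE)
    return all((rx_a.search(s) is None) == (rx_b.search(s) is None)
               for s in samples)


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:14s} SecFilter -> {evaluate(req, 'winnt')}  "
              f"SecFilterSelective REQUEST_URI -> {evaluate(req, 'winnt', True)}")
    samples = ["winnt", "WINNT", "WiNnT", "/x/winnt/y", "winn", "win-nt"]
    print("patterns equivalent:",
          patterns_equivalent("[Ww][Ii][Nn][Nn][Tt]", "winnt", samples))
```

Running it shows the encoded-slash request reported as 404 regardless of which rule form is used, the mixed-case path caught by the plain "winnt" pattern without any character classes, and the body-only sample caught by SecFilter but passed by the REQUEST_URI-only rule, which is the trade-off to weigh before taking the more efficient selective form.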