Re: [mod-security-users] Restriction to / dir
From: Ivan R. <iv...@we...> - 2004-01-07 23:34:45
Ulf Harnhammar wrote:
>> ModSecurity can scan parameters for suspicious strings but it's
>> not foolproof. It needs something distinctive to act upon. For
>> example, protecting "/boot" is easy. But the root "/" - not simple.
>
> What about this regular expression?
>
> ^/[^/]*$
>
> It will match strings that begin with a slash and then have zero
> or more characters that are something else than slashes.

That will work if you use it like this:

SecFilterSelective SCRIPT_FILENAME "^/[^/]*$"

but, again, that only covers the files executed and/or served by Apache. In my earlier email I was referring to various scripts that allow file download, accepting filenames as parameters. For example:

http://www.xyz.com/cgi-bin/download.php?filename=/etc/passwd

If you know about this script you can secure it (either by making sure it works properly, or by using mod_security to look after it). But in a shared hosting environment when you have customers uploading arbitrary scripts with arbitrary parameters, crafting a filter to catch those / downloads is pretty difficult (without creating a large number of false positives, that is).

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
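The trade-off Ivan describes (a parameter filter that catches `filename=/etc/passwd` versus one that stays quiet on legitimate values) is easy to see by running a few candidate rules over decoded query parameters. The following is an added example, not code from the thread or from the ModSecurity project: it applies Ulf's `^/[^/]*$` to parameter values alongside two assumed rules of my own (an absolute-path rule and a `..` traversal rule), after URL-decoding twice so double-encoded traversal is normalized the way a filter would need to. The sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Candidate filters over a decoded parameter value.
# "root_only" is the ^/[^/]*$ regex from the thread; "absolute_path" and
# "traversal" are assumed rules added here for illustration, not ModSecurity rules.
FILTERS = [
    ("root_only", re.compile(r"^/[^/]*$")),
    ("absolute_path", re.compile(r"^/")),
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
]


def decode_value(value: str) -> str:
    """URL-decode repeatedly (up to twice) so %252e%252e%252f-style
    double encoding collapses to the same string a single encoding would."""
    prev = value
    for _ in range(2):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def scan_request(url: str) -> dict:
    """Return {parameter_name: [names of filters that matched]} for one request URL.

    parse_qsl already decodes one layer of percent-encoding; decode_value
    handles a second layer, which is what an attacker uses to slip past a
    filter that looks only at the raw query string."""
    parts = urlsplit(url)
    findings = {}
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_value(raw)
        hits = [fname for fname, rx in FILTERS if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample requests (not from any real log): the download.php
# example from the thread plus variants a practitioner would want covered.
SAMPLE_REQUESTS = [
    "http://www.xyz.com/cgi-bin/download.php?filename=/etc/passwd",
    "http://www.xyz.com/cgi-bin/download.php?filename=../../etc/passwd",
    "http://www.xyz.com/cgi-bin/download.php?filename=%252e%252e%252fetc%252fpasswd",
    "http://www.xyz.com/cgi-bin/download.php?filename=report.pdf",
    "http://www.xyz.com/gallery.php?img=/images/logo.png",   # legitimate absolute web path
    "http://www.xyz.com/cgi-bin/download.php?filename=/",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{url}\n    -> {scan_request(url) or 'no match'}")
```

Running it shows the point of the thread: `root_only` never fires on `/etc/passwd` (it only matches a bare `/` or a single path component), the `absolute_path` rule does catch it but also flags the perfectly ordinary `img=/images/logo.png`, and only the `traversal` rule is both specific and robust to double encoding. In the 1.x syntax used in the thread, the absolute-path rule corresponds roughly to `SecFilterSelective ARGS "^/"`; whether that is acceptable depends entirely on how many of the hosted applications legitimately pass absolute paths as parameters, which is exactly the shared-hosting problem Ivan raises.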