RE: [mod-security-users] How to disable this?
From: Tkachenko A. <al...@tk...> - 2004-01-10 21:19:35
Thank you!

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: 10 January 2004 22:55
To: Tkachenko Alexei
Cc: mod...@li...
Subject: Re: [mod-security-users] How to disable this?

Tkachenko Alexei wrote:
> Suppose I have "SecFilter /somedir".
> With CGI-Telnet Version 1.0 a user can perform the following:
> 1) cd /
> 2) ls /somedir - gets an error
> 3) ls somedir - and gets the content of somedir.
>
> Is there any way to prevent this?

No, not really. You see, once you allowed your users to have CGI access
you have also given them permission to read the contents of various
folders on the server. You can write rules to stop users from using
shell-emulators but, ultimately, knowledgeable users will always be able
to get around them. The only proper solution is to use cgiwrap for CGI
scripts and the safe mode/open_basedir restrictions for PHP.

If you still want to continue with mod_security, you should look into
the source code of the shell emulator and make note of the variable
names it uses to pass commands to the server. Then, add a filter to
watch for those. cgitelnet, if I recall correctly, uses 'a' for action
and 'c' for command. This filter will reject requests with a parameter
'c' that starts with "ls"...

SecFilterSelective ARG_c "^[[:space:]]*ls"

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
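The following is an added example, not code from the thread or from the ModSecurity project. It emulates what the suggested rule (SecFilterSelective ARG_c "^[[:space:]]*ls", ModSecurity 1.x syntax; 2.x and later express the same thing as SecRule ARGS:c "^\s*ls") does to a few constructed query strings sent to a cgitelnet-style shell emulator that passes the action in 'a' and the command in 'c'. It then applies a somewhat tighter pattern and shows that trivial shell tricks (an absolute path, a backslash or empty quotes inside the command name) still slip past both, which is the point Ivan makes about knowledgeable users. The percent-decoding step stands in for the WAF's argument normalisation; Python's re has no POSIX [[:space:]], so \s is used in its place. The rule names, sample requests and the "tighter" pattern are all assumptions made for illustration.

```python
"""Added example (not from the thread or the ModSecurity project): emulate a
ModSecurity 1.x selective filter on the decoded value of one CGI argument.

Hypothetical shell emulator interface assumed here: action in 'a', command
in 'c', as the thread describes for cgitelnet.
"""
import re
from urllib.parse import parse_qs

# The rule from the thread, with POSIX [[:space:]] rendered as Python \s.
# Only blocks when the decoded value of 'c' STARTS with optional whitespace + "ls".
THREAD_RULE = [("c", re.compile(r"^\s*ls"))]

# A tighter (still illustrative) pattern: "ls" at the start of any shell
# word position (after ; & | ` ( or whitespace), optionally prefixed by an
# absolute path such as /bin/, and followed by whitespace, a separator, or end.
TIGHTER = [("c", re.compile(r"(?:^|[;&|`(\s])\s*(?:/[\w/]*/)?ls(?:[\s;&|)]|$)"))]


def decode_args(query_string):
    """Percent-decode and '+'-decode the query string into {name: first value},
    roughly what the WAF sees after argument normalisation."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def is_blocked(query_string, rules=THREAD_RULE):
    """True if any (argument, pattern) rule matches the decoded argument value."""
    args = decode_args(query_string)
    for name, pattern in rules:
        value = args.get(name)
        if value is not None and pattern.search(value):
            return True
    return False


# Constructed sample requests (not captured traffic).
SAMPLES = [
    "a=command&c=ls+/somedir",        # plain "ls /somedir"
    "a=command&c=%20%20ls",           # leading spaces, still starts with ls
    "a=command&c=/bin/ls+/somedir",   # absolute path: thread rule misses it
    "a=command&c=cd+/somedir;ls",     # ls after a separator: thread rule misses it
    "a=command&c=l%5Cs+/somedir",     # l\s : shell still runs ls, no regex sees "ls"
    "a=command&c=l%22%22s+/somedir",  # l""s : same trick with empty quotes
    "a=command&c=find+/somedir",      # different tool listing the same directory
]


def classify_samples(samples=SAMPLES):
    """Map each query string to (blocked by thread rule, blocked by tighter rule)."""
    return {q: (is_blocked(q, THREAD_RULE), is_blocked(q, TIGHTER)) for q in samples}


if __name__ == "__main__":
    print(f"{'thread':>7} {'tighter':>7}  request")
    for q, (a, b) in classify_samples().items():
        print(f"{'BLOCK' if a else 'allow':>7} {'BLOCK' if b else 'allow':>7}  {q}")
```

Running it shows the thread rule catching only the first two requests, the tighter pattern additionally catching the absolute-path and separator cases, and neither rule touching the last three, which all still list /somedir on the server. Blocking on the request side is a speed bump; the real control is the process-level one Ivan names (cgiwrap, or open_basedir for PHP).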