[mod-security-users] Webdav Exploit - What Rule To Catch?
From: Purl G. <pur...@pu...> - 2004-03-30 18:23:55
Many of you have noticed Apache log entries for
this idiotic Webdav exploit which are extremely
long and generate a "URI too long" error response.

An example which is truncated:

66.215.211.96 66.215.211.96 [30/Mar/2004:09:48:40 -0800] "SEARCH /\x90

This request method "SEARCH" is not recognized by
Apache 1.3.x series and presents a problem.

I enjoy very good success loading and running mod_security
for my Apache server. Ran the enclosed tests, all seems to
be working perfectly. Very nice module, indeed.

However, I am having difficulties capturing these Webdav
exploits before Apache sends a 414 error response. Those
"SEARCH" request methods are slipping by mod_security.

Currently I am trying this entry for mod_security:

# Kill Search Request Method
SecFilterSelective "REQUEST_METHOD" "^.*SEARCH.*$"

I have tried variations on this, tried a simple filter,
but cannot capture those darn Webdav exploits. My return
error message should be a 405 method not allowed but
have yet to succeed at this.

Anyone having success at capturing Webdav exploits
using mod_security? I am sure there is something
I am overlooking in my configuration.

Both your comments and help are appreciated.

Thanks,
Kira
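
A log-triage sketch for the requests described in this post, added here as an example and not part of the original message: it flags SEARCH requests, 414 responses and long \x90 runs in access-log lines, including entries cut off like the one quoted above. The sample lines, the trailing status and byte fields, the ALLOWED method set and the 8-escape threshold are constructed assumptions, since the post's own log line is truncated.

```python
import re
from collections import Counter

# Layout taken from the truncated sample in the post: host, host, [time], "request".
# The closing quote, status and byte count are optional because the post's line is
# cut off; their presence in a full line is an assumption.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)(?:" (?P<status>\d{3}) \S+)?$'
)
NOP_RE = re.compile(r'(?:\\x90){8,}')   # run of escaped 0x90 bytes (threshold assumed)
ALLOWED = {"GET", "HEAD", "POST"}       # assumed site policy; adjust to your server

def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = m["request"].split(" ", 2)  # method, URI, optional protocol
    method = parts[0].upper()
    uri = parts[1] if len(parts) > 1 else ""
    reasons = []
    if method == "SEARCH":
        reasons.append("search-method")
    elif method not in ALLOWED:
        reasons.append("unexpected-method")
    if m["status"] == "414":
        reasons.append("uri-too-long")
    if m["status"] is None:             # request field never closed in the log
        reasons.append("truncated-entry")
    if NOP_RE.search(uri):
        reasons.append("x90-run")
    return {"host": m["host"], "time": m["time"], "method": method,
            "uri_len": len(uri), "reasons": reasons}

def summarize(lines):
    """Count SEARCH requests per source host."""
    hits = Counter()
    for line in lines:
        rec = classify(line)
        if rec and "search-method" in rec["reasons"]:
            hits[rec["host"]] += 1
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 192.0.2.10 [30/Mar/2004:09:48:40 -0800] "SEARCH /' + '\\x90' * 40 + '" 414 340',
    '192.0.2.10 192.0.2.10 [30/Mar/2004:09:50:02 -0800] "SEARCH /' + '\\x90' * 40,
    '198.51.100.7 198.51.100.7 [30/Mar/2004:09:51:13 -0800] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for host, count in summarize(SAMPLE).items():
        print(host, count)
```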