Re: [mod-security-users] [Fwd: Re: Mod_Security]
From: Ivan R. <iv...@we...> - 2005-02-07 21:12:06
> Got that issue fixed but now no one can get to phpMyAdmin -
> well they can get to it, but cannot select any tables
>
> ...
>
> This rule kills phpMyAdmin
>
> # Very crude filters to prevent SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"
It does, because of this:
> sql_query=SELECT+%2A+FROM+%60columns_priv%60
That's what the rule was designed to prevent.
> Is there a way to still stop injection attacks and keep phpmyadmin
> running ??
I have a limited understanding of how PHPMyAdmin works but my
impression is that you log into it (PHPMyAdmin) with your
database username and password. Because of this it makes no sense
to try and use SQL injection against PHPMyAdmin because it already
allows you to do anything you want with the database. (Some other
types of attack, e.g. file disclosure, are more appropriate.)
Therefore you should look at telling mod_security not to bother
with SQL injection filters with PHPMyAdmin:
<Location /MyAdmin/>
SecFilterInheritance Off
# now you have the same configuration as
# in the parent context but no rules
# Add the rules you want below, but not the ones
# that deal with SQL injection
# ...
</Location>
--
Ivan Ristic (http://www.modsecurity.org)
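An added illustration (not part of the thread, and not mod_security's own code) of why the crude "select.+from" filter fires on the quoted phpMyAdmin request and what the <Location> exemption changes: a small Python model of SecFilter matching that assumes, as the thread's outcome implies, that filters are applied case-insensitively to the URL-decoded request and that `SecFilterInheritance Off` drops every parent-context rule. The function names and the extra sample request are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# The three "very crude" SQL injection filters quoted in the thread,
# as they would sit in the parent (server-wide) context.
PARENT_RULES = [
    r"delete[[:space:]]+from",
    r"insert[[:space:]]+into",
    r"select.+from",
]

# Location contexts that switched inheritance off, as in the
# <Location /MyAdmin/> example above. Their own rule list is empty
# here (hypothetical: a real config would add the non-SQL rules back).
NO_INHERIT_LOCATIONS = {"/MyAdmin/": []}


def _to_python_regex(pattern: str) -> re.Pattern:
    # Python's re has no POSIX classes; translate the one used above.
    # Case-insensitive matching is an assumption consistent with the
    # thread ("SELECT ... FROM" tripped a lowercase "select.+from").
    return re.compile(pattern.replace("[[:space:]]", r"\s"), re.IGNORECASE)


def rules_for(path: str) -> list:
    """Patterns in effect for a request path."""
    for prefix, own_rules in NO_INHERIT_LOCATIONS.items():
        if path.startswith(prefix):
            return own_rules  # SecFilterInheritance Off: parent rules dropped
    return PARENT_RULES


def matching_rules(path: str, body: str) -> list:
    """Patterns that would fire on the URL-decoded request body."""
    decoded = unquote_plus(body)
    return [p for p in rules_for(path) if _to_python_regex(p).search(decoded)]


# Constructed sample: the phpMyAdmin request body quoted in the thread.
PMA_BODY = "sql_query=SELECT+%2A+FROM+%60columns_priv%60"

if __name__ == "__main__":
    # Same legitimate phpMyAdmin query, blocked outside the exempted
    # location and allowed inside it.
    print(matching_rules("/phpmyadmin/sql.php", PMA_BODY))  # ['select.+from']
    print(matching_rules("/MyAdmin/sql.php", PMA_BODY))     # []
    # A constructed injection-style body elsewhere on the server still
    # trips the parent rules.
    print(matching_rules("/shop/item.php", "id=1;DELETE+FROM+users"))
```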