Re: [mod-security-users] [ANNOUNCE] ModSecurity 1.8.7 has been released
From: Gerwin K. -|- D. W. <ge...@di...> - 2005-03-09 10:02:53
Great Ivan :)
Will do some testing ....

Ivan Ristic wrote:
|
| ModSecurity 1.8.7 has been released. It is available for immediate
| download from:
|
| http://www.modsecurity.org/download/
|
| This release brings a mixture of small bug fixes, one minor security
| fix, and minor enhancements. Cookie parsing has been enhanced.
| ModSecurity now has two cookie parsers, one for each major version of
| the specification. Failures to execute external scripts are now properly
| logged. If the approver script is missing or not working the request is
| now rejected. A bug that allows an attacker to bypass some of the checks
| is now fixed.
|
|
| About ModSecurity
| -----------------
| ModSecurity is a web application firewall, designed to protect
| vulnerable applications and reject manual and automated attacks.
| It is an open source intrusion detection and prevention system. It
| can work embedded in Apache, or as a standalone security device when
| configured to work as part of an Apache-based reverse proxy.
|
| Optionally, ModSecurity creates application audit logs, which contain
| the full request body in addition to all other details. Requests are
| filtered using regular expressions. Some of the things possible are:
|
| * Apply filters against any part of the request (URI,
| headers, either GET or POST)
| * Apply filters against individual parameters
| * Reject SQL injection attacks
| * Reject Cross site scripting attacks
| * Store the files uploaded through the web server, and have them
| checked by external scripts
|
| With a few general rules ModSecurity can protect from both known
| and unknown vulnerabilities. A Java version is also available, which
| works with any Servlet 2.3 compatible web server.
|
|
| Changes (v1.8.7)
| ----------------
|
| * Stefan Esser discovered a trivial way to craft a request to sneak
| in the request parameters that are in the request body past the
| named parameter syntax (e.g. ARG_name). Non-selective filtering
| (SecFilter), other variables (e.g. THE_REQUEST, ARGS, POST_PAYLOAD),
| and the audit log worked fine. Fixed.
|
| * Stefan Esser also pointed out PHP parses cookies differently from
| mod_security, and demonstrated a way to exploit the differences
| to sneak in a cookie past the named cookie syntax (e.g. COOKIE_name).
| So I decided to add another cookie parser to mod_security. A new
| directive, SecFilterCookieFormat, determines which parser is used.
| Possible values are 0 (default, for Netscape-style cookies, aka
| version 0) and 1 (for RFC 2965 aka version 1 cookies). Without
| spending more time on research (to determine how different platforms
| parse cookies) -- which is on my TODO list -- I can't give a
| definitive answer whether the COOKIE_name syntax is good enough. It
| should be, but if you are very paranoid you may choose to use the
| HTTP_Cookie syntax to examine the whole cookie header. Look for more
| details in the documentation. As a consequence of the recent changes,
| the SecFilterCheckCookieFormat directive is now obsolete and has
| no effect.
|
| * BUG Request error messages are now escaped properly when logged
| to the audit log.
|
| * BUG (Apache 2 only) Failure to execute external scripts is now
| properly detected and logged.
|
| * BUG If the approver script does not exist the file is rejected.
|
| * BUG (Apache 2 only) Made the allow action work with output
| filtering.
|
| * BUG (Apache 2 only) Warning messages (e.g. "log,pass") did
| not get logged in output filtering.
|
| * Cookie normalization is now off by default (as was stated in the
| documentation previously).
|
| * BUG (Apache 2 only) The audit logging code can cause a segfault
| when it isn't explicitly configured in the configuration, and
| the main handler does not run for some reason. Fixed.
|
| * BUG (Apache 2 only) Fixed a bug in the code that handles the exec
| action, which would sometimes cause a segfault (when an external
| script is executed).
|

--
Met vriendelijke groet/With kind regards,

Gerwin Krist
Digitalus First-class Internet Webhosting
(w) http://www.digitalus.nl
(e) gerwin at digitalus.nl
(p) PGP-ID: 79B325D4
(t) +31 (0) 598 630000
(f) +31 (0) 598 631860
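The point in the quoted change note about the COOKIE_name syntax depending on which cookie parser is in use, shown as an added illustration that is not ModSecurity's own code: two simplified parsers modelled on the formats SecFilterCookieFormat selects between (0 for Netscape-style, 1 for RFC 2965 with quoted values), and a check applied either to one named cookie or to the whole header, as a filter on HTTP_Cookie would see it. The parsers, the sample header and the pattern are constructed for this example and do not reproduce the specific issue Stefan Esser reported.

```python
import re

# Constructed models, not ModSecurity's parsers: version 0 (Netscape-style)
# splits on ';' with no quoting; version 1 (RFC 2965) honours quoted-string
# values and skips $-attributes such as $Version. The same Cookie header can
# therefore yield different cookie names and values depending on the parser.

def parse_v0(header):
    """Netscape-style (SecFilterCookieFormat 0): split on ';', then first '='."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies.setdefault(name.strip(), value.strip())
    return cookies

_V1_PAIR = re.compile(r'\s*([^=;,\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,]*)\s*[;,]?')

def parse_v1(header):
    """RFC 2965 (SecFilterCookieFormat 1): a quoted value may contain ';'."""
    cookies = {}
    for m in _V1_PAIR.finditer(header):
        name, value = m.group(1), m.group(2)
        if name.startswith("$"):          # $Version, $Path, $Domain are attributes
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        cookies.setdefault(name, value)
    return cookies

def named_cookie_matches(header, name, pattern, fmt):
    """Model of a filter on COOKIE_<name>: sees only what the chosen parser extracts."""
    cookies = parse_v1(header) if fmt == 1 else parse_v0(header)
    return re.search(pattern, cookies.get(name, "")) is not None

def header_matches(header, pattern):
    """Model of a filter on HTTP_Cookie: sees the raw header, parser-independent."""
    return re.search(pattern, header) is not None

# Constructed sample: a quoted RFC 2965 value that a version 0 parser splits in two.
SAMPLE_HEADER = '$Version="1"; sid="abc; lang=<script>"; theme=dark'
SAMPLE_PATTERN = r"<script"

if __name__ == "__main__":
    for fmt in (0, 1):
        for name in ("sid", "lang"):
            print(fmt, name, named_cookie_matches(SAMPLE_HEADER, name, SAMPLE_PATTERN, fmt))
    print("HTTP_Cookie", header_matches(SAMPLE_HEADER, SAMPLE_PATTERN))
```

Under format 0 the pattern is found in a cookie called `lang` that format 1 never produces, while under format 1 it sits inside `sid`; only the whole-header check returns the same answer whichever parser the filter uses.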