[mod-security-users] Re: The directory traversal problem
From: cyril <cyr...@la...> - 2005-04-14 11:34:24
Ulf Harnhammar <metaur <at> operamail.com> writes:
>
> I haven't tested this, but the following regexes should be helpful when trying to combat directory traversal:
>
> ^[/\]
> \.\.
>
> The first matches any string that begins with "/" or "\" characters (like in "/etc/passwd"). The second
> matches any string with two dots in a row (which of course disallows legitimate filenames like
> "ulfs.nice.document..doc", but it also catches malicious things like "../../../../../../etc/passwd").
>
> Any other ideas?
>
> As Ivan wrote on webappsec, putting together a repository with regexes and other snippets for
> mod_security would be a good idea.
>
> // Ulf
>

Hello

^[/\]

Doesn't work, because you erase all / of your URL, so your website doesn't work anymore ^^

I have tried ^[\+]

It doesn't work either. I have problems with dir traversal, so I am investigating...

Regards
Cyril
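An added example, not part of the original thread or of mod_security: the two regexes from the quoted message, evaluated first against a whole request URI (which always begins with "/") and then against each percent-decoded query parameter value. The function names, sample paths and parameter names are constructed for illustration, and the backslash in the first regex is doubled because Python's `re` needs it escaped inside a character class.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The two regexes from the quoted message (backslash doubled for Python's re).
LEADING_SLASH = re.compile(r"^[/\\]")
DOT_DOT = re.compile(r"\.\.")


def matches(value):
    """Return the names of the regexes that match a single string."""
    hits = []
    if LEADING_SLASH.search(value):
        hits.append("leading-slash")
    if DOT_DOT.search(value):
        hits.append("dot-dot")
    return hits


def check_uri(uri):
    """Evaluate both regexes against the raw request URI as one string."""
    return matches(uri)


def check_params(uri):
    """Evaluate both regexes against each percent-decoded query value."""
    findings = {}
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        hits = matches(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample requests (hypothetical script and parameter names).
SAMPLES = [
    "/index.php?page=news",                            # ordinary request
    "/download.php?file=ulfs.nice.document..doc",      # legitimate name with ".."
    "/download.php?file=..%2F..%2F..%2Fetc%2Fpasswd",  # encoded traversal
    "/download.php?file=%2Fetc%2Fpasswd",              # encoded absolute path
    "/download.php?file=%5Cshare%5Creport.doc",        # encoded leading backslash
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "| uri:", check_uri(uri), "| params:", check_params(uri))
```

Against the whole URI the first regex matches every sample, including the ordinary request; against decoded parameter values it matches only the two values that start with a slash or backslash, while the second regex still flags the legitimate "..doc" filename.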