[mod-security-users] THE_REQUEST vs. REQUEST_URI vs. REQUEST_FILE
From: Sander H. - O. X. <in...@or...> - 2005-08-05 14:11:32
I'm trying to implement some custom rules for mod_security, but I'm slightly confused about what the best and most efficient way to implement rules is. Looking at existing rules, there seems to be no real definitive way to match requests. Is there any? How do the internals of mod_security work in this regard? Are all KEYWORDS generated in one pass, or are some keywords initiated and filtered before others?

An example for the same rule:

# Exploit phpBB Highlighting Code Execution Attempt (v1)
SecFilterSelective REQUEST_FILENAME "/viewtopic\.php$" chain
SecFilterSelective ARG_highlight "(\'\.|\x2527\x252E)"

# Exploit phpBB Highlighting Code Execution Attempt (v2)
SecFilterSelective REQUEST_URI "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"

# Exploit phpBB Highlighting Code Execution Attempt (v3)
SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"

Kind Regards,
Sander Holthaus - Orange XL