Re: [mod-security-users] modsecurity and spam in OWA
From: Ivan R. <iv...@we...> - 2005-12-16 20:32:46
Tom Anderson wrote:
> Jason Haar wrote:
>
>> Anyway, I had "SecFilterForceByteRange 32 126" and it blocked that URL
>> as there was a char 228 in there
>>
>> Sooo, what should I block instead? Given the fact that the Webapp needs
>> to present almost any char (i.e. assuming a Subject line could contain
>> any char), could I do an exclusion list instead? i.e. accept everything
>> other than NULL, etc? And if so, can someone tell me what "etc" should
>> actually be? ;-)
>
> I've found SecFilterForceByteRange to provide false positives on
> anything less than 0-255. Unless you're running a very simple website,
> you just don't know when a user will enter a valid character outside of
> your arbitrary range. As you said, many applications require the use of
> almost any character. I addressed user complaints over a period of
> months, slowly expanding the range, until I was left at 0-255 before the
> complaints stopped.

That's probably true if you want to have one configuration for all sites
on a shared hosting server. But if you are controlling your own
ModSecurity configuration then you surely know the character set you are
using. And if you need to include all sorts of characters you are much
better off using Unicode with the UTF-8 validation feature.

> As far as blocking certain characters, yes you can, but even NULL may
> give false positives. Whatever that list may be is entirely driven by
> what your site needs to process.

I am not aware of any legitimate use of a NULL byte. Can you provide an
example?

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
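The two checks discussed in this thread, as an added example that is not part of the mailing-list post or of ModSecurity's own code: a byte-range test in the spirit of "SecFilterForceByteRange 32 126" beside a strict UTF-8 validator in the spirit of the UTF-8 validation feature Ivan refers to (ModSecurity 1.x exposes it as SecFilterCheckUnicodeEncoding). The sample subject line is constructed; it shows why the range rule rejects char 228 in both Latin-1 and UTF-8 form, while UTF-8 validation accepts the UTF-8 form and still rejects NUL bytes, overlong encodings and truncated sequences.

```python
def byte_range_ok(data: bytes, lo: int = 32, hi: int = 126) -> bool:
    """Accept only if every byte lies in [lo, hi], as a range directive would."""
    return all(lo <= b <= hi for b in data)


def utf8_valid(data: bytes, allow_nul: bool = False) -> bool:
    """Strict UTF-8 check: correct lead/continuation structure, no overlong
    forms, no UTF-16 surrogates, nothing above U+10FFFF. NUL is rejected by
    default because it has no legitimate use in request data."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                        # single-byte ASCII
            if b == 0 and not allow_nul:
                return False
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:               # 2-byte lead (0xC0/0xC1 are overlong)
            need, lo, hi = 1, 0x80, 0xBF
        elif 0xE0 <= b <= 0xEF:             # 3-byte lead
            need = 2
            lo = 0xA0 if b == 0xE0 else 0x80    # reject overlong 3-byte forms
            hi = 0x9F if b == 0xED else 0xBF    # reject U+D800..U+DFFF surrogates
        elif 0xF0 <= b <= 0xF4:             # 4-byte lead
            need = 3
            lo = 0x90 if b == 0xF0 else 0x80    # reject overlong 4-byte forms
            hi = 0x8F if b == 0xF4 else 0xBF    # reject code points > U+10FFFF
        else:
            return False                    # stray continuation byte or 0xF5..0xFF
        if i + need >= n:                   # sequence truncated at end of input
            return False
        if not lo <= data[i + 1] <= hi:     # first continuation byte has a narrowed range
            return False
        for j in range(i + 2, i + need + 1):
            if not 0x80 <= data[j] <= 0xBF:
                return False
        i += need + 1
    return True


# Constructed sample: a mail subject containing "ä" (U+00E4, Latin-1 char 228).
SUBJECT_UTF8 = "Re: Jahresabschluss für 2005".encode("utf-8")     # "ä" -> C3 A4
SUBJECT_LATIN1 = "Re: Jahresabschluss für 2005".encode("latin-1")  # "ä" -> E4

if __name__ == "__main__":
    for label, subj in (("utf-8", SUBJECT_UTF8), ("latin-1", SUBJECT_LATIN1)):
        print(label, "range 32-126:", byte_range_ok(subj), "utf8:", utf8_valid(subj))
```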