Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang
From: Ivan R. <iv...@we...> - 2006-01-13 12:59:31
Tom Anderson wrote:
>
> ...
>
> I'm not sure if you can use mod_security to do this, but maybe you can try something like:
>
> SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
> SecFilterSelective ARG_SANITIZEME "(<|>)" "exec:html_escape.pl"
>
> But I don't think the exec'd script gets passed the info or inserts anything back into the string. Ideally "html_escape.pl" would be passed the "ARG_SANITIZEME" content on STDIN and then mod_security would replace "ARG_SANITIZEME" with the output of "html_escape.pl". That would be a true external filter, similar to how procmail works. Ivan, correct me if I'm wrong in saying that you can't do using mod_security what I'm suggesting would be the right technique. Actually, ideally you could do this:
>
> SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
> SecFilterSelective ARG_SANITIZEME s/</</
> SecFilterSelective ARG_SANITIZEME s/>/>/
>
> But that too wouldn't work in mod_security I believe.

That's correct. It is not possible to change request data using ModSecurity, at least not at the moment.

> Is this something that could be added in future versions?

I have been thinking about that but there's a lot of work involved and I just don't see the benefit. Personally, I don't believe in sanitisation. It's too easy to do it wrong, and if you do you get to feel secure where, in fact, you still have a hole in your defences. I am open to discussion, though.

> I think it would be extremely useful to be able to modify request content in this way rather than just flagging it.

Perhaps, give me one real-life example where you would use it?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
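As an added illustration (not code from the thread or from ModSecurity itself), the following Python emulates the two chained SecFilterSelective rules Tom proposes as a flag-and-deny check over a constructed request line, and sets a hypothetical html_escape.pl that only touches `<` and `>` beside full HTML escaping, which is the "easy to do it wrong" point Ivan makes about sanitisation. The request line and argument name are constructed sample values.

```python
import re
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample request line in the form THE_REQUEST exposes (not from the thread).
SAMPLE_REQUEST = (
    "GET /cgi-bin/vulnerable-script-name?sanitizeme=%3Cb%3Ehi%3C/b%3E&other=ok HTTP/1.0"
)

# Patterns from the two chained rules in Tom's message.
SCRIPT_RE = re.compile(r"vulnerable-script-name")
ANGLE_RE = re.compile(r"(<|>)")


def parse_args(request_line):
    """Split THE_REQUEST into URL-decoded query arguments (the ARG_* variables)."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def chain_matches(request_line, arg_name="sanitizeme"):
    """Emulate the chain: rule 1 requires the script name in THE_REQUEST,
    rule 2 requires '<' or '>' in the named argument. True means the chain
    fires and the request is flagged (denied); the data is never rewritten."""
    if not SCRIPT_RE.search(request_line):
        return False
    args = parse_args(request_line)
    return bool(ANGLE_RE.search(args.get(arg_name, "")))


def escape_angle_only(value):
    """What a hypothetical html_escape.pl handling only '<' and '>' would emit."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def escape_properly(value):
    """Full HTML escaping: '&' and both quote characters are handled as well."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("chain fires:", chain_matches(SAMPLE_REQUEST))
    sample = 'a"b&c<d>'
    print("angle-only:", escape_angle_only(sample))
    print("proper    :", escape_properly(sample))
```

Running it shows the chain firing on the sample request while the two escapers disagree on the same input, which is exactly the gap a partial sanitiser leaves open.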