Re: [mod-security-users] mod_security causing Apache 1.3.33 to ha ng

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Ivan Ristic wrote:
>>I think it would be extremely useful to be able to modify request
>>content in this way rather than just flagging it.
> 
> 
>   Perhaps, give me one real-life example where you would use it?
> 

The present example of trying to prevent HTML injection in posts where 
user input is going to be displayed on a webpage, possibly by software 
that doesn't do proper sanitizing of its own.  Doing little-constrained 
wildcard matching like "<.+?>" is a recipe for potentially huge 
performance hits, plus it wholesale rejects user input that should 
otherwise be acceptable in an escaped format.  This would be true for 
SQL injection filters as well, and anywhere else that strings are 
blocked simply for containing dubious characters when they would be 
known OK if those characters could be escaped.  Sanitizing functionality 
is like a bouncer at a club who checks IDs and stamps people's hands if 
they're over 21 so that they can order alcohol, and not reject from the 
club entirely those under 21.  Likewise, you might not want to prevent 
people from having discussions _about_ HTML or SQL or other topics which 
might just contain strings that would trigger a filter block.  Allow 
them to post their comments, but remove the attack potential by escaping 
those characters which would allow the strings to do damage under the 
wrong circumstances.

Formats such as these might be ideal:
SecFilterSelective ARG_BLOGPOST s/>/&gt;/
SecFilterExternal ARG_BLOGPOST "html_escape.pl"
SecFilterEscapeHTML ARG_BLOGPOST
SecFilterEscapeSQL ARG_SEARCHSTRING

Doing something like the last two should not be all that difficult, as 
simple generic escape functions can be written and simply applied to the 
argument listed.  Just implementing SecFilterEscapeHTML ARG_BLOGPOST to 
replace SecFilterSelective ARG_BLOGPOST "<.+>" would both prevent lots 
of false positives (valid HTML discussions, etc) and measurably improve 
performance on moderately busy discussion forum or blog sites.  This is 
real security, not just a perception... replacing key symbols with their 
HTML escape codes can annihilate HTML injection, XSS, and scripting 
attacks with little overhead.

Tom