Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang
From: Achim H. <ki...@se...> - 2006-01-13 21:23:35
On Fri, 13 Jan 2006, Ivan Ristic wrote:
!! Tom Anderson wrote:
!! >
!! > ...
!! >
!! > Is this something
!! > that could be added in future versions?
!!
!! I have been thinking about that but there's a lot of work involved
!! and I just don't see the benefit. Personally, I don't believe
!! in sanitisation. It's too easy to do it wrong, and if you do you
!! get to feel secure where, in fact, you still have a hole in your
!! defences.
!!
!! I am open to discussion, though.
I totally agree with Ivan: don't try to sanitize data at such a central place.
!! > I think it would be extremely useful to be able to modify request
!! > content in this way rather than just flagging it.
!!
!! Perhaps, give me one real-life example where you would use it?
!!
OK, here we go, why you should not use something like s/</&lt;/
assume you have a URL with the following QUERY_STRING:
cmd=ls
where someone uses (for fun or whatever:)
cmd=ls<i>/sbin/shutdown
which might be "sanitized" to:
cmd=ls&lt;i>/sbin/shutdown
Hopefully the web server's application performing this request is not
running as user root, do you know ... ?
{-: Achim
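As an added illustration of Achim's example (example code, not from the thread or from mod_security): the hypothetical s/</&lt;/ sanitizer is applied to the constructed query value and the result is tokenized the way a POSIX shell would split it, showing that the "sanitized" string still carries a redirection and has gained two new command separators; the allow-list in build_argv is the assumed defensive alternative.

```python
import shlex
from typing import List

# Constructed sample: the cmd= value from Achim's mail.
HOSTILE_CMD = "ls<i>/sbin/shutdown"

# Shell control operators that shlex treats as punctuation.
SHELL_OPERATOR_CHARS = set(";&|<>()")


def naive_sanitize(value: str) -> str:
    """The s/</&lt;/ 'sanitizer' under discussion (hypothetical)."""
    return value.replace("<", "&lt;")


def shell_tokens(value: str) -> List[str]:
    """Split roughly as a POSIX shell would, keeping each operator run
    (; & | < > ( )) as its own token so the effect of sanitizing is visible."""
    lex = shlex.shlex(value, posix=True, punctuation_chars=True)
    return list(lex)


def shell_operators(value: str) -> List[str]:
    """Only the operator tokens: what the shell would act on."""
    return [t for t in shell_tokens(value) if set(t) <= SHELL_OPERATOR_CHARS]


# Hypothetical allow-list of commands the application may run.
ALLOWED_COMMANDS = {"ls", "uptime"}


def build_argv(cmd: str) -> List[str]:
    """Defensive alternative: validate the value against an allow-list and
    return an argv list for subprocess.run(argv) with shell=False, so no
    string ever reaches a shell. Rejects anything not on the list."""
    if cmd not in ALLOWED_COMMANDS:
        raise ValueError(f"rejected command: {cmd!r}")
    return [cmd]


if __name__ == "__main__":
    sanitized = naive_sanitize(HOSTILE_CMD)
    print("raw      :", HOSTILE_CMD, "->", shell_tokens(HOSTILE_CMD))
    print("sanitized:", sanitized, "->", shell_tokens(sanitized))
    # The '<' is gone, but '&' and ';' appeared and '>' still redirects
    # into /sbin/shutdown, so the value is no safer than before.
    print("operators after sanitizing:", shell_operators(sanitized))
```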