Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang
From: Tom A. <tan...@oa...> - 2006-01-13 21:35:07
Achim Hoffmann wrote:

> I totally agree with Ivan: don't try to sanitize data at such a central place

I would tend to agree that sanitizing input should be done in the application itself. However, the main advantage of mod_security is that it is a central place to define security rules, and it runs before anything gets to the application layer, which may be written by third parties and contain holes. In programs that I write, I do proper sanitizing before using any data, but if I'm using a standard package, I try to intercept problems before they get there. There's no reason that mod_security shouldn't have this functionality, especially since it's needed and useful in some circumstances, but users should understand that it's not necessarily the best place to do it.

> OK, here we go, why you should not use something like s/</</
>
> assume you have an URL with following QUERY_STRING:
> cmd=ls
> where someone uses (for fun or whatever:)
> cmd=ls<i>/sbin/shutdown
> which might be "sanitized" to:
> cmd=ls<i>/sbin/shutdown

Well, I wouldn't run that on the QUERY_STRING, I'd run it on a particular argument which is going to be posted as HTML to a webpage and not used in other contexts. Also, if you're allowing users to enter commands directly on the QUERY_STRING, you've got bigger problems!

Tom
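As an added illustration of the per-argument approach Tom describes, contrasted with the blanket rewrite Achim warns against (this is example code, not from the thread, mod_security or either author; the parameter names `comment` and `cmd` and the allowlist pattern are assumptions):

```python
import html
import re
from urllib.parse import parse_qs

# Parameters whose values are rendered verbatim into HTML: escaping them
# is the one context where a rule like s/</&lt;/ actually makes sense.
HTML_BOUND = {"comment"}  # assumed parameter name

# Parameters consumed in a non-HTML context: never rewrite them, because the
# rewritten value is still passed on to the application. Validate against an
# allowlist and refuse the request instead.
ALLOWLIST = {"cmd": re.compile(r"^[a-z]{1,16}$")}  # assumed parameter/pattern


def naive_global_rewrite(query_string: str) -> str:
    """The approach the thread argues against: a blanket s/</&lt;/ over the
    whole QUERY_STRING, silently altering values for every consumer."""
    return query_string.replace("<", "&lt;")


def contextual_filter(query_string: str):
    """Per-argument handling: HTML-escape only HTML-bound fields, validate
    the rest, and reject anything unknown or out of policy.

    Returns (accepted, params, reasons)."""
    params = parse_qs(query_string, keep_blank_values=True)
    out = {}
    reasons = []
    for name, values in params.items():
        value = values[0]
        if name in HTML_BOUND:
            out[name] = html.escape(value, quote=True)
        elif name in ALLOWLIST:
            if ALLOWLIST[name].match(value):
                out[name] = value
            else:
                reasons.append(f"{name}: value fails allowlist")
        else:
            reasons.append(f"{name}: unknown parameter")
    return (not reasons, out, reasons)


if __name__ == "__main__":
    # Constructed sample input: one HTML-bound field and one non-HTML field.
    print(naive_global_rewrite("comment=a<b&cmd=ls<b>more"))
    print(contextual_filter("comment=a<b&cmd=ls"))
    print(contextual_filter("cmd=ls<b>more"))
```

The rewrite leaves the non-HTML `cmd` value changed but still delivered; the contextual filter escapes only `comment` and blocks the request on `cmd`.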