Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang
From: Achim H. <ki...@se...> - 2006-01-14 20:26:44
On Fri, 13 Jan 2006, Tom Anderson wrote:
!! mod_security shouldn't have this functionality, especially since it's
!! needed and useful in some circumstances, but users should understand
!! that it's not necessarily the best place to do it.
That's the point.
IMHO you give users and programmers a wrong feeling of security if they
read somewhere that, for example, "mod_security can do input sanitization".
But that's another discussion, let Ivan decide how to go from here ..
!! > OK, here we go, why you should not use something like s/</</
!! >
!! > assume you have a URL with the following QUERY_STRING:
!! > cmd=ls
!! > where someone uses (for fun or whatever:)
!! > cmd=ls<i>/sbin/shutdown
!! > which might be "sanitized" to:
!! > cmd=ls<i>/sbin/shutdown
!!
!! Well, I wouldn't run that on the QUERY_STRING, I'd run it on a
!! particular argument which is going to be posted as HTML to a webpage and
!! not used in other contexts. Also, if you're allowing users to enter
!! commands directly on the QUERY_STRING, you've got bigger problems!
This example is not restricted to GET, it could be POST too, and it could
be expanded to be a combination of more than one parameter, and, and, and ...
My intention was just to show in a short example what's wrong with such
sanitizations. Could have used a SQL injection example too. It's an example,
nothing more, nothing less.
{-: Achim
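The point Achim makes, as an added example that is not part of the thread: an HTML-context escape (the s/</&lt;/ idea) does nothing for a value that reaches a shell, and can even introduce shell metacharacters (`&`, `;`) that were not there before. The allowlist, the `SHELL_META` set and the `cmd` values are constructed for this illustration.

```python
import html
import subprocess

# Characters the shell treats specially on a command line.
# Constructed for this example; deliberately not exhaustive.
SHELL_META = set(";&|<>`$(){}'\"\\\n")

def html_escape_only(value: str) -> str:
    """The thread's s/</&lt;/ style of 'sanitization': HTML context only."""
    return html.escape(value, quote=False)

def shell_metachars(value: str) -> list:
    """Shell metacharacters present in value, sorted, for inspection."""
    return sorted(set(value) & SHELL_META)

# Commands the hypothetical endpoint is allowed to run: an exact-match
# allowlist is the context-appropriate check for a value used as a command.
ALLOWED_COMMANDS = {"ls", "uptime", "df"}

def validate_cmd(value: str):
    """Return the command if it is allowlisted, otherwise None."""
    return value if value in ALLOWED_COMMANDS else None

def run_cmd(value: str) -> str:
    """Run only an allowlisted command, as an argv list, never via a shell."""
    cmd = validate_cmd(value)
    if cmd is None:
        raise ValueError("rejected cmd parameter: %r" % value)
    return subprocess.run([cmd], capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Constructed parameter value from the thread's example.
    raw = "ls<i>/sbin/shutdown"
    escaped = html_escape_only(raw)
    print("raw      :", raw, shell_metachars(raw))          # ['<', '>']
    print("escaped  :", escaped, shell_metachars(escaped))  # ['&', ';']
    print("validated:", validate_cmd(raw))                  # None
    print("validated:", validate_cmd("ls"))                 # ls
```

The HTML escape swaps `<`/`>` for `&`/`;`, so the string is still unsafe for a shell; only the allowlist rejects it.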