CASTELLE Thomas wrote:
> Is it possible to improve these rules:
>
> SecFilterSelective ARGS "select.+from"
> SecFilterSelective ARGS "union.+select"
> SecFilterSelective ARGS "update.+set.+="
>
> Because we have quite a few false positives on our websites. For instance:
>
> http://www.foo.net/blablabla/toto.jsp?test=blabla%20SELECTION%20blabla&test2=29300230&test3=+&test4=+&test5=+&test4=%2Fblablabla%26fromblablabla
These rules are way too inclusive and generic. They will tend to match
nearly any sufficiently long text. You need to make them much more
specific. Since it's nearly impossible to consider every possible
combination of strings which could possibly be executed as SQL,
including extra spacing and ignored characters, you need to limit such
filters only to programs and variables which deal directly with database
queries. Any other use is superfluous anyway. For instance, if you
wanted to protect a program called "search.cgi", where a form field
called "string" is used to construct an SQL query, and there is no
sanitization written into "search.cgi", and you cannot add it, you might
use this filter:
SecFilterSelective THE_REQUEST "search.cgi" chain
SecFilterSelective ARG_string "update.+?set.+?="
Of course, this might cause a problem if your site is a search engine,
encyclopedia, or discussion forum which might include topics about SQL
or even interior decorating (e.g. "I want to update my dining room set to
something more formal"). That's why it's better to sanitize input such
as this (escape special characters, etc.) rather than filter it.
Tom
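The following is an added example, not code from either message above or from mod_security itself. It re-creates the three generic ARGS rules as Python regexes (assuming, as mod_security 1.x did, case-insensitive matching against the whole decoded argument string), runs them over the query string from the original question and over a constructed forum post, then contrasts Tom's scoped ARG_string rule and, finally, the sanitization he recommends: a parameterized query against an in-memory SQLite database. The table names, the "search.cgi"-style search functions and all sample inputs are constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus

# The three generic rules from the thread, compiled as Python regexes.
# Assumption: mod_security 1.x matched case-insensitively and ARGS was the
# whole decoded argument string (query string plus body) as one value.
GENERIC_RULES = {
    "select.+from": re.compile(r"select.+from", re.I),
    "union.+select": re.compile(r"union.+select", re.I),
    "update.+set.+=": re.compile(r"update.+set.+=", re.I),
}

# Tom's narrower rule, meant to be applied to one argument only (ARG_string).
NARROW_RULE = re.compile(r"update.+?set.+?=", re.I)

# Constructed sample query strings (not real traffic).
FALSE_POSITIVE_FROM_THREAD = (
    "test=blabla%20SELECTION%20blabla&test2=29300230&test3=+&test4=+"
    "&test5=+&test4=%2Fblablabla%26fromblablabla"
)
FORUM_POST = "string=I+want+to+update+my+dining+room+set+to+something+more+formal&page=2"
ATTACK = "string=x%25%27+UNION+SELECT+secret+FROM+secrets+--"


def generic_hits(query_string):
    """Names of the generic ARGS rules that fire on a raw query string."""
    args = unquote_plus(query_string)  # '+' and %XX decoded, as the filter engine would
    return [name for name, rx in GENERIC_RULES.items() if rx.search(args)]


def arg_value(query_string, arg="string"):
    """First decoded value of one named argument, or '' if it is absent."""
    return parse_qs(query_string).get(arg, [""])[0]


def narrow_hit(query_string, arg="string"):
    """True if the scoped rule fires on the single named argument (ARG_string)."""
    return NARROW_RULE.search(arg_value(query_string, arg)) is not None


def build_db():
    """Constructed schema standing in for the database behind search.cgi."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (title TEXT);
        CREATE TABLE secrets (secret TEXT);
        INSERT INTO posts VALUES ('dining room sets'), ('xylophone care');
        INSERT INTO secrets VALUES ('admin-password');
        """
    )
    return conn


def search_concatenated(conn, term):
    """The unsanitized search.cgi pattern: user input spliced into the SQL text."""
    sql = "SELECT title FROM posts WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """What Tom recommends instead of filtering: the input is bound as data."""
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    for label, qs in [("thread URL", FALSE_POSITIVE_FROM_THREAD),
                      ("forum post", FORUM_POST), ("attack", ATTACK)]:
        print(f"{label:10} generic ARGS rules: {generic_hits(qs)}  "
              f"scoped ARG_string rule: {narrow_hit(qs)}")
    conn = build_db()
    payload = arg_value(ATTACK)
    print("concatenated:", search_concatenated(conn, payload))
    print("parameterized:", search_parameterized(conn, payload))
```

Running it shows why the original poster sees noise: "SELECTION" followed anywhere later by "from" satisfies `select.+from`, and a harmless sentence about updating a dining room set satisfies `update.+set.+=` as soon as any later argument contributes an `=`. Scoping the rule to ARG_string removes that second false positive, but the parameterized query is the only variant that neutralizes the UNION payload without needing to guess at every spelling an attacker might use.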