Re: [mod-security-users] defeating slash control system
From: Ivan R. <iva...@gm...> - 2006-05-02 09:26:26
On 5/2/06, Uve Lokk <Uve...@ri...> wrote:
> Hi all,
>
> Am I correct that using mod_security one can't reject 'POST //script.php?= blaah' and pass 'POST /script.php?blaah' at the same time?

Not right now, with 1.9.x, because this version performs implicit normalisation that results in two slashes being combined into one. But 2.x, which is around the corner (next week), can be configured not to transform the input data and makes it possible to detect the case you are asking about.

Why do you need this BTW?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
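
The behaviour described in the reply above, as an added example that is not part of the original message and not ModSecurity's own code: a small Python model in which a hypothetical rule `^//` is evaluated once after slash compression and once against the untransformed path. The function names, the rule pattern and the sample request lines are assumptions constructed for illustration.

```python
import re


def compress_slashes(path: str) -> str:
    """Collapse every run of '/' into a single '/' (the normalisation step)."""
    return re.sub(r"/{2,}", "/", path)


def rule_matches(request_line: str, pattern: str, transforms=()) -> bool:
    """Return True when `pattern` matches the request path.

    `transforms` are applied to the path before matching. An empty tuple
    models a rule that inspects the input exactly as it was received.
    """
    _method, target, *_ = request_line.split(" ")
    path = target.split("?", 1)[0]          # match on the path, not the query
    for transform in transforms:
        path = transform(path)
    return re.search(pattern, path) is not None


# Constructed sample requests modelled on the question in the thread.
DOUBLE_SLASH = "POST //script.php?blaah"
SINGLE_SLASH = "POST /script.php?blaah"

# Hypothetical rule: reject any path that begins with two slashes.
RULE = r"^//"


def verdicts(transforms=()) -> dict:
    """Evaluate RULE against both sample requests and report the decision."""
    return {
        line: "reject" if rule_matches(line, RULE, transforms) else "pass"
        for line in (DOUBLE_SLASH, SINGLE_SLASH)
    }


if __name__ == "__main__":
    # Normalising first: both requests look identical to the rule.
    print("with slash compression:", verdicts((compress_slashes,)))
    # No transformation: the rule can tell the two requests apart.
    print("without transformation:", verdicts(()))
```
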