[mod-security-users] Modsecurity and Apache Expect header vulnerability
From: Birol E. <bi...@ig...> - 2006-09-22 22:38:51
Hi,

Has anybody tried stopping the Apache Expect Header XSS vulnerability with mod_security?

I tried these two filters, but they did not work:

SecFilterSelective HEADERS_NAMES "!^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|Accept-Charset|Keep-Alive|Connection|Referer|TE)$"

Or

SecFilterSelective HEADERS_NAMES "(Expect)"

I tried the first of the filters with the Referer header and they worked fine; but somehow mod_security did not stop connections coming in with the Expect header, and Apache was still vulnerable to the Expect Header XSS vulnerability.

Any comments?

Thanks,

- Birol
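Added example (editor's note, not part of the post): the two HEADERS_NAMES rules above re-evaluated in plain Python against constructed header sets, to separate "the regex does not match" from "mod_security never sees the request". Both rules do flag a request carrying Expect, so the filter logic is not the problem; the reason the poster's tests still show the server vulnerable is that Apache answers a non-"100-continue" Expect header with 417 inside its request-reading code, before the module hooks in which mod_security 1.x runs. The negation-prefix and case-insensitive matching semantics below are assumptions about mod_security 1.x, not taken from the post.

```python
import re

# The two SecFilterSelective HEADERS_NAMES rules from the post, verbatim.
# Assumed 1.x semantics: the pattern is tried against each request header
# name; a leading '!' negates the match; matching is case-insensitive.
ALLOWLIST_RULE = (r"!^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|"
                  r"Accept-Charset|Keep-Alive|Connection|Referer|TE)$")
DENYLIST_RULE = r"(Expect)"


def rule_hits(rule, header_names):
    """Return the header names that would trigger `rule`."""
    negate = rule.startswith("!")
    pattern = re.compile(rule[1:] if negate else rule, re.IGNORECASE)
    hits = []
    for name in header_names:
        matched = pattern.search(name) is not None
        # A negated rule fires on names the pattern does NOT match.
        if matched != negate:
            hits.append(name)
    return hits


# Constructed header sets mirroring the poster's two tests, plus one
# request with an unlisted header to show the allowlist rule at work.
REFERER_REQUEST = ["Host", "User-Agent", "Accept", "Referer"]
EXPECT_REQUEST = ["Host", "User-Agent", "Accept", "Expect"]
UNLISTED_REQUEST = ["Host", "X-Forwarded-For"]


def main():
    for label, hdrs in [("Referer", REFERER_REQUEST),
                        ("Expect", EXPECT_REQUEST),
                        ("Unlisted", UNLISTED_REQUEST)]:
        print(f"{label:8} allowlist->{rule_hits(ALLOWLIST_RULE, hdrs)} "
              f"denylist->{rule_hits(DENYLIST_RULE, hdrs)}")


if __name__ == "__main__":
    main()
```

Since both rules report Expect as a hit, a rule that never fires in practice points at request-processing order, not at the pattern.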