Re: [mod-security-users] Modsecurity and Apache Expect header vulnerability

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 9/22/2006 3:38 PM, Birol Ertekin wrote:
>=20
> Has anybody tried stopping Apache Expect Header XSS vulnerability with=20
> mod_security?
>=20
> I tried these two filters, but they did not work:
>=20
> SecFilterSelective HEADERS_NAMES=20
> "!^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|Accept-Chars=
et|Keep-Alive|Connection|Referer|TE)$"
>=20
> Or
>=20
> SecFilterSelective HEADERS_NAMES "(Expect)=94

What about just restricting the value of the "Expect" header to "100-[Cc]=
ontinue",
which is the only valid example of the use of that header that I've been =
able
to find.

Something like this:

SecFilterSelective HTTP_Expect "!^(100-[Cc]ontinue)$" "deny,log, status:4=
03"

I have that installed, but I haven't seen any samples - yet! ;)

Jim
--=20
Jim Watt                           EMAIL: jim @ Watt.COM
1044 Belvedere Lane                Voice: +1 408 446 9677
San Jose, CA 95129-2901            Fax:   +1 408 446 4907