Re: [mod-security-users] Modsecurity and Apache Expect header vulnerability
From: Jim W. <ji...@wa...> - 2006-09-24 00:31:42
On 9/22/2006 3:38 PM, Birol Ertekin wrote:
>
> Has anybody tried stopping Apache Expect Header XSS vulnerability with
> mod_security?
>
> I tried these two filters, but they did not work:
>
> SecFilterSelective HEADERS_NAMES "!^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|Accept-Charset|Keep-Alive|Connection|Referer|TE)$"
>
> Or
>
> SecFilterSelective HEADERS_NAMES "(Expect)"

What about just restricting the value of the "Expect" header to "100-[Cc]ontinue", which is the only valid example of the use of that header that I've been able to find. Something like this:

SecFilterSelective HTTP_Expect "!^(100-[Cc]ontinue)$" "deny,log,status:403"

I have that installed, but I haven't seen any samples - yet! ;)

Jim

--
Jim Watt                    EMAIL: jim @ Watt.COM
1044 Belvedere Lane         Voice: +1 408 446 9677
San Jose, CA 95129-2901     Fax:   +1 408 446 4907
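To see what Jim's rule would and would not block, here is an added, stand-alone model of it in Python (this is not code from the thread or from ModSecurity itself). It applies the same `^(100-[Cc]ontinue)$` whitelist to the Expect header of a raw request and reports whether the request would be denied. The sample requests are constructed for illustration; the header parser and the choice to let requests without any Expect header through are assumptions made for the example, not documented ModSecurity behaviour.

```python
import re

# Whitelist from the rule in the post: only "100-continue" / "100-Continue" pass.
EXPECT_OK = re.compile(r"^(100-[Cc]ontinue)$")


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Split a raw HTTP request (request line + header block) into (name, value) pairs.

    Hypothetical minimal parser for the example: it stops at the blank line that
    ends the header block and skips lines without a colon.
    """
    lines = raw_request.split("\r\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the request line
        if line == "":
            break                   # end of header block
        if ":" not in line:
            continue                # malformed header line, ignored here
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def expect_rule_denies(raw_request: str) -> bool:
    """Return True if the modelled rule would deny the request (status 403).

    Header names are matched case-insensitively (HTTP header names are), but the
    value must match the rule's regex exactly, as "!^(100-[Cc]ontinue)$" demands.
    A request with no Expect header at all is allowed; that is an assumption of
    this model, not a statement about how HTTP_Expect behaves in mod_security 1.x.
    """
    for name, value in parse_headers(raw_request):
        if name.lower() == "expect" and not EXPECT_OK.match(value):
            return True
    return False


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign_upload":  "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                      "Expect: 100-continue\r\nContent-Length: 0\r\n\r\n",
    "capital_c":      "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                      "Expect: 100-Continue\r\n\r\n",
    "no_expect":      "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "script_payload": "GET / HTTP/1.1\r\nHost: example.test\r\n"
                      "Expect: <script>alert(1)</script>\r\n\r\n",
    "upper_token":    "GET / HTTP/1.1\r\nHost: example.test\r\n"
                      "eXpEcT: 100-CONTINUE\r\n\r\n",
}


def classify_all(samples: dict[str, str] = SAMPLE_REQUESTS) -> dict[str, bool]:
    """Map each sample name to whether the modelled rule denies it."""
    return {name: expect_rule_denies(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, denied in classify_all().items():
        print(f"{name:15s} -> {'DENY 403' if denied else 'allow'}")
```

One caveat the model makes visible: the regex accepts only `100-continue` and `100-Continue`, so a client sending `100-CONTINUE` (which RFC 2616 treats as the same expectation, since comparison of the `100-continue` token is case-insensitive) would be refused with a 403. If that matters in your environment, a case-insensitive match on the value, with the same anchoring, keeps the whitelist intent without rejecting legitimate clients.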