Re: [mod-security-users] files with cd in filename
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] files with cd in filename
|
From: Rich M. <r.m...@ct...> - 2007-02-07 16:12:50
|
Thanks for reply. Can I just upload rules without changing anything? I tried it and apache would not start. Must be a bad path in there. Rich From: Ofer Shezaf [mailto:OferS@Breach.com] Sent: Wednesday, February 07 3:32 AM To: Rich McCabe; mod...@li... Subject: RE: [mod-security-users] files with cd in filename ModSecurity itself does not block anything, it is the rules that you use that provide the security know how. Assuming that you use the Core Rule Set that comes with ModSecurity, there is a bug in older versions of the Core Rule Set that blocks the word cd (which indicates a command injection) in certain situations it should not be. Upgrading to the latest version should fix this. ~ Ofer _____ From: mod...@li... [mailto:mod...@li...] On Behalf Of Rich McCabe Sent: Tuesday, February 06, 2007 6:50 PM To: mod...@li... Subject: [mod-security-users] files with cd in filename We have customers with images called cd.gif and cd.jpg. Mod Security is not allowing these to be displayed. Is there a rule somewhere prohibiting this? I assume it has something to do with prohibiting change directory?? Thanks, Rich |