Re: [mod-security-users] ModSecurity ASCIIZ Evasion Issue
Brought to you by:
victorhora,
zimmerletw
From: Steve W. <ste...@gm...> - 2007-03-07 13:49:44
|
Hi Ivan, I've been following the Month of PHP Bugs and was sad to see they listed mod_security as one app that is also vulnerable. Thank you for releasing a temporary rule fix. My question is the following: > A ModSecurity update will be released to deal with this issue. 1. Will mod_sec 1.9x be also patched? Many of us who use mod_sec are running apache 1.3.x still so if it is possible, please do consider providing an update for the 1.9.x. > SecRule REQUEST_BODY "@validateByteRange 1-255" \ > "log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt'" 2. The rule you provided, will it work as is for mod_sec 1.9.x? Thanks again, SW |