[mod-security-users] (no subject)
From: Avi A. <av...@br...> - 2007-05-06 12:48:44
Dear ModSecurity users,

A new version of the core rules, 1.4, is now available at http://www.modsecurity.org/download/index.html.

The rules have been tested with version 2.1.1, and might not work with an older version. Please note that this ruleset is newer than the rules bundled with version 2.1.1 of ModSecurity.

Here's a list of the changes made in this version:

----------
New Events
----------

- 970021 - WebLogic information disclosure
    Matching of "<title>JSP compile error</title>" in the response body will trigger this rule, with severity 4 (Warning)

- 950015,950910,950911 - HTTP Response Splitting
    HTTP Response Splitting is described in Amit Klein's excellent article:
    http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:

- 960013 - Content-Encoding in request not supported
    Any incoming compressed request will be denied

- 960051 - Content-Encoding in response not supported
    An outgoing compressed response will be logged to alert, but ONLY ONCE.

---------------------
False Positives Fixes
---------------------

The following FPs have been reported. They have been examined and found to be commonly used on the web.

- Removed <.exe>,<.shtml> from restricted extensions
- Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
- Excluded Referer header from SQL injection, XSS and command injection rules
- Excluded X-OS-Prefs header from command injection rule
- Will be looking for command injection signatures in REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type
    i.e.: The following Content-Type will be allowed: application/x-www-form-urlencoded; charset=ISO-8859-1
          (or any other valid charset)

----------------------
Additional rules logic
----------------------

- Corrected match of OPTIONS method in event 960015
    No transformation, and looking exactly for ^OPTIONS$, to dismiss it from having an Accept header.
- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
    REQUEST_URI_RAW also contains the domain name, if provided by the client.
    In a normal case, a client will not provide the domain name in the URI.
    The appearance of "http:/" in the URI may imply an attempt at proxy access.
- Moved all rules apart from method inspection from phase 1 to phase 2
    This will enable viewing content if such a rule triggers, as well as setting exceptions using Apache scope tags.
- Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
- Added 1=1 signature (SQL Injection)

Avi Aminov,
ModSecurity Core Rule Set Team
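The rule changes in the announcement above, modelled as a small Python checker. This is an added example written for this page; it is not the CRS 1.4 rule text, ModSecurity code, or anything from the Core Rule Set team. The event ids (960013, 960014, 960015) and the signatures (<or x=x> with either quote, 1=1, "http:/" in REQUEST_URI_RAW, charset allowed in the form Content-Type, Referer excluded, cookies inspected as name/value pairs) follow the announcement; the regexes, the accepted charset syntax, the "content-type not allowed" label, the 960015 message wording and the sample requests are assumptions made for illustration.

```python
# Added example: a toy model of some CRS 1.4 checks, NOT the CRS rule text.
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    method: str
    raw_uri: str                        # REQUEST_URI_RAW: the request target as sent
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# application/x-www-form-urlencoded with an optional charset parameter
# (the accepted charset syntax, [\w.:-]+, is an assumption).
FORM_CT = re.compile(r"^application/x-www-form-urlencoded(?:\s*;\s*charset=[\w.:-]+)?$", re.I)

# "or x=x" with single OR double quotes (new in 1.4), and the new bare "1=1".
SQLI_SIGS = {
    "or x=x": re.compile(r"""\bor\b\s*(['"])\w+\1\s*=\s*\1\w+""", re.I),
    "1=1": re.compile(r"(?<![\w.])1\s*=\s*1(?![\w.])"),
}
EXCLUDED_HEADERS = {"referer"}          # no longer inspected for injection signatures


def parse_cookies(header: str) -> Dict[str, str]:
    """REQUEST_COOKIES_NAMES / REQUEST_COOKIES: split the Cookie header into pairs."""
    pairs: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


def is_options_exact(method: str) -> bool:
    """960015 fix: ^OPTIONS$ with no transformation, so 'options' is not exempted."""
    return re.fullmatch(r"OPTIONS", method) is not None


def is_proxy_attempt(raw_uri: str) -> bool:
    """960014: 'http:/' in the raw URI means the client sent an absolute URI."""
    return "http:/" in raw_uri.lower()


def sqli_hits(text: str) -> List[str]:
    """Names of the SQL injection signatures present in one inspected value."""
    return sorted(name for name, rx in SQLI_SIGS.items() if rx.search(text))


def evaluate(req: Request) -> List[str]:
    """Return the events that fire for one request."""
    events: List[str] = []
    hdrs = {k.lower(): v for k, v in req.headers.items()}

    if hdrs.get("content-encoding"):    # 960013: compressed bodies cannot be inspected
        events.append("960013 Content-Encoding in request not supported")
    if "accept" not in hdrs and not is_options_exact(req.method):   # 960015
        events.append("960015 Request missing an Accept header")
    if req.method == "POST" and not FORM_CT.match(hdrs.get("content-type", "")):
        events.append("content-type not allowed")   # hypothetical label, not a CRS id
    if is_proxy_attempt(req.raw_uri):
        events.append("960014 Proxy access attempt")

    # Locations inspected for SQLi: decoded args and body, cookie names and values,
    # and every header except Cookie (covered by the pairs) and the excluded set.
    targets = [v for _, v in parse_qsl(urlsplit(req.raw_uri).query, keep_blank_values=True)]
    targets += [v for _, v in parse_qsl(req.body, keep_blank_values=True)]
    cookies = parse_cookies(hdrs.get("cookie", ""))
    targets += list(cookies) + list(cookies.values())
    targets += [v for k, v in hdrs.items() if k not in EXCLUDED_HEADERS | {"cookie"}]
    for sig in sorted({s for t in targets for s in sqli_hits(t)}):
        events.append(f"SQL Injection signature: {sig}")
    return events


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "form post, charset in Content-Type, 1=1 only in Referer": Request(
        "POST", "/login",
        {"Accept": "*/*", "Referer": "http://www.example.com/?q=1=1",
         "Content-Type": "application/x-www-form-urlencoded; charset=ISO-8859-1"},
        "user=bob&pass=secret"),
    "gzip-compressed request": Request(
        "POST", "/upload",
        {"Accept": "*/*", "Content-Encoding": "gzip",
         "Content-Type": "application/x-www-form-urlencoded"}),
    "absolute URI (proxy attempt)": Request("GET", "http://www.example.net/", {"Accept": "*/*"}),
    "double-quoted or x=x in a cookie": Request(
        "GET", "/", {"Accept": "*/*", "Cookie": 'session=abc; track=" or "x"="x'}),
    "1=1 in the query string": Request("GET", "/item?id=1%20or%201=1", {"Accept": "*/*"}),
    "OPTIONS without Accept": Request("OPTIONS", "*"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label}: {evaluate(req) or 'no events'}")
```

Two details mirror the reasoning in the announcement. Query and body values go through parse_qsl, so a URL-encoded "%27 or %27x%27=%27x" is matched after decoding, while header values are matched raw; and the proxy check runs on the request target exactly as sent, because a client that writes "GET http://host/..." rather than "GET /..." is asking the server to act as a forward proxy. The Referer sample shows why the exclusion was added: its "1=1" would otherwise fire on ordinary traffic.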