Re: [mod-security-users] Mod Security 1.x on Apache1 (cpanel)
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-08-21 13:46:44
Comments inline below.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Aaron - Lists
Sent: Tuesday, August 21, 2007 5:08 AM
To: mod...@li...
Subject: [mod-security-users] Mod Security 1.x on Apache1 (cpanel)

Hello,

We currently run mod_security 1.x on apache1, however I can't seem to find any documentation on it. Is there any place I can find documentation?

[Ryan Barnett] There are a few different places you can look -

1. Here is a link to the 1.9 manual - http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html
2. There is also a good article on SecurityFocus - http://www.securityfocus.com/infocus/1739

We need to reach PCI compliance on one of our websites, however scanalert is showing a website cross-scripting attack. The software in question does not have any security vulnerabilities, and hence does not have any upgrades available.

[Ryan Barnett] Just to clarify your statement above, just because the commercial application you are using does not have any updates available does not necessarily mean that the application does not have any vulnerabilities :-) As the scanning vendor is reporting, there seem to be XSS problems.

We want to block XSS attacks by using mod_security. The specific attacks are as follows, does anyone know how we can do this?

[Ryan Barnett] There are some XSS prevention examples in the document links above, as well as here - http://www.modsecurity.org/documentation/quick-examples.html
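Added example, not part of the original thread or of the ModSecurity documentation: a sketch of how ModSecurity 1.x directives on Apache 1.3 can combine a broad script-tag filter with a narrow allow-list rule for the one parameter a scanner flagged. The path `/app/search.php` and the parameter name `q` are hypothetical placeholders, and the allowed character set is an assumption to adjust per application.

```apache
# Added example for ModSecurity 1.x (SecFilter* directive syntax).
# /app/search.php and the parameter "q" are hypothetical placeholders.
<IfModule mod_security.c>
    SecFilterEngine On

    # Inspect POST bodies as well as the query string
    SecFilterScanPOST On

    # Reject requests with malformed URL encoding
    SecFilterCheckURLEncoding On

    # Applied to every rule below that does not set its own actions
    SecFilterDefaultAction "deny,log,status:403"

    # Broad rule: an opening script tag anywhere in the request
    SecFilter "<[[:space:]]*script"

    # Narrow rule for the flagged page: the leading "!" inverts the
    # match, so the request is denied unless the parameter consists
    # only of the listed characters (assumed set, adjust as needed)
    <Location /app/search.php>
        SecFilterSelective ARG_q "!^[a-zA-Z0-9 ._-]*$"
    </Location>
</IfModule>
```

The allow-list rule is the stronger of the two because it does not depend on recognising a particular payload; the broad filter alone can miss markup that avoids a script tag.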