Re: [mod-security-users] Mod Security 1.x on Apache1 (cpanel)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Comments inline below.

=20

--=20
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

=20

=20

________________________________

From: mod...@li...
[mailto:mod...@li...] On Behalf Of
Aaron - Lists
Sent: Tuesday, August 21, 2007 5:08 AM
To: mod...@li...
Subject: [mod-security-users] Mod Security 1.x on Apache1 (cpanel)

=20

Hello,

We currently run mod_security 1.x on apache1, however I can't find seem
to find any documentation on it.  Is there any place I can find
documentation?

[Ryan Barnett] There are a few different places you can look -

1.	Here is a link to the 1.9 manual -
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsec
urity-manual.html
2.	There is also a good article on SecurityFocus -
http://www.securityfocus.com/infocus/1739

We need to reach PCI compliance on one of our websites, however
scanalert is showing a website cross-scripting attack.  The software in
question does not have any security vulnerabilities, and hence does not
have any upgrades available.=20

[Ryan Barnett] Just to clarify your statement above, just because the
commercial application you are using does not have any updates available
does not necessarily mean that the application does not have any
vulnerabilities :-)  As the scanning vendor is reporting, there seems to
be XSS problems.

We want to block XSS attacks by using mod_security.  The specific
attacks are like follows, does anyone know how we can do this?

[Ryan Barnett] There are some XSS prevention examples in the document
links above, as well as here -
http://www.modsecurity.org/documentation/quick-examples.html