mod-security-users Mailing List for ModSecurity (Page 556)
|
From: Alex <gra...@we...> - 2005-08-03 09:01:57
|
Hello,

we're using Plesk 7.5 for Unix on Fedora Core2 Server, and my question is:
Which rules are preferred for us:

Application protection rules
UserAgent rules
Comment spam rules
RootKit/Owned boxes blacklist
Proxy scan rules
Additional Apache 2.x rules

Must we all take to the httpd.conf?

Thanks for help
|
|
From: Wally <car...@gm...> - 2005-08-03 08:53:45
|
Hey guys, i need to know how to block this one call in mod_security.
Here is the error_log with the errors that i want to stop happening.
The problem is that these errors take up the bandwidth, so i need to know how to stop apache handling them.

/usr/local/apache/logs]# tail -f access_log
211.229.230.115 - - [02/Aug/2005:01:21:21 -0400] "6bNLilgBIbuJkWI3pww0QhnhnM" 501 -
65.10.248.190 - - [02/Aug/2005:01:21:24 -0400] "Kgd365YCZadmlioSqs8" 501 -
211.195.177.209 - - [02/Aug/2005:01:21:25 -0400] "CSwG8ImRNvWzpEsjntEnASp" 501 -
219.104.191.68 - - [02/Aug/2005:01:21:25 -0400] "9kX7QLZbtIhLKCaq2qm9bpEKgoHNkYOkLJ0CW9igCN8ttTqYGRMH3zNCOfxOIJnlYlnMG31fA1gKpHmJG1oYzS7oDYYIuzgv" 501 -
206.149.212.240 - - [02/Aug/2005:01:21:27 -0400] "UXrSXYDCKyq6RJmJQzhw" 501 -
200.106.17.162 - - [02/Aug/2005:01:21:28 -0400] "LuoWg58vto0JSfk0l6veD1luOAKBK1DaO54rfEP9TKTk3l58paSL10JjCFqCcMUyPCuWD4" 501 -
219.66.107.70 - - [02/Aug/2005:01:21:28 -0400] "s8fEcwNOx0SqYlOGIwqnnp5oxx3TG8qR1mlyN2H4bWgJAvz19RKtuZdQYqsAJdsaay6NydjrKW30RcyUA44womsD" 501 -
61.235.157.180 - - [02/Aug/2005:01:21:29 -0400] "vTiFxczhCX2tQ1XNehWfxyruQLDtH6uaCJuFmxlJggLoEUuC6fhHIB4rpj27" 501 -
221.185.120.244 - - [02/Aug/2005:01:21:29 -0400] "ptmrUX5v" 501 -
70.177.54.195 - - [02/Aug/2005:01:21:29 -0400] "mLRoUP6DdIj52v5voMxmsksz" 501 -
210.213.147.250 - - [02/Aug/2005:01:21:31 -0400] "xfxeKjsQjg5A6SWDkG" 501 -
60.214.223.1 - - [02/Aug/2005:01:21:34 -0400] "-" 408 -
24.45.203.10 - - [02/Aug/2005:01:21:34 -0400] "1sLtDPrGScL0uIoz" 501 -
67.168.31.96 - - [02/Aug/2005:01:21:35 -0400] "-" 408 -
68.219.29.135 - - [02/Aug/2005:01:21:35 -0400] "S9vtUMgKOoMHgi5QARCLQlMWCNGP2Pv6TugQXLSNH01e5e7bTl0OszkQJ1zlVeDQsWUjjt3yKRA8ZbLxJZ" 501 -

Thanks,
Matt
|
|
From: Ivan R. <iv...@we...> - 2005-08-02 15:15:41
|
Alex wrote:
> Hello,
>
> we installed the fine mod_security on our Plesk 7.5.3 Unix Server, based on
> Fedora Core2.
> We installed the Rule regression-v2.
>
> Now some customer/users said to us, that the visitor gets an Internal Error
> 500, so mod_security gets a pattern match.
> But when we looked on the site, all seems to be fine!
>
> So I don't know the problem what is wrong!
>
> Has someone for us a standard working ruleset, that works with our plesk
> server?

"Rule regression-v2" is *not* a working ruleset. You need
to remove it from your configuration. For sets of rules have
a look at http://www.gotroot.com

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Alex <gra...@we...> - 2005-08-02 15:02:22
|
Hello,

we installed the fine mod_security on our Plesk 7.5.3 Unix Server, based on
Fedora Core2.
We installed the Rule regression-v2.

Now some customer/users said to us, that the visitor gets an Internal Error
500, so mod_security gets a pattern match.
But when we looked on the site, all seems to be fine!

So I don't know the problem what is wrong!

Has someone for us a standard working ruleset, that works with our plesk
server?

Many thanks for help
Alex
|
|
From: Terry D. <tdo...@na...> - 2005-08-02 10:10:43
|
Terry Dooher wrote:
[snip]
> Depending on the rule you're matching, it might simply be possible to
> skip mod_security and just add a Redirect directive to your VirtualHost,
> issuing a 301 for the specific file:
>
> Redirect 301 /files/hiddenfile.txt http://main.example.com
>
> This doesn't do any pattern matching however. The mod_security way would
> be to issue a "redirect:http://main.example.com" for the specific rule.
> (I think this is a 301, but I haven't used this)

My mistake. You _can_ do pattern matching with redirect. RedirectMatch does
regexp pattern matching. 'tis all in here:

http://httpd.apache.org/docs/2.0/mod/mod_alias.html

Terry.
|
|
From: Terry D. <tdo...@na...> - 2005-08-02 10:01:57
|
Lonnie wrote:
> Greeting All,
>
> I am working to get mod_security installed and running well for our
> systems and am wondering if you can please tell me how I can customize
> it for each virtual server that we have?

This is simply a matter of adding your ruleset to the configuration inside
your chosen VirtualHost directive. The rules should then only be enabled for
that host and not the others.

> What I mean is that I think that there is supposed to be some way to
> redirect the user if any of the SecFilters are triggered to a particular
> web address, right?

Depending on the rule you're matching, it might simply be possible to skip
mod_security and just add a Redirect directive to your VirtualHost, issuing
a 301 for the specific file:

Redirect 301 /files/hiddenfile.txt http://main.example.com

This doesn't do any pattern matching however. The mod_security way would be
to issue a "redirect:http://main.example.com" for the specific rule.
(I think this is a 301, but I haven't used this)

> I want to set this up so that if a SecFilter is triggered by a
> particular virtual server in my httpd.conf for ssl.conf then I will
> redirect them to that main server instead of an error message page.

You could issue a "deny,log,status:403" as is recommended and specify a
custom ErrorDocument directive for that VirtualHost, such as:

ErrorDocument 403 http://main.example.com

Though this would redirect all 403s, not just this specific example. Is
there a specific reason you want to hide the error in this way? Do you only
want to hide it for this one specific rule match?

Terry.
|
|
From: Lonnie <lo...@ou...> - 2005-08-02 01:45:14
|
Greeting All,

I am working to get mod_security installed and running well for our
systems and am wondering if you can please tell me how I can customize
it for each virtual server that we have?

What I mean is that I think that there is supposed to be some way to
redirect the user if any of the SecFilters are triggered to a particular
web address, right?

I want to set this up so that if a SecFilter is triggered by a
particular virtual server in my httpd.conf for ssl.conf then I will
redirect them to that main server instead of an error message page.

How can this be done?

Thanks,
Lonnie
|
|
From: Ivan R. <iv...@we...> - 2005-08-01 10:43:49
|
Lonnie wrote:
> Never mind......
>
> I solved the problem and all is working well at this point.....
>
> If you see any additional SecFilter statements that should be added then
> please let me know, ok.

We can't tell you which rules to add, as that depends entirely
on your application and your defence strategy. We can, however,
tell you to remove all of the SecFilter statements from the
configuration sent in your previous email (they are just examples).
Then you can put back some you think you need.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Lonnie <lo...@ou...> - 2005-08-01 01:32:41
|
Never mind......

I solved the problem and all is working well at this point.....

If you see any additional SecFilter statements that should be added then
please let me know, ok.

Thanks,
Lonnie

Lonnie wrote:
> Sir,
>
> I have subscribed to your mod_security list but after replying to the
> confirmation, I get no notice that I can go ahead and post or welcome
> message.
>
> My problem is that even after installing the mod_security on my Linux
> Fedora3 Apache2 system and adding your quick example to the httpd.conf
> and restarting my server, I can still do a traversal attack on my system.
>
> http://www.paysafenet.com/?x=../../../../../../../etc/passwd
>
> with
> <IfModule mod_security.c>
>
> # Turn the filtering engine On or Off
> SecFilterEngine On
>
> # Make sure that URL encoding is valid
> SecFilterCheckURLEncoding On
>
> # Only allow bytes from this range
> SecFilterForceByteRange 32 126
>
> # The audit engine works independently and
> # can be turned On or Off on the per-server or
> # on the per-directory basis
> SecAuditEngine RelevantOnly
>
> # The name of the audit log file
> SecAuditLog logs/audit_log
>
> SecFilterDebugLog logs/modsec_debug_log
> SecFilterDebugLevel 0
>
> # Should mod_security inspect POST payloads
> SecFilterScanPOST On
>
> # Action to take by default
> SecFilterDefaultAction "deny,log,status:406"
>
> # Redirect user on filter match
> SecFilter xxx redirect:http://www.webkreator.com
>
> # Execute the external script on filter match
> SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl
>
> # Simple filter
> SecFilter 111
> # Only check the QUERY_STRING variable
> SecFilterSelective QUERY_STRING 222
>
> # Only check the body of the POST request
> SecFilterSelective POST_PAYLOAD 333
>
> # Only check arguments (will work for GET and POST)
> SecFilterSelective ARGS 444
>
> # Test filter
> SecFilter "/cgi-bin/keyword"
>
> # Another test filter, will be denied with 404 but not logged
> # action supplied as a parameter overrides the default action
> SecFilter 999 "deny,nolog,status:404"
>
> # Prevent OS specific keywords
> SecFilter /etc/password
>
> # Prevent path traversal (..) attacks
> SecFilter "\.\./"
>
> # Weaker XSS protection but allows common HTML tags
> SecFilter "<( |\n)*script"
>
> # Prevent XSS attacks (HTML/Javascript injection)
> SecFilter "<(.|\n)+>"
>
> # Very crude filters to prevent SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"
>
> # Require HTTP_USER_AGENT and HTTP_HOST headers
> SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
>
> # Forbid file upload
> SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
>
> # Only watch argument p1
> SecFilterSelective "ARG_p1" 555
>
> # Watch all arguments except p1
> SecFilterSelective "ARGS|!ARG_p2" 666
>
> # Only allow our own test utility to send requests (or Mozilla)
> SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"
>
> # Do not allow variables with this name
> SecFilterSelective ARGS_NAMES 777
>
> # Do not allow this variable value (names are ok)
> SecFilterSelective ARGS_VALUES 888
>
> </IfModule>
>
> can you please help me to figure out why this is not working?
>
> Thanks,
> Lonnie Cumberland
|
|
From: Lonnie <lo...@ou...> - 2005-08-01 01:20:47
|
Sir,

I have subscribed to your mod_security list but after replying to the
confirmation, I get no notice that I can go ahead and post or welcome
message.

My problem is that even after installing the mod_security on my Linux
Fedora3 Apache2 system and adding your quick example to the httpd.conf
and restarting my server, I can still do a traversal attack on my system.

http://www.paysafenet.com/?x=../../../../../../../etc/passwd

with
<IfModule mod_security.c>

# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 32 126

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:406"

# Redirect user on filter match
SecFilter xxx redirect:http://www.webkreator.com

# Execute the external script on filter match
SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl

# Simple filter
SecFilter 111
# Only check the QUERY_STRING variable
SecFilterSelective QUERY_STRING 222

# Only check the body of the POST request
SecFilterSelective POST_PAYLOAD 333

# Only check arguments (will work for GET and POST)
SecFilterSelective ARGS 444

# Test filter
SecFilter "/cgi-bin/keyword"

# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
SecFilter 999 "deny,nolog,status:404"

# Prevent OS specific keywords
SecFilter /etc/password

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Forbid file upload
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

# Only watch argument p1
SecFilterSelective "ARG_p1" 555

# Watch all arguments except p1
SecFilterSelective "ARGS|!ARG_p2" 666

# Only allow our own test utility to send requests (or Mozilla)
SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

# Do not allow variables with this name
SecFilterSelective ARGS_NAMES 777

# Do not allow this variable value (names are ok)
SecFilterSelective ARGS_VALUES 888

</IfModule>

can you please help me to figure out why this is not working?

Thanks,
Lonnie Cumberland
|
|
From: ffolkes <ff...@ff...> - 2005-07-29 04:02:37
|
I happened to notice that the error was in suexec_log - it said the
current user apache was running as didn't have permission to access the
script, despite the confusing EOF error. What baffles me is, this is
running on a box administered by Plesk, so why are two domains unable to
gain permission to run it, while all the others can? Obviously something
must be set wrong in my apache configuration, but that's beyond the
scope of this mailing list.

Thanks.
TM

Ivan Ristic wrote:
> ffolkes wrote:
>
>> Hello-
>>
>> I've setup a PHP script to ban offending IPs, but some filters fail
>> with this:
>>
>> Executing command "path/to/my/script"
>> File execution failed: End of file found (70014)
>>
>> Anyone have any ideas why?
>
>
> Does that script create any output to stdout? If not, make
> it print something (e.g. one line of text) and let me know if the
> problem goes away.
>
|
|
From: ffolkes <ff...@ff...> - 2005-07-29 04:02:00
|
What I had initially done was make a PHP script to add offending IPs to
APF, or optionally just notify me. Thus the use of flags, to tell it if
I wanted it to run in notifyonly mode or not. I've since gotten around
this problem by just copying the script and hardcoding the options.

TM

Ivan Ristic wrote:
> ffolkes wrote:
>
>> Hello-
>>
>> Is there a way to put arguments in the exec action? For example:
>>
>> "exec:/path/to -a=123"
>>
>> I tried but it appeared to never run the command at all.
>
>
> Correct. At the moment the whole thing is treated as the
> path to the script. It would help if you could explain why
> you need this feature.
>
|
|
From: Ivan R. <iv...@we...> - 2005-07-28 16:35:00
|
ffolkes wrote:
> Hello-
>
> Is there a way to put arguments in the exec action? For example:
>
> "exec:/path/to -a=123"
>
> I tried but it appeared to never run the command at all.

Correct. At the moment the whole thing is treated as the
path to the script. It would help if you could explain why
you need this feature.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-07-28 16:24:54
|
M.Saeed Shaikh wrote:
> Hi,
>
> Someone is spamming from our mail server. Is there any way to create
> sendmail commands log file. So at least I can see who is using
> sendmail command. I think it's using php/FormMail script for send mail.
> However I already implement FormMail rule.
>
> I just want to create log file whenever sendmail command use.
As Tom already mentioned, it's likely you already have a log of
all sendmail invocations. Some other ideas:
* Replace the sendmail binary with a "fake" one that logs the
parameters, and then calls the real thing.
* Enable process accounting on the server (differs from OS to OS,
use Google to find out more).
* Use grsecurity (http://www.grsecurity.org) to log process creation.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
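Ivan's first suggestion in the reply above, a stand-in sendmail that logs its parameters and then calls the real thing, as an added example that is not part of the original thread. The paths, the syslog tag and the log format are assumptions; REMOTE_ADDR and SCRIPT_FILENAME appear only when the caller is a CGI script.

```shell
#!/bin/sh
# Logging wrapper for sendmail (added example, not from the thread).
# Assumed install: the real binary is moved to $REAL_SENDMAIL and this file
# takes its place under the name "sendmail".

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"  # assumed path
SENDMAIL_LOG="${SENDMAIL_LOG:-}"   # optional log file; empty means syslog

# Replace non-printable bytes (newlines included) with "?" so that a crafted
# argument or environment value cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# Build one log line: who called us, from where, and with which arguments.
# $1 is the timestamp, the remaining arguments are sendmail's own.
format_entry() {
    fe_ts=$1
    shift
    # Name of the calling process (php, perl, httpd, ...), "?" if unavailable.
    fe_parent=$(ps -o comm= -p "$PPID" 2>/dev/null) || fe_parent='?'
    fe_line="$fe_ts uid=$(id -u) ppid=$PPID parent=$(sanitize "$fe_parent")"
    fe_line="$fe_line cwd=$(sanitize "$PWD")"
    # CGI variables are inherited only when the caller is a CGI script.
    fe_line="$fe_line remote=$(sanitize "${REMOTE_ADDR:--}")"
    fe_line="$fe_line script=$(sanitize "${SCRIPT_FILENAME:--}")"
    fe_n=0
    for fe_arg in "$@"; do
        fe_n=$((fe_n + 1))
        fe_line="$fe_line arg$fe_n=[$(sanitize "$fe_arg")]"
    done
    printf '%s\n' "$fe_line"
}

# Record the call. A logging failure must never stop mail delivery.
log_invocation() {
    li_entry=$(format_entry "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$@")
    if [ -n "$SENDMAIL_LOG" ]; then
        # The file has to be writable by every account that sends mail,
        # so callers can also tamper with it; syslog avoids that.
        printf '%s\n' "$li_entry" >>"$SENDMAIL_LOG" 2>/dev/null || true
    else
        logger -t sendmail-wrapper -p mail.notice "$li_entry" 2>/dev/null || true
    fi
}

main() {
    log_invocation "$@"
    # exec keeps stdin (the message itself) and the exit status untouched.
    exec "$REAL_SENDMAIL" "$@"
}

# Run only when installed under the name "sendmail"; under any other file
# name the functions can be sourced and tried without sending mail.
case "${0##*/}" in
    sendmail) main "$@" ;;
esac
```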
|
From: Ivan R. <iv...@we...> - 2005-07-28 16:18:54
|
Ivan Ristic wrote:
> Pierre Henriot wrote:
>
>> Hi
>>
>> I use photoshare, there is a form with 8 possible file uploads.
>>
>> I always get a rejection from mod_security with the comment "invalid
>> multipart/form-data format"
>>
>> I don't see why the form data is invalid. Any ideas?
>
> You should find more information in your error log, right above the
> "invalid multipart/form-data format" message. My guess is that
> mod_security is unable to create a temporary file on disk.
>
> I'll see to make the error message better.

FYI, it was a permission problem.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-07-28 16:18:07
|
ffolkes wrote:
> Hello-
>
> I've setup a PHP script to ban offending IPs, but some filters fail with
> this:
>
> Executing command "path/to/my/script"
> File execution failed: End of file found (70014)
>
> Anyone have any ideas why?

Does that script create any output to stdout? If not, make
it print something (e.g. one line of text) and let me know if the
problem goes away.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Tom A. <tan...@oa...> - 2005-07-28 15:08:34
|
Firstly, disconnect your server from the internet so as to stop spamming
people.

Try "ps" or "top" to see if there are any unidentified processes running,
especially ones using lots of cpu or memory. You may have been compromised
in some other way than FormMail, and a zombie mailserver installed somewhere
like /tmp or /usr/tmp. Eliminate that possibility before assuming mail is
being sent via sendmail through your form.

Run one or more rootkit detection programs such as "rkhunter" or
"chkrootkit".

If it is being sent with sendmail, then your syslog daemon should be keeping
logs in a standard location such as /var/log/mail.

Look in your apache logs to see if any weird parameters were passed into any
of your scripts at the time the spamming started, or each time it occurs. If
so, create a mod_security rule to prevent it from happening again.

Hope that helps.

Tom

----- Original Message -----
From: "M.Saeed Shaikh" <sha...@gm...>
To: <mod...@li...>
Sent: Thursday, July 28, 2005 4:53 AM
Subject: [mod-security-users] create sendmail command log file

> Hi,
>
> Someone is spamming from our mail server. Is there any way to create
> sendmail commands log file. So at least I can see who is using
> sendmail command. I think it's using php/FormMail script for send mail.
> However I already implement FormMail rule.
>
> I just want to create log file whenever sendmail command use.
>
> Thanx.
>
> --
> M.A.Shaikh
> Linux System Administrator
|
|
From: M.Saeed S. <sha...@gm...> - 2005-07-28 08:53:21
|
Hi,

Someone is spamming from our mail server. Is there any way to create
sendmail commands log file. So at least I can see who is using
sendmail command. I think it's using php/FormMail script for send mail.
However I already implement FormMail rule.

I just want to create log file whenever sendmail command use.

Thanx.

--
M.A.Shaikh
Linux System Administrator
|
|
From: ffolkes <ff...@ff...> - 2005-07-28 05:51:10
|
Hello-

I've setup a PHP script to ban offending IPs, but some filters fail with
this:

Executing command "path/to/my/script"
File execution failed: End of file found (70014)

Anyone have any ideas why?

Thanks.
TM
|
|
From: Ivan R. <iv...@we...> - 2005-07-26 18:47:39
|
Pierre Henriot wrote:
> Hi
>
> I use photoshare, there is a form with 8 possible file uploads.
>
> I always get a rejection from mod_security with the comment "invalid
> multipart/form-data format"
>
> I don't see why the form data is invalid. Any ideas?

You should find more information in your error log, right above the
"invalid multipart/form-data format" message. My guess is that
mod_security is unable to create a temporary file on disk.

I'll see to make the error message better.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Pierre H. <pie...@sw...> - 2005-07-26 06:13:06
|
Hi

I use photoshare, there is a form with 8 possible file uploads.

I always get a rejection from mod_security with the comment "invalid multipart/form-data format"

I don't see why the form data is invalid. Any ideas?
|
|
From: ffolkes <ff...@ff...> - 2005-07-19 23:21:56
|
Hello-

Is there a way to put arguments in the exec action? For example:

"exec:/path/to -a=123"

I tried but it appeared to never run the command at all.

Thanks.
ffolkes
|
|
From: Ivan R. <iv...@we...> - 2005-07-15 11:51:26
|
Daniel Fdez. Bleda wrote:
> Hello,
>
> I'm having some problems parsing the HTML with libxml2.
> I thought I could use the request_rec->content_encoding but I see that
> where some web pages specify UTF-8 as encoding this info is not in
> this structure

My guess that field is populated only when the content encoding
information is in the HTTP headers.

> when I'm in sec_filter_out() so I don't know how now
> the encryption type to use (or use some as "ISO-8859-1" by default).

The correct procedure may be to start parsing using the default
encoding. If a change of the encoding is encountered, go back
and start all over.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Daniel F. B. <dfe...@is...> - 2005-07-14 16:54:47
|
Hello,

I'm having some problems parsing the HTML with libxml2.
I thought I could use the request_rec->content_encoding but I see that
where some web pages specify UTF-8 as encoding this info is not in
this structure when I'm in sec_filter_out() so I don't know how now
the encryption type to use (or use some as "ISO-8859-1" by default).

Thanks,

--
_________________________________
Daniel Fernández Bleda
Gerente de cuentas
e-Security Engineer
OPSA/OPST Trainer, CISSP
dfernandez<arroba>isecauditors.com
Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
|