Thank you!
-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: 10 ????? 2004 ?. 22:55
To: Tkachenko Alexei
Cc: mod...@li...
Subject: Re: [mod-security-users] How to disable this?
Tkachenko Alexei wrote:
> Let I have "SecFilter /somedir".
> With CGI-Telnet Version 1.0 user can perform the following:
> 1) cd /
> 2) ls /somedir - gets an error
> 3) ls somedir - and gets the content of somedir.
>
> Is there any way to prevent this?
No, not really. You see, once you allowed your users to have
CGI access you have also given them permission to read the
contents of various folders on the server.
You can write rules to stop users from using shell-emulators
but, ultimately, knowledgeable users will always be able to
get around them.
The only proper solution is to use cgiwrap for CGI
scripts and the safe mode/open_basedir restrictions for PHP.
If you still want to continue with mod_security, you should
look into the source code of the shell emulator and make note
of the variable names it uses to pass commands to the server.
Then, add a filter to watch for those. cgitelnet, if I
recall correctly, uses 'a' for action and 'c' for command.
This filter will reject requests with a parameter 'c' that
start with "ls"...
SecFilterSelective ARG_c "^[[:space:]]*ls"
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
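As an added illustration, not part of the messages above nor of ModSecurity's own code, this Python snippet evaluates the ARG_c rule against a few constructed query strings, showing what the rule catches (including leading whitespace) and that, as written, it also matches any command that merely begins with the letters "ls".

```python
import re
from urllib.parse import parse_qs

# Constructed rule table in the spirit of "SecFilterSelective ARG_<name> <regex>".
# The entry is the rule from the message, with the POSIX class [[:space:]]*
# written as Python's \s* (the re module has no POSIX bracket expressions).
RULES = [
    ("c", re.compile(r"^\s*ls")),
]


def blocked_by(query_string):
    """Return (param, pattern) for the first rule that matches, else None.

    Like ARG_c, each rule inspects only the named parameter; cgitelnet's
    'a' (action) parameter is not examined by this rule set.
    """
    args = parse_qs(query_string, keep_blank_values=True)
    for name, pattern in RULES:
        for value in args.get(name, []):
            if pattern.search(value):
                return name, pattern.pattern
    return None


def main():
    # Constructed sample requests, not captured traffic.
    samples = [
        "a=command&c=ls+somedir",  # blocked: command starts with ls
        "a=command&c=%20%20ls",    # blocked: leading whitespace is covered
        "a=command&c=pwd",         # passes
        "a=command&c=lsof",        # blocked too: no word boundary in the rule
        "a=ls&c=",                 # passes: only ARG_c is checked
    ]
    for qs in samples:
        print(f"{qs!r:28} -> {blocked_by(qs)}")


if __name__ == "__main__":
    main()
```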