Ryan,
Thanks and this is working as expected (though your reminder is
accurate about crafty attackers) for PHP files. I'm wondering if I can
specify a list of file names on the line below that should not be
allowed.
SecRule FILES "\.php$" log,deny,status:403,phase:2
Thanks!
Clay
On Fri, 2008-02-15 at 16:44 -0500, Ryan Barnett wrote:
> Hello Clayton and welcome to the list :) Yes, ModSecurity can help
> you. The Core Rules
> (http://www.modsecurity.org/projects/rules/index.html) has rules that
> will help to protect against SQL Injection attacks and also when
> clients try to access Trojan/backdoor web pages that may have been
> uploaded through a non-HTTP interface. As for preventing PHP file
> uploads, you may be able to use the example rule shown here
> (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0-rc4/modsecurity2-apache-reference.html#N10B39)
> by inspecting the FILES variable data to try and prevent the ".php"
> extension as this would be the uploaded filename. Keep in mind,
> however, that this is prone to evasions by a crafty attacker.
>
> Hope this helps.
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
>
> Breach Security: Director of Training
>
> Web Application Security Consortium (WASC) Member
>
> CIS Apache Benchmark Project Lead
>
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>
> Author: Preventing Web Attacks with Apache
>
> ______________________________________________________________________
>
> From:mod...@li...
> [mailto:mod...@li...] On Behalf Of
> Clayton Dillard
> Sent: Friday, February 15, 2008 4:41 PM
> To: mod...@li...
> Subject: [mod-security-users] blocking php uploads
>
> Folks,
> I'm new to this list and I'm researching mod_security. So far it
> seems like a very good tool. At my company, we host shared SugarCRM
> instances for our customers. Thus, we would need to know if
> mod_security can be configured so that it provides a strong level of
> defense against common PHP, SQL-injection, and Apache attacks. One
> thing we want to do is to prevent anyone from uploading php files (or
> any executable code for that matter). Can mod_security do this?
>
> Best regards,
>
> Clayton Taylor Dillard
>
> http://hspcd.blogspot.com/
>
Clayton Taylor Dillard
http://hspcd.blogspot.com/
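
An added example, not part of the original thread and not the ModSecurity project's own rules: one way to give the rule above a list of disallowed extensions, shown next to an allowlist variant that rejects any upload whose name does not end in an approved extension. The extension lists, rule ids and messages are assumptions to adapt to the site.

```apache
# Added example: extension lists, rule ids and msg texts are constructed.
# FILES holds the original client-side filenames of multipart uploads, so
# request body parsing must be enabled for phase:2 rules to see them.
SecRequestBodyAccess On

# Variant 1 (denylist): a single rule covers several extensions through
# regex alternation. t:lowercase normalises the filename before matching,
# so the pattern does not depend on the case the client used.
SecRule FILES "@rx \.(?:php|phtml|pl|py|cgi|sh)$" \
    "phase:2,t:none,t:lowercase,log,deny,status:403,id:900101,msg:'Upload blocked: disallowed file extension'"

# Variant 2 (allowlist): the leading "!" negates the operator, so the rule
# fires for any uploaded filename that does NOT end in an approved
# extension. Anything not explicitly listed is refused.
SecRule FILES "!@rx \.(?:pdf|png|jpe?g|gif|csv|txt)$" \
    "phase:2,t:none,t:lowercase,log,deny,status:403,id:900102,msg:'Upload blocked: extension not on allowlist'"

# Use one variant or the other. Both inspect only the filename sent by the
# client, not the content of the uploaded file.
```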