Ulf Harnhammar wrote:
>> ModSecurity can scan parameters for suspicious strings but it's
>> not foolproof. It needs something distinctive to act upon. For
>> example, protecting "/boot" is easy. But the root "/" - not simple.
>
>
> What about this regular expression?
>
> ^/[^/]*$
>
> It will match strings that begin with a slash and then have zero
> or more characters that are something else than slashes.

That will work if you use it like this:

SecFilterSelective SCRIPT_FILENAME "^/[^/]*$"

but, again, that only covers the files executed and/or served
by Apache. In my earlier email I was referring to various scripts
that allow file download, accepting filenames as parameters.
For example:
http://www.xyz.com/cgi-bin/download.php?filename=/etc/passwd
If you know about this script you can secure it (either by making
sure it works properly, or by using mod_security to look after it).
But in a shared hosting environment when you have customers uploading
arbitrary scripts with arbitrary parameters crafting a filter to
catch those / downloads is pretty difficult (without creating a
large number of false positives, that is).
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
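Added example, not part of the thread: it exercises the regular expression Ulf proposed against sample values, showing what it does and does not match, and sketches the "make sure it works properly" option for a download script, rejecting absolute and traversing filename parameters instead of relying on a filter. The base directory and sample filenames are constructed for illustration.

```python
import os
import re
from typing import Optional

# The expression from the thread: a leading slash followed by no further slashes.
ROOT_LEVEL_PATH = re.compile(r"^/[^/]*$")


def matches_root_level(value: str) -> bool:
    """True for "/" itself or a single component directly under "/" (e.g. "/boot").

    Note that "/etc/passwd" contains a second slash and therefore does NOT match,
    which is why the filter helps for SCRIPT_FILENAME but not for arbitrary
    parameter values.
    """
    return ROOT_LEVEL_PATH.search(value) is not None


def resolve_download(base_dir: str, filename: str) -> Optional[str]:
    """Map a user-supplied filename parameter onto a path inside base_dir.

    Returns the canonical path to serve, or None when the request must be
    refused: empty names, absolute paths, and anything that resolves outside
    base_dir after ".." and symlinks have been collapsed.
    """
    if not filename:
        return None
    if os.path.isabs(filename):
        # Absolute paths are never joined; "/etc/passwd" is rejected outright.
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Prefix check on the canonical form catches "../" escapes and symlink tricks.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed base directory; it does not need to exist for the check to run.
    base = "/var/www/downloads"
    for name in ("reports/q1.pdf", "/etc/passwd", "../../../etc/passwd"):
        print(f"{name!r:28} -> {resolve_download(base, name)}")
    for value in ("/", "/boot", "/etc/passwd"):
        print(f"{value!r:14} root-level? {matches_root_level(value)}")
```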