mod-security-users

[mod-security-users] The directory traversal problem

[Ulf H. <me...@op...>]

I haven't tested this, but the following regexes should be helpful when trying to combat directory traversal:

  ^[/\]
  \.\.

The first matches any string that begins with "/" or "\" characters (like in "/etc/passwd"). The second matches any string with two dots in a row (which of course disallows legitimate filenames like "ulfs.nice.document..doc", but it also catches malicious things like "../../../../../../etc/passwd").

Any other ideas?

As Ivan wrote on webappsec, putting together a repository with regexes and other snippets for mod_security would be a good idea.

// Ulf

-- 
___________________________________________________
Check out the latest SMS services @ http://www.operamail.com, which allows you to send SMS through your mailbox.

Powered by Outblaze

Re: [mod-security-users] The directory traversal problem

[Ivan R. <iv...@we...>]

> As Ivan wrote on webappsec, putting together a repository
> with regexes and other snippets for mod_security would be
> a good idea.

   I'm half way there. The most boring bits of the (web)
   application are completed and I expect to have the rule
   database running (in a beta version) by the end of
   January.

   On a similar note, I've joined the WAS TC committee:
   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

   to work on a specification for Web server/application
   protection. I expect the rule database to be compatible
   with the WAS spec. once it is completed.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

[mod-security-users] Re: The directory traversal problem

[cyril <cyr...@la...>]

Ulf Harnhammar <metaur <at> operamail.com> writes:

> 
> I haven't tested this, but the following regexes should be helpful when trying
to combat directory traversal:
> 
>   ^[/\]
>   \.\.
> 
> The first matches any string that begins with "/" or "\" characters (like in
"/etc/passwd"). The second
> matches any string with two dots in a row (which of course disallows
legitimate filenames like
> "ulfs.nice.document..doc", but it also catches malicious things like
"../../../../../../etc/passwd").
> 
> Any other ideas?
> 
> As Ivan wrote on webappsec, putting together a repository with regexes and
other snippets for
> mod_security would be a good idea.
> 
> // Ulf
> 

Hello

^[/\]
Doesn't work, because you erase all / of your URL, so your website doesn't work
anymore ^^
I have tried  ^[\+] It doesn't work too.

I have problems with dir traversal, so i am investigating...

Regards
Cyril