Thread: [mod-security-users] Wrong post trigger
From: Gerwin K. -|- D. W. <ge...@di...> - 2005-12-16 08:26:25
|
Hey there my fellow list readers. I was testing some new rules (mostly for php
email injection rules), for this it was required to have ScanPOST on.
I have the following rule:
SecFilterSelective ARGS_VALUES "(http:/).+(\.txt|\.jpg|\.dat|\.gif|\.jpeg \.ini|\:[0-9]{1,9})"
Which should check for remote locations in server arguments (GET) only right?
Well mod_security also triggers it when I put a remote location in an email
form. Am I making a thinking error here? Maybe I looked too long to this
issue :)
--
Met vriendelijke groet/With kind regards,
Gerwin Krist
Digitalus
First-class Internet Webhosting
(w) http://www.digitalus.nl
(e) gerwin at digitalus.nl
(p) PGP-ID: 79B325D4
(t) +31 (0) 598 630000
(f) +31 (0) 598 631860
***************************************************************************************
This message may contain information which is confidential or privileged.
If you are not the intended recipient, please advise the sender immediately
by reply e-mail and delete this message and any attachments without
retaining
a copy.
***************************************************************************************
|
|
From: Justin G. <web...@sw...> - 2005-12-16 08:34:06
|
Gerwin,
Unless this is a dedicated server in which you have absolute control on the scripts, I find
these techniques more hurting than adding something...
We are using shared servers here and anything we tried gave false positives.
We are hitting the issue from a different pov - installing spam-assassin on the gateway and
quarantining the suspected spam messages for later review. If we find false positives, we instruct
the client on how to fix it (mainly modify the email text).
Adding spamhaus/spamcop with a big score in spam-assassin does the trick, many spammers are blacklisted
or use zombies to send spam which are also getting listed fast in the bls.
happy spam fighting,
Justin
Gerwin Krist -|- Digitalus Webhosting wrote:
> Hey there my fellow list readers. I was testing some new rules (mostly for php
> email injection rules), for this it was required to have ScanPOST on.
>
> I have the following rule:
> SecFilterSelective ARGS_VALUES "(http:/).+(\.txt|\.jpg|\.dat|\.gif|\.jpeg
> \.ini|\:[0-9]{1,9})"
> Which should check for remote locations in server arguments (GET) only right?
> Well mod_security also triggers it when I put a remote location in an email
> form. Am I making a thinking error here? Maybe I looked too long to this
> issue :)
>
|
|
From: Gerwin K. -|- D. W. <ge...@di...> - 2005-12-16 08:42:12
|
He Justin,
We do install it on a private server (I still do not agree with your opinion
though), I'd rather see php adding a solution for it.
Greetings,
On Friday 16 December 2005 09:33, Justin Grindea wrote:
> Gerwin,
>
> Unless this is a dedicated server in which you have absolute control on the
> scripts, I find these techniques more hurting than adding something...
>
> We are using shared servers here and anything we tried gave false
> positives.
>
> We are hitting the issue from a different pov - installing spam-assassin on
> the gateway and quarantining the suspected spam messages for later review.
> If we find false positives, we instruct the client on how to fix it (mainly
> modify the email text).
> Adding spamhaus/spamcop with a big score in spam-assassin does the trick,
> many spammers are blacklisted or use zombies to send spam which are also
> getting listed fast in the bls.
>
> happy spam fighting,
>
> Justin
>
> Gerwin Krist -|- Digitalus Webhosting wrote:
> > Hey there my fellow list readers. I was testing some new rules (mostly
> > for php email injection rules), for this it was required to have ScanPOST
> > on.
> >
> > I have the following rule:
> > SecFilterSelective ARGS_VALUES
> > "(http:/).+(\.txt|\.jpg|\.dat|\.gif|\.jpeg \.ini|\:[0-9]{1,9})"
> > Which should check for remote locations in server arguments (GET) only
> > right? Well mod_security also triggers it when I put a remote location in
> > an email form. Am I making a thinking error here? Maybe I looked too long
> > to this issue :)
>
--
Met vriendelijke groet/With kind regards,
Gerwin Krist
Digitalus
First-class Internet Webhosting
(w) http://www.digitalus.nl
(e) gerwin at digitalus.nl
(p) PGP-ID: 79B325D4
(t) +31 (0) 598 630000
(f) +31 (0) 598 631860
|
|
From: Justin G. <web...@sw...> - 2005-12-16 08:50:53
|
What solution can PHP add? You do want to have an email address as an ARG, right?
You do want to have multiple recipients, right?
If this is a private server and it DOESN'T do mailing lists (only submission forms),
you can tweak the smtp to send one mail/minute. Spammers will not waste time on a server
that sends one message per minute out and will probably leave you alone.
For better performance, put the mailboxes on the same server as the web and set the smtp to
send to local immediately and remote email one per minute.
Justin
Gerwin Krist -|- Digitalus Webhosting wrote:
> He Justin,
>
> We do install it on a private server (I still do not agree with your opinion
> though), I'd rather see php adding a solution for it.
>
> Greetings,
>
> On Friday 16 December 2005 09:33, Justin Grindea wrote:
>
>>Gerwin,
>>
>>Unless this is a dedicated server in which you have absolute control on the
>>scripts, I find these techniques more hurting than adding something...
>>
>>We are using shared servers here and anything we tried gave false
>>positives.
>>
>>We are hitting the issue from a different pov - installing spam-assassin on
>>the gateway and quarantining the suspected spam messages for later review.
>>If we find false positives, we instruct the client on how to fix it (mainly
>>modify the email text).
>>Adding spamhaus/spamcop with a big score in spam-assassin does the trick,
>>many spammers are blacklisted or use zombies to send spam which are also
>>getting listed fast in the bls.
>>
>>happy spam fighting,
>>
>> Justin
>>
>>Gerwin Krist -|- Digitalus Webhosting wrote:
>>
>>>Hey there my fellow list readers. I was testing some new rules (mostly
>>>for php email injection rules), for this it was required to have ScanPOST
>>>on.
>>>
>>>I have the following rule:
>>>SecFilterSelective ARGS_VALUES
>>>"(http:/).+(\.txt|\.jpg|\.dat|\.gif|\.jpeg \.ini|\:[0-9]{1,9})"
>>>Which should check for remote locations in server arguments (GET) only
>>>right? Well mod_security also triggers it when I put a remote location in
>>>an email form. Am I making a thinking error here? Maybe I looked too long
>>>to this issue :)
>>
>
>
|
|
From: Ivan R. <iv...@we...> - 2005-12-16 11:02:03
|
Gerwin Krist -|- Digitalus Webhosting wrote:
> Hey there my fellow list readers. I was testing some new rules (mostly for php
> email injection rules), for this it was required to have ScanPOST on.
>
> I have the following rule:
> SecFilterSelective ARGS_VALUES "(http:/).+(\.txt|\.jpg|\.dat|\.gif|\.jpeg
> \.ini|\:[0-9]{1,9})"
> Which should check for remote locations in server arguments (GET) only right?
No. It checks all arguments, no matter where they are. If you are
only interested in GET try QUERY_STRING.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
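Added example, not part of the original thread: a simplified Python model of the distinction in the last reply, applying the rule's pattern once to every argument value (ARGS_VALUES, query string plus POST body) and once to the query string alone (QUERY_STRING). The function names and sample requests are constructed for illustration, and the parsing is an assumption that stands in for mod_security's own.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Pattern copied exactly as it appears in the rule quoted in the thread.
RULE = re.compile(r"(http:/).+(\.txt|\.jpg|\.dat|\.gif|\.jpeg \.ini|\:[0-9]{1,9})")


def args_values(query_string, post_body):
    """Model of ARGS_VALUES: the value of every argument, taken from the
    query string and, with POST scanning on, from the urlencoded body."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    pairs += parse_qsl(post_body, keep_blank_values=True)
    return [value for _name, value in pairs]


def matches_args_values(query_string, post_body):
    """True if any argument value, GET or POST, matches the pattern."""
    return any(RULE.search(v) for v in args_values(query_string, post_body))


def matches_query_string(query_string, post_body):
    """Model of QUERY_STRING: only the part of the URI after '?'.
    The POST body is deliberately ignored."""
    return RULE.search(unquote_plus(query_string)) is not None


# Constructed sample requests (query string, urlencoded POST body).
REQUESTS = {
    "GET remote location": ("page=http://remote.example/file.txt", ""),
    "POST email form": ("", "name=Ann&message=see+http%3A%2F%2Fshop.example%2Flogo.gif"),
    "GET plain": ("page=about", ""),
}


def evaluate():
    """Return {label: (ARGS_VALUES hit, QUERY_STRING hit)} per request."""
    return {
        label: (matches_args_values(q, b), matches_query_string(q, b))
        for label, (q, b) in REQUESTS.items()
    }


if __name__ == "__main__":
    for label, (all_args, get_only) in evaluate().items():
        print(f"{label:22} ARGS_VALUES={all_args!s:5} QUERY_STRING={get_only}")
```

The email form submission is flagged only under the ARGS_VALUES model, which is the false positive reported at the start of the thread.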