Is there a reason that this feature was removed from
the 1.8 release? It's actually very handy to have.
> -----Original Message-----
> From: Ivan Ristic [mailto:ivanr@...]
> Sent: Wednesday, July 28, 2004 5:42 AM
> To: Dionysios G. Synodinos
> Cc: mod-security-users@...
> Subject: Re: [mod-security-users] Not allowed in
> VirtualHost ?
> Dionysios G. Synodinos wrote:
> > After upgrading mod_security from 1.7.6 to 1.8.3 I get the following
> > errors:
> > ---------------
> > Starting apache.
> > Syntax error on line 1356 of
> > SecServerResponseToken not allowed in VirtualHost
> > Syntax error on line 1359 of
> > SecServerSignature not allowed in VirtualHost
> That's correct. Just move them outside the
> VirtualHost area
> to make it work again.
> It is not possible to have different yet foolproof
> signature policies across different virtual hosts.
> ModSecurity (http://www.modsecurity.org)
> [ Open source IDS for Web applications ]
From: Ivan Ristic <ivanr@we...> - 2004-07-29 10:02:44
Sandy Koufax wrote:
> Is there a reason that this feature was removed from
> the 1.8 release? It's actually very handy to have.
I mentioned the reason already - it can't be done reliably.
There are two places where we can change the server signature:
upon Apache child initialization, and before a request is
processed. Malformed requests never reach the processing phase
so whatever signature is configured in the child initialization
phase is sent back to the user.
So let's say an attacker suspects mod_security is installed. To
confirm the suspicion he would only need to send a malformed
request and compare the Server field with a value received in
a valid request.
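The fix Ivan describes, as an added configuration example that is not from the thread: in 1.8.x the two directives are rejected inside a VirtualHost and belong in the main server context. The host name, document root and signature string are made-up values.

```apache
# Rejected by mod_security 1.8.x with "not allowed in VirtualHost":
# <VirtualHost *:80>
#     ServerName www.example.com
#     SecServerResponseToken On
#     SecServerSignature "Microsoft-IIS/5.0"
# </VirtualHost>

# Working layout: one signature policy, set once in the main server
# configuration so it applies to every virtual host and to malformed
# requests that never reach per-host processing.
# ServerTokens Full is required; Apache only lets a module replace
# the banner when the full token is being sent.
ServerTokens Full
SecServerResponseToken On
SecServerSignature "Microsoft-IIS/5.0"

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
    # Per-host filtering rules may remain here; the signature cannot.
</VirtualHost>
```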