From: Ivan Ristic <ivanr@we...> - 2004-07-29 12:14:57
Mod_security 1.8.4 has been released. It is available for immediate

This maintenance release relaxes the multipart/form-data encoding
validation to allow for broken clients (IE), fixes the mod_dir and
mod_fastcgi compatibility problems in the Apache 2.x version, fixes the
ARGS variable to test against the correct content, and fixes the problem
that causes a crash when the default response action is not explicitly
defined (via SecFilterDefaultAction in the configuration).

Mod_security is an Apache module whose purpose is to protect
vulnerable applications and reject human or automated attacks.
It is an open source intrusion detection and prevention system
for Apache. In addition to request filtering, it also creates Web
application audit logs. Requests are filtered using regular
expressions. Some of the things possible are:

* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject cross-site scripting attacks

With a few general rules mod_security can protect from both
known and unknown vulnerabilities.

* BUG When the ARGS variable was used in a multipart
request it used to test against the raw payload. Now
it only works on the request parameters (names & values),
just as with non-multipart requests.
* BUG mod_security would crash when the default action
was not specified in the configuration file.
* Fixed a problem when Apache loses our input filter on
fast redirects (e.g. mod_dir) and subrequests (e.g.
* Relaxed the validation of multipart/form-data requests
to allow broken clients (i.e. Internet Explorer) to work.

[ Open source IDS for Web applications ]
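As an added illustration of the capabilities listed earlier (filters on any part of the request, on all parameters, on a single parameter, with audit logging) and of the two behaviours this changelog touches (ARGS on multipart requests, and an explicit SecFilterDefaultAction), here is a minimal mod_security 1.x configuration. It is not from the announcement or the project; apart from SecFilterDefaultAction and ARGS, which the text names, the directive and variable names are given from memory of the 1.8 documentation, and the log path, parameter name and regexes are illustrative.

```apache
# Added example, not from the announcement. Directive names other than
# SecFilterDefaultAction and ARGS are from memory of the 1.8 docs;
# paths, the parameter name and the patterns are illustrative.
<IfModule mod_security.c>
    SecFilterEngine On

    # Inspect request bodies, so ARGS covers POST (including
    # multipart/form-data) as well as GET parameters.
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 32 126

    # Always define the default action explicitly. 1.8.4 fixes the crash
    # when it was missing, but the policy should still be stated.
    SecFilterDefaultAction "deny,log,status:403"

    # Audit log of requests that triggered a rule.
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log

    # Filter against any part of the request (URI, headers, body).
    SecFilter "\.\./"

    # Filter against request parameters only. With 1.8.4, ARGS on a
    # multipart request means the decoded parameter names and values,
    # not the raw payload, matching the non-multipart behaviour.
    SecFilterSelective ARGS "union[[:space:]]+select"
    SecFilterSelective ARGS "<[[:space:]]*script"

    # Filter an individual parameter, overriding the default action
    # for this rule only (allow-list on the illustrative "username").
    SecFilterSelective "ARG_username" "!^[a-zA-Z0-9_]{1,32}$" "deny,log,status:400"
</IfModule>
```

The per-rule action string on the last line shows why the default action matters: every rule without its own action falls back to SecFilterDefaultAction, so leaving it out meant the module had no response policy for most matches, which is the situation that produced the crash fixed here.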