Thread: [mod-security-users] [ANNOUNCE] ModSecurity 1.8.7 has been released
From: Ivan R. <iv...@we...> - 2005-03-09 09:51:30
ModSecurity 1.8.7 has been released. It is available for immediate
download from:
http://www.modsecurity.org/download/
This release brings a mixture of small bug fixes, one minor security
fix, and minor enhancements. Cookie parsing has been enhanced.
ModSecurity now has two cookie parsers, one for each major version of
the specification. Failures to execute external scripts are now properly
logged. If the approver script is missing or not working the request is
now rejected. A bug that allows an attacker to bypass some of the checks is
now fixed.
About ModSecurity
-----------------
ModSecurity is a web application firewall, designed to protect
vulnerable applications and reject manual and automated attacks.
It is an open source intrusion detection and prevention system. It
can work embedded in Apache, or as a standalone security device when
configured to work as part of an Apache-based reverse proxy.
Optionally, ModSecurity creates application audit logs, which contain
the full request body in addition to all other details. Requests are
filtered using regular expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
* Store the files uploaded through the web server, and have them
checked by external scripts
With a few general rules ModSecurity can protect from both known
and unknown vulnerabilities. A Java version is also available, which
works with any Servlet 2.3 compatible web server.
Changes (v1.8.7)
----------------
* Stefan Esser discovered a trivial way to craft a request to sneak
in the request parameters that are in the request body past the
named parameter syntax (e.g. ARG_name). Non-selective filtering
(SecFilter), other variables (e.g. THE_REQUEST, ARGS, POST_PAYLOAD),
and the audit log worked fine. Fixed.
* Stefan Esser also pointed out PHP parses cookies differently from
mod_security, and demonstrated a way to exploit the differences
to sneak in a cookie past the named cookie syntax (e.g. COOKIE_name).
So I decided to add another cookie parser to mod_security. A new
directive, SecFilterCookieFormat, determines which parser is used.
Possible values are 0 (default, for Netscape-style cookies, aka
version 0) and 1 (for RFC 2965 aka version 1 cookies). Without
spending more time on research (to determine how different platforms
parse cookies) -- which is on my TODO list -- I can't give a
definitive answer whether the COOKIE_name syntax is good enough. It
should be, but if you are very paranoid you may choose to use the
HTTP_Cookie syntax to examine the whole cookie header. Look for more
details in the documentation. As a consequence of the recent changes,
the SecFilterCheckCookieFormat directive is now obsolete and has
no effect.
* BUG Request error messages are now escaped properly when logged
to the audit log.
* BUG (Apache 2 only) Failure to execute external scripts is now
properly detected and logged.
* BUG If the approver script does not exist the file is rejected.
* BUG (Apache 2 only) Made the allow action work with output
filtering.
* BUG (Apache 2 only) Warning messages (e.g. "log,pass") did
not get logged in output filtering.
* Cookie normalization is now off by default (as was stated in the
documentation previously).
* BUG (Apache 2 only) The audit logging code can cause a segfault
when it isn't explicitly configured in the configuration, and
the main handler does not run for some reason. Fixed.
* BUG (Apache 2 only) Fixed a bug in the code that handles the exec
action, which would sometimes cause a segfault (when an external
script is executed).
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
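The two cookie formats that the new SecFilterCookieFormat directive selects between parse the same Cookie header differently, which is exactly why the choice has to match the application behind the firewall. The example below is added here and is not ModSecurity's own code; the function names are mine, and the parsing rules follow the Netscape (version 0) and RFC 2965 (version 1) specifications. It implements both rules and reports the cookies on which they disagree, the situation in which the announcement's advice to inspect the whole header via HTTP_Cookie applies.

```python
import re
from typing import Dict, Optional, Tuple

# Hypothetical helper names; the parsing rules follow the Netscape cookie spec
# (version 0) and RFC 2965 (version 1), not ModSecurity's own source.

def parse_cookies_v0(header: str) -> Dict[str, str]:
    """Netscape-style (version 0): split on ';', the first '=' separates name
    from value, no quoting rules, no '$' attributes."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies

# name, optionally '=' and either a quoted-string (may contain ';' and ',') or
# a bare token, followed by an optional ';' or ',' separator
_V1_ITEM = re.compile(r'\s*([^=;,\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;,]*))?\s*[;,]?')

def parse_cookies_v1(header: str) -> Dict[str, str]:
    """RFC 2965 (version 1): ';' or ',' separate items, values may be quoted
    strings with backslash escapes, and '$'-prefixed names are attributes."""
    cookies: Dict[str, str] = {}
    pos = 0
    while pos < len(header):
        m = _V1_ITEM.match(header, pos)
        if not m:
            pos += 1  # stray separator or '=': skip it
            continue
        pos = m.end()
        name, value = m.group(1), (m.group(2) or "").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape quoted-string
        if name.startswith("$"):
            continue  # $Version/$Path/$Domain belong to the preceding cookie
        cookies[name] = value
    return cookies

def parser_disagreements(header: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Cookie names whose value differs between the two parsers, as (v0, v1).
    Each entry is a cookie a COOKIE_name filter sees differently depending on
    SecFilterCookieFormat; such headers are better examined via HTTP_Cookie."""
    v0, v1 = parse_cookies_v0(header), parse_cookies_v1(header)
    return {name: (v0.get(name), v1.get(name))
            for name in sorted(set(v0) | set(v1)) if v0.get(name) != v1.get(name)}
```

Running `parser_disagreements` over the constructed header `$Version="1"; session="abc;def"; $Path="/"; theme=dark` shows the version 0 parser splitting the quoted `session` value at the embedded `;` while the version 1 parser keeps it whole.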
From: Gerwin K. -|- D. W. <ge...@di...> - 2005-03-09 10:02:53
Great Ivan :) Will do some testing ....

--
With kind regards,
Gerwin Krist
Digitalus First-class Internet Webhosting
(w) http://www.digitalus.nl
(e) gerwin at digitalus.nl
(p) PGP-ID: 79B325D4
(t) +31 (0) 598 630000
(f) +31 (0) 598 631860
From: Ivan R. <iv...@we...> - 2005-03-09 10:06:35
Gerwin Krist -|- Digitalus Webhosting wrote:
> Great Ivan :) Will do some testing ....

Maybe next time I can notify you *before* I make a release for testing? :)

Speaking of which, if there's anyone interested in giving an RC release a quick compile and test drive, please let me know. I still test only on Linux.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Mark <ad...@as...> - 2005-03-09 10:12:57
> -----Original Message-----
> From: mod...@li...
> [mailto:mod...@li...] On
> Behalf Of Ivan Ristic
> Sent: Wednesday 9 March 2005 11:07
> To: mod...@li...
> Subject: Re: [mod-security-users] [ANNOUNCE] ModSecurity
> 1.8.7 has been released
>
>
> Gerwin Krist -|- Digitalus Webhosting wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Great ivan :) Will do some testing ....
>
> Maybe next time I can notify you *before* I make a release
> for testing? :)
Great!
But I already downloaded 1.8.7 on the 6th. Is this still the
same release?
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
From: Ivan R. <iv...@we...> - 2005-03-09 10:16:06
Mark wrote:
> But I already downloaded 1.8.7 on the 6th. Is this still the
> same release?

Yes it is. I just couldn't find the time to write & send the announcements sooner.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org