mod-security-users

[mod-security-users] Webdav won't work with SecFilter

[<li...@32...>]

Hello,

I am running Mac OS X Tiger. When I attempt to connect to my webdav folder I
cannot. The 2 secfilters blocking me are as follows...

#XSS Attacks
SecFilter "<(.|\n)+>"

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective HTTP_Content-Type
"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"


Is there any changes I can make to the secfilter syntax so webdav will work,
BUT not opening up possible exploit paths?

Thanks 

-Mike

Re: [mod-security-users] Webdav won't work with SecFilter

[Ivan R. <iv...@we...>]

li...@32... wrote:
> Hello,
> 
> I am running Mac OS X Tiger. When I attempt to connect to my webdav folder I
> cannot. The 2 secfilters blocking me are as follows...
> 
> #XSS Attacks
> SecFilter "<(.|\n)+>"
> 
> # Only accept request encodings we know how to handle
> # we exclude GET requests from this because some (automated)
> # clients supply "text/html" as Content-Type
> SecFilterSelective HTTP_Content-Type
> "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
> 
> 
> Is there any changes I can make to the secfilter syntax so webdav will work,
> BUT not opening up possible exploit paths?

  The only thing you can do is disable those two rules selectively,
  for the WebDAV areas. The attacks they are guarding against are
  not effective for WebDAV anyway.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org