multipart/form-data: msg#00022 apache.mod-security.user

Greetings, mod_security gurus. I have a question about protecting a CGI that accepts file uploads. I have a rule that I'm using to protect the various form variables:

```
SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
```

I also have a SecUploadApproveScript configured. This config is nice and tight - passes all the usual XSS/SQL/etc. tests.

The problem I'm running into is that, while the ARGS rule above works great for normal everyday input, it doesn't do so well for this one particular CGI (renamed in the log below to protect the guilty :-), which accepts file uploads. I get this:

```
[22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] verify_uploaded_files: got result "100 ACCEPT /usr/local/patchy/logs/secuploaddir/20040722-214855-10.21.15.150-safefile"
[22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] Checking signature "!^[A-Za-z0-9.&/?@_%=:;, -]*$" at VAR_ARGS
[22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] Checking against "--curlCgdSGkLTecdCGgqD4iVTIEkN96p\x0d\x0aContent-Disposition: form-data; name=""FileItem""; filename=""safefile""\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aThis file contains nothing but plain text.\x0a\x0d\x0a--curlCgdSGkLTecdCGgqD4iVTIEkN96p--\x0d\x0a"
[22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] Signature check returned 406
```

On the one hand, I think I may be able to set up a "skip" rule and try to outsmart mod_security when handling file uploads. However, that seems like a bad idea, as it might make me vulnerable to a different class of attacks (someone attaching a bogus file but providing valid inputs to the other form fields, which then wouldn't get checked by my ARGS filter). What's the correct mod_security way to do this? Thanks in advance.
RudeYak@xxxxxxxxx
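An added illustration of why the log shows a 406 (this is not code from the post or from mod_security): the whole multipart body is run through the ARGS whitelist, and the CRLFs and quotes of the MIME framing can never match it, whereas the decoded value of each ordinary field can be checked on its own while file parts are left to the upload approval step. The helper names (`multipart_body`, `parse_multipart`, `check_raw_body`, `check_fields`) and the second sample body are assumptions made for this example; the first sample body reproduces the request in the log.

```python
import re

# Whitelist from the post's SecFilterSelective rule. The rule negates it
# with "!", so a value is rejected when it does NOT fully match.
ALLOWED = re.compile(r'^[A-Za-z0-9.&/?@_%=:;, -]*$')

def multipart_body(boundary, parts):
    """Build a multipart/form-data body from (name, filename, value) tuples."""
    out = []
    for name, filename, value in parts:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"\r\nContent-Type: text/plain'
        out.append(f"--{boundary}\r\n{disp}\r\n\r\n{value}\r\n")
    return "".join(out) + f"--{boundary}--\r\n"

def parse_multipart(body, boundary):
    """Split a body into parts: {"name", "filename", "value"} per part."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:   # [0] is the preamble
        if chunk.startswith("--"):                   # closing delimiter
            break
        headers, _, value = chunk.removeprefix("\r\n").partition("\r\n\r\n")
        disp = {}
        for line in headers.split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                disp = dict(re.findall(r'(\w+)="([^"]*)"', line))
        parts.append({"name": disp.get("name"), "filename": disp.get("filename"),
                      "value": value.removesuffix("\r\n")})
    return parts

def check_raw_body(body):
    """What the log shows: the whole encoded body run through the whitelist."""
    return ALLOWED.fullmatch(body) is not None

def check_fields(body, boundary):
    """Whitelist each non-file field's decoded value; return the names that
    fail. File parts are left to the upload approval step."""
    return [p["name"] for p in parse_multipart(body, boundary)
            if p["filename"] is None and ALLOWED.fullmatch(p["value"]) is None]

# Constructed sample: the exact request from the post's log.
BOUNDARY = "curlCgdSGkLTecdCGgqD4iVTIEkN96p"
UPLOAD_BODY = multipart_body(BOUNDARY, [
    ("FileItem", "safefile", "This file contains nothing but plain text.\n")])
# Constructed sample: a bogus file alongside a text field carrying markup.
MIXED_BODY = multipart_body(BOUNDARY, [("user", None, "alice@example.com"),
    ("comment", None, "<b>hi</b>"), ("FileItem", "bogus", "anything")])
```

With the first body the raw check fails (as in the log) while the per-field check finds nothing to reject; with the second, the per-field check still flags the `comment` field even though a file part is present.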