[ANNOUNCE] ModSecurity 1.8.7 has been released (apache.mod-security.user, msg#00029)
ModSecurity 1.8.7 has been released. It is available for immediate download from:

http://www.modsecurity.org/download/

This release brings a mixture of small bug fixes, one minor security fix, and minor enhancements. Cookie parsing has been enhanced: ModSecurity now has two cookie parsers, one for each major version of the specification. Failures to execute external scripts are now properly logged. If the approver script is missing or not working, the request is now rejected. A bug that allowed an attacker to bypass some of the checks is now fixed.

About ModSecurity
-----------------

ModSecurity is a web application firewall, designed to protect vulnerable applications and reject manual and automated attacks. It is an open source intrusion detection and prevention system. It can work embedded in Apache, or as a standalone security device when configured to work as part of an Apache-based reverse proxy. Optionally, ModSecurity creates application audit logs, which contain the full request body in addition to all other details.

Requests are filtered using regular expressions. Some of the things possible are:

* Apply filters against any part of the request (URI, headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject cross-site scripting attacks
* Store the files uploaded through the web server, and have them checked by external scripts

With a few general rules ModSecurity can protect from both known and unknown vulnerabilities. A Java version is also available, which works with any Servlet 2.3 compatible web server.

Changes (v1.8.7)
----------------

* Stefan Esser discovered a trivial way to craft a request that sneaks request parameters in the request body past the named parameter syntax (e.g. ARG_name). Non-selective filtering (SecFilter), other variables (e.g. THE_REQUEST, ARGS, POST_PAYLOAD), and the audit log worked fine. Fixed.

* Stefan Esser also pointed out that PHP parses cookies differently from mod_security, and demonstrated a way to exploit the differences to sneak a cookie past the named cookie syntax (e.g. COOKIE_name). So I decided to add another cookie parser to mod_security. A new directive, SecFilterCookieFormat, determines which parser is used. Possible values are 0 (default, for Netscape-style cookies, aka version 0) and 1 (for RFC 2965, aka version 1, cookies). Without spending more time on research (to determine how different platforms parse cookies) -- which is on my TODO list -- I can't give a definitive answer whether the COOKIE_name syntax is good enough. It should be, but if you are very paranoid you may choose to use the HTTP_Cookie syntax to examine the whole cookie header. Look for more details in the documentation. As a consequence of the recent changes, the SecFilterCheckCookieFormat directive is now obsolete and has no effect.

* BUG Request error messages are now escaped properly when logged to the audit log.

* BUG (Apache 2 only) Failure to execute external scripts is now properly detected and logged.

* BUG If the approver script does not exist, the file is rejected.

* BUG (Apache 2 only) Made the allow action work with output filtering.

* BUG (Apache 2 only) Warning messages (e.g. "log,pass") did not get logged in output filtering.

* Cookie normalization is now off by default (as was stated in the documentation previously).

* BUG (Apache 2 only) The audit logging code could cause a segfault when it was not explicitly configured in the configuration and the main handler did not run for some reason. Fixed.

* BUG (Apache 2 only) Fixed a bug in the code that handles the exec action, which would sometimes cause a segfault (when an external script is executed).

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
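The cookie-parser point in the announcement (a named-cookie rule such as COOKIE_name can be sidestepped when the WAF and the application split the Cookie header differently, while an HTTP_Cookie rule on the whole header is not affected) is easier to see with two parsers side by side. The following is an added illustration, not code from ModSecurity or from PHP: both parsers, the filter functions, the regular expression and the sample header are constructed here. The version 0 parser splits only on ";"; the version 1 parser follows RFC 2965, which also allows "," as a separator and carries "$"-prefixed attributes that are not cookies.

```python
"""Parser-differential demo for the Cookie header (constructed example).

Neither parser below is ModSecurity's or PHP's code; they model the two
cookie syntaxes the announcement refers to (Netscape/version 0 and
RFC 2965/version 1) so that the effect of a mismatch can be observed.
"""
import re


def parse_netscape(header: str) -> dict:
    """Version 0 ("Netscape") style: NAME=VALUE pairs separated by ';' only."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def parse_rfc2965(header: str) -> dict:
    """Version 1 (RFC 2965) style: pairs separated by ';' or ','.

    Names starting with '$' ($Version, $Path, $Domain) are attributes of the
    preceding cookie, not cookies themselves, and quoted values are unquoted.
    """
    cookies = {}
    for part in re.split(r"[;,]", header):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip()
        if name.startswith("$"):
            continue
        cookies[name] = value.strip().strip('"')
    return cookies


# Toy signature standing in for a SQL injection rule (assumption for the demo).
ATTACK = re.compile(r"union\s+select", re.IGNORECASE)


def named_cookie_filter(header: str, parser, name: str = "session") -> bool:
    """Model of a COOKIE_name rule: only the cookie called `name` is inspected,
    after the header has been split by the WAF's parser."""
    return bool(ATTACK.search(parser(header).get(name, "")))


def whole_header_filter(header: str) -> bool:
    """Model of an HTTP_Cookie rule: the raw header is inspected as a string."""
    return bool(ATTACK.search(header))


# Constructed sample: the attacker uses the ',' separator that only the
# version 1 parser honours, so the payload hides inside 'lang' for version 0.
HEADER = "lang=en, session=x' UNION SELECT password FROM users--"


def demo(header: str = HEADER) -> dict:
    """Return what each side sees and whether each filter fires."""
    return {
        "v0_sees_session": "session" in parse_netscape(header),
        "v1_sees_session": "session" in parse_rfc2965(header),
        "COOKIE_session_with_v0_parser": named_cookie_filter(header, parse_netscape),
        "COOKIE_session_with_v1_parser": named_cookie_filter(header, parse_rfc2965),
        "HTTP_Cookie": whole_header_filter(header),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With the version 0 parser the whole string after "lang=" is one cookie value, so a rule on COOKIE_session has nothing to inspect and stays silent, while an application using the version 1 syntax receives a cookie named session that carries the payload. Selecting the parser that matches the application (SecFilterCookieFormat in 1.8.7) closes this particular gap; a rule over HTTP_Cookie fires regardless of which parser either side uses, which is the conservative option the announcement suggests.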