Subject: Re: how to prevent directory traversal with modsecurity2 - msg#00206

List: apache.mod-security.user


You could use a rule similar to this –

 

SecRule REQUEST_URI "\.\." "phase:1,log,deny,msg:'Directory Traversal Attack Detected'"

 

The only issue to be aware of is to make sure you verify exactly which transformation functions may be inherited with this rule.  If it applies the normalisePath function (http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html#N10E9C) it will not match as it will remove the .. characters.  It is for these types of reasons that you should always turn up the debug log level and review your new rule processing with some tests.

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

 

 

From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Yavuz Maslak
Sent: Wednesday, June 27, 2007 5:27 AM
To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [mod-security-users] how to prevent directory traversal withmodsecurity2

 

Hello,

 

I am a novice at modsecurity.

I installed mod_security2 on apache2.0.59.

I couldn't find how to prevent directory traversal with modsecurity2.

I know how to do that with modsecurity1, but I couldn't find it for modsecurity2.

How can I get useful examples of that?

 

 

Thanks a lot.
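
The transformation caveat in the reply above, shown as a configuration sketch. This is an added example, not part of the original thread; the SecDefaultAction line and the debug log path are constructed for illustration, and the directive and action names are those of ModSecurity 2.x.

```apache
# Added example (not from the original thread).

# Constructed default action. Rules that follow it in the same context
# inherit its actions, including its transformation functions.
SecDefaultAction "phase:1,log,deny,status:403,t:normalisePath"

# Weak: this rule names no transformations of its own, so it inherits
# t:normalisePath. As the reply explains, the ".." is then removed from
# the value before the pattern is tested and the rule does not match.
SecRule REQUEST_URI "\.\." \
    "phase:1,log,deny,msg:'Directory Traversal Attack Detected'"

# Corrected: t:none clears every inherited transformation, so the pattern
# is tested against the untransformed value. Any transformation the rule
# does need has to be listed explicitly after t:none.
SecRule REQUEST_URI "\.\." \
    "phase:1,t:none,log,deny,msg:'Directory Traversal Attack Detected'"

# While testing a new rule, raise the debug log level so the rule
# processing can be reviewed. The path is a placeholder; lower the level
# again once the rule is verified, since level 9 is very verbose.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 9
```

Only one of the two SecRule lines should be deployed; they are placed side by side here for comparison.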
