HughA
01-29-2006, 12:06 AM
I have Apache 2.2 on FC4, and I am in the process of setting up mod_security. According to what I have read on the web, mod_security used POSIX regex under Apache 1.3, but uses Perl Complex regex under Apache 2.
I have set up some mod_security rules in httpd.conf, and the sample I used included the line:
SecFilter "../"
with the comment that it would prevent directory traversal exploits. It doesn't work, of course, since the dots will match any character - with the result being that if you enter, say, http://{IP ADDRESS}/aa/bb, the rule is triggered by 'aa/' and access is denied. This is obviously not the intended result, so this rule was broken at the start. I have tried just catching two periods as follows: "\.\.", \.\. (not quoted), "/\.\./" (a la perl), /\.\./ (a la perl, not quoted), and none of these works. Has anyone actually managed to make this work, or does anyone have any ideas?
Thanks in advance for your advice :-)
Regards,
Hugh
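The behaviour Hugh describes comes down to regex metacharacters: in PCRE (and in Python's re, which agrees with PCRE on these patterns) an unescaped `.` matches any character, so `../` means "any two characters followed by a slash" and fires on `aa/`. The escaped form `\.\./` matches only a literal `..` followed by `/`, but it still misses the percent-encoded spellings of the same traversal that a web server decodes before touching the filesystem. The script below is an added example, not code from the original post or from mod_security; the request paths are constructed for the demonstration, and the decode-then-inspect-segments check is a general technique for this class of rule, not a claim about how any particular mod_security version normalizes the URI before filtering.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths for the demonstration (not from the post).
SAMPLE_PATHS = [
    "/aa/bb",                             # benign; a traversal rule must not fire
    "/index.html",                        # benign; contains a literal dot but no ".." segment
    "/images/../../etc/passwd",           # plain traversal
    "/images/%2e%2e/%2e%2e/etc/passwd",  # same traversal, dots percent-encoded
    "/images/..%2F..%2Fetc/passwd",       # same traversal, slashes percent-encoded
    "/images/%252e%252e/etc/passwd",      # double-encoded dots
]

# The rule as posted, '../': unescaped dots are wildcards, so this really means
# "any two characters followed by a slash".
BROKEN_RULE = re.compile(r"../")

# Dots escaped, '\.\./': matches only a literal two dots followed by a slash,
# which is what the rule was meant to say.
ESCAPED_RULE = re.compile(r"\.\./")


def regex_hits(rule, path):
    """Return True if the rule matches anywhere in the raw (undecoded) path."""
    return rule.search(path) is not None


def decoded_segments(path):
    """Percent-decode the path (twice, so %252e collapses to '.') and split it
    into segments. Backslashes are treated as separators as well, since some
    servers accept them as path delimiters."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").split("/")


def has_dotdot_segment(path):
    """Encoding-independent traversal check: True if any decoded path segment
    is exactly '..'."""
    return any(seg == ".." for seg in decoded_segments(path))


def evaluate(paths=SAMPLE_PATHS):
    """Run all three checks over the samples. Returns
    {path: (broken_rule_fires, escaped_rule_fires, decoded_check_fires)}."""
    return {
        p: (regex_hits(BROKEN_RULE, p),
            regex_hits(ESCAPED_RULE, p),
            has_dotdot_segment(p))
        for p in paths
    }


if __name__ == "__main__":
    print("%-38s %7s %7s %8s" % ("path", "'../'", "'\\.\\./'", "decoded"))
    for p, (broken, escaped, decoded) in evaluate().items():
        print("%-38s %7s %7s %8s" % (p, broken, escaped, decoded))
```

Running it shows the three columns side by side: the unescaped rule flags every sample except `/index.html`, including the harmless `/aa/bb`; the escaped rule flags only the one plain-text traversal and is blind to every encoded variant; the decode-then-check-segments approach flags exactly the four traversal attempts. In a filter language that only offers a regex over the raw URI, the practical lesson is to escape the dots (`\.\./`) and to make sure the engine is decoding the request before the pattern is applied, otherwise the encoded forms walk straight past the rule.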