18 Aug 20:05
Re: Mod-Security and php forums
From: Tom Anderson <tanderso <at> oac-design.com>
Subject: Re: Mod-Security and php forums
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2006-08-18 18:05:05 GMT
Matt Wrycraft wrote:
> I am running SQL and can certainly understand the need to keep the rules
> dealing with injection attacks. SQL is used throughout my site and I
> would like to keep the rules generally, just exclude them from forum
> posts. I do have sanitation of forum posts anyway, which is why I'm
> happy to avoid using modsec there.

In my experience, it's mostly the "select from" part of the rule which trips up normal speech in discussion forums. Most other SQL commands are not a part of normal speech. Therefore, allowing "select from" (by removing that part of the rule) may be worth your while if separate sanitation is done within the software.

If your discussion forums actually have SQL as a topic, then that theory goes out the window though and sanitation is absolutely required so that all text goes through unfiltered (and unexecuted), and the entire SQL-injection rule should be removed. In the latter case, your location-based rule removal should work, assuming you've specified your SQL-injection rule correctly.

Alternatively, you can start fresh with new rules for the forums:

<Location /forums/>
    SecFilterInheritance Off
    SecFilterImport ...
    SecFilter ...
</Location>

Tom
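A worked version of the "start fresh in the forums Location" approach, added here as an example and not part of Tom's message: the global context carries id-tagged SQL-injection filters, and the /forums/ context turns inheritance off and imports back only the ones that do not trip on ordinary prose. It assumes ModSecurity 1.9-style directives (SecFilterSelective, the id action, SecFilterImport by rule id); the rule ids and patterns are constructed for illustration.

```apache
# Global context: SQL-injection filters, each tagged with an id so a
# child context can import them selectively (ids 1001-1005 are made up).
SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"

SecFilterSelective ARGS "select.+from"            "id:1001"
SecFilterSelective ARGS "insert[[:space:]]+into"  "id:1002"
SecFilterSelective ARGS "delete[[:space:]]+from"  "id:1003"
SecFilterSelective ARGS "drop[[:space:]]+table"   "id:1004"
SecFilterSelective ARGS "union.+select"           "id:1005"

<Location /forums/>
    # Drop the inherited filter set, then pull back only the rules that
    # normal forum speech is unlikely to match. Rule 1001 ("select from")
    # is deliberately left out; the forum software's own sanitation
    # covers that case, as discussed above.
    SecFilterInheritance Off
    SecFilterImport 1002 1003 1004 1005
</Location>
```

If the forums discuss SQL itself, leave SecFilterImport out entirely so no SQL-keyword rule applies there, which is the second case described in the reply.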