Hi Jean-Raymond,

On Mon, Apr 17, 2017 at 10:27:49AM +0200, Jean-Raymond Ferrer wrote:
> Hi all
>
> I read this :
> modsecurity-nginx module, master, sha1: 3de175)
>
> Knowing that sha1 is broken and considered as weak, some bad guy could
> potentially replace genuine package with corrupt one.
>
> Has this issue been considered at Modsecurity management level?

I think it's NO. The sha1 value above just shows the current version of
code in the Git repository. See:

https://github.com/SpiderLabs/ModSecurity-nginx

and you can see the latest commit at the top-right corner of the inside div:
"Latest commit 3de175b 14 days"

For more info about Git commit identifiers:
http://stackoverflow.com/questions/9392365/how-would-git-handle-a-sha-1-collision-on-a-blob

a.

> Kind regards,
>
> Jean-Raymond Ferrer
>
> On Sun, 16 Apr 2017 21:27, Ervin Hegedus <[email protected]> wrote:
>
> > Hi all,
> >
> > I'm new to Modsecurity. A few days ago, I created a few
> > packages for my Debian (8) systems from Github repos:
> > - libmodsecurity 3.0, v3/master, sha1: b58f713
> > - nginx 1.6.2 (patched the official Debian package with
> > modsecurity-nginx module, master, sha1: 3de175)
> > - owasp-modsecurity-crs 3.0, v3.0/master, sha1: d1692b
> >
> > I'm using the Nginx as frontend proxy for my Apache webservers,
> > which run in containers (LXC). The patched nginx and the other
> > components work as well. I could run a few basic checks, and I
> > could demonstrate the advantages of a WAF to my colleagues. But
> > there were only two basic attacks that I could show them: XSS and
> > SQL injection.
> >
> > My 2 cents question is: how can I demonstrate other features? I
> > mean, it could show session fixation: I put a simple PHP
> > script in a webroot, load the page in a browser. I found the
> > PHPSESSID cookie, and then I tried to load the page in another
> > browser (on another host) - but nothing happened...
> > the page loaded as well with the hijacked session.
> >
> > What did I miss, or how can I show this feature?
> >
> > In general, how can I show all the features of Modsecurity,
> > and OWASP CRS?
> >
> > Thank you,
> >
> > Ervin
> >
> > --
> > I ♥ UTF-8

--
I ♥ UTF-8

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
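To illustrate the point made in the reply about what "sha1: 3de175b" denotes, here is an added example (not code from the thread or from the ModSecurity project): a Git object id is the SHA-1 of a type/size header plus the object content, GitHub's "Latest commit 3de175b" is merely a 7-digit prefix of that id, and a package-integrity check should compare a separate digest (or signature) of the archive actually built. The commit body, the `pin_build_input` helper and the archive bytes are constructed for the example.

```python
"""Added example: what the short "sha1: 3de175b" in the thread names.

A Git object id is sha1(b"<type> <size>\\0" + content); GitHub shows the
first 7 hex digits of the commit's id. The commit body below is constructed.
"""
import hashlib
import re


def git_object_id(kind: str, content: bytes) -> str:
    """Return the 40-hex-digit Git object id for an object of type kind."""
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def abbreviates(short_id: str, full_id: str) -> bool:
    """True if short_id is a Git-style abbreviation (hex prefix) of full_id."""
    return (re.fullmatch(r"[0-9a-f]{4,40}", short_id) is not None
            and full_id.startswith(short_id))


def pin_build_input(name: str, commit_id: str, archive: bytes) -> dict:
    """Hypothetical manifest entry: the full commit id names the source
    revision, the SHA-256 of the archive actually unpacked is what a
    package-integrity check (or a maintainer signature) should cover."""
    if not re.fullmatch(r"[0-9a-f]{40}", commit_id):
        raise ValueError("pin the full 40-digit commit id, not an abbreviation")
    return {"name": name, "commit": commit_id,
            "sha256": hashlib.sha256(archive).hexdigest()}


# Constructed commit object in the format Git hashes (not a real commit);
# the tree id is Git's well-known id of the empty tree.
CONSTRUCTED_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Dev <dev@example.invalid> 1492000000 +0200\n"
    b"committer Example Dev <dev@example.invalid> 1492000000 +0200\n"
    b"\n"
    b"Constructed commit for the example\n"
)


def demo() -> tuple:
    """Return (full id, 7-digit abbreviation) of the constructed commit."""
    full = git_object_id("commit", CONSTRUCTED_COMMIT)
    return full, full[:7]


if __name__ == "__main__":
    full, short = demo()
    print(f"Latest commit {short}  (full id {full})")
    print(pin_build_input("modsecurity-nginx", full, b"constructed tarball bytes"))
```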
