I've been following the discussion on this topic, and I'd like to
share a thought with you.
From the security perspective, allowing end users to control how %2f
is treated is problematic. Consider the situation in which you have
some sort of a HTTP monitoring device (either passive, or a
things?
I'd love any feedback!
Anyone?
--
Adam Hasselbalch Hansen
UNIX Systems Developer, CPH
e: a...@one.com, w: www.one.com
--
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
SSLMutex default to SSLMutex default instead of SSLMutex none?
(does this default to none to avoid checking if a session cache is
enabled before creating the mutex?)
--
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
[Sorry for my late response Ben, I missed your reply originally.
Comments below.]
On Mon, Sep 14, 2009 at 9:14 PM, Ben Noordhuis i...@bnoordhuis.nl wrote:
On Mon, Sep 14, 2009 at 21:39, Ivan Ristic ivan.ris...@gmail.com wrote:
There's an incompatibility between ModSecurity and mod_deflate
Are your multi-megabyte submissions going to use multipart/form-data
encoding? If so, ModSecurity does exactly what you need when you
enable request body buffering.
Ivan
On 19 Jun 2009, at 21:01, Houser, Rick houser.r...@aoins.com wrote:
I'm facing a situation where we may be required to
in an input filter, but as far as I
understand it, the filter is only active if I read the content in another
hook outside the filter. So how can I read the data and write it back?
/Regards,
Ferdinand
--
Ivan Ristic
On Mon, Dec 15, 2008 at 11:30 AM, Ferdinand Arndt
ferdinand.ar...@axiros.com wrote:
On Dec 15, 2008, at 12:10 PM, Ivan Ristic wrote:
You can look at how ModSecurity (http://www.modsecurity.org) does it:
you can read the request body and store it somewhere, then you insert
an input filter
I think it will be all right provided the feature is disabled by
default and, as you say, the potential security issue is documented.
On Jan 28, 2008 1:28 PM, Akins, Brian [EMAIL PROTECTED] wrote:
On 1/28/08 4:35 AM, Ivan Ristic [EMAIL PROTECTED] wrote:
The FastCGI process is likely
X-sendfile into the
normal httpd distribution (along with mod_fcgid...)
--
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies
--
Ivan Ristic
://www.apachetutor.org/
--
Ivan Ristic
Rüdiger
--
Ivan Ristic
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
--
Dziugas
--
Ivan Ristic
On 2/13/07, Nick Kew [EMAIL PROTECTED] wrote:
On Tue, 13 Feb 2007 11:30:32 +
Ivan Ristic [EMAIL PROTECTED] wrote:
No. If there's no C-L ModSecurity will count the bytes as they arrive.
If there are too many the entire response will be blocked with 500
(and the error page sent
in advance.
[1]
http://www.visolve.com:81/squid/squid30/accesscontrols.php#reply_body_max_size
[2] http://www.snert.com/Software/apache.html
[3] http://cband.linux.pl/
[4] http://bwmod.sourceforge.net/, http://svn.apache.org/viewvc/httpd/mod_bw/
--
Dziugas Baltrunas
--
Ivan Ristic
. As for the access log
permissions - root should be the only user allowed write access.
Either way, if a file descriptor is inherited then any user can write
to it (permissions of the user that opened the FD are used).
--
Ivan Ristic
this into a good solution.
Best regards,
Arnold
Ivan Ristic schreef:
Hi Arnold,
You have obviously spent a great deal of time implementing your
solution. Personally I have always felt complete separation (e.g. what
is done with FastCGI) is a more robust approach. But I don't think the
issues
of Apache?
Patches welcome.
Bear in mind that perchild was threaded, and therefore never
likely to be suitable for php.
--
Ivan Ristic
or restarting the httpd process?
Essentially, to inject a module into a running httpd process, given
appropriate, even root, permissions.
Not off-the-shelf, but there are third-party modules that'll
load and unload .so's in a running server.
Can you name some of them? Thanks.
--
Ivan Ristic
.
Just comment out the DEFS = -DWITH_LIBXML2 line in the Makefile.
--
Ivan Ristic
On 11/2/06, Nick Kew [EMAIL PROTECTED] wrote:
On Thu, 2 Nov 2006 12:41:39 +
Ivan Ristic [EMAIL PROTECTED] wrote:
Other modules i found that work fine:
mod_auth_xml
mod_macro
mod_security 1.9.4 (2.0 doesn't work because of libxml grrr)
FYI you should be able compile ModSecurity
header will do that anyway. Apache supporting the feature
directly would mean that they will be able to do the job quickly and
get on with their lives.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
, or APR-UTIL.)
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
) and mod_fcgi (never used it).
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
On 7/5/05, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
RFC2616 says TRACE doesn't accept a body.
Patches I'd committed to 1.3.x and working on 2.1.x (to port
to 2.0.x) enforce this with TraceEnable On.
But what about a 0-byte body?
I think it is a body. Yes, it is only 0 bytes long but
://swatch.sourceforge.net/) or SEC (Simple Event
Correlator, http://kodu.neti.ee/~risto/sec/). The latter is more
complex but significantly more powerful.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
Which reading part? I am not in a position to test right now but
I think FastCGI never even required a file to exist on the local
system, provided a proper handler was assigned to the request.
But even if it does it's an implementation issue of
mod_fastcgi, as FastCGI is just a data exchange
Max Bowsher wrote:
Quoting Ivan Ristic ivanr webkreator com (2004-11-17 17:31:39 GMT):
I've used FastCGI to give individual
users their own PHP engines (since PHP now comes with FastCGI protocol
support built-in).
This sounds useful - would you be willing to share some config file
Leif W wrote:
Andrew Stribblehill, Thursday, November 18, 2004 07:53
Quoting Ivan Ristic [EMAIL PROTECTED] (2004-11-17 17:31:39 GMT):
Paul Querna wrote:
Are you familiar with FastCGI? My first impression is that most of
what you envision is possible today with FastCGI, or would
Andrew Stribblehill wrote:
Quoting Ivan Ristic [EMAIL PROTECTED] (2004-11-17 17:31:39 GMT):
Paul Querna wrote:
I have had an idea for replacing the perchild MPM boggling around inside
my head for awhile now. This is an idea for a different architecture to
allowing different UIDs to serve
Nathanael Noblet wrote:
On Nov 18, 2004, at 11:43 AM, Graham Leggett wrote:
Hi all,
I've been keen to do some digging for reasons why someone might need
to install httpd v1.3 instead of v2.0 or later.
Support for mod_backhand seems to be a significant reason (and getting
backhand
Jim Jagielski wrote:
I can think of 4 big reasons, two from a developer standpoint and
two from an admin.
developer:
1. Builds and compiles in a minute, rather than several. This
means you can play around and develop more and compile
less.
2. More streamlined
Paul Querna wrote:
I have had an idea for replacing the perchild MPM boggling around inside
my head for awhile now. This is an idea for a different architecture to
allowing different UIDs to serve httpd requests. I am looking for all
feedback with my proposed approach.
Are you familiar
Roy T. Fielding wrote:
What would make more sense is Error while reading HTTP request line.
(remote browser didn't send a request?). This indicates exactly what
httpd was trying to do when the error occurred, and gives a hint of
why the error might have occurred.
We used to have such a
In the case you just mentioned... it is going to take
a special 'filter' to 'sense' that a possible DOS
attack is in progress. Just fair amounts of 'dataless'
connection requests from one or a small number of origins
doesn't qualify. There are plenty of official
algorithms around now to
Jeff Trawick wrote:
On Tue, 26 Oct 2004 14:51:59 +0100, Ivan Ristic [EMAIL PROTECTED] wrote:
Sure, you may need to have some logic to determine what makes
an attack and what not, but you must have the log entry to
begin with so you feed it to the algorithm.
Something I'm still curious
[EMAIL PROTECTED] wrote:
You MUST have SOMETHING that knows the difference
or you don't have DOS protection.
Also... if you wait all the way until you have a 'log' entry for
a DOS in progress then you haven't achieved the goal
of sensing them 'at the front door'.
I don't set myself that
Paul Querna wrote:
Brian Akins wrote:
We are interested in the event mpm mainly for dealing with keep alives.
Yes, this is the target the Event MPM aims at :)
If I understand the nature of the patch correctly then you don't
need to go increasing the number of clients at all. Instead
Perhaps I don't understand the request, but wouldn't it be
straightforward for a module like mod_security to implement
this feature by using one of the connection hooks, perhaps
create_connection? Or even by registering an input filter
at the beginning of the chain?
I don't know. I
[ The request is trivial to implement (at least I think so),
but the feature itself is very important. ]
If one connects to Apache 1.3.x and just sits on the
connection, it gets disconnected after a while and a
message is written to the error log:
[info] [client 127.0.0.1] read
Is there a module / or a development effort that allows to log form-based
authentication (field j_username) i.e. username in standard apache log
files?
Not to the standard log files, but close.
With mod_security (http://www.modsecurity.org), you can log POST
requests to a separate log
Jim Jagielski wrote:
I'd like to get some sort of feedback concerning the idea
of having ServerTokens not only adjust what Apache
sends in the Server header, but also allow the directive
to fully set that info.
For example: ServerTokens Set Aporche/3.5
would cause Apache to send Aporche/3.5 as
I like the idea. Right now you either have to
change the source code or use mod_security to achieve
this, but I think the feature belongs to the server core.
But I think a new server directive is a better solution.
As Lars said (and I agree), it has nothing to do with security. Why do you
I recently changed the signature of the Apache running on
modsecurity.org (to pretend to be IIS5). As a result, I've started
getting more IIS-related attacks than before. So, the signature
does matter.
And what was the security advantage?
Smaller number of attack attempts made
I've installed mod_log_forensic to test (from the CVS, 1.3 branch)
but the shell script check_forensic does not work for me. It fails
because the xargs binary does not implement the -I placeholder
parameter.
Checked on RH, Suse and Cygwin, all running the GNU version
of xargs. On which platforms does it work?
Works for me on FreeBSD and OS X and would work with -i on RH8.0's GNU
version of xargs.
You're right, I missed that. After replacing -I xx with -ixx the
script works fine.
Eli Marmor wrote:
Hi,
...
It is VERY easy for mod_proxy of Apache to recognize such sessions and
block them. Before I'm starting such a project, I'd like to know:
1. Is there any existing code and/or module that implements this?
2. Is there any plan to add this to Apache / mod_proxy? My plan