I was looking at an Apache module designed to (among other things) prevent
people from grabbing '/etc/passwd'. The module is called mod_security, and
can be found here: http://www.webkreator.com/mod_security/

After looking at an example configuration file:
http://www.webkreator.com/download/mod_security/httpd.conf.example-full
I noticed the following line:
SecFilter /etc/password
and
SecFilter "\.\./"


 It seems that a lot of different 'filters' use this, but would that stop
something like:

url.html?q=/etc/../passwd

 I think this one might be fine, but most of the filters I see just look
for /etc/passwd. Does anyone have any suggestions on a more foolproof way
of stopping all '/etc/' attacks?

 Tim


On Thu, 23 Jan 2003, Diego Figueroa wrote:

> How easy would it be in your script to do something like "userid=root"?
> Think about the possibility of someone injecting code.
> 
> Are you passing this information somewhere in the URL or in one of the
> "hidden" variables?
> 
> IMHO messing with /etc/passwd and /etc/shadow from the web is a no-no.
> 
> 
> Diego.
> 
> On Tue, 21 Jan 2003, Ing. Bernardo Lopez wrote:
> 
> > How secure could my webserver be if I allow some PHP scripts to modify
> > the files /etc/passwd & /etc/shadow directly, but my script will only
> > allow modifying the line of the logged-in user (like userid=visitor, then he
> > can only see/modify visitor's line)??
> >
> > Is it secure if I enforce the security of the script well enough... or
> > is this still a stupid option?
> >
> > Also, if I use that script only to modify the permissions of FTP users,
> > is it still insecure? (if the ftpd runs with a very unprivileged uid?)
> >
> > Thanks in advance
> >
> 
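Tim's question above is really about matching a literal string against an un-normalized request value. The example below is added here and is not mod_security's code: it canonicalizes a parameter (percent-decode until stable, collapse repeated slashes, resolve '.' and '..') before comparing it against a hypothetical '/etc' denylist, and runs both the naive substring check and the normalized check over constructed sample values, including Tim's '/etc/../passwd'.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical denylist, modelled on the 'SecFilter /etc/passwd' lines
# quoted in the thread. This is illustrative code, not mod_security's.
BLOCKED_DIR = "/etc"
MAX_DECODE_ROUNDS = 3  # bounded: nested %25 encodings must not loop forever


def canonicalize(value: str) -> str:
    """Percent-decode until stable, collapse repeated '/', resolve '.' and '..'."""
    decoded = value
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    collapsed = re.sub(r"/+", "/", decoded)  # posixpath keeps a leading '//' otherwise
    return posixpath.normpath(collapsed)


def naive_filter_matches(value: str) -> bool:
    """What a literal substring filter such as 'SecFilter /etc/passwd' sees."""
    return "/etc/passwd" in value


def normalized_filter_matches(value: str) -> bool:
    """Decide on the canonical path: anything that resolves under /etc is blocked."""
    canon = canonicalize(value)
    return canon == BLOCKED_DIR or canon.startswith(BLOCKED_DIR + "/")


# Constructed request parameter values; not taken from any real traffic.
SAMPLES = [
    "/etc/passwd",
    "/etc/../passwd",       # Tim's case: resolves to /passwd, so it never reaches /etc
    "/etc/./passwd",
    "/etc//passwd",
    "%2fetc%2fpasswd",
    "%252fetc%252fpasswd",  # encoded twice; decoding once is not enough
]


def compare(samples=SAMPLES):
    """Return {value: (naive_hit, normalized_hit)} for each sample."""
    return {v: (naive_filter_matches(v), normalized_filter_matches(v)) for v in samples}


if __name__ == "__main__":
    for value, (naive, canon) in compare().items():
        print(f"{value:24} naive={naive!s:5} normalized={canon}")
```

The point for a filter author is that the comparison must happen on the canonical form; the raw string is only one of many spellings of the same path.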
