httpd-users mailing list archives

From "Grant Peel" <gp...@thenetnow.com>
Subject [users@httpd] mod_security
Date Fri, 19 Oct 2007 13:48:59 GMT

Hi all,

I installed mod_security yesterday on one server and am in the process of
debugging.

Along with mod_security itself, I have installed a number of rules, most of
which are not causing any issues. The two below are causing some problems
though:

Number one seems to do its job too well as it breaks any URL pages that use
../../ etc. Our clients use those in a number of places, most of which are
image loading i.e. <img = "../../images/myimage.gif">

Any ideas on how I can re-enable it and not break relative links like the
one above?

    # 1. Prevent path traversal (..) attacks
#    SecFilter "../"


The second one breaks the ability to read an email in Openwebmail (v2.51).
Any ideas on this?

    # 2. Prevent XSS attacks (HTML/Javascript injection)
#    SecFilter "<(.|n)+>"

TIA,

-Grant


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
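
One way to check a SecFilter pattern for false positives before re-enabling it, as an added example that is not part of the original post. It assumes the pattern is evaluated as a regular expression against the URL-decoded request, uses Python's `re` as a stand-in for the server's regex engine, and runs on constructed request URIs; the escaped traversal pattern is a hypothetical variant that does not appear in the message.

```python
import re
from urllib.parse import unquote

# Constructed sample request URIs (not taken from any real log).
SAMPLES = [
    "/index.html",
    # What a browser typically requests after resolving a ../../ relative link:
    "/clients/site/images/myimage.gif",
    # A literal traversal sequence inside a parameter:
    "/cgi-bin/view.pl?file=../../private/file.txt",
    # A legitimate parameter whose value is wrapped in angle brackets:
    "/cgi-bin/mail.pl?id=%3C1234%40example.test%3E",
    # Markup injected into a parameter:
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
]

PATTERNS = {
    # As written in the message: each unescaped '.' matches any character.
    "traversal_as_shown": r"../",
    # Hypothetical escaped variant: matches only a literal "../".
    "traversal_escaped": r"\.\./",
    # As written in the message: any '<' followed later by '>'.
    "xss_as_shown": r"<(.|n)+>",
}


def hits(pattern, uris=SAMPLES):
    """Return the URIs the pattern would flag, after URL-decoding each one."""
    rx = re.compile(pattern)
    return [u for u in uris if rx.search(unquote(u))]


def false_positives(pattern, expected, uris=SAMPLES):
    """URIs flagged by the pattern that are not in the expected-block set."""
    return [u for u in hits(pattern, uris) if u not in expected]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name, pattern)
        for uri in hits(pattern):
            print("   blocks:", uri)
```

Running the same check over a day of real access-log URIs before switching a rule on gives a list of legitimate requests it would reject.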

