httpd-users mailing list archives

From "Danie Qian" <dan...@bestningning.com>
Subject Re: [users@httpd] mod_security
Date Fri, 19 Oct 2007 14:21:27 GMT
At the end of the rules (or in an included rule file with the highest
number), put this line to reverse the effect of the rule in question:

SecRuleRemoveById       xxxxxxx

where xxxxxxx is the rule ID you can see from the debug output.

----- Original Message ----- 
From: "Grant Peel" <gpeel@thenetnow.com>
To: <users@httpd.apache.org>
Sent: Friday, October 19, 2007 9:48 AM
Subject: [users@httpd] mod_security


> Hi all,
>
> I installed mod_security yesterday on one server and am in the process of
> debugging.
>
> Along with mod_security itself, I have installed a number of rules, most of
> which are not causing any issues. The two below are causing some problems
> though:
>
> Number one seems to do its job too well as it breaks any URL pages that use
> ../../ etc. Our clients use those in a number of places, most of which are
> image loading i.e. <img = "../../images/myimage.gif">
>
> Any ideas on how I can re-enable it and not break relative links like the
> one above?
>
>    # 1. Prevent path traversal (..) attacks
> #    SecFilter "../"
>
>
> The second one breaks the ability to read an email in Openwebmail (v2.51).
> Any ideas on this?
>
>    # 2. Prevent XSS attacks (HTML/Javascript injection)
> #    SecFilter "<(.|n)+>"
>
> TIA,
>
> -Grant
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
> 
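
Added example, not part of the original messages: a Python sketch that pulls the rule IDs the reply refers to out of ModSecurity log output and proposes `SecRuleRemoveById` lines only for rules whose every hit was on reviewed, legitimate paths. It assumes ModSecurity 2.x style messages carrying `[id "..."]` and `[uri "..."]` fields; the log lines, rule IDs, paths and reviewed-prefix list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x message layout; the rule
# ids, paths and client addresses are invented for this example.
SAMPLE_LOG = r'''
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at ARGS:img. [id "1000001"] [msg "Path traversal"] [uri "/gallery/show.php"]
[client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<(.|\n)+>" at ARGS:body. [id "1000002"] [msg "XSS"] [uri "/cgi-bin/openwebmail/openwebmail-read.pl"]
[client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<(.|\n)+>" at ARGS:q. [id "1000002"] [msg "XSS"] [uri "/search.php"]
[client 192.0.2.13] ModSecurity: Warning. Pattern match "\.\./" at ARGS:img. [id "1000001"] [msg "Path traversal"] [uri "/gallery/thumb.php"]
'''

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')

def hits_by_rule(log_text):
    """Map each rule id to the set of URIs it fired on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        rule, uri = ID_RE.search(line), URI_RE.search(line)
        if rule and uri:
            hits[rule.group(1)].add(uri.group(1))
    return dict(hits)

def plan_exclusions(hits, reviewed_prefixes):
    """Split rule ids into (proposed for removal, needs investigation).

    A rule is proposed for removal only when every URI it fired on starts
    with a prefix an administrator has reviewed as legitimate traffic.
    """
    prefixes = tuple(reviewed_prefixes)
    remove, investigate = [], {}
    for rule_id, uris in sorted(hits.items()):
        unreviewed = sorted(u for u in uris if not u.startswith(prefixes))
        if unreviewed:
            investigate[rule_id] = unreviewed
        else:
            remove.append(rule_id)
    return remove, investigate

def directives(rule_ids):
    """Lines to place after the rule files are loaded, as the reply says."""
    return ["SecRuleRemoveById %s" % r for r in rule_ids]

if __name__ == "__main__":
    remove, investigate = plan_exclusions(
        hits_by_rule(SAMPLE_LOG), ["/gallery/", "/cgi-bin/openwebmail/"])
    print("\n".join(directives(remove)))
    for rule_id, uris in investigate.items():
        print("# rule %s also fired on: %s" % (rule_id, ", ".join(uris)))
```

A rule that also fired on unreviewed paths is reported rather than proposed for removal, so a real detection is not switched off along with the false positive.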



