From: "Grant Peel"
Organization: The Net Now
Date: Fri, 19 Oct 2007 09:48:59 -0400
Subject: [users@httpd] mod_security

Hi all,

I installed mod_security yesterday on one server and am in the process of debugging. Along with mod_security itself, I have installed a number of rules, most of which are not causing any issues. The two below are causing some problems though:

Number one seems to do its job too well, as it breaks any URL pages that use ../../ etc. Our clients use those in a number of places, most of which are image loading, i.e.

Any ideas on how I can re-enable it and not break relative links like the one above?

    # 1. Prevent path traversal (..) attacks
    # SecFilter "../"

The second one breaks the ability to read an email in Openwebmail (v2.51). Any ideas on this?

    # 2. Prevent XSS attacks (HTML/Javascript injection)
    # SecFilter "<(.|\n)+>"

TIA,
-Grant
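As an added example (not part of the original post or of mod_security itself), the Python below reproduces the two SecFilter patterns as unanchored regexes over constructed requests, showing why a relative image URL and an HTML mail body trip them, and contrasts the first with a segment-walking check that only flags paths that actually climb above the document root. The sample requests and the Openwebmail path in them are constructed for illustration.

```python
import re

# The two ModSecurity 1.x SecFilter patterns from the post, as Python regexes.
# SecFilter runs its pattern as an unanchored search over the request, so a
# match anywhere in the URL, query string or POST body fires the rule.
TRAVERSAL_FILTER = re.compile(r"\.\./")
XSS_FILTER = re.compile(r"<(.|\n)+>")


def secfilter_hits(request_text):
    """Return the names of the filters that would fire on this request text."""
    hits = []
    if TRAVERSAL_FILTER.search(request_text):
        hits.append("traversal")
    if XSS_FILTER.search(request_text):
        hits.append("xss")
    return hits


def escapes_root(url_path):
    """Walk the path segments the way a filesystem resolves them and report
    whether any '..' climbs above the document root.
    '/a/../b' stays inside the root; '/../b' does not."""
    depth = 0
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue            # empty or current-dir segment: no change
        if seg == "..":
            depth -= 1
            if depth < 0:       # climbed above the root
                return True
        else:
            depth += 1
    return False


# Constructed sample requests (not taken from the post).
RELATIVE_IMAGE = "GET /gallery/photos/../../images/logo.gif HTTP/1.1"
CLIMBS_OUT = "GET /gallery/../../../outside/secret.txt HTTP/1.1"
WEBMAIL_BODY = ("POST /openwebmail/read HTTP/1.1\n\n"
                "message=<p>Meeting at <b>3pm</b></p>")

if __name__ == "__main__":
    for name, req in (("relative image", RELATIVE_IMAGE),
                      ("climbs out of root", CLIMBS_OUT),
                      ("webmail body", WEBMAIL_BODY)):
        path = req.split()[1]
        print(f"{name:20s} SecFilter hits={secfilter_hits(req)} "
              f"escapes_root={escapes_root(path)}")
```

Both path requests trip the substring filter, but only the second one actually leaves the document root, which is the distinction the substring rule cannot make.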