2007/12/29, Zed A. Shaw <[EMAIL PROTECTED]>:
> 1) If you use nginx or apache (and maybe other full web servers with a
> proxy module) then you can wait to upgrade, but probably not very
> long. This is because these servers do their own checking as well, and
> are handling your files. That means a request for the file will be
> dropped, and blocked.
I have an Apache 2.0 protected by modsecurity (with the standard configuration), and the result of GETting

http://host.domain.it//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd

is

HTTP 501: Method Not Implemented
GET to //.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd not supported.
Apache/2.0.x (RHEL) Server at host.domain.it Port 80

That means that modsecurity stops the request before it hits Apache. I don't know whether Apache would stop it by itself; I just want to suggest that this extra layer of security can be added for free and that it does not interfere with the Rails application we have here.

_______________________________________________
Mongrel-users mailing list
Mongrel-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-users
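An added example, not code from this post, from Mongrel or from modsecurity, showing why the path in the request above is worth a second look. `%25` is the percent sign itself, so `.%252e` decodes once to `.%2e` (the form that appears in the 501 page above) and a second time to `..`. A handler that percent-decodes once and then looks for `..` sees nothing wrong; a handler that decodes until the string stops changing and then resolves the result lexically under its document root sees the request land on `/etc/passwd`. The document root `/var/www/public` and the sample request paths are assumptions constructed for the example.

```ruby
# Added example: double-encoded traversal and two ways of checking a request path.
# DOC_ROOT is an assumed value for this example, not a Mongrel or Apache default.
DOC_ROOT = "/var/www/public"

# One pass of percent-decoding: every %XX becomes the byte XX.
# Malformed escapes (e.g. "%zz") are left untouched.
def percent_decode_once(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode repeatedly until the string stops changing, bounded so a
# deeply nested encoding cannot keep us looping.
# Returns [fully_decoded_path, number_of_passes_that_changed_it].
def percent_decode_full(path, max_passes = 5)
  current = path
  passes = 0
  while passes < max_passes
    decoded = percent_decode_once(current)
    break if decoded == current
    current = decoded
    passes += 1
  end
  [current, passes]
end

# The weak check: decode once, then refuse anything containing "..".
# Returns true when the path *looks* harmless. For ".%252e" that is
# exactly the wrong answer, because one pass only yields ".%2e".
def naive_traversal_check_passes?(raw_path)
  !percent_decode_once(raw_path).include?("..")
end

# The stronger check: fully decode, resolve the result lexically under
# doc_root, and require the resolved path to stay inside doc_root.
# Returns [allowed, resolved_path]. No filesystem access is needed.
def resolve_under_root(raw_path, doc_root = DOC_ROOT)
  decoded, _passes = percent_decode_full(raw_path)
  # Drop leading slashes so the request is treated as relative to doc_root.
  relative = decoded.sub(%r{\A/+}, "")
  # File.absolute_path collapses "//", "." and ".." but, unlike
  # File.expand_path, never expands "~user" into a home directory.
  resolved = File.absolute_path(relative, doc_root)
  allowed = resolved == doc_root || resolved.start_with?(doc_root + "/")
  [allowed, resolved]
end

if __FILE__ == $0
  # Constructed samples: the path from the post and a benign request.
  attack = "//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
  benign = "/images/%41logo.png"

  decoded, passes = percent_decode_full(attack)
  puts "after #{passes} decode passes: #{decoded}"
  puts "naive single-decode check passes? #{naive_traversal_check_passes?(attack)}"
  allowed, resolved = resolve_under_root(attack)
  puts "attack resolves to #{resolved}; allowed? #{allowed}"
  allowed, resolved = resolve_under_root(benign)
  puts "benign resolves to #{resolved}; allowed? #{allowed}"
end
```

The lexical check is deliberately independent of the filesystem so it can run before any file is opened; if the handler later follows symlinks inside the document root, a realpath comparison after opening is still needed on top of it.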