[Owasp-modsecurity-core-rule-set] Rule 950005: Remote File Access Attempt

theMiddle Fri, 16 Oct 2015 02:06:23 -0700

Hi,

i've see that rule 950005 (Remote File Access Attempt) does not blockrequest like:


/user?current=/proc/self/environ
/?page=/proc/self/environ%00

i've change this rule in my implementation, with the following:

SecRuleREQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*"(?:(?<!\w)(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/|\/proc\/)"\


it may make sense?

thank you!
best regards.

--
Andrea (aka theMiddle) Menin
mail: i...@waf.blue
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

[Owasp-modsecurity-core-rule-set] Rule 950005: Remote File Access Attempt

Reply via email to