Hey all,

I just released a custom mod_security <https://modsecurity.org/> ruleset for ownCloud 5.0. I've rewritten the whole set yesterday, which means that it most probably still has some bugs inside ;-)

The ruleset is written following a positive security model; this means all requests and parameters have been manually whitelisted (e.g. a parameter called ID only allows ^[0-9]+$). This has the advantage that it can prevent a lot of potential security bugs and also would have "prevented" nearly all of the past security issues.

If you're a brave person who wants to harden your installation, check it out <https://github.com/owncloud/mod_security/tree/stable5> and report bugs <https://github.com/owncloud/mod_security/issues>. The installation should be straightforward: just clone the stable5 branch somewhere and include it as it is done in the README.

Please note:

- Compatible with the current stable5 Git version of ownCloud (aka the upcoming 5.0.6)
- At the moment only tested with mod_security 2.6
- Most probably only compatible with Apache since it uses <LocationMatch>
- The kiddy_blocker rules are not yet compatible with reverse proxies; if you have a reverse proxy in place, don't include them.
- This is only compatible with the packaged apps of ownCloud. If you need another one, please write the ruleset yourself and make a pull request. (I'll write some rules for some apps I use soon, e.g. the awesome news app by Bernhard.)

Cheers,
Lukas

--
ownCloud
Your Cloud, Your Data, Your Way!
GPG: 0xEB32B77BA406BE99
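As an added illustration of the positive security model the post describes (this fragment is written for this page and is not taken from the owncloud/mod_security ruleset), here is what a ModSecurity 2.x whitelist looks like inside the `<LocationMatch>` container the post mentions: unknown parameter names are rejected outright, and each permitted parameter gets its own allowed pattern, such as `^[0-9]+$` for a numeric ID. The location path, the rule ids and the parameter names `id` and `app` are assumptions chosen for the example.

```apache
# Added example, not part of the owncloud/mod_security ruleset.
# Location path, rule ids and the parameter list (id, app) are assumed
# for illustration; the real ruleset defines its own per request.
<LocationMatch "^/index\.php$">
    # Positive model, step 1: only the parameter names listed here may
    # appear at all. Anything else is denied instead of being inspected
    # against blacklist patterns.
    SecRule ARGS_NAMES "!@rx ^(id|app)$" \
        "id:900001,phase:2,t:none,deny,status:403,log,msg:'Unknown parameter %{MATCHED_VAR}'"

    # Step 2: every allowed parameter gets its own whitelist pattern.
    # 'id' must be purely numeric; any other value is rejected.
    SecRule ARGS:id "!@rx ^[0-9]+$" \
        "id:900002,phase:2,t:none,deny,status:403,log,msg:'Non-numeric id parameter'"

    # 'app' is limited to a short lowercase identifier.
    SecRule ARGS:app "!@rx ^[a-z_]{1,32}$" \
        "id:900003,phase:2,t:none,deny,status:403,log,msg:'Invalid app parameter'"
</LocationMatch>
```

When trying rules like these on a live installation, run the engine with `SecRuleEngine DetectionOnly` first and watch the audit log for false positives before switching to `SecRuleEngine On`; a positive model blocks everything it was not told about, so a missed parameter shows up as a broken feature rather than a silent bypass.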
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
