On 09/29/2014 06:57 PM, Stefan Fritsch wrote:
On Monday 29 September 2014 10:07:40, Nick Kew wrote:
Yes. It's catching potential attacks in r->headers_in.
The rest is paranoia-mode afterthoughts:
PATH_INFO/QUERY_STRING because they could contain something
interesting, subprocess_env just
On 01/22/2014 05:42 PM, Graham Leggett wrote:
On 22 Jan 2014, at 5:36 PM, Thomas Eckert thomas.r.w.eck...@gmail.com wrote:
Some time ago I put up HTTP to HTTPS redirects in place which now needed an
update so they would not only work for
constant host names
On 08/08/2013 09:24 AM, Nick Edwards wrote:
As per FD list post..
Does this seem valid?
FWD MESSAGE
Apache suEXEC privilege elevation / information disclosure
Discovered by Kingcope/Aug 2013
The suEXEC feature provides Apache users the ability to run CGI and SSI programs
under user IDs
On 05/03/2013 07:24 AM, Ben Reser wrote:
On Tue, Apr 30, 2013 at 5:23 PM, André Warnier a...@ice-sa.com wrote:
Alternatives :
1) if you were running such a site (which I would still suppose is a
minority of the 600 Million websites which exist), you could easily disable
the feature.
2) you
Hi guys,
I'm developing a module that needs to do the following things:
1. Read POST arguments
2. Read input headers
3. Read Query string arguments
I have decided to implement it by having an input filter for the POST parsing (since this is the only way to look into
the POST without consuming
On 05/01/2013 12:19 PM, Tom Evans wrote:
On Wed, May 1, 2013 at 1:47 AM, André Warnier a...@ice-sa.com wrote:
Christian Folini wrote:
Hey André,
I do not think your protection mechanism is very good (for reasons
mentioned before). But you can try it out for yourself easily with 2-3
On 05/01/2013 03:00 PM, Reindl Harald wrote:
Am 01.05.2013 13:51, schrieb André Warnier:
There is so far one possible pitfall, which was identified by someone earlier
on this list : the fact that delaying
404 responses might have a bad effect on some particular kind of usage by
legitimate
On 05/01/2013 03:22 PM, André Warnier wrote:
Dirk-Willem van Gulik wrote:
On 1 mei 2013, at 13:31, Graham Leggett minf...@sharp.fm wrote:
The evidence was just explained - a bot that does not get an answer quick
enough gives up and looks elsewhere.
The key words are looks elsewhere.
For
On 05/01/2013 04:23 PM, Eric Covener wrote:
However I'm unable to make my input filter function to be called before my
handler.
Input filters are normally called during the handler, when the handler
tries to read the request body through the filter chain.
In your case, the body is probably