logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: ModSecurity 2.5.11 released
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Sat 07 Nov '09 12:25    Post subject: ModSecurity 2.5.11 released Reply with quote

ModSecurity 2.5.11 is now available, build with the newest Windows SDK v7.0 and against the newest libxml2-2.7.4.

This release fixes a multipart parsing issue that has the potential to allow bypassing the rules engine. This bypass can be avoided via some simple rules, however. Other changes include a rules update (CRS 2.0.3) and some minor cleanup in build, mlogc, persistence and the output filter ordering.

By using non-standard (but accepted by some platforms) quoting, ModSecurity may be fooled into thinking some parameters are uploaded iles. A working example was presented at POC2009. To mitigate this, the following rules (also included in the latest CRS v2.0.3, included with ModSecurity 2.5.11) are recommended until you can update to ModSecurity 2.5.11:

# Identify multipart/form-data name evasion attempts
SecRule FILES "['\";=]" \
"phase:2,deny,log,t:none,\
msg:'Attempted multipart/form-data bypass'"
SecRule FILES_NAMES "['\";=]" \
"phase:2,deny,log,t:none,\
msg:'Attempted multipart/form-data bypass'"


Steffen


Change log 2.5.11

* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
set true if any invalid quoting is found during multipart parsing.

* Fixed parsing quoted strings in multipart Content-Disposition headers.
Discovered by Stefan Esser.

* Cleanup persistence database locking code.

* Added warning during configure if libcurl is found linked against
gnutls for SSL. The openssl lib is recommended as gnutls has
proven to cause issues with mutexes and may crash.

* Cleanup some mlogc (over)logging.

* Do not log output filter errors in the error log.

* Moved output filter to run before other stock filters (mod_deflate,
mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
in the response. Patch originally submitted by Ivan Ristic.
Back to top


Reply to topic   Topic: ModSecurity 2.5.11 released View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout