logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Directory Recursion
Author
dickinse



Joined: 29 Aug 2013
Posts: 2
Location: USA, Bethesda

PostPosted: Thu 29 Aug '13 17:50    Post subject: Directory Recursion Reply with quote

Good Morning,
I have been searching/reading the archives, perhaps I am just searching incorrectly but I can find no precedence. I cannot believe that I am the first to do this so here it goes anyway.

I have a number of WordPress, Drupal, Wiki sites running under RHEL6.

Apache version:httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Aug 2 2013 08:02:18

We are subject to internal scans by Appscan and Tenable.
It is a security requirement so I cannot just block them.

The scanners, of course, attempt to recurse the directory structure and find vulnerable files such as boot.ini, winnt.com and such.

This drives the php content management systems nuts.
Request comes in and is handled by php.
PHP checks the cache for that name and does not find it.
PHP generates a MySQL query and sends it.
MySQL tries and fails to satisfy the query.
MySQL returns result to php.
PHP Writes a cached of the result and presents it to the web.

In other words, a whole lot of processor/memory.

The security scans typically look like......

[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET /../../../../../../../../../../../../etc/passwd HTTP/1.1

[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ../../../../../../../../../../../../etc/passwd HTTP/1.1

[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET //../../../../../../../../../../../../etc/passwd HTTP/1.1

[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini HTTP/1.1

[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini HTTP/1.1

I have been able to improve performance, speed and security by mod_rewrite

RewriteRule .*\.(dll|ini|exe|com)$ - [R=404,NC]

Now (Finally) the question.
I have not been able to create a rule for the directory recursion.

I want to R=404 any that has a "../.." or "..\.." or ..\\.." but I can not get it to recognize the string correctly.

I believe that this would improve speed and security.

I appreciate any help.

eric
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3093
Location: Hilversum, NL, EU

PostPosted: Thu 29 Aug '13 19:16    Post subject: Reply with quote

Advisable that you going to use mod_security ( www.modsecurity.org ) it can catch a lot.

Not sure your specific ../../ issue is included in the base rules of mod_security. If not you can add for example the rule:

SecRule ARGS "\.\./" "t:normalizePathWin,id:50904,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'directory recursion'"
Back to top
dickinse



Joined: 29 Aug 2013
Posts: 2
Location: USA, Bethesda

PostPosted: Thu 29 Aug '13 19:55    Post subject: Reply with quote

Thank you. Looking into it!

eric
Back to top


Reply to topic   Topic: Directory Recursion View previous topic :: View next topic
Post new topic   Forum Index -> Apache