For three long years he practised ..

2 July 2006 21:50

A lazy night yesterday watching Tomb Raider, and working on mod_ifier. It is almost ready for a 0.2 release now.

The Debian package now builds in magic support for loading files from /etc/apache2/mod-ifier.d/ and ships some sample files in there for blocking user-agents, referers and now CGI parameters.

There are three types of CGI parameter blocking:

  • Based on the presence of a particular CGI parameter name, e.g. "mosConfig_absolute_path" is some kind of exploit attempt.
  • Based upon a named parameter having a particular value, e.g. "theme contains 'http://'".
  • Based upon the contents of any submitted parameter.
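The three rule types above, applied to a GET query string, as an added example (not mod_ifier's code or its configuration syntax). The rule tables and the `check_query` function are hypothetical names, and the any-parameter pattern `<script` is a constructed sample, since the post does not give one.

```python
from urllib.parse import parse_qsl

# Constructed rules mirroring the three categories; not mod_ifier syntax.
BLOCKED_NAMES = {"mosConfig_absolute_path"}      # type 1: name present
BLOCKED_NAME_VALUES = {"theme": ["http://"]}     # type 2: named parameter contains
BLOCKED_ANY_VALUE = ["<script"]                  # type 3: any parameter contains


def check_query(query_string):
    """Return (rule_type, parameter_name) for the first match, or None."""
    # parse_qsl percent-decodes names and values and keeps repeated
    # parameters, so "theme=ok&theme=http://..." has both values checked
    # and "http%3A%2F%2F" cannot slip past a plain substring test.
    pairs = parse_qsl(query_string, keep_blank_values=True)
    for name, value in pairs:
        # Values are compared case-insensitively ("HTTP://" is still a URL);
        # names are compared exactly, an assumption of this sketch.
        lowered = value.lower()
        if name in BLOCKED_NAMES:
            return ("name-present", name)
        for needle in BLOCKED_NAME_VALUES.get(name, ()):
            if needle in lowered:
                return ("name-value", name)
        for needle in BLOCKED_ANY_VALUE:
            if needle in lowered:
                return ("any-value", name)
    return None


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "option=com_x&mosConfig_absolute_path=http://example.invalid/x",
        "theme=default&theme=HTTP%3A%2F%2Fexample.invalid%2Ft",
        "q=%3CScript%3Ealert(1)",
        "url=http://example.org/&theme=blue",
    ]
    for qs in samples:
        print(qs, "->", check_query(qs))
```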

If I can get the CGI GET variable parsing a bit cleaner I'll make a release and drop mod_security on my dedicated host. There are still a few things that would be nice to have, CGI POST parsing, etc, but I can live without them for the moment.

Anybody with interesting ideas of things to match/block feel free to comment.
