A lazy night yesterday watching Tomb Raider, and working on mod_ifier. It is almost ready for a 0.2 release now.
The Debian package now builds in magic support for loading files from /etc/apache2/mod-ifier.d/ and ships some sample files in there for blocking user-agents, referers and now CGI parameters.
There are three types of CGI parameter blocking:
- Based on the presence of a particular CGI parameter name, e.g. “mosConfig_absolute_path”, which is some kind of exploit attempt.
- Based upon a named parameter having a particular value, e.g. “theme contains ‘http://’”.
- Based upon the contents of any submitted parameter.
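The three rule types above, sketched as an added Python example. It is not mod_ifier's code or rule-file syntax; the rule tables, the `check_query` function, the `<script` pattern and the sample query strings are constructed for illustration. Matching is done on percent-decoded, lower-cased names and values so that an encoded form of a blocked string is still caught.

```python
from urllib.parse import parse_qsl

# Constructed rules, one set per rule type described above. These are
# illustrative and are not mod_ifier's rule syntax or shipped rule files.
BLOCKED_NAMES = {"mosconfig_absolute_path"}     # 1: parameter name is present
BLOCKED_NAMED_VALUES = {"theme": ["http://"]}   # 2: named parameter contains text
BLOCKED_ANY_VALUES = ["<script"]                # 3: any parameter contains text


def check_query(query_string):
    """Return (rule_type, parameter_name) for the first match, else None."""
    # parse_qsl percent-decodes names and values, so a value sent as
    # http%3A%2F%2F... is compared as http://... . keep_blank_values=True
    # keeps parameters sent with an empty value or with no "=" at all.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        lname, lvalue = name.lower(), value.lower()   # case-insensitive match
        if lname in BLOCKED_NAMES:
            return ("name", name)
        if any(s in lvalue for s in BLOCKED_NAMED_VALUES.get(lname, ())):
            return ("named-value", name)
        if any(s in lvalue for s in BLOCKED_ANY_VALUES):
            return ("any-value", name)
    return None


# Constructed sample query strings (the part of the URL after "?").
SAMPLES = [
    "page=home&lang=en",
    "option=com_x&mosConfig_absolute_path=",
    "theme=HTTP%3A%2F%2Fexample.invalid%2Ft",
    "theme=dark&comment=%3CScript%3E",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:45} -> {check_query(qs)}")
```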
If I can get the CGI GET variable parsing a bit cleaner, I’ll make a release and drop mod_security on my dedicated host. There are still a few things that would be nice to have (CGI POST parsing, etc.), but I can live without them for the moment.
Anybody with interesting ideas of things to match/block, feel free to comment.