
On the second day I brought her a flower

15 July 2006 21:50

My Apache module for filtering incoming HTTP requests, mod_ifier, has had a lot of loving. Yesterday I reworked the structure of the code to make it more generic and extensible.

Taking advantage of the cleanup, I added a new match target. In addition to matching Referers, User-Agents, headers, paths, and CGI parameters/values, it will now also allow you to match on the HTTP request method (i.e. GET|POST|OPTIONS|PROPFIND|SEARCH|TRACE).

I've made a 0.5 release, and a new package will be uploaded to unstable shortly.

There was a tiny bugfix too - parsing/matching of CGI POST variables will work 100% correctly!

ObAudit: I looked over the Debian Mentors Website and reported an XSS attack against it.

Package names/descriptions were not filtered before being displayed, so anybody with a mentors.debian.net account could upload a package causing an XSS attack, stealing the login session of any user who viewed the package details.
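The defensive side of that bug, as an added example (not code from the Debian Mentors site or from mod_ifier): parse an uploaded package's control stanza, validate the name against the Debian Policy character rules, and HTML-escape the free-text description at render time. The function names and the sample stanza are constructed for illustration.

```python
import html
import re

# Debian Policy: lowercase letters, digits, '+', '-', '.'; at least two
# characters; must start with an alphanumeric character.
PACKAGE_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+")

def parse_control(text):
    """Parse one control-file paragraph into a dict, folding continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            # Continuation line; a lone "." stands for a blank line.
            body = line[1:]
            fields[current] += "\n" + ("" if body.strip() == "." else body)
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def render_package(fields):
    """Return an HTML fragment for a package details view (hypothetical layout)."""
    name = fields.get("Package", "")
    # Input validation: reject names the policy would never allow.
    if not PACKAGE_NAME.fullmatch(name):
        raise ValueError("invalid package name")
    # Output encoding: the description is free text, so escape it when rendering.
    description = html.escape(fields.get("Description", ""), quote=True)
    return "<h2>{}</h2>\n<pre>{}</pre>".format(html.escape(name), description)

# Constructed sample upload (not taken from the real site).
SAMPLE = """Package: hello-demo
Version: 1.0-1
Description: Friendly greeter <script>alert(1)</script>
 Longer text with <b>markup</b> & symbols.
 .
 Second paragraph.
"""

if __name__ == "__main__":
    print(render_package(parse_control(SAMPLE)))
```

Validation alone would not have been enough here, since descriptions legitimately contain arbitrary text; the escaping at output is what keeps the markup inert.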
