[horde] mod_security
Dick Hoogendijk
dick at nagual.st
Sat Jul 9 14:09:41 PDT 2005
I have had mod_security in my httpd.conf for quite some time now, but lately
I get more errors, now that I run more php programs.
phpBB2 had issues with rule (a)
MySQL and horde have issues with (b)
and today sending mail from imp to "horde" <horde at lists.horde.org>
did not work (internal webserver error on rule (c))
I can mark them out (like I do now), but that way I lose a lot of
defense against all kinds of php injections.
Does anybody use mod_security too and if so, what are good rules for a
good working mysql / php website?
==--==--== quote mod_security ==--==--==
# =================================================
# Logging GET/POST requests, defending against
# Cross-Site-Scripting and SQL Injection attacks
# =================================================
<IfModule mod_security.c>
AddHandler application/x-httpd-php .php
SecAuditEngine On
SecAuditLog /var/log/apache/audit.log
SecFilterScanPOST On
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
## SecFilter "<(.|\n)+>" <---------- rule (a)
## SecFilter "," <---------- rule (b)
## SecFilter "\"" <---------- rule (c)
</IfModule>
--
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11-stable ++ FreeBSD 5.4
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja
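
Added example, not part of the original post: a short Python check that runs the three SecFilter patterns quoted above against ordinary form submissions, showing why rules (a), (b) and (c) reject legitimate phpBB, webmail and form traffic. Assumptions: Python's re module stands in for Apache's regex engine, the filter is an unanchored search over the URL-decoded request body, and the sample bodies (including the lists.example address) are constructed.

```python
import re

# The three SecFilter patterns from the quoted config, keyed by the
# poster's own labels (a), (b), (c).
RULES = {
    "a": r"<(.|\n)+>",   # anything that looks like a tag
    "b": r",",           # any comma
    "c": r'"',           # any double quote
}

# Constructed, benign request bodies, shown already URL-decoded.
SAMPLES = {
    "forum post with markup": "subject=hi&message=<b>thanks</b> for the help",
    "webmail To: field": 'to="horde" <horde@lists.example>&subject=test',
    "form with a list": "tags=php,mysql,apache&action=save",
    "plain search": "q=horde+imp+setup",
}


def matching_rules(body):
    """Return the labels of every rule whose pattern occurs anywhere in body."""
    return sorted(label for label, pattern in RULES.items()
                  if re.search(pattern, body))


def false_positive_report(samples=SAMPLES):
    """Map each benign sample to the rules that would deny it."""
    return {name: matching_rules(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in false_positive_report().items():
        # SecFilterDefaultAction in the post is "deny,log,status:500".
        verdict = "deny, status 500" if hits else "allow"
        print(f"{name:26} rules={hits or '-'} -> {verdict}")
```

Three of the four benign bodies are denied, which is the pattern of internal server errors the post describes: single-character filters applied to every request cannot distinguish an injection attempt from normal punctuation.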