  1. #1

    how to defend against poison NULL byte vulnerabilities??

    Things like http://www.securityfocus.com/archive.../30/0/threaded

    Is there any way to protect from this using mod_security because I can't think of a way and this is a VERY serious security issue since anyone can upload anything they want and it's just a matter of hours before there are automated worms doing it...

    Yes I realize it's only a customer's account that can get 'owned' if their scripts are vulnerable - but who's to say the 'hackers' won't just get in and sit tight until there's a kernel root hole discovered/reported and then BAM they have you..

  2. #2
    I believe mod_security already takes care of this:

    http://www.modsecurity.org/projects/...che/index.html

    Detect and remove null-bytes (%00)
    I would have to look into it more.

    Another thing to look at:

    # Whether to restrict which bytes can be used in a request.
    #
    # TODO The default setting is not very restrictive. It only disallows
    # the null byte (only known use of this value is for attacks).
    # Applications that are English-only could try to use "10 126"
    # or "32 126" (if there are not <TEXTAREA> tags in the
    # application).
    #
    # This directive allows only one range to be specified. You should
    # note that it is possible to use regular expressions to specify
    # multiple ranges. For following example allows characters 10, 13
    # and 32-126:
    #
    # SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7e]+$"
    #
    # NOTE Languages other than English require bytes in the higher range.
    #
    SecFilterForceByteRange 1 255
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
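
The byte-range restriction quoted in post #2, as an added Python illustration (not part of the thread and not mod_security's code): it percent-decodes a request line and reports every byte outside the allowed range, which is how a `1 255` range ends up rejecting `%00`. The function names, the repeated-decoding step and the sample request lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Regex alternative quoted in the config comments: bytes 10, 13 and 32-126 only.
ASCII_TEXT = re.compile(rb"^[\x0a\x0d\x20-\x7e]+$")

def decode(raw: bytes, max_rounds: int = 3) -> bytes:
    """Percent-decode until stable, so %2500 -> %00 -> NUL is seen too.
    Repeated decoding is this example's assumption, not mod_security's code."""
    for _ in range(max_rounds):
        step = unquote_to_bytes(raw)
        if step == raw:
            break
        raw = step
    return raw

def bad_bytes(raw: bytes, low: int, high: int) -> list:
    """(offset, value) of each decoded byte outside [low, high]."""
    return [(i, b) for i, b in enumerate(decode(raw)) if not low <= b <= high]

def verdict(raw: bytes, low: int = 1, high: int = 255) -> str:
    """Mirror the intent of 'SecFilterForceByteRange low high'."""
    return "deny" if bad_bytes(raw, low, high) else "allow"

# Constructed sample request lines (not taken from any real log).
SAMPLES = {
    "plain":  b"GET /show.php?file=notes.txt HTTP/1.0",
    "nul":    b"GET /show.php?file=notes%00.txt HTTP/1.0",
    "double": b"GET /show.php?file=notes%2500.txt HTTP/1.0",
    "utf8":   b"GET /search.php?q=caf%C3%A9 HTTP/1.0",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        regex = "allow" if ASCII_TEXT.match(decode(line)) else "deny"
        print(f"{name:7} 1-255={verdict(line)} "
              f"32-126={verdict(line, 32, 126)} regex={regex} "
              f"offending={bad_bytes(line, 1, 255)}")
```

The `utf8` sample passes the `1 255` range but fails `32 126` and the regex, which is the trade-off the NOTE about non-English languages refers to.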

  3. #3
    Hi Steven

    I'm not sure that would work because mod_security only checks GET and POST payloads from what I know (and I know very little) and it doesn't check uploaded files... or does it? Is there a way to scan uploaded content as well?
