09-11-2006, 10:46 PM #1 Aspiring Evangelist
how to defend against poison NULL byte vulnerabilities??
Things like http://www.securityfocus.com/archive.../30/0/threaded
Is there any way to protect from this using mod_security because I can't think of a way and this is a VERY serious security issue since anyone can upload anything they want and it's just a matter of hours before there are automated worms doing it...
Yes I realize it's only a customer's account that can get 'owned' if their scripts are vulnerable - but who's to say the 'hackers' won't just get in and sit tight until there's a kernel root hole discovered/reported and then BAM they have you..
-
09-11-2006, 10:53 PM #2 Problem Solver
I believe mod_security already takes care of this:
http://www.modsecurity.org/projects/...che/index.html
Detect and remove null-bytes (%00)
Another thing to look at:
# Whether to restrict which bytes can be used in a request.
#
# TODO The default setting is not very restrictive. It only disallows
# the null byte (only known use of this value is for attacks).
# Applications that are English-only could try to use "10 126"
# or "32 126" (if there are not <TEXTAREA> tags in the
# application).
#
# This directive allows only one range to be specified. You should
# note that it is possible to use regular expressions to specify
# multiple ranges. The following example allows characters 10, 13
# and 32-126:
#
# SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7e]+$"
#
# NOTE Languages other than English require bytes in the higher range.
#
SecFilterForceByteRange 1 255
Steven Ciaburri | Industry's Best Server Management - Rack911.com
-
09-11-2006, 10:57 PM #3 Aspiring Evangelist
Hi Steven
I'm not sure that would work because mod_security only checks GET and POST payloads from what I know (and I know very little) and it doesn't check uploaded files... or does it? Is there a way to scan uploaded content as well?
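
Added example (not part of the thread and not ModSecurity's own code): a Python illustration of the two checks this thread discusses, a byte-range filter in the spirit of `SecFilterForceByteRange 1 255` applied to the percent-decoded request, and an application-side check of an uploaded file's name that does not depend on the web server filter. The function names, the allowed-extension list and the sample inputs are constructed for illustration.

```python
import os
from urllib.parse import unquote_to_bytes

def out_of_range_offsets(raw, low=1, high=255):
    """Offsets of percent-decoded bytes that fall outside [low, high].
    The 1-255 default mirrors 'SecFilterForceByteRange 1 255': only NUL fails."""
    decoded = unquote_to_bytes(raw)
    return [i for i, b in enumerate(decoded) if not low <= b <= high]

def naive_extension_check(filename):
    """Weak check shown for contrast: looks only at the tail of the name,
    so anything placed before an embedded NUL is never examined."""
    return unquote_to_bytes(filename).lower().endswith((b".jpg", b".png", b".gif"))

def check_upload_name(filename, allowed_exts=(".jpg", ".png", ".gif")):
    """Application-side validation of an upload's file name.
    Returns (accepted, reason)."""
    decoded = unquote_to_bytes(filename)
    # Reject NUL and other control bytes before any extension logic runs.
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return False, "control or NUL byte in filename"
    name = decoded.decode("utf-8", errors="replace")
    # Reject directory components in either separator style.
    if os.path.basename(name.replace("\\", "/")) != name:
        return False, "path separator in filename"
    if os.path.splitext(name)[1].lower() not in allowed_exts:
        return False, "extension not allowed"
    return True, "ok"

# Constructed sample inputs (not taken from the thread).
SAMPLE_REQUEST = b"GET /view.php?page=news%00.html HTTP/1.0"
SAMPLE_UPLOAD = b"photo.php%00.jpg"

if __name__ == "__main__":
    print("request offsets outside 1-255:", out_of_range_offsets(SAMPLE_REQUEST))
    print("naive check accepts upload:", naive_extension_check(SAMPLE_UPLOAD))
    print("strict check:", check_upload_name(SAMPLE_UPLOAD))
```

The strict check runs inside the application that stores the file, so it applies whether or not the request passed through a filter in front of it.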