[Modsecurity] iframe filtering rules

Michael Shinn mike at gotroot.com
Sat Sep 8 07:41:42 EDT 2007


Steve West wrote:
> Hi Michael,
> 
> Thank you for the great tool! We've had a few customers' web sites have
> their web pages altered by hackers to add iframe tags, etc. The
> customers gave out their ftp credentials to the wrong ppl so we can't
> always protect against that. But I do have a few questions:
> 
> 1. Is there any tool we can use if we are running apache 1.3.x?

I'll look into it.  I'm not positive if apache 1.x supports external
filters.  If it does, then it should be easy enough to put this together
for 1.3.x too.  A quick look doesn't seem to show mod_ext_filter is
supported in 1.3.x, so I'll have to look for other options.

> 2. You should also add some filtering for obfuscated javascript which
> I'm seeing some recent hacks employ to get around security
> countermeasures on the server side.

Thanks for the suggestion.  I'll see what I can put together for that
too.  If you have some examples, please send them my way and I'll see what I
can put together this weekend.

And for anyone wondering where the big update is, I'm almost finished
with it finally.  I'm just debugging a final problem with phase 2
transforms, which was stopping chained rules from working entirely.  So
many rules, so many dependencies...

> thx,
> 
> SW
> 
> 
> Michael Shinn wrote:
>> I put together a method for filtering out bad iframes from websites.
>> Output filtering, for websites that become infected.  You can read on
>> for the details here:
>>
>> http://www.gotroot.com/tiki-read_article.php?articleId=278
>>
>> Rules update is in testing now, will be putting out a major overhaul
>> this week.  The major performance improvements will require modsec 2.5.
>>
>>   
> 


