<div>I would recommend mod_publisher - <a href="http://apache.webthing.com/mod_publisher/">http://apache.webthing.com/mod_publisher/</a>. It is more efficient performance-wise vs. using mod_ext_filter to spawn command-line sed for each outbound response. It is also more accurate for updating HTML.
</div>
<div> </div>
<div>I actually described using mod_ext_filter and sed to remove HTML comments, etc. in my book "Preventing Web Attacks with Apache." I wanted to present this concept to users to show how to use them for security; however, there can be some severe performance problems if you attempt to use it in production. There is a great article here that compares mod_ext_filter, mod_line_edit and mod_publisher for these types of security purposes -
<a href="http://www.apachetutor.org/security/information-leak">http://www.apachetutor.org/security/information-leak</a>.</div>
<div> </div>
<div>One question for Michael - why just silently remove the malicious iframe? Wouldn't it be better to implement these RegExs into ModSecurity rules that monitor outbound traffic and then block and alert in such situations?
</div>
<div> </div>
<div>-- <br>Ryan C. Barnett<br>ModSecurity Community Manager<br>Breach Security: Director of Application Security Training<br>Web Application Security Consortium (WASC) Member<br>CIS Apache Benchmark Project Lead<br>SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
<br>Author: Preventing Web Attacks with Apache <br><br> </div>
<div><span class="gmail_quote">On 9/8/07, <b class="gmail_sendername">Michael Shinn</b> &lt;<a href="mailto:mike@gotroot.com">mike@gotroot.com</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Steve West wrote:<br>> Hi Michael,<br>><br>> Thank you for the great tool! We've had a few customers' web sites have
<br>> their web pages altered by hackers to add iframe tags, etc. The<br>> customers gave out their ftp credentials to the wrong ppl so we can't<br>> always protect against that. But I do have a few questions:
<br>><br>> 1. Is there any tool we can use if we are running apache 1.3.x?<br><br>I'll look into it. I'm not positive if apache 1.x supports external<br>filters. If it does, then it should be easy enough to put this together
<br>for 1.3.x too. A quick look doesn't seem to show mod_ext_filter is<br>supported in 1.3.x, so I'll have to look for other options.<br><br>> 2. You should also add some filtering for obfuscated javascript which
<br>> I'm seeing some recent hacks employ to get around security<br>> countermeasures on the server side.<br><br>Thanks for the suggestion. I'll see what I can put together for that<br>too. If you have some examples, please send them my way and I'll see what I
<br>can put together this weekend.<br><br>And for anyone wondering where the big update is, I'm almost finished<br>with it finally. I'm just debugging a final problem with phase 2<br>transforms, which was stopping chained rules from working entirely. So
<br>many rules, so many dependencies...<br><br>> thx,<br>><br>> SW<br>><br>><br>> Michael Shinn wrote:<br>>> I put together a method for filtering out bad iframes from websites.<br>>> Output filtering, for websites that become infected. You can read on
<br>>> for the details here:<br>>><br>>> <a href="http://www.gotroot.com/tiki-read_article.php?articleId=278">http://www.gotroot.com/tiki-read_article.php?articleId=278</a><br>>><br>>> Rules update is in testing now, will be putting out a major overhaul
<br>>> this week. The major performance improvements will require modsec 2.5.<br>>><br>>><br>><br><br>_______________________________________________<br>Modsecurity mailing list<br><a href="mailto:Modsecurity@gotroot.com">
Modsecurity@gotroot.com</a><br><a href="http://lists.gotroot.com/mailman/listinfo/modsecurity">http://lists.gotroot.com/mailman/listinfo/modsecurity</a><br></blockquote></div>
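<div>An added illustration of the block-and-alert approach asked about in the message above, as ModSecurity 2.x outbound rules. It is not part of the original thread and does not use the regexes from Michael's article, which are not reproduced on this page; the patterns, rule ids and messages are constructed assumptions.</div>

```apache
# Added example: constructed rules, not taken from the thread or the article.
SecRuleEngine On

# Response bodies are not inspected unless this is enabled.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html
# Buffer up to 512 KB of each response; inspect what fits instead of
# rejecting larger pages outright.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Phase 4 runs on the buffered response body, before it is sent to the client.

# Assumed pattern 1: iframe with a zero width or height attribute.
SecRule RESPONSE_BODY "@rx (?i)<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"'\s>]" \
    "id:1000001,\
    phase:4,\
    t:none,\
    deny,\
    status:500,\
    log,\
    auditlog,\
    severity:2,\
    msg:'Outbound content: iframe with zero width or height'"

# Assumed pattern 2: iframe hidden through an inline style attribute.
SecRule RESPONSE_BODY "@rx (?i)<iframe\b[^>]*\bstyle\s*=\s*[\"'][^\"'>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)" \
    "id:1000002,\
    phase:4,\
    t:none,\
    deny,\
    status:500,\
    log,\
    auditlog,\
    severity:2,\
    msg:'Outbound content: iframe hidden by inline style'"
```

<div>Some legitimate pages also carry hidden iframes, so replacing <code>deny,status:500</code> with <code>pass</code> for an initial period shows what the rules would block before they are enforced.</div>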