Hi all, I installed mod_security yesterday on one server and am in the process of debugging. Along with mod_security itself, I have installed a number of rules, most of which are not causing any issues. The two below are causing some problems though: Number one seems to do its job too well as it breaks any URL pages that use ../../ etc. Our clients use those in a number of places, most of which are image loading i.e. <img = "../../images/myimage.gif"> Any ideas on how I can re enable it and not break realative links like the one above? # 1. Prevent path traversal (..) attacks # SecFilter "../" The second one breaks the ability to read an email in Openwebmail (v2.51). Any ideas on this? # 2. Prevent XSS atacks (HTML/Javascript injection) # SecFilter "<(.|n)+>" TIA, -Grant --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|