NYPHP.org

[nycphp-talk] mod_security

Hans Zaunere zaunere at yahoo.com
Tue Jun 10 12:12:24 EDT 2003


--- Chris Snyder <chris at psydeshow.org> wrote:
> Is anybody on the list using mod_security? Thoughts? Performance?
> http://www.modsecurity.org

I haven't used it first hand, but I'd be happy to share my thoughts on it
anyway  :)  It looks nice and well written, but I'm always biased against
mod_something that depends on a series of regex rules - although it does look
better than mod_rewrite.

From looking at the functionality it provides, I can't see that it would
offer much protection to a well written application.  Sure, you can filter
"INSERT" and "DELETE FROM" out of requests, but if the application is
susceptible to that type of thing anyway, there's more trouble than
mod_security can fix.  Just seems like a patchy way of doing things (akin to
mod_rewrite).  But, this directive looks nice:

SecFilterByteRange 65 122

Assuming mod_security doesn't have any security issues/overflows itself :)

H


> It allows you to filter get and post requests before they are handed off 
> to scripts. I wonder if it will do cookies as well?
> 
> It looks like an excellent way to add an extra layer of security to 
> anything that's being run via Apache. In the latest version you can 
> apparently chroot the environment in which scripts are run:
> http://www.modsecurity.org/documentation/apache-internal-chroot.html
> 
>     chris.
> 
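
An added illustration, not part of the original message and not mod_security's own code: a simplified model of a byte-range filter using the bounds from the `SecFilterByteRange 65 122` line, run over constructed request values to show which bytes fall outside the range. The function names, the sample values, the comparison range 32 to 126, and the choice to check URL-decoded bytes are all assumptions.

```python
from urllib.parse import unquote_to_bytes


def bytes_outside(value: str, low: int, high: int) -> list[int]:
    """Distinct byte values of the URL-decoded input that fall outside [low, high]."""
    decoded = unquote_to_bytes(value)  # assumption: the check sees decoded bytes
    return sorted({b for b in decoded if b < low or b > high})


def allowed(value: str, low: int, high: int) -> bool:
    """True when every decoded byte lies inside the configured range."""
    return not bytes_outside(value, low, high)


# Constructed sample request values (not taken from any real traffic).
SAMPLES = {
    "plain word": "hello",
    "query string": "id=42&name=Bob",
    "path": "/index.php",
    "encoded NUL": "file.php%00.jpg",
    "high-bit bytes": "%90%90%90%90",
}


def report(low: int, high: int) -> dict[str, bool]:
    """Map each sample label to whether the range would let it through."""
    return {label: allowed(value, low, high) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    # 65-122 is the range quoted in the message; 32-126 (printable ASCII)
    # is a constructed comparison range.
    for low, high in ((65, 122), (32, 126)):
        print(f"range {low}-{high}")
        for label, value in SAMPLES.items():
            bad = bytes_outside(value, low, high)
            verdict = "allow" if not bad else f"reject, bytes {bad}"
            print(f"  {label:15} {value!r:22} {verdict}")
```

In this model the 65 to 122 range passes only letters and the six punctuation characters between `Z` and `a`, so digits, `=`, `&`, `/` and `.` are rejected along with the NUL and high-bit bytes.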



