ModSecurity Rules for Specific Applications & Environments

Tagged:

[View]

The most common way to solve a compatibility issue between ModSecurity or one of its rule sets and an application is to disable ModSecurity. In ModSecurity 1.x this can be done in .htaccess limiting it to the current directory, but in ModSecurity 2.x there is no such mechanism. Whether global or limited to a directory, such an exception is not advisable security-wise.

A better way is to create a finer exception that would disable specific rules or signatures only for a specific URL or parameter. This section collects such exceptions.

In addition, people have contributed virtual patches. Virtual patches are rules that block specific known attacks on unpatched applications, allowing to delay of the patch.

A note of caution: the trade off between false positives, i.e. letting the application work flawlessly and false negatives, i.e. not detecting attacks, is not trivial. Some of the exceptions below may be too wide and while squashing false positives, reduce to an extent of security provides by the core rule set. We would love to hear your remarks and suggestions regarding them.

Browsers

ModSecurity blocking Firefox Indonesian version

Applications

Complete exceptions rule set for WordPress 2.7 with ModSecurity 2.5.0 and . Additional info on the specific exceptions:
- Exception options-general.php
- Exception for spell checker (this is a TinyMCE issue, so may be relevant in many other environments)
Wordpress Flash Uploader issue and exception for ModSecurity 1.x.
Fix a false positive for PHPMyAdmin
Fix a false positive for ACatalog Actinic
A virtual patch for Mambo
Jira uses // in URI which requires disabling 960911 (Marc Stern)
Hudson uses // in URI which requires disabling 960911. It also accepts the unusual characters ()#\[\]{} which may require more exceptions (Marc Stern)
NetNewsWire (Cristóbal Palmer)
MOSS aka SharePoint (Yersinia Spiros)
Rules for Protecting WebGoat - Since WebGoat is an application security demonstration program, the rules for it are only useful mostly for educational purposes.

Add new comment

Thankyou

Submitted by Anonymous on 22 February 2009 - 10:45pm.

Great article. Thanks for including The Theme Blog's Wordpress Flash Uploader solution ;)

James Armstrong
// thethemeblog.com

Joomla Exceptions by che.utah.edu do NOT even related to Joomla

Submitted by Anonymous on 8 February 2009 - 11:25pm.

http://www.che.utah.edu/~gregorcy/?p=132 barely even talks about joomla exceptions. The gist of securing joomla is there BUT not the exception rules for Joomla but rather bugzilla. Consider modifying your content title for this anchor to talk about bugzilla mod_security exceptions.

Thanks

Submitted by Ofer Shezaf on 11 February 2009 - 12:05pm.

True. The article is not valuable enough and I removed it from the list.

Latest Stories

WAFs are not perfect, but is any security tool perfect? (Feb 9th 2010)
Forrester estimates the WAF market to be $220M in 2010 (Feb 9th 2010)
ModSecurity exceptions for TYPO3 (Jan 20th 2010)
Presentation about WAFs in the cloud (Jan 15th 2010)
The curse of PCI for WAFs (Jan 11th 2010)
A New Year, a New Acronym (Jan 10th 2010)
A Remote Command Injection Vulnerability Applicure's dotDefender Site Management. (Dec 10th 2009)

Navigation

Subscribe:

Xiom is the place to find information about Web Application Firewalls (WAFs) including reviews, analysis, announcements and research. Tune to the RSS channel to get every bit of information or subscribe to the newsletter to receive only in depth articles.

Xiom also leasd and hosts the Web Hacking Incidents Database, a Web Application Security Consortium project aimed at maintaining a list of web applications related security incidents.

Xiom is a community web site lead by Ofer Shezaf.

Xiom.com

The Web Application Firewalls Information Center

ModSecurity Rules for Specific Applications & Environments

Browsers

Applications

WAF Resources

Latest Stories

Navigation