
ModSecurity

Commercial vs. Open Source, The WAF example

Submitted by Ofer Shezaf on 20 March 2011 - 11:18pm

An interesting case study by Joshua Drummond from UC Irvine compares two open source WAFs, ModSecurity and WebKnight, to an unnamed commercial WAF. The results shed light not just on the difference between open source and commercial solutions but also highlight key requirements for a WAF. It seems that the two issues Joshua finds with open source WAFs are manageability and positive security. It would be interesting to see if the two new open source WAFs on the block address those shortcomings.

ModSecurity exceptions for TYPO3

Submitted by Ofer Shezaf on 20 January 2010 - 12:07pm

You can find a rule set for using ModSecurity with TYPO3 installations here. The rule set consists of pretty inelegant exceptions to entire rules, but at least it should enable using ModSecurity with TYPO3.


If you are using Pingdom, a service for monitoring web sites, you will need to whitelist the service's IP addresses to make it work with the core rule set. You can find rules to do so here.

Ivan Ristic releases a ModSecurity book!

Submitted by Ofer Shezaf on 16 November 2009 - 2:32pm

A new ModSecurity book, or for that matter WAF book, is rare enough, and I was overjoyed that one ModSecurity book was released earlier this week. What can I say now that two ModSecurity books were released in the same week!

ModSecurity Book Released

Submitted by Ofer Shezaf on 14 November 2009 - 11:15pm

I tend to think that technical books are obsolete. The rate of change in software and systems makes them outdated before they hit the bookshelves, even if these are virtual books and virtual bookshelves. The tedious writing, editing and publishing cycle makes a book better but old. Community-generated content such as blogs and forums seems to provide much better documentation than books.

ModSecurity 2.5.11 fixes an evasion vulnerability

Submitted by Ofer Shezaf on 9 November 2009 - 7:53am

Breach has released a new version of ModSecurity which fixes a vulnerability that may lead to an evasion. As stated in the release announcement sent to the mailing list by Brian Rectanus, by using non-standard (but accepted by some platforms) quoting, ModSecurity may be fooled into thinking some parameters are uploaded files.

The vulnerability was presented by Stefan Esser at POC 2009 in Seoul and has not been posted online yet.

New WAF bypass method takes advantage of comment anti-evasion

Submitted by Ofer Shezaf on 3 November 2009 - 6:07pm

A new blog post by Dmitry Evteev shows how an obscure MySQL syntax can be used to bypass ModSecurity signatures. The interesting thing is that the new technique actually takes advantage of a ModSecurity anti-evasion measure. The ModSecurity rule set ignores MySQL comments in order to detect attacks that are split using a comment:

A lightweight ModSecurity rule set

Submitted by Ofer Shezaf on 1 November 2009 - 10:11pm

Nix101 posts a lightweight version of the gotroot rule set targeted at shared hosting servers. The rule set removes old stuff and rules that are too dangerous for a shared environment.

You can find the rule set here.


Using ModSecurity with mod_deflate can be challenging. An interesting post on the ModSecurity mailing list explains how this can be achieved.

ModSecurity Works!

Submitted by Ofer Shezaf on 19 February 2009 - 3:21am

Well, sure it works. However, a short blog entry by an insulted WordPress lover shows that it also delivers security.

The story quotes a hosting provider advising a client to be very careful with a WordPress installation, as it is often defaced. The reason? WordPress does not work well with ModSecurity, and therefore an exception is needed that removes ModSecurity protection. This results in the WordPress site being defaced more often...
