ModSecurity Trustwave
This blog has moved! Please update your
bookmarks to http://blog.spiderlabs.com/modsecurity/.

ModSecurity Blog: July 2003

New action: pause

I have added a new action to the CVS, called "pause". It accepts one parameter, time in milliseconds, and blocks response to the request when a filter is triggered. I've been told that it can be really useful for blocking automated discovery tools.

Added Unicode encoding validation

I've just committed the Unicode validation feature to the CVS. It is a very good thing to have if the application or the operating system support and/or understand Unicode. Most importantly, this feature will protect from attacks where an ASCII character is encoded with more than one byte thus avoiding detection. In addition to this, ModSecurity checks that there is sufficient number of bytes available, and that all bits in all bytes have correct values. For a detailed description of the Unicode attack have a look at the OWASP guide.

Selective Filtering

I've just added a new feature to mod_security (CVS, both versions) that allows you to achieve a better control of what gets filtered. Up until now mod_security looked at every single request. Since most static resources (e.g. images) are not vulnerable it is safe to assume that we don't need to look at those types of requests. And, the number of image requests versus (dynamic) page requests is much bigger the savings in CPU cycles are probably quite big.

Fun with PHP CLI scripts

I've had quite a lot of "fun" with PHP CLI scripts the other day. As you perhaps know, there is an "exec" feature built into mod_security that allows you to execute some external binary in response to a filter match. This was working properly with Perl scripts but not with PHP scripts.

It seems that the problem lies in PHP itself. Apparently, it is designed to work as a CGI engine and as a command line binary at the same time, and uses environment variables to figure out how it was run. So, when it sees a bunch of web-releated environment variables it concludes that it should behave like a CGI script. That alone would not be a problem but then certain security restrictions kick in and script execution just stops.

Finally, after reading the source code for PHP the problem was resolved by simulating REDIRECT_STATUS and PATH_TRANSLATED environment variables from mod_security. Thanks to Shane Lahey who discovered this problem and exchanged countless emails with me until we nailed it down.