- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
In my previous post, I wrote about ModSecurity book that will be published by Packt Publishing. In November 24, 2009, I received the book in PDF format.
The book is titled “ModSecurity 2.5:Securing your Apache installation and web applications” and authored by Magnus Mischel. It contains nine chapters and covers the topic from the installation to deployment of ModSecurity.
ModSecurity version 2.5.11 has been released.
Here are several changes in this release according to the CHANGES file included in the tarball.
- Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
- Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
- Cleanup persistence database locking code.
- Added warning during configure if libcurl is found linked against gnutls for SSL. The openssl lib is recommended as gnutls has proven to cause issues with mutexes and may crash.
- Cleanup some mlogc (over)logging.
- Do not log output filter errors in the error log.
- Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response. Patch originally submitted by Ivan Ristic.
I’ve also updated my RPM spec file (for OpenSUSE 11.x).
Since the Indonesian Government and Legislative Body published Cyber Law (UU No. 11/2008) in 2008, there is a potential that one will go to jail because of testing web application belongs to other organization.
In OWASP AppSec Europe 2009 in Poland, Sandro Gauci and Wendel G. Henrique gave a presentation titled “The Truth About Web Application Firewalls:What the vendors do not want you to know“.
In the presentation they mentions that Web Application Firewalls (WAFs) :
- can be detected, because they leave several signs
- can be bypassed by changing the attack in order to avoid rules
I just noticed that ModSecurity 2.5.8 and 2.5.9 has been released on the same day (March 11, 2009).
Later on I found out that version 2.5.8 fix the following security issues :
- Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
- Removed an invalid “Internal error: Issuing “%s” for unspecified error.” message that was logged when denying with nolog/noauditlog set and
While the 2.5.9 superseded it to fix major security issue :
- Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by “Internet Security Auditors” (isecauditors.com).
So if you are using ModSecurity version <= 2.5.8, please do upgrade your ModSecurity to version 2.5.9.
Oh BTW, if you are going to compile the ModSecurity by yourself, you may need to add –with-apr= option to the configure script, like the following :