Hi catch-
It's a web application firewall and it can prevent SQL and XSS. mod_security handles requests with filters by signature before they're handled by apache. Edit made on the other post.
Printable View
Hi catch-
It's a web application firewall and it can prevent SQL and XSS. mod_security handles requests with filters by signature before they're handled by apache. Edit made on the other post.
None-the-less, it still can't prevent the application from doing things it is legitimately allowed to do, and since the web application firewall doesn't know how to tell different types of message board users apart, it cannot attcks which remain within the application itself.
That said, it may use various filters and such to limit these types of attacks, and although that is better then nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.
cheers,
catch
Quick question.. directed at anyone who can answer it.
The only free open source CMS/BBS whatever you want to call it I've ever seen that allows you to use multiple db accounts is the one I've been working on for a few months now. I'd be interested in a CMS that does this that is established already, if anyone happens to know of one I'd like to see it. I don't think any of the ones on opensourcecms.com have this capability. (They all seem pretty crappy :/)Quote:
Other techniques would be to limit access to files and functions by IP address and direct create several DB accounts with different powers (least privilege) and assign each script to the appropriate DB connection. This dramatically reduces the risk of SQL injection attacks.
Hi catch
Even a "root" account with a separate database user on a multi-user web application can be XSS'ed and be forced to do malicious things, in that case mod_security would be pretty valuable. Personally I would go for that extra layer if mod_security itself doesn't add too much. :DQuote:
That said, it may use various filters and such to limit these types of attacks, and although that is better then nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.