
Thread: gov forum hacked

  1. #11
    Hi catch-

    It's a web application firewall and it can prevent SQL and XSS. mod_security handles requests with filters by signature before they're handled by apache. Edit made on the other post.

  2. #12
    Nonetheless, it still can't prevent the application from doing things it is legitimately allowed to do, and since the web application firewall doesn't know how to tell different types of message board users apart, it cannot prevent attacks which remain within the application itself.

    That said, it may use various filters and such to limit these types of attacks, and although that is better than nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.

    cheers,

    catch

  3. #13
    Quick question.. directed at anyone who can answer it.

    Other techniques would be to limit access to files and functions by IP address and direct create several DB accounts with different powers (least privilege) and assign each script to the appropriate DB connection. This dramatically reduces the risk of SQL injection attacks.
    The only free open source CMS/BBS whatever you want to call it I've ever seen that allows you to use multiple db accounts is the one I've been working on for a few months now. I'd be interested in a CMS that does this that is established already, if anyone happens to know of one I'd like to see it. I don't think any of the ones on opensourcecms.com have this capability. (They all seem pretty crappy :/)

    Hi catch

    That said, it may use various filters and such to limit these types of attacks, and although that is better than nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.
    Even a "root" account with a separate database user on a multi-user web application can be XSS'ed and be forced to do malicious things, in that case mod_security would be pretty valuable. Personally I would go for that extra layer if mod_security itself doesn't add too much.
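    The per-script database accounts suggested in post #13, written out as an added example (not code from the thread or from anyone's CMS): the single all-powerful account is shown commented out beside a least-privilege layout in MySQL/MariaDB syntax. The `bbs` schema, the table names, the script names and the passwords are assumptions.

```sql
-- Weak setting: one account for every script, so a SQL injection in any
-- script can read or change any table in the schema.
-- CREATE USER 'bbs'@'localhost' IDENTIFIED BY '<single-password>';
-- GRANT ALL PRIVILEGES ON bbs.* TO 'bbs'@'localhost';

-- Least-privilege layout: one account per class of script, each granted only
-- the table-level rights that script needs. Table and script names are assumed.
CREATE USER 'bbs_reader'@'localhost' IDENTIFIED BY '<reader-password>';
CREATE USER 'bbs_poster'@'localhost' IDENTIFIED BY '<poster-password>';
CREATE USER 'bbs_admin'@'localhost'  IDENTIFIED BY '<admin-password>';

-- viewthread.php connects as bbs_reader: it only reads content.
GRANT SELECT ON bbs.threads TO 'bbs_reader'@'localhost';
GRANT SELECT ON bbs.posts   TO 'bbs_reader'@'localhost';

-- newreply.php connects as bbs_poster: it reads and inserts posts.
-- No UPDATE or DELETE, so an injected statement there cannot edit or
-- remove existing content, and it cannot touch the users table at all.
GRANT SELECT ON bbs.threads TO 'bbs_poster'@'localhost';
GRANT SELECT, INSERT ON bbs.posts TO 'bbs_poster'@'localhost';

-- admin/moderate.php connects as bbs_admin: full DML on content tables,
-- still without rights on the users table or on schema changes (no DROP/ALTER).
GRANT SELECT, INSERT, UPDATE, DELETE ON bbs.threads TO 'bbs_admin'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON bbs.posts   TO 'bbs_admin'@'localhost';

FLUSH PRIVILEGES;

-- Check what each account actually holds before deploying the scripts.
SHOW GRANTS FOR 'bbs_reader'@'localhost';
SHOW GRANTS FOR 'bbs_poster'@'localhost';
SHOW GRANTS FOR 'bbs_admin'@'localhost';
```

    Each script then opens its own connection with the matching account, so the damage from an injection is bounded by that account's grants rather than by the whole schema.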
