Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Directory Recursion |
|
| Author |
|
dickinse
Joined: 29 Aug 2013
Posts: 2
Location: USA, Bethesda
|
 Posted: Thu 29 Aug '13 17:50 Post subject: Directory Recursion |
 |
|
Good Morning,
I have been searching/reading the archives, perhaps I am just searching incorrectly but I can find no precedence. I cannot believe that I am the first to do this so here it goes anyway.
I have a number of WordPress, Drupal, Wiki sites running under RHEL6.
Apache version:httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Aug 2 2013 08:02:18
We are subject to internal scans by Appscan and Tenable.
It is a security requirement so I cannot just block them.
The scanners, of course, attempt to recurse the directory structure and find vulnerable files such as boot.ini, winnt.com and such.
This drives the php content management systems nuts.
Request comes in and is handled by php.
PHP checks the cache for that name and does not find it.
PHP generates a MySQL query and sends it.
MySQL tries and fails to satisfy the query.
MySQL returns result to php.
PHP Writes a cached of the result and presents it to the web.
In other words, a whole lot of processor/memory.
The security scans typically look like......
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET //../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini HTTP/1.1
I have been able to improve performance, speed and security by mod_rewrite
RewriteRule .*\.(dll|ini|exe|com)$ - [R=404,NC]
Now (Finally) the question.
I have not been able to create a rule for the directory recursion.
I want to R=404 any that has a "../.." or "..\.." or ..\\.." but I can not get it to recognize the string correctly.
I believe that this would improve speed and security.
I appreciate any help.
eric |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3053
Location: Hilversum, NL, EU
|
| Posted: Thu 29 Aug '13 19:16 Post subject: |
|
|
Advisable that you going to use mod_security ( www.modsecurity.org ) it can catch a lot.
Not sure your specific ../../ issue is included in the base rules of mod_security. If not you can add for example the rule:
SecRule ARGS "\.\./" "t:normalizePathWin,id:50904,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'directory recursion'" |
|
| Back to top |
|
dickinse
Joined: 29 Aug 2013
Posts: 2
Location: USA, Bethesda
|
| Posted: Thu 29 Aug '13 19:55 Post subject: |
|
|
Thank you. Looking into it!
eric |
|
| Back to top |
|
|
|
|
|
|
