2 Jun 08:29
Re: SecServerSignature not working
<christian.folini <at> post.ch>
2008-06-02 06:29:31 GMT
2008-06-02 06:29:31 GMT
I'd like to follow up on Ryan's message here. > While I am all for "Security WITH Obscurity" this is ultimately a losing > battle. There is no way that you can totally obscure the platform that > you are running. When working with obscurity, you have to be very careful about your intentions. Obscurity lures you into a false security feeling. You mean to go unnoticed, while in fact it's plainly obvious what you are hiding. However, there are things you really should do and it has to do with modern style attacking. Amichai Shulman presented on Google Hacking at the OWASP conference in Belgium. http://www.owasp.org/images/6/6a/AppSecEU08-BeyondGoogleHacking-AmichaiS hulman.ppt The point is, that you do not want to show up in google with your Apache version and possibly the PHP version string on top of that. So setting Apache ServerSignature and also ServerTokens is a must. See Ryan's CIS Apache Benchmark for details. -> http://www.cisecurity.org/bench_apache.html And there is more to it. If you are obscuring your server, you are(Continue reading)
Here's my problem:
I'm using mod-security (current rules) with a Mailman system. All
works well except for one small problem.... If an administrator
rejects a moderated post, and includes additional (optional) rejection
text via the message detailed form, mod-security blocks the post with
these details:
H:
Message: Access denied with code 500 (phase 2). Pattern match
"\\n[[:space:]]*(to|b?cc)[[:space:]]*:.*@" at ARGS:headers-58.
C: (sanitized)
58=2&forward-addr-58=list-owner%40domain.tld&comment-58=Your+message+was+deemed+inappropriate+by+the+moderator.++Blah...test+text...%0D%0Athis+is+more+text...&headers-58=Return-Path%3A+%26lt%3Badmin%40domain.tld%26gt%3B%0D%0AX-Original-To%3A+list%40domain.tld%0D%0AReceived%3A+from+mx.domain.tld+%28localhost.localdomain+%5B127.0.0.1%5D%29%0D%0A%09by+mx.domain.tld+%28Postfix%29+with+ESMTP+id+4403F254204%0D%0A%09for+%26lt%3Blist%40domain.tld%26gt%3B%3B+Tue%2C++3+Jun+2008+13%3A32%3A57+-0400+%28EDT%29%0D%0AReceived%3A+by+mx.domain.tld+%28Postfix%2C+from+userid+65534%29%0D%0A%09id+327FA374009%3B+Tue%2C++3+Jun+2008+13%3A32%3A57+-0400+%28EDT%29%0D%0AX-Spam-Checker-Version%3A+SpamAssassin+3.2.3+%282007-08-08%29+on+mx.domain.tld%0D%0AX-Spam-Level%3A+%0D%0AX-Spam-Status%3A+No%2C+score%3D-0.3+required
%3D3.5+list%3DBAYES_00%2CFORGED_YAHOO_RCVD%0D%0A%09autolearn%3Dno+version%3D3.2.3%0D%0AReceived%3A+from+wx-out-0506.google.com+%28wx-out-0506.google.com+%5B66.249.82.230%5D%29%0D%0A%09by+mx.
domain.tld+%28Postfix%29+with+ESMTP+id+E7754254204%0D%0A%09for+%26lt%3Blist%40domain.tld%26gt%3B%3B+Tue%2C++3+Jun+2008+13%3A32%3A55+-0400+%28EDT%29%0D%0AReceived%3A+by+wx-out-0506.google.com+with+SMTP+id+i30so1140636wxd.2%0D%0A%09for+%26lt%3Blist%40domain.tld%26gt%3B%3B+Tue%2C+03+Jun+2008+10%3A32%3A56+-0700+%28PDT%29%0D%0AReceived%3A+by+10.90.101.7+with+SMTP+id+y7mr13478646agb.119.1212514376528%3B%0D%0A%09Tue%2C+03+Jun+2008+10%3A32%3A56+-0700+%28PDT%29%0D%0AReceived%3A+by+10.90.75.3+with+HTTP%3B+Tue%2C+3+Jun+2008+10%3A32%3A56+-0700+%28PDT%29%0D%0AMessage-ID%3A+%26lt%3B7ff145960806031032y26261f9etc8d36c7f1d283373%40mail.gmail.com%26gt%3B%0D%0ADate%3A+Tue%2C+3+Jun+2008+13%3A32%3A56+-0400%0D%0AFrom%3A+%26quot%3BUser+Name%26quot%3B+%26lt%3Bposter%40domain.tld%26gt%3B%0D%0ASender%3A+admin%40do
main.tld%0D%0ATo%3A+list%40domain.tld%0D%0ASubject%3A+Test+email%0D%0AMIME-Version%3A+1.0%0D%0AContent-Type%3A+text%2Fplain%3B+charset%3DISO-8859-1%0D%0AContent-Transfer-Encoding%3A+7bit%0D%
0AContent-Disposition%3A+inline%0D%0AX-Virus-Scanned%3A+ClamAV+on+mx.domain.tld&fulltext-58=Test+email%0D%0A%0D%0A&submit=Submit+All+Data
This action makes sense for non-Mailman systems, how can I override
this for specific hosts/text/etc?
Thanks!
-Jim P.
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
RSS Feed
