[nycphp-talk] mod_security
Analysis & Solutions
danielc at analysisandsolutions.com
Tue Jun 10 12:25:23 EDT 2003
Hi Chris:

On Tue, Jun 10, 2003 at 09:50:54AM -0400, Chris Snyder wrote:
> Is anybody on the list using mod_security? Thoughts? Performance?
> http://www.modsecurity.org

Interesting. I just took a look at the site. The documentation, which is
unfortunately only in PDF, could provide better detail on how the thing
operates.

Sanitizing and validating input is so very important, and by the number of
items showing up on Bugtraq, is too often overlooked. My Form Solution
class, http://www.analysisandsolutions.com/software/form/, helps with that
a bit.

> In the latest version you can
> apparently chroot the environment in which scripts are run:
> http://www.modsecurity.org/documentation/apache-internal-chroot.html

It sounds like they're talking about chrooting Apache itself via this
module, without having to rely on chrooting via the operating system.
But, what if their module or Apache gets circumvented somehow? Then the
attacker is home free.

Enjoy,

--Dan
--
FREE scripts that make web and database programming easier
http://www.analysisandsolutions.com/software/
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409