#1
07-22-2006, 06:31 PM
Pumazooma
Senior Member
Join Date: Jun 2006
Location: Oxford
Posts: 271
mod_security

I've just had an interesting afternoon trying to sort out a problem on my forum. Having now fixed it I'd like to know if someone can tell me why the answer is what it is.

I run a phpBB forum and had a user who was having problems sending a PM. It looked like a fairly standard message but each time he tried to send it he got

Quote:
Not Acceptable
An appropriate representation of the requested resource /forum/privmsg.php could not be found on this server.
I tried sending it too and had no luck despite test messages working.

After consulting an online operator who assured me it wasn't a server issue I did some reading around and found out it's related to a server side application called mod_security which has a list of disallowed words or characters (for security reasons).

After chopping the PM up into sections and test sending it, I managed to narrow it down to one single character that was causing the problem.

é

The message contained the word coupé.

So, my question is, why is é such a major security problem to be on a disallowed list?

#2
08-16-2006, 01:07 PM
Pumazooma
Senior Member
Join Date: Jun 2006
Location: Oxford
Posts: 271

No one got an answer for this?

#3
08-16-2006, 01:28 PM
Administrator
Join Date: Mar 2006
Posts: 1,688

Hello Pumazooma,

We have customized rules in mod_security on our server, and most of the commands that are executed by guys running exploits from a browser are turned off in mod_security. There must have been something in your private message which was turned off in mod_security. If you can let me know the exact time you will be trying the same message, then I can check the logs on the server and make out which word is getting blocked in mod_security.

#4
08-16-2006, 01:36 PM
Junior Member
Join Date: Aug 2006
Posts: 12

The é character exists outside the basic characters (I am not sure of its ASCII or UNICODE values). I would assume that mod_security bans all non-standard characters from strings just to ensure that you can't break any applications it is protecting. Personally, I find that PHP is fairly robust and the escape() function does a very good job on its own, but you can never guess what might break a proprietary application because you don't know what characters they might use for delimiters, so the safest bet would be to only allow a-z, A-Z, 0-9 and the common special characters.

That is my guess...
__________________
Why me?
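
One possible mechanism for the block discussed in this thread, as an added example that is not from any poster or from the host's actual rule set: assuming the rule restricts request bytes to printable ASCII (32-126), as a byte-range directive such as ModSecurity 1.x's `SecFilterForceByteRange 32 126` would, the check below shows why an ASCII test message passes while "coupé" is rejected in either common page charset. The function names, the sample form fields and the range itself are assumptions.

```python
from urllib.parse import quote, unquote_to_bytes

LOW, HIGH = 32, 126  # assumed permitted byte range (printable ASCII only)


def form_body(fields, charset):
    """Build an application/x-www-form-urlencoded body in the page's charset."""
    return "&".join(
        f"{name}={quote(value.encode(charset), safe='')}"
        for name, value in fields.items()
    )


def out_of_range(body, low=LOW, high=HIGH):
    """Return (field, offset, byte) for each decoded byte outside [low, high]."""
    hits = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        # Decode %XX escapes to raw bytes, as a filter does before inspection.
        decoded = unquote_to_bytes(raw.replace("+", " "))
        hits.extend(
            (name, offset, byte)
            for offset, byte in enumerate(decoded)
            if not low <= byte <= high
        )
    return hits


# Constructed sample private messages (not taken from the thread).
PLAIN = {"subject": "Test", "message": "New coupe for sale"}
ACCENTED = {"subject": "Test", "message": "New coup\u00e9 for sale"}

ASCII_BODY = form_body(PLAIN, "iso-8859-1")
LATIN1_BODY = form_body(ACCENTED, "iso-8859-1")  # é is the single byte 0xE9
UTF8_BODY = form_body(ACCENTED, "utf-8")         # é is the two bytes 0xC3 0xA9

if __name__ == "__main__":
    for label, body in (("ascii", ASCII_BODY), ("latin-1", LATIN1_BODY), ("utf-8", UTF8_BODY)):
        hits = out_of_range(body)
        verdict = "blocked" if hits else "allowed"
        detail = [(f, o, hex(b)) for f, o, b in hits]
        print(f"{label:8} {verdict:8} {body}  {detail}")
```

Running the same check over a request that was rejected points to the exact field and offset, which is quicker than cutting the message into sections by hand.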

All times are GMT.
Copyright 2002-2007 WebHosting.uk.com. All rights reserved.