commit 00f64cc90aff33fed6489df26b63bd99036d4059
parent ec28ff9e279f5bc146698cd9a005405dfcbad620
Author: dankert <devnull@localhost>
Date: Thu, 30 Nov 2006 23:16:49 +0100
Funktionsfähig, aber noch unvollständig.
Diffstat:
1 file changed, 66 insertions(+), 28 deletions(-)
diff --git a/doc/examples/mod-security.conf b/doc/examples/mod-security.conf
@@ -32,6 +32,7 @@
# Standard-Aktion für zutreffende Filterregeln
SecFilterDefaultAction "deny,log,status:403"
+ #SecFilterDefaultAction "deny,log,status:'Aktuelle sicherheitseinstellungen verbieten einen Zugriff auf diese Seite'"
# Filterregeln aus mod-security.d einbinden
# Include /etc/mod-security.d/[^.#]*
@@ -44,47 +45,68 @@
SecFilter /bin/sh
+
+
+
# Bilder und andere statische Dateien
SecFilterSelective REQUEST_FILENAME "^.*\.(png|jpe?g|gif|css|js)$" allow
+ # SecFilterSelective ARG_action "^$" chain
+ # SecFilterSelective ARG_subaction "^$" chain
+ # Startseite
+ SecFilterSelective REQUEST_URI "^.*/$" allow
+ #SecFilterSelective SCRIPT_FILENAME "!^do\.php[3-5]?$"
+
+
+
+
+ # Parameter Whitelist
+ SecFilterSelective ARGS_NAMES "!^(subaction|action|oi|id|login_name|login_password|elementid|dbid|ok|screenwidth)$"
+ #
+ SecFilterSelective ARGS_NAMES "xxx"
+
+
+
+ # Einzelne Parameter
+ SecFilterSelective ARG_id "!^[0-9-]*$"
+
+ SecFilterSelective ARG_login_name "!^[A-Za-z0-9_-]*$"
+ SecFilterSelective ARG_login_password "!^[A-Za-z0-9_-]*$"
+
+ SecFilterSelective ARG_action "!^[a-z]*$"
+ SecFilterSelective ARG_subaction "!^[a-z]*$"
+
+ SecFilterSelective ARG_oi "!^[a-f0-9]*$"
+ SecFilterSelective ARG_elementid "!^[0-9]*$"
+ SecFilterSelective ARG_dbid "!^[a-zA-Z0-9_-]*$"
+
+
+
+ # Aktionen
SecFilterSelective ARG_action "^folder$" chain
- SecFilterSelective ARG_subaction "^(|show|create|pub|prop|rghts)$" chain
- SecFilterSelective ARGS_NAMES "^id$" chain
- SecFilterSelective ARG_id "^[0-9-]*$" allow
+ SecFilterSelective ARG_subaction "^(|show|save|create|pub|prop|rights)$" allow
SecFilterSelective ARG_action "^page$" chain
- SecFilterSelective ARG_subaction "^(|show|edit|el|pub|prop|rghts)$" chain
- SecFilterSelective ARGS_NAMES "^id$" chain
- SecFilterSelective ARG_id "^[0-9-]*$" allow
+ SecFilterSelective ARG_subaction "^(|show|save|edit|el|pub|prop|src|rights)$" allow
SecFilterSelective ARG_action "^file$" chain
- SecFilterSelective ARG_subaction "^(|show|pub|prop|rights)$" chain
- SecFilterSelective ARGS_NAMES "^id$" chain
- SecFilterSelective ARG_id "^[0-9-]*$" allow
+ SecFilterSelective ARG_subaction "^(|show|save|pub|prop|rights)$" allow
SecFilterSelective ARG_action "^link$" chain
- SecFilterSelective ARG_subaction "^(|show|pub|prop|rghts)$" chain
- SecFilterSelective ARGS_NAMES "^id$" chain
- SecFilterSelective ARG_id "^[0-9-]*$" allow
+ SecFilterSelective ARG_subaction "^(|show|save|pub|prop|rights)$" allow
SecFilterSelective ARG_action "^index$" chain
- SecFilterSelective ARG_subaction "^(|project|object|projectmenu|administration|changepassword|register|password|showlogin|login|logout)$" chain
- SecFilterSelective ARGS_NAMES "^(id|login_name|login_password|dbid)$" chain
- SecFilterSelective ARG_id "^[0-9-]*$" allow
+ SecFilterSelective ARG_subaction "^(|project|object|projectmenu|administration|changepassword|register|password|showlogin|login|logout)$" allow
SecFilterSelective ARG_action "^pageelement$" chain
- SecFilterSelective ARG_subaction "^(|editlink|editlongtext)$" chain
- SecFilterSelective ARGS_NAMES "^id$" chain
- SecFilterSelective ARG_id "^[0-9-]*$" allow
-
- SecFilterSelective ARG_action "^main$" chain
- SecFilterSelective ARG_subaction "^(folder|page|pageelement|file|link)$" chain
- SecFilterSelective ARGS_NAMES "!^(id)$" chain
- SecFilterSelective ARG_id "^[0-9-]*$" allow
-
- SecFilterSelective ARG_action "^mainmenu$" chain
- SecFilterSelective ARG_subaction "^(folder|page|pageelement|link|file)$" allow
+ SecFilterSelective ARG_subaction "^(|save|editlink|editlongtext|archivelink|archivelongtext|diff)$" allow
+ SecFilterSelective ARG_action "^(main|mainmenu)$" chain
+ SecFilterSelective ARG_subaction "^(folder|page|pageelement|file|link|template|language|model|search|project|user|group)$" allow
+
+ SecFilterSelective ARG_action "^template$" chain
+ SecFilterSelective ARG_subaction "^(|prop|el|listing|show|edit|src)$" allow
+
SecFilterSelective ARG_action "^tree$" chain
SecFilterSelective ARG_subaction "^(load|open|close)$" allow
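Review bot: The `SecFilterSelective REQUEST_URI "^.*/$" allow` added near the top of this hunk sits before the parameter whitelist, the `# Einzelne Parameter` rules and the action/subaction table, and an `allow` ends rule processing, so any request whose REQUEST_URI ends in `/` is accepted with none of those checks applied; in mod_security 1.x REQUEST_URI includes the query string as far as I recall, so the condition can be met by the query part as well as by the path. Anchoring the rule on the path component, `SecFilterSelective SCRIPT_NAME "/$" allow`, and moving it below the `# Einzelne Parameter` block would keep the parameter validation in front of it. Two smaller points: `SecFilterSelective ARGS_NAMES "xxx"` under the lone `#` line looks like a debugging leftover that denies any request carrying a parameter name containing `xxx`, and `SecFilterSelective ARG_login_password "!^[A-Za-z0-9_-]*$"` answers any password containing punctuation or spaces with a 403 instead of letting the application reject it, which deserves a comment such as `# NOTE: limits the character set usable in passwords` if it is intended.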
@@ -100,11 +122,27 @@
SecFilterSelective ARG_action "^treetitle$" chain
SecFilterSelective ARG_subaction "^(|show)$" allow
+ SecFilterSelective ARG_action "^model$" chain
+ SecFilterSelective ARG_subaction "^(|list|setdefault|save|edit|remove)$" allow
+
+ SecFilterSelective ARG_action "^language$" chain
+ SecFilterSelective ARG_subaction "^(|listing|add|edit|remove)$" allow
+
+ SecFilterSelective ARG_action "^search$" chain
+ SecFilterSelective ARG_subaction "^(|prop|value)$" allow
+
+ SecFilterSelective ARG_action "^project$" chain
+ SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|maintanance)$" allow
+
+ SecFilterSelective ARG_action "^user$" chain
+ SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|groups|pw|rights)$" allow
+
+ SecFilterSelective ARG_action "^group$" chain
+ SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|users)$" allow
+
# Fallback: Alles ablehnen.
SecFilter ".*"
-
-
# Ausgabe-Filterung
SecFilterScanOutput On
SecFilterSelective OUTPUT "Fatal error:" deny,status:500