보안 문제로 한동안 지원하지 않았던 .htaccess파일을 다시 지원할지 여부를 묻는 글이 올라왔습니다.

편의성을 높이고 보안성을 약간 희생한것이라 볼 수 있는데 다시 논의가 되는것을 보니 해당 기능을 요구하는

사람들이 꽤 많았나봅니다.


We are seeking feedback from the community on the idea of re-enabling Apache.htaccess support for
ModSecurity. 

https://www.modsecurity.org/tracker/browse/MODSEC-58

This functionality existed in the v1 branch of ModSecurity -

http://modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N1027D

It was removed due to valid security concerns, namely that attackers could easily  bypass the ModSecurity
protections if they could just upload a .htaccess file with – SecFilterEngine Off in it While the security concerns
are valid, we also realize that there are many, many Hosting Providers  who are using old ModSecurity v1
strictly because they need this capability to allow their customers to use  .htaccess files for adding exceptions.
Without this feature, end users are flooding the Help Desk/Support  forums with requests to add exceptions for
ModSecurity rules for their sites.

So, we are considering adding support for this feature back into ModSecurity v2.7.x. 
It will NOT be enabled by default and would require the user to use a new --enable-htaccess-config configure
flag and re-compiling.  Users would have to understand the tradeoffs with regards to security and allowing
distributed configurtions in a multi-user environment.  
......


원본글은 아래 링크에서 보실 수 있습니다..

http://article.gmane.org/gmane.comp.apache.mod-security.user/10024


'Security' 카테고리의 다른 글

SecuritySpace News - April  (0) 2013.04.27
SecuritySpace News  (0) 2013.04.10
ModSecurity - Re-Enabling htaccess Support  (0) 2013.02.23
XE 1.5.3.4 보안 패치 배포  (2) 2012.11.22
XE 1.5.2.6 보안패치  (2) 2012.06.26
1.5.2.5 배포(보안패치 포함)  (0) 2012.05.14

+ Recent posts