Advanced search  

News:

cpg1.5.46 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.44 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Compliance with Modsecurity + OWASP  (Read 842 times)

0 Members and 1 Guest are viewing this topic.

marcelm

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 60
Compliance with Modsecurity + OWASP
« on: November 17, 2016, 08:41:28 am »

Now OWASP is out since October and the last big version was from 2013. OWASP 3.0 is designed to give less false positives I updated my website to that release. In previous version I had to switch off a lot of the filters that keep hackers and other bad people from trying to do bad stuff with my site.

I have run a quick test and the only thing that cropped up in that period was that the cookie set by Coppermine could contain a "=" and that triggered a detection. Maybe there are more non alphabetical/number characters that could trigger detections but I have not yet tested it that much because it was already late in the evening.

Information what it filters:

1. More than 16,000 specific rules, broken out into the following attack
categories:
 * SQL injection
 * Cross-site Scripting (XSS)
 * Local File Include
 * Remote File Include

2. User option for application specific rules, covering the same
vulnerability classes for applications such as:
 * WordPress
 * cPanel
 * osCommerce
 * Joomla

I saw that it also is covering Coppermine Gallery with 30 settings, however I think the main part if not all are already fixed by the programmers in contact with users of Coppermine.

I am also using Owncloud that is triggering a lot more of detections so Coppermine is very clean in the eyes of OWASP

Some links:
https://modsecurity.org/crs/
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://github.com/SpiderLabs/owasp-modsecurity-crs
Logged
Pages: [1]   Go Up
 

Page created in 0.012 seconds with 20 queries.