Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Compliance with Modsecurity + OWASP  (Read 2080 times)

0 Members and 1 Guest are viewing this topic.

marcelm

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 60
Compliance with Modsecurity + OWASP
« on: November 17, 2016, 08:41:28 am »

Now OWASP is out since October and the last big version was from 2013. OWASP 3.0 is designed to give less false positives I updated my website to that release. In previous version I had to switch off a lot of the filters that keep hackers and other bad people from trying to do bad stuff with my site.

I have run a quick test and the only thing that cropped up in that period was that the cookie set by Coppermine could contain a "=" and that triggered a detection. Maybe there are more non alphabetical/number characters that could trigger detections but I have not yet tested it that much because it was already late in the evening.

Information what it filters:

1. More than 16,000 specific rules, broken out into the following attack
categories:
 * SQL injection
 * Cross-site Scripting (XSS)
 * Local File Include
 * Remote File Include

2. User option for application specific rules, covering the same
vulnerability classes for applications such as:
 * WordPress
 * cPanel
 * osCommerce
 * Joomla

I saw that it also is covering Coppermine Gallery with 30 settings, however I think the main part if not all are already fixed by the programmers in contact with users of Coppermine.

I am also using Owncloud that is triggering a lot more of detections so Coppermine is very clean in the eyes of OWASP

Some links:
https://modsecurity.org/crs/
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://github.com/SpiderLabs/owasp-modsecurity-crs
Logged
Pages: [1]   Go Up
 

Page created in 0.021 seconds with 20 queries.