ModSecurity

ModSecurity v2.5 is now available. Some of the new features include: parallel text matching, Geo IP resolution, credit card number detection, support for content injection, automated rule updates, scripting, as well as many others.

News and Updates

ModSecurity v2.5.9
(March 11, 2009)
ModSecurity v2.5.9 (change log) has been released. This release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests. Additionally, the release cleans up the build process and adds a few features, including atomic updates of persistent counters and macro expansion of the append/prepend actions. It is highly recommended to upgrade to this release.

ModSecurity v2.5.8
(March 11, 2009)
ModSecurity v2.5.8 (change log) has been released. This release fixes a potential DoS vulnerability when PDF XSS protection is enabled (it is disabled by default) as well as a minor issue with an invalid "internal error" message. This release was immediately superseded by 2.5.9 to fix another major issue found during the 2.5.8 release cycle. You should install the 2.5.9 release instead.

ModSecurity v2.5.7
(September 30, 2008)
ModSecurity v2.5.7 (change log) is a maintenance release, which fixes some not-so-common issues with request limits, logging, XML processing, and handling of some "legacy" protocols in the request body.

ModProfiler v0.2.0
(September 8, 2008)
This is another development release of ModProfiler. This version features support for incremental logging and resource confidence.

ModSecurity v2.5.6
(July 31, 2008)
ModSecurity v2.5.6 is a maintenance release, which fixes the stability and evasion issues in the transformation cache subsystem. Furthermore, transformation caching is now deprecated, and you are advised to turn it off in your configuration. This is also the first version of ModSecurity to use a licensing exception to make mixing with other open source projects possible.

ModSecurity v2.5.5
(June 6, 2008)
ModSecurity v2.5.5 is a maintenance release, which fixes a few bugs and compatibility problems (e.g. the WordPress upload issue).

ModSecurity v2.5.4
(May 8, 2008)
ModSecurity v2.5.4 is a maintenance release, which fixes an issue with transformation caching that would, in some cases, cause targets to be incorrectly transformed.

ModSecurity Console v1.0.5
(May 7, 2008)
ModSecurity Console v1.0.5 fixes a small bug when displaying multipart requests.

ModSecurity v2.5.3
(April 25, 2008)
ModSecurity v2.5.3 is a maintenance release, which fixes a few small defects in the code and in the rules. This version also allows macros to be expanded in the expirevar and deprecatevar actions.


What Is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make web application firewall technology available to everyone.

Books

Apache Security is a comprehensive Apache security resource, written by Ivan Ristic for O'Reilly. Two chapters (Apache Installation and Configuration, and PHP) are available as a free download, as are the Apache security tools created for the book.


Preventing Web Attacks with Apache. Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against.

Support/Mailing lists

Community support is available on the mod-security-users@lists.sourceforge.net mailing list. You must subscribe first in order to post. The list archives are available as News (NNTP), Threaded HTTP, Bloggy HTTP, and RSS.

Commercial support and appliances based on ModSecurity can be obtained from Breach Security.

Getting Started

ModSecurity FAQ
Web Intrusion Detection with ModSecurity (ApacheCon Europe 2008)
Introducing ModSecurity
Introducing Core Rules
ModSecurity 2 Deployment
ModSecurity 2 Rule Language
Securing Web Services with ModSecurity 2
Ajax Fingerprinting and Filtering with ModSecurity 2

External Links

ModSecurity 2.0 with Ivan Ristic
ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements. Federico Biancuzzi interviewed Ivan Ristic to discuss the new logging system, events tracking and correlation, filtering AJAX or AFLAX applications, and just-in-time patching for closed source applications.

Web Application Firewalls Primer
Introduction to Web Application Firewalls, published in INSECURE Magazine 1.5.

Talks

Our talks are available for download by following the links below:

Web Application Firewalls: When Are They Useful?
(May 31, 2006)
ModSecurity Elevator Pitch
(February 20, 2006)
Threat Modelling for Web Applications
(January 27, 2006)
Apache Security Training
(October 27, 2005)
Web Intrusion Detection with ModSecurity
(October 27, 2005)
ModSecurity Status
Stable: 2.5.9 (11 Mar 2009)
Development: -

ModSecurity Blog

May 1, 2009
ModSecurity Training at Blackhat USA 2009
Just a quick note to let everyone know that a 2-day ModSecurity training class was added to the upcoming Blackhat USA 2009 conference in Las Vegas - http://www.blackhat.com/html/bh-usa-09/train-bh-usa-09-categories-appsec.html. This class will be focused on the ModSecurity Rules Language and using...

Mar 12, 2009
ModSecurity Vulnerabilities Fixed
ModSecurity versions 2.5.8 and 2.5.9 have been released to fix two vulnerabilities which could be used to cause a denial of service (DoS). The first vulnerability is fixed in version 2.5.8 and the second (as it was disclosed after version...

Jan 15, 2009
Why Did Our Web Application Crash? Leveraging WAF Logging Data
More Than A Blocking Device. Unfortunately, most people have pigeon-holed WAFs as only "Attack Blocking Devices" and that is but one use-case option. This Blog post will highlight another interesting use-case/benefit of a web application firewall - capturing full HTTP...

Dec 22, 2008
Fixing Both Missing HTTPOnly and Secure Cookie Flags
In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish the same thing but for...

Dec 19, 2008
Helping Protect Cookies with HTTPOnly Flag
If you are unfamiliar with what the HTTPOnly cookie flag is or why your web apps should use it, please refer to the following resources: Mitigating Cross-site Scripting With HTTP-only Cookies (http://msdn.microsoft.com/en-us/library/ms533046.aspx) and OWASP HTTPOnly Overview (http://www.owasp.org/index.php/HTTPOnly). The...