Introducing Remo – An Easy Way to Secure an Insecure Online Application with ModSecurity

Posted by suvi under Apache, Security

Say you have a nasty application on your Apache webserver that has been installed by some
jerks from the marketing department and you can neither patch nor remove it.
Maybe it is a problem of resources, a lack of know-how, a lack of source code, or possibly even due to political
reasons. Consequently, you need to protect it without
touching it. There is ModSecurity, but they say this is only for experts.
A straightforward alternative is Remo, a graphical rule editor for ModSecurity that comes with a
whitelist approach. It has all you need to lock down the application.

For the sake of this tutorial we will use a really simple test application.
One that is so ugly, not even your marketing department would want to have it around.
But hey, it’s only a tutorial.

The direct execution of any shell command posted in the form of the parameter command makes ls.php
an unwelcome guest on just about any webserver – or a perfect test case
to try out Remo in order to protect you from the dangers of this
script. So what is Remo then? Over at remo.netnea.com
you will learn that it is meant as a simple way to configure ModSecurity without
becoming a security wizard first. The second catch is that Remo writes whitelist rules,
while most people use ModSecurity with a blacklisting approach. Blacklisting means you
tell ModSecurity everything about all known attacks. Whitelisting does it the other
way round: it makes sure your application only gets the input you really want it to get.
So ls.php will only get ls commands as its command parameter, and furthermore you make sure
no dirty tricks are possible using backticks or semicolons within the parameter.
In short: Remo helps you do input validation on the server without touching the application.
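As an added illustration (this is neither code from the article nor Remo's generated output), here is a hand-written ModSecurity 2.x whitelist of the kind the paragraph describes. The path /ls.php, the single parameter name command, the rule ids and the exact pattern of admissible values are assumptions made for the tutorial script; a real deployment narrows the regex to what the application actually needs.

```apache
# Added example, not from the article and not produced by Remo.
# Assumptions: the script is served at /ls.php, its only parameter is
# "command", and the admissible values are the ones the last rule describes.
SecRuleEngine On
SecRequestBodyAccess On

<LocationMatch "^/ls\.php$">
    # Only GET and POST are expected for this script.
    SecRule REQUEST_METHOD "!^(GET|POST)$" \
        "id:100001,phase:1,deny,status:403,log,t:none,msg:'ls.php: unexpected method'"

    # Whitelist of parameter names: anything other than "command" is rejected.
    SecRule ARGS_NAMES "!^command$" \
        "id:100002,phase:2,deny,status:403,log,t:none,msg:'ls.php: unexpected parameter %{MATCHED_VAR}'"

    # Exactly one "command" parameter, not zero and not a repeated one.
    SecRule &ARGS:command "!@eq 1" \
        "id:100003,phase:2,deny,status:403,log,t:none,msg:'ls.php: command parameter missing or repeated'"

    # Whitelist of parameter values: "ls", optionally one group of short flags,
    # optionally one path. A path is alphanumeric segments joined by "/" or ".",
    # so "..", backticks, semicolons, pipes, "$(" and quoting tricks never match
    # and are therefore never handed to the shell. t:none disables any default
    # transformations so the pattern is applied to the value as received.
    SecRule ARGS:command "!^ls(?: -[alhtrR]{1,5})?(?: /?[A-Za-z0-9_-]+(?:[./][A-Za-z0-9_-]+)*)?$" \
        "id:100004,phase:2,deny,status:403,log,t:none,msg:'ls.php: command value outside whitelist'"
</LocationMatch>
```

Because a whitelist rejects everything it does not explicitly expect, roll it out with SecRuleEngine DetectionOnly first and read the audit log for a few days of normal traffic; every legitimate request that shows up there is a value the pattern still needs to admit. Only then switch to SecRuleEngine On.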

Read more at HowtoForge
