Best kept TYPO3 secret: WAF
By Steffen Müller. Licensed under the Creative Commons License
A long time ago, the security team promised to release a ruleset for a Web Application Firewall (WAF) based on Apache's mod_security. Some are still waiting for an official announcement after the conference talk at T3CON07. And some have heard about it in today's talk at T3CON08.
For those who can't wait any longer for official announcements: it has already been there since, well, since the beginning of this year I guess. The waf-newsgroup lacks a bit in activity (4 postings in one year), but one posting already revealed the secret in January 2008:
The ruleset hides at http://typo3.org/waf.txt
I didn't test it but had a quick look at the file. It's quite a short configuration and I could not spot any TYPO3-specific rules. One line points to an external file called modsecurity_crs_9999_typo3.conf but I couldn't find that file. Well, waf.txt also reveals that the current version was written in September 2007. So maybe a newer one is already released, but kept secret somewhere else ;-)
License
This article is licensed under the Creative Commons License CC BY-SA 3.0. You are free to share (copy, distribute and transmit) and to remix (to adapt) the work under the following conditions:
- You must attribute the work by mentioning the name of the author (Steffen Müller) and setting a link back to the original article using its URL.
- If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

When will the rules for Typo3 come? I have been looking forward to them for so long.