Oct. 10, 2008

Best kept TYPO3 secret: WAF

A long time ago the security team promised to release a ruleset for a Web Application Firewall (WAF) based on Apache's mod_security. Some are still waiting for an official announcement after the conference talk at T3CON07. And some have heard about it at today's talk at T3CON08.

For those who can't wait any longer for official announcements: it has already been there since, well, since the beginning of this year I guess. The waf-newsgroup is a bit lacking in activity (4 postings in one year), but one posting already revealed the secret in January 2008:

The ruleset hides at http://typo3.org/waf.txt

I didn't test it but had a quick look at the file. It's quite a short configuration and I could not spot any TYPO3-specific rules. One line points to an external file called modsecurity_crs_9999_typo3.conf but I couldn't find that file. Well, waf.txt also reveals that the current version was written in September 2007. So maybe a newer one has already been released, but is kept secret somewhere else ;-)


Comments

  1. Webagentur wrote on November 12, 2008 at 00:22

    When will the rules for Typo3? I look forward to for so long.

