[SOGo] Apache Defaults in Fedora Core 8
Will Hawkins
sogo@opengroupware.org
Tue, 22 Jan 2008 16:35:17 -0500
From what I can tell, modsecurity looks for two things in the
Content-Length header, by default:
1. That it is numeric,
2. That it is *not* zero.
It does not *appear* to check whether or not the Content-Length actually
matches the length of the HTTP packet minus the header, etc. Also, these
troublesome security defaults are only applicable to POST requests.
Perhaps an easy workaround would be to simply set the Content-Length
value to 1 when a default value of 0 would normally be used.
Thanks again for looking into this,
Will
Wolfgang Sourdeau wrote:
>> Well, the original XMLHttpRequest is just the ActiveX IE object
>> exposed to the webpage ... Anyways, AFAIK it depends on the browser,
>> "probably" most modern versions set it ...
>
> Actually it gets better... When setting it under Firefox to a value of "0", Firefox removes it... And it's not Firefox 1.5, it's 2.0. So it may not even be fixable, unless mod_security is clever enough to tolerate those requests...
>
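
Added example, not part of the thread and not ModSecurity's rule set: a small Python model of the two Content-Length checks described in the message above, next to the body-length comparison the message says does not appear to be made. The function names, the sample requests and the host example.test are constructed for illustration.

```python
def split_request(raw):
    """Split a raw HTTP/1.x request into (method, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line.split(" ", 1)[0], headers, body


def described_checks(raw):
    """The two checks as the message describes them; applied to POST only."""
    method, headers, _ = split_request(raw)
    if method != "POST":
        return []
    value = headers.get("content-length")
    if value is None:
        # The message does not say how an absent header is treated;
        # it is reported under its own label so the caller can decide.
        return ["absent"]
    if not (value.isascii() and value.isdigit()):
        return ["not-numeric"]   # check 1: value must be numeric
    if int(value) == 0:
        return ["zero"]          # check 2: value must not be zero
    return []


def framing_mismatch(raw):
    """Return (declared, received) when the header disagrees with the body."""
    _, headers, body = split_request(raw)
    value = headers.get("content-length", "")
    if not (value.isascii() and value.isdigit()):
        return None
    declared = int(value)
    return None if declared == len(body) else (declared, len(body))


# Constructed sample requests.
HEAD = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: "
SAMPLES = {
    "empty_post": HEAD + b"0\r\n\r\n",
    "workaround": HEAD + b"1\r\n\r\n",   # Content-Length: 1, empty body
    "bad_value": HEAD + b"abc\r\n\r\nx",
    "get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, described_checks(raw), framing_mismatch(raw))
```

The "workaround" sample passes both described checks but declares one byte that is never sent, so a server that honours the header will wait for that byte until it times out.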