mouss wrote:
Jason Haar wrote:
Karsten Bräckelmann wrote:

uri  EXECUTABLE  /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i

That won't stop "blah.exe?token=cookie". Web servers will still return "blah.exe" (and the attacker can trackback who clicked on it too that way! ;-)

How about

uri  EXECUTABLE  /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)($|\?)/i




and these won't catch "foo.exe," and the like due to how URIs are parsed by SA.

Any smart RE guys/gals out there that want to suggest a better expression here? I think some of the counterpoints raised here are quite valid, but I'm not the guy to fix them.

Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
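
Added example, not part of the original thread or of SpamAssassin: the two patterns quoted above, transcribed to Python's `re` (which treats these constructs as Perl does) and run over constructed URIs to show which forms each one misses. The `candidate` pattern, the fragment case and the sample URIs are assumptions that go beyond the thread; the script only tests the expressions against strings and does not model how SpamAssassin extracts URIs from a message.

```python
import re

EXT = r"\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)"

RULES = {
    # The two patterns quoted in the thread, transcribed unchanged.
    "end_only": re.compile(EXT + r"$", re.I),
    "end_or_query": re.compile(EXT + r"($|\?)", re.I),
    # Hypothetical variant (not from the thread): also accept a fragment
    # or trailing punctuation directly after the extension.
    "candidate": re.compile(EXT + r"(?=$|[?#,;:!)\]>'\"])", re.I),
}

# Constructed sample URIs; example.com is a placeholder host.
SAMPLES = [
    "http://example.com/blah.exe",               # plain download link
    "http://example.com/blah.exe?token=cookie",  # query string appended
    "http://example.com/blah.EXE#top",           # fragment appended
    "http://example.com/foo.exe,",               # trailing punctuation kept
    "http://example.com/foo.exe.html",           # should not be flagged
    "http://example.com/executive.html",         # should not be flagged
]


def matrix(samples=SAMPLES):
    """Return {uri: {rule_name: bool}} for every rule."""
    return {u: {n: bool(r.search(u)) for n, r in RULES.items()}
            for u in samples}


def misses(rule_name, expected_hits):
    """URIs that should be flagged by a rule but are not."""
    m = matrix(expected_hits)
    return [u for u in expected_hits if not m[u][rule_name]]


if __name__ == "__main__":
    for uri, row in matrix().items():
        flags = "  ".join(f"{n}={'hit' if v else '-'}" for n, v in row.items())
        print(f"{uri:45} {flags}")
```
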
