Best kept TYPO3 secret - WAF
The security team long time ago promised to release a ruleset for a Web Application Firewall (WAF) based on Apache's mod_security. Some are still waiting for an official announcement after the conference talk at T3CON07. And some have heard about it on todays talk at T3CON08.
For those who can't wait any longer for official announcements: it's already there since, well, since the beginning of this year I guess. The waf-newsgroup lacks a bit in activity (4 postings in one year), but one postings already revealed the secret on January 2008:
The ruleset hides at http://typo3.org/waf.txt
I didn't test it but had a quick look at the file. It's a quite short configuration and I could not spot any TYPO3 specific rules. One lines points to an external file called modsecurity_crs_9999_typo3.conf but I couldn't find that file. Well, waf.txt also reveals that the current version was written on September, 2007. So maybe a newer one is already released, but kept secret somewhere else ;-)
When will the rules for Typo3? I look forward to for so long.