URI Filtering in Web Servers???

[Boni Bruno <boni () dsw net>]

I was wondering why apache, iPlanet, IIS, Oracle, etc have not built a
module
to filter uri submissions to their web server.  Instead of waiting for
patches
to be made available by these vendors, it seems a lot easier to just
have a
file that the web server could reference as a filter before processing a 
request.  

Having a filter file that supports wildcards and restricts meta
characters
and size of uri requests can solve a lot of security problems. 

I know you can do this with IDS systems, but why not handle it in the
web
server itself?  The designer of a web site could filter everyting but
his
programs.  If he did not program buffer restrictions or traps or
sandboxes
in his code, the web server could compensate for a lot of short commings
if
such a uri filtering scheme was made available.

I know this does not address all the security problems, but I think it
will
help a lot!

What do you think?

Mr. Ranum, did you address this in your WEB Security book???

If I'm way off base here, forgive me...

Regards,

boni bruno
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards