ConvolutedTheory Nerdy. Deal with it. Or go away.

27Feb/10

Drupal and mod_security : Part 2

Hi all,

I've gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I'm removing actually do. Well, I'll explain.

First rule, 960010:
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
    "chain, t:lowercase, deny,log,auditlog,status:401,msg:'Request content type is not allowed by policy',,id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"

This rule applies to any request whose method is not GET, HEAD, PROPFIND or OPTIONS (in practice, POSTs) and denies it unless the Content-Type header is application/x-www-form-urlencoded (optionally with a charset), multipart/form-data or text/xml. Apparently, Drupal doesn't respect this rule in posts.

Next, 960015:
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
"chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

This says that any request other than an OPTIONS request *must* have an Accept header sent with it: the first chain matches when the header is missing altogether, the second when it is present but empty. Neither chain specifies a disruptive action of its own, so what happens on a match is whatever SecDefaultAction sets.

Next, 960032:
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,log,auditlog,status:401,msg:'Method is not allowed by policy', severity:'2',,id:'960032',"

This says that any method other than POST, GET, OPTIONS or HEAD isn't allowed. While this is generally true, and I don't know why Drupal will occasionally hit this rule, I just remove it for completeness.

And lastly, 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

This rule merely checks the URL encoding of the request: the first rule in the chain runs @validateUrlEncoding over the filename, arguments, argument names, headers (except Referer) and XML body, and the second matches any % sign that isn't followed by a valid %XX or %uXXXX escape. I say merely, but this rule is also matched almost _all of the time_.

I haven't actually run through the Drupal code and figured out why these are completely necessary; however, I do know that they've fixed quite a few people's problems.
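A scoped alternative to editing the CRS rule files, as an added example that is not from the original post or from the CRS project: the same four rule IDs are disabled with SecRuleRemoveById inside the Drupal virtual host only, and one rule is exempted even more narrowly for a single path with a ctl action. The hostname, paths and the local rule id are placeholders.

```apache
# Added example, not part of the original post or of the CRS itself.
# Assumes the base ModSecurity config and the CRS 2.x rule files are
# Included inside this vhost before the exceptions below, because
# SecRuleRemoveById only affects rules that have already been defined.
<VirtualHost *:80>
    # placeholder hostname and document root for the Drupal site
    ServerName drupal.example.com
    DocumentRoot /var/www/drupal

    # placeholder path: wherever the CRS rule files live on this host
    Include conf/modsecurity_crs/*.conf

    # Disable the four rules from the post for this vhost only, so any
    # other site on the same server keeps the full CRS policy.
    #   960010  Content-Type policy for non-GET methods
    #   960015  missing or empty Accept header
    #   960032  method not POST/GET/OPTIONS/HEAD
    #   950107  URL encoding abuse
    SecRuleRemoveById 960010 960015 960032 950107

    # Narrower alternative for a single rule: keep 950107 active for the
    # whole site except one path known to trip it (placeholder path).
    # Phase 1 so the ctl action is applied before the phase-2 CRS rules
    # run; id 9901 is a placeholder from the range reserved for local rules.
    SecRule REQUEST_URI "^/some/drupal/path/" \
        "phase:1,nolog,pass,id:9901,ctl:ruleRemoveById=950107"

    # Keep auditing relevant transactions so the effect of these
    # exceptions can be reviewed later.
    SecAuditEngine RelevantOnly
</VirtualHost>
```

Because Apache does not allow trailing comments on directive lines, every comment above sits on its own line; the exceptions must come after the Include, or they silently do nothing.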

Anyway, hope that clarifies some things for people.

14Feb/10

Dantes Inferno: ++

Dante and Virgil kickin' it old school down by the hell.

Well, last week I got Dante's Inferno for the PS3 (the game, I've had the poem for years), and I have to say it's a pretty good game overall. It chronicles a soldier of the crusade fighting through hell as described by Dante Alighieri to try to win back the soul of the woman he loves. Later, we find out Dante wasn't such a good guy while he was slaughtering thousands of people, but you probably guessed that already.

Oh, and he didn't know he was dead? Fighting Death and stealing his scythe didn't give that away? What? A few little plot holes aside, it was awesome. Any difficulty higher than Hellish is damn near impossible even with a decked-out set of gear (it's probably because I suck at it, though).

And it has King Minos! Everyone loves King Minos! Remember that show? With his wife Deborah?

...

Wait.

8Feb/10

Stuff I care about, but Delicious is being a pain in the ass.

USB VGA Adapters that work in Linux
nload
NSLU2 Ideas
Changing windows key in server 2008

Filed under: General, Link Dump

3Feb/10

Yay, paranoia!

Maybe because I've got this head cold, but I am oddly paranoid about random things in general as of late.

One sentence posts aren't usually my style, but short posts are better than no posts.

3Feb/10

Wow. Not the Warcraft kind.

Wow, it has been a long time since I posted something. You'd think I could find something to rant about. Anything.

So, I'll just post randomness.

The car chase scene from Mr. and Mrs. Smith? Awesome. Hilarity.

My Job? Not to brag, but I have quite possibly the most awesome job that has ever existed. Anywhere.

I'm making a remarkable attempt to get back into photography. Some of the photos from my last jaunt in this art are over on my deviantart page. It's in the sidebar.

Filed under: General