ConvolutedTheory Nerdy. Deal with it. Or go away.

27 Feb 10

Drupal and mod_security : Part 2

Hi all,

I've gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I'm removing actually do. Well, I'll explain.

First Rule: 960010
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
"chain, t:lowercase, deny,log,auditlog,status:401,msg:'Request content type is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"

For any request method other than GET, HEAD, PROPFIND or OPTIONS (in practice, POST), this rule only allows a Content-Type header of application/x-www-form-urlencoded (optionally with a charset), multipart/form-data or text/xml. Apparently, Drupal doesn't respect this rule in posts.

Next, 960015
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
"chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

This basically says that any request other than an OPTIONS request *must* have an Accept header sent with it. The first rule catches a missing header, the second an empty one.

Next, 960032:
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,log,auditlog,status:401,msg:'Method is not allowed by policy', severity:'2',id:'960032'"

This says any method other than POST, GET, OPTIONS or HEAD isn't allowed. While generally this is true, and I don't know why Drupal will occasionally hit this rule, I just remove it for completeness.

And lastly,

Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

This rule merely checks that URL encoding is valid in the request filename, arguments, argument names, headers (Referer excluded) and XML content. I say merely, but this rule is also matched almost _all of the time_.

I haven't actually run through the Drupal code and figured out why these are completely necessary; however, I do know that they've fixed quite a few people's problems.

Anyway, hope that clarifies some things for people.
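
Added example (not from the original post or from the ModSecurity project): a small Python harness that evaluates a request against the four rules quoted above, so you can see which rule a given request trips before deciding which ones to remove. The function name `rules_hit`, the simplified `INVALID_ENC` stand-in for `@validateUrlEncoding`, and the sample requests are assumptions made for illustration.

```python
import re

# Patterns copied from the rules quoted in the post.
CT_EXEMPT = re.compile(r"^(?:get|head|propfind|options)$")
CT_ALLOWED = re.compile(
    r"(?:^(?:application\/x-www-form-urlencoded"
    r"(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)")
METHOD_OK = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")
BAD_PERCENT = re.compile(r"\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")
# Assumption: simplified stand-in for the @validateUrlEncoding operator,
# which flags a '%' that is not followed by two hex digits.
INVALID_ENC = re.compile(r"%(?![0-9a-fA-F]{2})")


def rules_hit(method, path, headers, args):
    """Return the ids of the four rules a request would trigger."""
    hdr = {k.lower(): v for k, v in headers.items()}
    hits = []
    # 960010: non-exempt method (t:lowercase) with a disallowed Content-Type.
    # A missing header gives the chained rule nothing to inspect, so no hit.
    ctype = hdr.get("content-type")
    if (not CT_EXEMPT.search(method.lower()) and ctype is not None
            and not CT_ALLOWED.search(ctype)):
        hits.append("960010")
    # 960015: Accept absent or empty on anything but OPTIONS.
    if not hdr.get("accept") and method != "OPTIONS":
        hits.append("960015")
    # 960032: method outside POST, GET, OPTIONS, HEAD.
    if not METHOD_OK.search(method):
        hits.append("960032")
    # 950107: a value must fail both chained checks. Simplified: each value
    # is tested on its own, and the XML:/* target is not modelled.
    values = [path, *args.keys(), *args.values()]
    values += [v for k, v in hdr.items() if k != "referer"]
    if any(INVALID_ENC.search(v) and BAD_PERCENT.search(v) for v in values):
        hits.append("950107")
    return hits


if __name__ == "__main__":
    # Constructed requests, not captured Drupal traffic.
    print(rules_hit("POST", "/node/add", {"Content-Type": "application/json"},
                    {"body": "save 5%now"}))
    print(rules_hit("GET", "/", {"Accept": "text/html"}, {"q": "a%20b"}))
```

Note that a value such as `50% off` fails the first check of 950107 but not the chained regex, because the `%` is followed by a non-word character.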

2 Oct 08

mod_security and Drupal 6.2 issues.

If you're going to be using Drupal with mod_security, making the following changes will probably save you some frustration later :) .

<LocationMatch "/">
SecRuleRemoveById 960010
SecRuleRemoveById 960015
SecRuleRemoveById 960032
SecRuleRemoveById 950107
</LocationMatch>

Also, set SecResponseBodyLimit and SecRequestBodyInMemoryLimit to something like 51200000 and 12288000 respectively. They may seem a bit high, but I've run into problems with them when managing a lot of Drupal users and permissions.

Happy Drupal-ing.

   
