ConvolutedTheory » drupal http://www.convolutedtheory.com Nerdy. Deal with it. Or go away. Fri, 30 Dec 2011 15:39:02 +0000 en hourly 1 http://wordpress.org/?v= Drupal and mod_security : Part 2 http://www.convolutedtheory.com/tech/linux/drupal-modsecurity-part-2/ http://www.convolutedtheory.com/tech/linux/drupal-modsecurity-part-2/#comments Sat, 27 Feb 2010 23:29:06 +0000 Derek http://www.convolutedtheory.com/?p=126 Hi all,

I’ve gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I’m removing actually do. Well, I’ll explain.

First Rule: 960010
SecRule REQUEST_METHOD “!^(?:get|head|propfind|options)$” \
“chain, t:lowercase, deny,log,auditlog,status:401,msg:’Request content type
is not allowed by policy’,,id:’960010′,severity:’4′”
SecRule REQUEST_HEADERS:Content-Type “!(?:^(?:application\/x-www-form-urlencoded
(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)”

This rule basically only allows certain content-type headers to be passed with the request methods listed in REQUEST_METHOD. Apparently, Drupal doesn’t respect this rule in posts.

Next, 960015
SecRule &REQUEST_HEADERS:Accept “@eq 0″ \
“chain,skip:1,log,auditlog,msg:’Request Missing an Accept Header’, severity:’2′,,id:’960015′,”
SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”
SecRule REQUEST_HEADERS:Accept “^$” \
“chain,log,auditlog,msg:’Request Missing an Accept Header’, severity:’2′,,id:’960015′,”
SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”

This basically says, any request other than an OPTIONS request, *must* have an Accept header sent with it.

Next, 960032:
SecRule REQUEST_METHOD “!^((?:(?:POS|GE)T|OPTIONS|HEAD))$” \
“phase:2,log,auditlog,status:401,msg:’Method is not allowed by policy’, severity:’2′,,id:’960032′,”

This says any methods other than POST, GET, OPTIONS or HEAD aren’t allowed. While generally this is true, and I don’t know why Drupal will occasionally hit this rule, I just remove it out of completeness.

And Lastly,

Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer “@validateUrlEncoding” \
“chain, deny,log,auditlog,status:400,msg:’URL Encoding Abuse Attack Attempt’,,id:’950107′,severity:’4′”
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer “\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})”

This rule merely checks the URL encoding on a URL. I say merely, but this rule is also matched almost _all of the time_.

I haven’t actually run through the Drupal code and figured out why these are completely necessary, however I do know that they’ve fixed quite a few peoples problems.

Anyway, hope that clarifies some things for people.

]]> http://www.convolutedtheory.com/tech/linux/drupal-modsecurity-part-2/feed/ 0 mod_security and Drupal 6.2 issues. http://www.convolutedtheory.com/tech/mod_security-and-drupal-62-issues/ http://www.convolutedtheory.com/tech/mod_security-and-drupal-62-issues/#comments Thu, 02 Oct 2008 11:25:27 +0000 Derek http://www.convolutedtheory.com/?p=15 If you’re going to be using Drupal with mod_security, making the following changes will probably save you some frustration later :) .

<LocationMatch “/”>
SecRuleRemoveById 960010
SecRuleRemoveById 960015
SecRuleRemoveById 960032
SecRuleRemoveById 950107
</LocationMatch>

Also, set SecResponseBodyLimit and SecRequestBodyInMemoryLimit to something like 51200000 and 12288000 respectively. They may seem a bit high, but if you’re managing a lot of Drupal users and permissions I’ve run into problems with them.

Happy Drupal-ing.

]]> http://www.convolutedtheory.com/tech/mod_security-and-drupal-62-issues/feed/ 6