ConvolutedTheory Nerdy. Deal with it. Or go away.

Drupal and mod_security : Part 2

Hi all,

I've gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I'm removing actually do. Well, I'll explain.

First Rule: 960010
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
"chain, t:lowercase, deny,log,auditlog,status:401,msg:'Request content type
is not allowed by policy',,id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded
(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"

This rule basically only allows certain content-type headers to be passed with the request methods listed in REQUEST_METHOD. Apparently, Drupal doesn't respect this rule in posts.

Next, 960015
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
"chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

This basically says, any request other than an OPTIONS request, *must* have an Accept header sent with it.

Next, 960032:
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,log,auditlog,status:401,msg:'Method is not allowed by policy', severity:'2',,id:'960032',"

This says any methods other than POST, GET, OPTIONS or HEAD aren't allowed. While generally this is true, and I don't know why Drupal will occasionally hit this rule, I just remove it out of completeness.

And Lastly,

Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

This rule merely checks the URL encoding on a URL. I say merely, but this rule is also matched almost _all of the time_.

I haven't actually run through the Drupal code and figured out why these are completely necessary, however I do know that they've fixed quite a few peoples problems.

Anyway, hope that clarifies some things for people.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.