Hi all,
I’ve gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I’m removing actually do. Well, I’ll explain.
First Rule: 960010
SecRule REQUEST_METHOD “!^(?:get|head|propfind|options)$” \
“chain, t:lowercase, deny,log,auditlog,status:401,msg:’Request content type
is not allowed by policy’,,id:’960010′,severity:’4′”
SecRule REQUEST_HEADERS:Content-Type “!(?:^(?:application\/x-www-form-urlencoded
(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)”
This rule basically only allows certain content-type headers to be passed with the request methods listed in REQUEST_METHOD. Apparently, Drupal doesn’t respect this rule in posts.
Next, 960015
SecRule &REQUEST_HEADERS:Accept “@eq 0″ \
“chain,skip:1,log,auditlog,msg:’Request Missing an Accept Header’, severity:’2′,,id:’960015′,”
SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”
SecRule REQUEST_HEADERS:Accept “^$” \
“chain,log,auditlog,msg:’Request Missing an Accept Header’, severity:’2′,,id:’960015′,”
SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”
This basically says, any request other than an OPTIONS request, *must* have an Accept header sent with it.
Next, 960032:
SecRule REQUEST_METHOD “!^((?:(?:POS|GE)T|OPTIONS|HEAD))$” \
“phase:2,log,auditlog,status:401,msg:’Method is not allowed by policy’, severity:’2′,,id:’960032′,”
This says any methods other than POST, GET, OPTIONS or HEAD aren’t allowed. While generally this is true, and I don’t know why Drupal will occasionally hit this rule, I just remove it out of completeness.
And Lastly,
Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer “@validateUrlEncoding” \
“chain, deny,log,auditlog,status:400,msg:’URL Encoding Abuse Attack Attempt’,,id:’950107′,severity:’4′”
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer “\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})”
This rule merely checks the URL encoding on a URL. I say merely, but this rule is also matched almost _all of the time_.
I haven’t actually run through the Drupal code and figured out why these are completely necessary, however I do know that they’ve fixed quite a few peoples problems.
Anyway, hope that clarifies some things for people.
More From derek
derek Recommends
- Free Backlinks…..Get Backlinks Every Day! (Chad Nicely)
- What Can You Do With Craigslist? (Chad Nicely)
