A place where the Joyent community can gather, help each other out, and stay informed.
How do I disable mod_security with lighttpd? I've searched through the forums and I have been unable to find anything. I'm getting the following error on my rails app running under lighttpd:
The precondition on the request for the URL /albums/edit_details/7 evaluated to false.
I submitted a ticket on a couple of 412 errors I've run into the past couple of days but I have yet to have a reply, so I figured I would post here. Thanks.
Ok, this is plainly stupid, while posting a lyric I have found this:
[Tue Nov 29 20:36:35 2005] [error] [client 83.55.202.173] mod_security: Access denied with code 412. Pattern match "echo\\x20" at POST_PAYLOAD [hostname "itorres.bedynamic.net"] [uri "/admin/content/preview"] [unique_id LQSnWs8HbPMAAXVEN3wAAABH]
The offending line is this one:
Voices echo in the hall
Being that I'm proxied in lighttpd and that a .htaccess will not help, what can I do? I could replace the space behind echo with an entity, which would permit me to send this text, but it won't fix the problem in the long run.
Rules like this one make no sense to me. I understand and thank the TD crew for setting up mod_security, but I think fine tuning of the rules is in order.
itorres wrote:
Rules like this one make no sense to me. I understand and thank the TD crew for setting up mod_security, but I think fine tuning of the rules is in order.
I'm not saying that the rule is necessarily a good one, but I'd guess it's meant to prevent XSS attacks and SQL injection (for example, someone might craft a POST request that tries to query a password out of a site's database and show it on the page with the PHP echo function).
ubernostrum wrote:
itorres wrote:
Rules like this one make no sense to me. I understand and thank the TD crew for setting up mod_security, but I think fine tuning of the rules is in order.
I'm not saying that the rule is necessarily a good one, but I'd guess it's meant to prevent XSS attacks and SQL injection (for example, someone might craft a POST request that tries to query a password out of a site's database and show it on the page with the PHP echo function).
I guessed that much, but still it feels like the solution is worse than the problem, for it is actually banning a proper English word.
Think of something like manuals.textdrive.com. It would go completely bananas with this.
cch wrote:
you can ticket in and ask them to disable mod_security for your account in their htconf.
you can probably have it so that it allows everything in /admin, but not elsewhere.
That would be the best for me, but if I think about someone with a forum on textdrive I can understand that they get pissed about this.
Maybe a link for further information about mod_security on TD on the error page would be welcome by lots of folks.
On the other hand, I don't like to abuse tickets; I think that the technical team has enough work as it is, and harassing them with small petitions like this one makes me uncomfortable.
Would it be very hard to make a webmin mod_security section with on/off settings? Or an interface for deactivating/fine tuning offending rules?
I know I will regret saying this, but I would be glad to help with making it work.
Is there a way to tell mod_security to ignore this specific rule? It's not a rule I can live with. If somebody tries to post anything on my Drupal sites like "is there an echo in here?" it trips the rule and displays the incomprehensible 412 error.
I don't want to turn mod_security off. I could add a rule like this:
SecFilterSelective "POST_PAYLOAD" "echo " "allow,nolog"
Would that just override the existing rule which I imagine looks something like this:
SecFilterSelective "POST_PAYLOAD" "echo " "log,deny,status:412"
Or would it do a Bad Thing and override all other filter rules if it finds "echo "?
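As an added illustration (not code from this thread, from TextDrive or from mod_security itself), a small Python model of first-match rule evaluation shows why the "echo\x20" pattern from itorres's log line trips on the lyric and on the Drupal comment, and what happens with the "allow,nolog" override Geary asks about when it is placed in front of the other filters. The second deny rule, the tuned pattern and the sample bodies are constructed for the example.

```python
import re

# Minimal model of mod_security 1.x filter evaluation, as assumed here:
# rules are checked in order; the first rule whose pattern matches decides,
# "deny" stops with the configured status and "allow" stops and skips every
# remaining rule. This is a simulation, not mod_security.
def evaluate(rules, payload):
    for pattern, action in rules:
        if re.search(pattern, payload):
            return action
    return "pass"

# Rule set as guessed in the thread: the loose "echo " deny from the log,
# plus one hypothetical extra deny rule standing in for "all the other filters".
ORIGINAL = [
    (r"echo\x20", "deny:412"),
    (r"<script", "deny:412"),   # hypothetical second rule
]

# Geary's proposed fix: an allow rule in front. It lets the lyric through,
# but also skips every later rule for ANY body containing "echo ".
ALLOW_FIRST = [(r"echo\x20", "allow")] + ORIGINAL

# Hypothetical tuned rule instead: only flag "echo" in shell-command position
# (start of payload or right after ; & | `) followed by a metacharacter
# argument, so ordinary English sentences no longer match.
TUNED = [
    (r"(?:^|[;&|`])\s*echo\s+[\$`\"'<>|]", "deny:412"),
    (r"<script", "deny:412"),
]

# Constructed sample POST bodies (not taken from the thread's logs).
SAMPLES = {
    "lyric":    "Voices echo in the hall",
    "comment":  "is there an echo in here?",
    "shellish": "; echo $HOME",
    "mixed":    "echo <script>",   # would hit the second rule if reached
}

def results(rules):
    """Map each sample body to the action the given rule set produces."""
    return {name: evaluate(rules, body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("allow_first", ALLOW_FIRST), ("tuned", TUNED)):
        print(label, results(rules))
```

The "mixed" sample is the Bad Thing Geary worries about: with the allow rule first it never reaches the second filter, whereas the tuned pattern still lets the later rule run.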
Geary wrote:
Is there a way to tell mod_security to ignore this specific rule? It's not a rule I can live with. If somebody tries to post anything on my Drupal sites like "is there an echo in here?" it trips the rule and displays the incomprehensible 412 error.
For now you can just override things in the manner you've listed; I've done it with my own weblog, which once had an unfortunate URL title for an entry. But...
The recently-released version 1.9 of mod_security has a whole bunch of new features, including the ability to override specific rules, and looks pretty cool. Any word from the admins on whether/when we'll get upgraded?
Last edited by ubernostrum (2005-12-04 11:27:22)
I have tried visiting a site in the 9rules network hosted at dreamhost that always gives me a 412 precondition failed error and tells me to use firefox (which I do). Most frustrating.
ubernostrum wrote:
The recently-released version 1.9 of mod_security has a whole bunch of new features, including the ability to override specific rules, and looks pretty cool. Any word from the admins on whether/when we'll get upgraded?
Sweet! Yes, that is exactly what I'm looking for. The way it sits right now, mod_security is its own DOS attack. I've had several people tell me their site was broken because they were getting these mysterious precondition failed errors. And they're right, the site IS broken when a legitimate user visit or post triggers mod_security.