Textpattern CMS support forum
How do I get around mod_security precondition failed the way Txp does?
Hi,
I’m working on an application hosted on my textdrive account and I ran into a problem where placing the acronym ftp into a text field would kick off mod_security and it would produce a 412 error.
Apparently mod_security can be set to check POST data for particular strings and then reject the client with a 412 error if particular strings are found (ftp\x20 and wget\x20 for instance).
I tried putting the same strings into my textpattern blog installed on the same hosting account and textpattern was able to post the data just fine. I looked and saw that nothing was being done to the field data before being posted (by javascript or other client-side language or system).
So…..how does textpattern deal with this and what can it teach me on how to handle this type of security system within my own apps?
Thanks
Last edited by Walker (2006-10-16 15:09:56)
Offline
Re: How do I get around mod_security precondition failed the way Txp does?
You have either turned off mod_security for your textpattern folder, or the people at textdrive have added general rules that exempt “textpattern”-directories.
AFAIK we do not do anything to work around too tight/strictly configured security software. In a proper hosting setup the customer always has the ability to change or turn off such a system (and I know Textdrive has this in their documentation), so this is a deployment problem, and IMHO not really a development problem.
Offline
Re: How do I get around mod_security precondition failed the way Txp does?
Awesome! That was the direction pointer I was looking for.
Thanks Sencer.
Offline
#4 2006-10-16 23:56:36
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: How do I get around mod_security precondition failed the way Txp does?
With my own blog, I haven’t had any problems yet. With my mom’s blog, I had a problem just once, which was fixed by
SecFilterEngine On
SecFilterSelective "HTTP_REFERER" "/journal/169/specialist" "allow,nolog"
(Turns off mod_security for one post that had problems.)
Offline
Re: How do I get around mod_security precondition failed the way Txp does?
Thanks Mary, Sencer answered this question perfectly. The issue I was running into was when writing tutorials for txpmanual.com. Putting the word “ ftp “ in a form field was causing the problem; I relieved it by specifying that single phrase in the .htaccess like so:
SecFilterEngine On
SecFilterSelective "POST_PAYLOAD" "ftp" "allow,nolog"
The first line turns on Security Filtering Access.
The second line says that if data being posted to the folder has the word ftp in it, that it should still be allowed and that the security filter does not need to bother logging the possible security breach.
Last edited by Walker (2006-10-25 00:44:12)
Offline
#6 2007-04-23 20:53:22
- els
- Moderator
- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: How do I get around mod_security precondition failed the way Txp does?
Can I do something like this in my .htaccess to solve this problem I’m having? When I write the word ‘select’ in an article I get a 406 Not Acceptable. It took me a while to figure out what the offending word was ;)
If I can, what should it be exactly?
Offline
Re: How do I get around mod_security precondition failed the way Txp does?
Like this in htaccess:
SecFilterEngine On
SecFilterSelective "POST_PAYLOAD" "select" "allow,nolog"
Offline
Re: How do I get around mod_security precondition failed the way Txp does?
I use my IP to bypass security.
SecFilterSelective REMOTE_ADDR ^###.###.###.###$ nolog,allow
where ###.###.###.### is my IP. This allows for any input from the particular IP. My IP is not 100% static, but I have ADSL and I seldom log out, so changing it once every few weeks is not a real problem for me :)
Last edited by colak (2007-04-24 06:27:20)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
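Added example, not part of any post in this thread: the POST_PAYLOAD and REMOTE_ADDR exemptions posted above, rewritten as one chained ModSecurity 1.x rule so that "allow" applies only to the admin script and only from the editor's address. The URI pattern and the 203.0.113.10 address are placeholder assumptions; substitute the path and address of the actual installation.

```apache
# ModSecurity 1.x directives (same family as the rules in the posts above).
SecFilterEngine On

# Broad form from the thread, shown commented out for comparison.
# It matches any POST body containing "ftp", and "allow" ends rule
# processing for that request, so no later filter inspects it.
# "nolog" also means the exemption leaves no trace in the logs.
# SecFilterSelective "POST_PAYLOAD" "ftp" "allow,nolog"

# Narrower form: "chain" makes the next rule part of the same test, and
# only the last rule's actions run, and only if every rule in the chain
# matched.
#   1) the request targets the admin script (assumed path), and
#   2) the request comes from the editor's address (placeholder address,
#      dots escaped so they match literally)
SecFilterSelective REQUEST_URI "^/textpattern/index\.php" chain
SecFilterSelective REMOTE_ADDR "^203\.0\.113\.10$" "allow,log"
```

With "log" instead of "nolog", every request that takes the exemption is recorded, so unexpected use of it can be spotted later.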
#9 2007-04-24 14:37:54
- els
- Moderator
- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: How do I get around mod_security precondition failed the way Txp does?
Thanks both! :)
Offline
#10 2007-04-26 21:22:30
- els
- Moderator
- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: How do I get around mod_security precondition failed the way Txp does?
Unfortunately neither of your suggestions seems to work :( Does it matter where in .htaccess I put these lines?
The only thing that I was able to find that does work is adding SecFilterEngine Off, save my article, and remove it again (I don’t suppose it’s safe to just leave it there?)
I’m also having trouble changing certain things in the admin panel of a Pixelpost install. The same solution works for this problem. But I’d prefer to have a better way of solving this.
Offline
Re: How do I get around mod_security precondition failed the way Txp does?
Pixelpost? Is that a hosting comp.?
Anyway, I dunno what to tell you..I just put:
SecFilterEngine On
SecFilterSelective "POST_PAYLOAD" "select" "allow,nolog"
…in my htaccess file where “select” is whatever word was being blocked by the security filter.
Offline
#12 2007-04-26 21:36:25
- els
- Moderator
- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: How do I get around mod_security precondition failed the way Txp does?
Walker wrote:
Pixelpost? Is that a hosting comp.?
It’s a photoblog app that I have installed in a subdirectory :) Changing the site’s url in the admin panel and saving it leads to a url like domain.com/subdir/admin/index.php?view=options&optaction=updateurl, which I suppose mod_security doesn’t like either.
Walker wrote:
Anyway, I dunno what to tell you..I just put:
SecFilterEngine On
SecFilterSelective "POST_PAYLOAD" "select" "allow,nolog"
…in my htaccess file where “select” is whatever word was being blocked by the security filter.
I understand that, it just doesn’t work for me. But I’m still googling…
Offline