
Textpattern CMS support forum


#1 2008-09-22 20:58:14

jamm1n
Member
Registered: 2008-04-23
Posts: 19

mod_security issue

Hi, I have had a look around and I can’t find any problems exactly similar to mine.

I am trying to acquaint myself with mod_security (with limited success).

A past issue (I wasn’t able to save pages/articles) resulted in my having to ask for mod_security on each domain to be disabled to get txp to work properly. (Hope this is normal.) I don’t get high enough admin rights to do this myself with my reseller’s account.

So anyway,

I think one of my customers corrupted his db, or he was the unfortunate victim of an injection attack which rendered the admin side of txp unusable, as something in it caused the server’s firewall to block his IP. I repaired the db through cPanel … all ok.

As a result of the firewall block, mod_security is back on for his domain. When I asked my tech support to switch it off again, they told me the following:

“Instead of disabling Mod_security for the domain. You will just need to change all the instances of “txp_img” with “txp-img” . As we have updated the security rules for the word _img, _image, _images etc. As there were few injections attempts on our servers tried to inject few malicious code.

So for security reasons please change all the instances of “txp_img” with “txp-img” in your web pages.”

This has me somewhat stumped. I understand only vaguely what he is saying, and certainly don’t know how to implement it.

Please can someone help me? I am back to my original problem of being unable to edit articles.

Many thanks

Last edited by jamm1n (2008-09-23 07:39:29)


#2 2008-09-22 22:12:16

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: mod_security issue

So for security reasons please change all the instances of “txp_img” with “txp-img” in your web pages.

Does that translate as: because some piece of software has a known security problem, please perform unnecessary modifications to all other software even though that software is not vulnerable and by doing so make it harder to keep that software up-to-date (security updates!)?

Which hosting company are you using?


#3 2008-09-23 07:37:06

jamm1n
Member
Registered: 2008-04-23
Posts: 19

Re: mod_security issue

A company called eukhost.
They have always been pretty good to me! I see what you are getting at though….
I really DO NOT want to have to do this (or I think I don’t!). It would mean a lot of extra work.


#4 2008-09-23 09:07:38

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: mod_security issue

Try putting this in a .htaccess file within the textpattern directory:

<IfModule mod_security.c>
SecFilterScanPOST Off
</IfModule>


#5 2008-09-23 09:38:00

jamm1n
Member
Registered: 2008-04-23
Posts: 19

Re: mod_security issue

That works a treat! – thank you so much.
I shall be using this all the time from now on. :)
Thanks again.


#6 2008-09-23 09:52:57

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,324

Re: mod_security issue

Any clues on why a server admin might ban *_img for file names but allows overriding crucial Apache options?


#7 2008-09-23 10:32:30

jamm1n
Member
Registered: 2008-04-23
Posts: 19

Re: mod_security issue

I [obviously] have much to learn….. if this is bad practice, do you think I should start looking for a different host?


#8 2008-09-23 17:45:25

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: mod_security issue

If there has been a recent security breach that can be avoided by letting a mod_security rule block _img, then that in itself isn’t such a bad thing, but the rest of the story doesn’t make sense. I think they should recommend that people upgrade/fix the software that is vulnerable to a ‘_img’ attack instead of telling people to simply rename similarly named functions to use -img instead of _img, because if this is done for a vulnerable software package as well, you’ve just opened yourself to a new injection attack, since mod_security only filters _img, not -img. That does not make sense.

As I said before, this makes it more work to do security updates, because you’d have to do those replacements after each update. More work often means the security update happens later rather than sooner. And that means a greater risk of people abusing a security leak (one that mod_security doesn’t prevent). The end result is that the well-intended use of mod_security to increase security can actually lead to reduced security due to out-of-date (manually modified) software packages not being updated in time.

The hosting company perhaps didn’t think of both aforementioned side-effects. Might be a good idea to mention this to them.

If they didn’t allow you to override the mod_security settings per directory, then I’d recommend moving, but since you can now easily circumvent those mod_security rules (do keep TXP up-to-date!) and you seem to be satisfied with their service… why bother moving ;)
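
The argument in post #8, as an added example that is not part of the thread: a keyword rule of the kind the host describes rejects a harmless article save that merely contains `txp_img`, while the same content renamed to `txp-img` is never examined, so the rename says nothing about whether the underlying software is safe. The regex, field names and request bodies are assumptions constructed for illustration; the host's actual rule is not shown in the thread.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Assumed shape of the host's rule: the thread only says it targets the words
# "_img, _image, _images etc."; the real rule text is not shown.
HOST_RULE = re.compile(r"_(?:img|images?)", re.IGNORECASE)


def scan_post(body: str, rule: re.Pattern = HOST_RULE) -> dict:
    """Return {parameter: [matched tokens]} for a urlencoded POST body,
    the way a keyword filter sees it once POST scanning is enabled."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        # The rule is applied to names and decoded values alike; it has no
        # notion of which application, or which parameter, is actually at risk.
        found = rule.findall(name) + rule.findall(value)
        if found:
            hits[name] = sorted(set(found))
    return hits


def would_block(body: str) -> bool:
    """True when any parameter trips the keyword rule."""
    return bool(scan_post(body))


# Constructed sample requests (field names are hypothetical).
ARTICLE_SAVE = urlencode({
    "event": "article", "step": "save",
    "Title": "Holiday photos",
    "Body": '<div class="txp_img">...</div>',   # benign markup, still matches
})
# Same content after the rename the host asked for: the rule no longer fires,
# for safe and unsafe software alike.
RENAMED_SAVE = ARTICLE_SAVE.replace("txp_img", "txp-img")
PLAIN_SAVE = urlencode({"event": "article", "Title": "No images here"})

if __name__ == "__main__":
    for label, body in [("article save", ARTICLE_SAVE),
                        ("renamed save", RENAMED_SAVE),
                        ("plain save", PLAIN_SAVE)]:
        print(f"{label:13} blocked={would_block(body)} hits={scan_post(body)}")
```
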


#9 2008-09-23 18:23:03

jamm1n
Member
Registered: 2008-04-23
Posts: 19

Re: mod_security issue

I understand, point taken. I had to ask though, (they have been great to me so far!)
Many thanks.

