[wp-hackers] What would strip $_POST before 'init' runs?

Dion Hulse (dd32) wordpress at dd32.id.au
Thu Jul 19 11:41:17 UTC 2012


mod_Security itself is a major PITA most of the time. I'm not saying
it's useless, but that doesn't make it a pain when you come up against
it.
The mod_security rules are often defined very loosely. In your case,
it might be catching a fieldname containing 'action' and a URL as the
value, in case a site is doing something such as include(
$_GET['field-action'] . '.php' ); ... Now that might sound like an
utterly stupid thing for an application to do, but it's exactly what
mod_security is used to protect against in many cases.
Many people do not realise the rules can be updated either, or know
how - I certainly don't - but I do know the only time I've ever run
afoul of them, the rules were over 4 years old, and updating them to
the latest release solved the user's issue.


On 19 July 2012 18:57, Mike Walsh <mpwalsh8 at gmail.com> wrote:
> It wasn't my server but the server of someone who is using my WordPress
> Google Form plugin.  As it turns out, the problem isn't completely solved
> because if someone submits a form that contains a URL in one of the post
> variables, the Apache security module (ModSecurity?) kicks in and issues a
> 403.
>
> AtomicModSecurity Rules:
> http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules
>
> I tried adding this to the .htaccess file based on this thread:
> http://forums.asmallorange.com/topic/7356-mod-security-wordpress-403-forbidden/
>
>
> <IfModule mod_security.c>
>     SecFilterEngine Off
>     SecFilterScanPOST Off
> </IfModule>
>
> Unfortunately it didn't work.  What a PITA this is.  If I update my WordPress
> profile on this site and add a URL, it posts correctly.  Looking at the
> headers for that post versus the headers for my post, nothing jumps out at
> me as an obvious difference, but I will keep poking at it.
>
> Mike
>
> On Wed, Jul 18, 2012 at 4:30 PM, Brian Layman <wp-hackers at thecodecave.com>wrote:
>
>> Can you clarify that a little further? Was that just the value for a post
>> field?
>>
>> I'd like to understand what your server didn't like in case it ever comes
>> up again.
>>
>> Brian Layman
>>
>> On 7/18/2012 2:07 PM, Mike Walsh wrote:
>>
>>> Replying to my own message - I have finally figured it out.  The Apache
>>> server security doesn't like that I was passing a Google Form URL in a
>>> post parameter.  By encoding it and then decoding it later when I actually
>>> needed it, the server is happy and is no longer throwing 403 errors.
>>>
>>> Mike
>>>
>>> On Wed, Jul 18, 2012 at 12:45 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:
>>>
>>>> I finally got some additional data on this problem I am chasing.  The
>>>> hosting provider coughed up a server error log.  This is what it
>>>> contains:
>>>>
>>>> [error] ModSecurity: Access denied with code 403 (phase 2). Match of "rx
>>>> ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
>>>> [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
>>>> [line "489"]
>>>> [id "340162"]
>>>> [rev "262"]
>>>> [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection
>>>> attempt in ARGS (AE)"]
>>>> [data "https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq"]
>>>> [severity "CRITICAL"]
>>>> [hostname "lanaddicts.org"]
>>>> [uri "/test-form/"]
>>>> [unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]
>>>>
>>>> Thanks,
>>>>
>>>> Mike
>>>>
>>>> Anyone have any suggestions on how to interpret this?
>>>>
>>>> --
>>>>
>>> Mike Walsh - mpwalsh8 at gmail.com
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>
>
>
>
> --
> Mike Walsh - mpwalsh8 at gmail.com
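The log Mike quotes and Dion's point about loosely written rules can be modelled in a few lines. This is an added example, not code from the thread, from WordPress or from Atomicorp: the rule logic is one reading of the chained "required" match in the log (a URL in any argument is blocked unless it points back at SERVER_NAME), and ALLOWED_HOSTS is an assumption about what the plugin should accept once the URL is hidden from the WAF by encoding.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for the chain behind rule 340162 as the log describes it:
# a "remote file injection" match on any argument carrying a URL, chained with a
# negated "!@rx ://%{SERVER_NAME}/" check (the "required" in the log), so only
# same-host URLs survive. The real Atomicorp rule text is not on the page.
REMOTE_URL_RX = re.compile(r"(?i)\b(?:https?|ftp)://")


def modsec_verdict(server_name, args):
    """Return (allowed, offending_arg_name) for a dict of request arguments."""
    for name, value in args.items():
        if REMOTE_URL_RX.search(value):
            # Chained negated check: a URL back to this site is not "remote".
            if not re.search(r"://" + re.escape(server_name) + "/", value):
                return False, name
    return True, None


def encode_form_action(url):
    """Mike's workaround: carry the URL in a form that contains no '://'."""
    return base64.urlsafe_b64encode(url.encode()).decode()


# Assumption: the plugin only ever posts to Google Forms, so the decoded value
# is pinned to that host. Encoding moved the URL past the WAF, so the
# application is now the only thing checking it.
ALLOWED_HOSTS = {"docs.google.com"}


def decode_form_action(token):
    """Decode the hidden field and accept it only if it is an https URL to an allowed host."""
    try:
        url = base64.urlsafe_b64decode(token.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return None
    return url
```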

