#12
12th March 2013, 13:05
SpeedyB

Remoting is not working with mod-security installed

This is due to a "Request Missing an Accept Header" error.

To fix this, add the following code to the 000-ispconfig.vhost (at the bottom):
Code:
<LocationMatch "/remote/index.php">
  SecRuleRemoveById 960015 
</LocationMatch>

==================

Since I only want to enable rules for the PHP files which need to be excluded, I have the following ruleset for WordPress:

Code:
# Each comment sits on its own line: Apache does not allow a comment on the same line as a directive.
<LocationMatch "/">
  # Google robot activity - Useful in some ways but noisy for sites where you want them crawled
  SecRuleRemoveById 910006
  # Request Missing an Accept Header - Allow for Google Reader
  SecRuleRemoveById 960015
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
  # System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
  SecRuleRemoveById 950006
  # Disable XSS
  SecRuleRemoveById 950004
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
  # Disable XSS
  SecRuleRemoveById 950004
</LocationMatch>

<LocationMatch "(/wp-admin/|/wp-login.php)">
  # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other Linux paths in posts.
  SecRuleRemoveById 950005
  # Remote File Inclusion Attack - Disable to allow http:// to be passed in args
  SecRuleRemoveById 950117
</LocationMatch>

<LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
  # System Command Injection
  SecRuleRemoveById 950907
  # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other Linux paths in posts.
  SecRuleRemoveById 950005
  # System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
  SecRuleRemoveById 950006
  # SQL Injection Attack
  SecRuleRemoveById 959006
  # Request Missing a Host Header
  SecRuleRemoveById 960008
  # GET or HEAD requests with bodies
  SecRuleRemoveById 960011
  # Request Containing Content, but Missing Content-Type header
  SecRuleRemoveById 960904

  # Detects JavaScript object properties and methods
  SecRuleRemoveById phpids-17
  # Detects JavaScript language constructs
  SecRuleRemoveById phpids-20
  # Detects very basic XSS probings
  SecRuleRemoveById phpids-21
  # Detects common XSS concatenation patterns 1/2
  SecRuleRemoveById phpids-30
  # Detects url injections and RFE attempts
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
  # System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
  SecRuleRemoveById 950006
  # SQL Injection Attack
  SecRuleRemoveById 959006
  # Request content type is not allowed by policy - Allows for amongst other things spell check to work on admin area
  SecRuleRemoveById 960010
  # Require Content-Length to be provided with every POST request - Same as above
  SecRuleRemoveById 960012

  # Detects JavaScript object properties and methods
  SecRuleRemoveById phpids-17
  # Detects JavaScript language constructs
  SecRuleRemoveById phpids-20
  # Detects very basic XSS probings
  SecRuleRemoveById phpids-21
  # Detects common XSS concatenation patterns 1/2
  SecRuleRemoveById phpids-30
  # Detects url injections and RFE attempts
  SecRuleRemoveById phpids-61
</LocationMatch>
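Added example, not part of SpeedyB's post: a Python sketch that reports which rule IDs a vhost like the one above removes for a given request path, since every matching LocationMatch block applies and the exclusions add up. The sample config is a constructed, shortened copy of the post's rules, the function names are hypothetical, and Python's `re` stands in for Apache's regex engine (an assumption that holds for these simple patterns).

```python
import re

# Constructed sample: a shortened copy of the exclusions from the post above.
SAMPLE_VHOST = r'''
<LocationMatch "/">
  SecRuleRemoveById 910006
  SecRuleRemoveById 960015
</LocationMatch>
<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 950006
  SecRuleRemoveById 950004 # Disable XSS
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
  SecRuleRemoveById 950005
  SecRuleRemoveById 950117
</LocationMatch>
'''

def parse_exclusions(conf):
    """Return ([(pattern, [ids])], [warnings]) for each LocationMatch block."""
    blocks, warnings, current = [], [], None
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r'<LocationMatch\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = (opened.group(1), [])
            blocks.append(current)
        elif line.lower().startswith("</locationmatch"):
            current = None
        elif current and re.match(r"SecRuleRemoveById\s", line, re.I):
            args = line.split()[1:]
            if "#" in " ".join(args):
                # Apache has no end-of-line comments: the words after '#'
                # reach the directive as extra arguments.
                warnings.append(f"line {n}: trailing comment parsed as arguments")
                args = " ".join(args).split("#")[0].split()
            current[1].extend(args)
    return blocks, warnings

def removed_for(path, blocks):
    """Union of rule IDs removed for a request path (unanchored regex match)."""
    ids = set()
    for pattern, rule_ids in blocks:
        if re.search(pattern, path):
            ids.update(rule_ids)
    return sorted(ids)

if __name__ == "__main__":
    blocks, warnings = parse_exclusions(SAMPLE_VHOST)
    for p in ("/index.php", "/wp-login.php", "/wp-admin/post.php"):
        print(p, removed_for(p, blocks))
    print(*warnings, sep="\n")
```

Because `"/"` is an unanchored regex, its two exclusions apply to every URL on the site, and `/wp-admin/post.php` ends up with the union of all three blocks.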