#1, 16th July 2012, 15:43
alb3 (Junior Member; joined Mar 2012; 5 posts)
Wordpress and mod_security

Hello everybody,
I administer a server based on Debian with ISPConfig 3, and I'm having issues related to image and video management with the Wordpress CMS: it's possible to upload files, but when I try to insert them in a post, I get a 403 error.

Here's what I get from /var/log/apache2/modsec_audit.log:

Quote:
[www.mysite.net/sid#xxx][rid#xxx][/robots.txt][1] Access denied with code 403 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod-security/modsecurity_crs_21_protocol_anomalies.conf"] [line "xx"] [id "xxx"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Now, if I set SecRuleEngine to Off, everything works, but of course it's not a good solution.
Setting up rules on .htaccess could maybe do the trick, but I don't know where to start from.
Could anybody provide a link or a suggestion to solve the problem?
#2, 17th July 2012, 09:33
till (Super Moderator; joined Apr 2005; Lüneburg, Germany; 35,446 posts)

Try to add this line in the .htaccess file:

SecRuleRemoveById 1234567

Replace the number 1234567 with the ID of the rule that you want to disable for this website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3, 17th July 2012, 12:03
alb3 (Junior Member; joined Mar 2012; 5 posts)

Hi till,
adding that line to .htaccess causes an internal server error that blocks everything, no matter which rule I add (I'm having issues with basically everything that is not plain text or standard HTML code).
#4, 17th July 2012, 12:40
till (Super Moderator; joined Apr 2005; Lüneburg, Germany; 35,446 posts)

Then add the rule in the Apache directives field of the website settings in ISPConfig instead.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#5, 17th July 2012, 13:21
alb3 (Junior Member; joined Mar 2012; 5 posts)

Thank you, it works!
Just wondering, isn't it a security issue to disable the rule?
Looking more closely at the logs, I've found out that the upload process is actually detected as a SQL injection attack: OK, I can remove the rule only for the file that causes the problem (media-upload.php in this case), but I mean, what happens if I get a real SQL injection attack?
Maybe now I understand why some say Wordpress has security problems...
#6, 17th July 2012, 13:58
till (Super Moderator; joined Apr 2005; Lüneburg, Germany; 35,446 posts)
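An added example, not code from this thread, from ISPConfig or from the ModSecurity project: a small Python script that parses lines in the format alb3 quoted from modsec_audit.log, counts which rule id blocked which request URI, and renders the kind of scoped exclusion that Till's reply points at (pasted into ISPConfig's Apache directives field), limited to one path such as media-upload.php rather than removing the rule site-wide or setting SecRuleEngine Off. The sample log lines, the host name, the rule ids RULEID-A and RULEID-B and the request ids are constructed placeholders; `<Location>` and `SecRuleRemoveById` are real Apache / ModSecurity 2.x directives.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted from modsec_audit.log above.
# Host, rule ids (RULEID-A, RULEID-B), line numbers and request ids are
# placeholders; replace them with the values from your own log.
SAMPLE_LOG = """\
[www.mysite.net/sid#xxx][rid#xxx][/robots.txt][1] Access denied with code 403 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod-security/modsecurity_crs_21_protocol_anomalies.conf"] [line "xx"] [id "RULEID-A"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
[www.mysite.net/sid#xxx][rid#xxx][/wp-admin/media-upload.php][2] Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:post_content. [file "/etc/apache2/mod-security/modsecurity_crs_41_sql_injection_attacks.conf"] [line "xx"] [id "RULEID-B"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
[www.mysite.net/sid#xxx][rid#xxx][/wp-admin/media-upload.php][3] Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:post_content. [file "/etc/apache2/mod-security/modsecurity_crs_41_sql_injection_attacks.conf"] [line "xx"] [id "RULEID-B"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
[www.mysite.net/sid#xxx][rid#xxx][/index.php][4] Warning. Pattern match "(?i:...)" at ARGS:s. [file "/etc/apache2/mod-security/modsecurity_crs_41_sql_injection_attacks.conf"] [line "xx"] [id "RULEID-B"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
"""

# Leading "[host/sid#..][rid#..][uri][n]" prefix, then the free-text message.
HEADER_RE = re.compile(
    r'^\[(?P<host>[^\]/]+)/sid#[^\]]*\]\[rid#[^\]]*\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<n>\d+)\]\s*(?P<body>.*)$'
)
# Bracketed key/value pairs such as [id "950901"] or [msg "SQL Injection Attack"].
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')


def parse_modsec_line(line):
    """Return a dict of the fields in one audit-log line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    rec = {
        'host': m.group('host'),
        'uri': m.group('uri'),
        # "Access denied ..." means the request was blocked; "Warning." only logged.
        'denied': body.startswith('Access denied'),
        'code': None,
        'tags': [],
    }
    code = re.search(r'with code (\d+)', body)
    if code:
        rec['code'] = int(code.group(1))
    for key, val in TAG_RE.findall(body):
        if key == 'tag':
            rec['tags'].append(val)   # [tag "..."] may repeat
        else:
            rec[key] = val            # file, line, id, msg, severity
    return rec


def denied_by_rule_and_uri(log_text):
    """Count blocked requests per (rule id, request URI) so false positives stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec and rec['denied']:
            counts[(rec.get('id', '?'), rec['uri'])] += 1
    return counts


def scoped_exclusion(rule_id, path):
    """Render a snippet for the vhost / ISPConfig Apache directives field that removes
    one rule for one path only, leaving it active everywhere else on the site."""
    if not path.startswith('/'):
        raise ValueError('path must be absolute, e.g. /wp-admin/media-upload.php')
    return (
        f'<Location "{path}">\n'
        f'    SecRuleRemoveById {rule_id}\n'
        f'</Location>\n'
    )


if __name__ == '__main__':
    for (rule_id, uri), n in denied_by_rule_and_uri(SAMPLE_LOG).most_common():
        print(f'{n:4d}  rule {rule_id}  blocked {uri}')
    # Example: exclude the rule that trips on the WordPress media upload page only.
    print(scoped_exclusion('RULEID-B', '/wp-admin/media-upload.php'))
```

Run it against a real modsec_audit.log to see which (rule, path) pairs recur. A rule that only fires on one admin page used by logged-in authors is a candidate for a scoped exclusion; the same rule firing on arbitrary front-end URIs is exactly the real-attack case alb3 asks about, and the `<Location>` scope leaves it enabled there.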

If the rule is enabled, then Wordpress will not work. So you can decide if you want to use this rule or if you want to use Wordpress. By the way, you disabled just one specific rule, and it's normal that you have to disable some rules for some CMS systems, as you always get false positives with mod_security, so that's not Wordpress's fault and it's not related to whether Wordpress is a secure or insecure system. Wordpress belongs to the better CMS systems; if you want an insecure CMS, use Joomla.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#7, 17th July 2012, 14:08
alb3 (Junior Member; joined Mar 2012; 5 posts)

Good to know.
And thanks for your work with Howtoforge and ISPConfig: I'm learning a lot about how a server works!