Low variables and mod_security
Hi Low
Re: https://getsatisfaction.com/low/topic...
I'm seeing this problem more and more where saving an LV entry page bumps the user to a 404 page. In all cases the host thinks it's related to new mod_security rules being rolled out.
Obviously I can just disable mod_security on a site by site basis but long term disabling security is not a good thing to do!
I'm wondering if there's anything you can do with LV to take this into account.
For reference, it seems to happen with the file field and text fields that have an http:// URL in them.
Rob
Replies
Low 11 Mar 2015 15:14
It's hard for me to take this into account. It's not mod_security as a whole, but only certain rules in it, which can be defined by the host. I'm not sure why LV triggers this. If it's only the input field content, then the regular publish form should encounter these issues more often, too. But as long as I don't know what combination of factors triggers the mod_security rules, there's not much I can do to prevent it.
FYI, mod_security doesn't need to be disabled completely; just the rules that trigger the 404/403.
Rob (Bluedreamer) 11 Mar 2015 16:21
Thanks for the reply!
I haven't seen it happen on regular channel entries, so yes it's very hard to guess!
Good note about only disabling 403/404 rules...
Rob
Rob (Bluedreamer) 11 Mar 2015 18:15
FYI, the stuff that was causing it was:
Rules were 340633 and 340634, both "Remote File Injection attempt".
Low 11 Mar 2015 18:23
Those rules differ from server to server, and I don't know what exactly would trigger "remote file injection". It would be a combination of post data, vars and urls. And again, this is different per server...
Rob (Bluedreamer) 11 Mar 2015 20:23
Yep that's the catch eh?
Thanks for clarifying things Low!
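
Added example, not part of the thread and not Low's or the host's code: a Python sketch of Low's point that only the triggering rules need disabling. It reads ModSecurity 2.x Apache error-log lines, lists which rule IDs and request fields caused a denial, and emits a `SecRuleRemoveById` exclusion scoped to one path. The log lines, `/admin.php`, the field names and rule 999001 are constructed; 340633 and 340634 are the IDs Rob reported.

```python
import re
from collections import defaultdict

def _line(action, var, rule_id, uri):
    # Builds one constructed log line in ModSecurity 2.x Apache error-log format.
    return ('[Wed Mar 11 18:00:00 2015] [error] [client 203.0.113.7] ModSecurity: '
            '%s Pattern match "..." at %s. [file "/etc/modsec/host.conf"] [line "1"] '
            '[id "%s"] [msg "Remote File Injection attempt"] [uri "%s"]'
            % (action, var, rule_id, uri))

DENY = "Access denied with code 403 (phase 2)."
# Constructed sample: two denials on the CP save URL, one warning, one other URL.
SAMPLE_LOG = "\n".join([
    _line(DENY, "ARGS:var[12]", "340633", "/admin.php"),
    _line(DENY, "ARGS:var[15]", "340634", "/admin.php"),
    _line("Warning.", "ARGS:q", "999001", "/admin.php"),   # logged, not blocked
    _line(DENY, "ARGS:url", "340633", "/index.php"),
])

DENIED = re.compile(r'ModSecurity: Access denied with code (\d+)')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')      # [id "..."], [uri "..."], ...
MATCHED = re.compile(r' at (\S+)\. \[')       # request variable that matched

def denials(log_text):
    """Map uri -> rule id -> set of matched request variables (denials only)."""
    out = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not DENIED.search(line):
            continue
        tags = dict(TAG.findall(line))
        where = MATCHED.search(line)
        if "id" in tags and "uri" in tags:
            out[tags["uri"]][tags["id"]].add(where.group(1) if where else "?")
    return out

def scoped_exclusion(log_text, uri):
    """Apache snippet removing only the rules that blocked `uri`, for that path only."""
    ids = sorted(denials(log_text).get(uri, {}))
    if not ids:
        return ""
    return ('<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (re.escape(uri), " ".join(ids)))

if __name__ == "__main__":
    for rule_id, fields in sorted(denials(SAMPLE_LOG)["/admin.php"].items()):
        print(rule_id, sorted(fields))
    print(scoped_exclusion(SAMPLE_LOG, "/admin.php"))
```

The per-field output shows which inputs tripped each rule, and the generated block leaves the same rules active for every other path on the site.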