
I get a 500 Internal Server Error when trying to save a file with some text that may resemble an SQL query. So ModSecurity is blocking it:

```
[client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\\\(.*from)" at ARGS:description. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "359"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "xxxxxxxxxxxxx.net"] [uri "/app/3/admin/modules/product/product_a.php"] [unique_id "TzvCxkPj2kkAAH4WkMwAAAAE"]
```

So I create an .htaccess file in the folder /app/3/admin/modules/product/:

```
<IfModule mod_security.c>
SecFilterRemove 300015
SecFilterRemove 300016
</IfModule>
```

But this is not solving the issue either. I am still getting a 500 code with log entries in Apache's log file.

Any idea why this may not be working?

Straseus
  • First things first, why do you have a need to "avoid" this? This is really asking for trouble. – Oldskool Feb 15 '12 at 14:46
  • This file handles POST requests to add data to a database. The POST request may contain SQL statements, is there another way to avoid this? – Straseus Feb 15 '12 at 14:49
  • phpMyAdmin must have the same problem. It would be interesting to find out how they circumvent it - Edit: ah, they don't. See the edit to my answer – Pekka Feb 15 '12 at 15:04

1 Answer


Is it really the saving of the file that is the problem? I find it hard to imagine, seeing as that isn't Apache's jurisdiction at all. Isn't it rather the query being in a query string that is causing trouble?

You might be able to circumvent that e.g. by base64 encoding the query (if the 33% size increase doesn't test the URL's size limits), or storing the query in a session variable and passing only a unique random key pointing to the variable.

Edit: if you're really transmitting live SQL queries that you later execute - don't do it. It's exactly the reason why this mod_security filter exists.

Either way, phpMyAdmin, a database management tool, has the same problem: It transmits live queries for running. There are a number of posts dealing with phpMyAdmin and mod_security. This one suggests a number of other filter IDs to disable. (Ideally, you would do this only for the one file that needs to receive the POST data.)

Pekka
  • It's a POST request that's being intercepted by Apache. The file is actually a form handler. – Straseus Feb 15 '12 at 14:49
  • How do I base64 encode? It's a simple form that posts to a php page. I think I can use JS ajax to do this, but I'd prefer to avoid if possible. Though the base64 encoding idea is genius! – Straseus Feb 15 '12 at 15:11
  • @Straseus see [How can you encode to Base64 using Javascript?](http://stackoverflow.com/q/246801) although I would try disabling some more filters first (see my edit), using base64 feels a bit hacky – Pekka Feb 15 '12 at 15:12
  • My initial issue was that my rule exclusions are not working. =) – Straseus Feb 15 '12 at 15:14
  • @Straseus as said, see my edit. The linked forum post has some more rule IDs: `SecRuleRemoveById 950004,950006,950911,950801,950001` – Pekka Feb 15 '12 at 15:15
  • @Straseus right! That stinks... Then you may indeed have to resort to base64 – Pekka Feb 15 '12 at 15:23
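
A path-scoped exclusion of the kind the answer recommends ("only for the one file that needs to receive the POST data"), added here as an example and not posted by anyone in the thread. It assumes ModSecurity 2.x, which the `modsec2.user.conf` path in the log suggests; there the module is `mod_security2.c` and the removal directive is `SecRuleRemoveById`, while `mod_security.c` and `SecFilterRemove` are the ModSecurity 1.x names. It also assumes the lines go in the server or virtual-host configuration, loaded after the file that defines the rules.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.x and placement
# in the main or virtual-host config, after modsec2.user.conf is loaded.
# Rule IDs, argument name and URI are the ones shown in the question's log.

# Too broad: disables the SQL injection rules for every URL on the host.
# <IfModule mod_security2.c>
#     SecRuleRemoveById 300015 300016
# </IfModule>

# Use ONE of the two blocks below, not both.

# Option A: remove the two rules, but only for the single form handler.
<IfModule mod_security2.c>
    <LocationMatch "^/app/3/admin/modules/product/product_a\.php$">
        SecRuleRemoveById 300015 300016
    </LocationMatch>
</IfModule>

# Option B (ModSecurity 2.6 or later): keep rule 300016 active for the
# handler and exempt only the free-text field that matched in the log,
# so every other argument of the request is still inspected.
<IfModule mod_security2.c>
    <LocationMatch "^/app/3/admin/modules/product/product_a\.php$">
        SecRuleUpdateTargetById 300016 "!ARGS:description"
    </LocationMatch>
</IfModule>
```

After reloading Apache, a blocked request should no longer log `[id "300016"]` for that URI, while the same text posted to any other URL should still be denied.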