Mod security resulted in 406 error

**thewave** · 11-23-2005, 12:55 PM

I'm having the same problem with a mambo/joomla install. Its breaking half of the SEF url's

**thewave** · 11-23-2005, 01:53 PM

Add this to your .htaccess Should fix the problem

SecFilterEngine Off

**AndrewT** · 11-23-2005, 01:55 PM

Doing that is strongly discouraged. This virtually disables much of mod_security meaning that your scripts will not be protected by it at all and there will be no tolerance given to accounts that choose to disable it and get exploited.

**thewave** · 11-23-2005, 02:00 PM

Then perhaps you could offer another solution? SMF forum seems to have similar problems with MOD_security. Can you perhaps modify the rules ?

**thewave** · 11-23-2005, 02:04 PM

Is seems mod_security also filters certain "keywords" as well.

You can see an example below

Having problems with mod_security?

http://www.simplemachines.org/community/index.php?topic=34270.msg377287

Having problems with mod_security?

**AndrewT** · 11-23-2005, 02:05 PM

The problem is that the /../../ string is used quite often through exploited scripts. There really isn't much reason for a production script to be using that sort of pathing instead of absolute paths.

**AndrewT** · 11-23-2005, 02:06 PM

Originally posted by thewave

Is seems mod_security also filters certain "keywords" as well.

You can see an example below
http://www.simplemachines.org/commun...4270.msg377287

Yes. We filter GET and POST requests.

**thewave** · 11-23-2005, 02:09 PM

On its face, this seems overly restrictive. Is there nothing that can be done to mitigate the potential risk but still allow the search engine friendly urls?

**thewave** · 11-23-2005, 02:23 PM

This is amusing. Simply entering the word curl in some contact forms or search scripts is enough to trigger mod_security.

**AndrewT** · 11-23-2005, 03:07 PM

Recent events made one thing particularly clear - we cannot depend on users to run secure and properly coded scripts. Therefore we are stuck with this solution.

Overall I've had only four or five people that have raised issues that they've had with mod_security thus far.

**thewave** · 11-23-2005, 06:49 PM

Originally posted by AndrewT

Recent events made one thing particularly clear - we cannot depend on users to run secure and properly coded scripts. Therefore we are stuck with this solution.
.

I know where this "discussion" will probably end up, but I didn't realize that users were expected to know which scripts were "properly coded". Are we expected to be PHP programmers in order to be hosted here? What makes your statement above even more amusing is the fact that "improperly coded" scripts are available via auto-installer.

Further, this module as presently configured seems to function arbitrarily.

can you explain why this url triggers mod_security, but the next doesn't?

http://www.marketinginfo.co.uk//content/view/37/28/

http://www.marketinginfo.co.uk//content/view/9/1/

**AndrewT** · 11-23-2005, 06:59 PM

I'm not asking for everyone to be experts. But far too many users just go through cPanel and install every script available with no plans to even use them let alone update them.

I was referring more specifically to the mail injection problems due to MANY people using horribly coded PHP scripts using the mail() function without first check user input for additional mail headers.

You will not have this problem if you use the script with real GET requests instead of the pathing method.

**thewave** · 11-23-2005, 07:23 PM

Originally posted by thewave

Further, this module as presently configured seems to function arbitrarily.

can you explain why this url triggers mod_security, but the next doesn't?

http://www.marketinginfo.co.uk//content/view/37/28/

http://www.marketinginfo.co.uk//content/view/9/1/

I'm still wondering if you can explain why the first URL above sets off mod-security, but the second does not.

**AndrewT** · 11-23-2005, 11:00 PM

I didn't write the script, I don't know how it is all handled internally. Perhaps you should ask the developers.

Mod security resulted in 406 error

Mod security resulted in 406 error

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment