Possibly Jonathan's issue with posting content

Daniel Bachhuber

Apr 13, 2011, 7:36:28 PM
to CoPress Support
Hooray for infinitely expansive Google email

Begin forwarded message:

From: Miles Skorpen <mi...@copress.org>
Date: 09 June 2009 4:45:17 PM EDT
To: Daniel Bachhuber <dan...@copress.org>
Subject: Fwd: [Liquid Web, Inc. support ID# 1482018] Re: [Liquid Web, Inc. support ID# 1482018] Re: [Liquid Web, Inc. support ID# 1482018] Re: [Liquid Web, Inc. support ID# 1482018] Re: mod_security



Begin forwarded message:

To figure out what the rule ID being triggered was I ran the following
command:

 tail /usr/local/apache/logs/modsec_audit.log

which returned:

 --97a7c73b-H--
 Message: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" at ARGS:content. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]
 Action: Intercepted (phase 2)
 Stopwatch: 1233185129379248 482649 (109716* 122107 -)
 Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
 Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6

[id "300016"] is what I needed. I then had to create a .conf file at the
following location to be compliant with cpanel (note the directories past
"conf" did not previously exist):

 /usr/local/apache/conf/userdata/std/thewhit/thewhitonline.com/<whatevernameyouwant>.conf

Inside this file, which I named "modsec2_300016_disable.conf" I placed the
following:

 <LocationMatch "/">
  SecRuleRemoveById 300016
 </LocationMatch>

Now, I had to run a few cpanel scripts to make sure that it would accept the
custom vhost entry we made above and that the new entry would be persistent
through various apache reconfigurations/recompiles.

Check to make sure cpanel will accept the custom vhost:
 /scripts/ensure_vhost_includes --user=thewhit

Save the httpd.conf configuration changes made by the above script so they are
persistent:

 /usr/local/cpanel/bin/apache_conf_distiller --update

Then one last restart of apache just to make sure everything is working as
intended:

 /etc/init.d/httpd restart
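
The forwarded reply above reads the rule ID from the last lines of the audit log with `tail`. As an added example (not part of the original thread or of the hosting provider's instructions), this shell function lists every intercepted request in the log with its rule ID, matched variable and request path, which shows which URLs an exclusion such as `SecRuleRemoveById 300016` has to cover. It assumes the serial audit log format; the sample log, host, paths and transaction IDs are constructed.

```shell
# Added example. Lists "<rule id> <variable> <METHOD> <path>" for every
# request ModSecurity intercepted, read from a serial-format audit log.
modsec_blocked() {
    awk '
    /^--[0-9a-fA-F]+-[A-Z]--$/ {                 # section boundary
        section = substr($0, length($0) - 2, 1)  # section letter: A, B, H, Z...
        if (section == "A") req = "-"            # a new transaction starts
        first = 1
        next
    }
    section == "B" && first {                    # request line: METHOD URI PROTO
        q = index($2, "?")                       # drop the query string
        req = $1 " " (q ? substr($2, 1, q - 1) : $2)
        first = 0
        next
    }
    section == "H" && /^Message: Access denied/ {
        id = "-"; var = "-"
        if (match($0, /\[id "[0-9]+"\]/))
            id = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, / at [A-Z_]+(:[^ .]+)?/))
            var = substr($0, RSTART + 4, RLENGTH - 4)
        print id, var, req
    }' "$@"
}

# Constructed sample log (hypothetical host, paths and transaction ids).
sample_log() {
    cat <<'EOF'
--1a2b3c4d-A--
[09/Jun/2009:16:45:17 --0400] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 51000 192.0.2.20 80
--1a2b3c4d-B--
POST /wp-admin/post.php?action=edit HTTP/1.1
--1a2b3c4d-H--
Message: Access denied with code 500 (phase 2). Pattern match "select.+from" at ARGS:content. [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[09/Jun/2009:16:46:02 --0400] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.11 51001 192.0.2.20 80
--5e6f7a8b-B--
GET /index.php?s=test HTTP/1.1
--5e6f7a8b-H--
Message: Access denied with code 500 (phase 2). Pattern match "select.+from" at ARGS:s. [id "300016"] [msg "Generic SQL injection protection"]
--5e6f7a8b-Z--
EOF
}

sample_log | modsec_blocked
```

Against the real log it is called as `modsec_blocked /usr/local/apache/logs/modsec_audit.log`. If the false positives all come from one path, the `<LocationMatch>` pattern can name that path instead of "/", so rule 300016 stays active for the rest of the site.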



Jonathan Morgan

Apr 13, 2011, 8:04:52 PM
to cop...@googlegroups.com, Daniel Bachhuber
Awesome.  Thank you all for the help.  It is much appreciated!

--
"The man with the new idea is a Crank until the idea succeeds."
- Mark Twain, from 'Following the Equator: A Journey Around the World'

Jonathan Morgan

Apr 19, 2011, 11:07:11 AM
to cop...@googlegroups.com, Daniel Bachhuber
Well, after mucking around with server configuration, it looks like this one was a remnant of my brief use of WordPress MU before I switched to WordPress 3.  There is a plugin called Unfiltered MU that used to keep the editor from stripping out HTML in WordPress MU (I guess the plain old WordPress had similar code integrated into it, but it didn't work right in MU).

Right when I first installed, I chucked that plugin in the mu-plugins directory sort of as a reflex, and then forgot it was there.  Removing it seems to have fixed the problem with truncation.

Wanted to throw it out there as another potential cause of truncation, in case others run into this.

Jon