compatibility with mod_security

Project:ProjectPier
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:new
Description

A number of actions in ProjectPier use a URL-based function that looks highly suspicious (like hacking or injection), to the point that most mod_security installations will block the action rather than allow it to execute. ProjectPier should take this into consideration, since more and more users will run into this issue as more hosts install mod_security to protect themselves and other customers.

For example, the url:
http://projects.ekklesialab.com/index.php?c=account&a=edit_avatar&id=1&redirect_to=http%3A...

triggers this error:
406 Not Acceptable
This request was blocked by mod_security.
Access denied with code 406. Pattern match "\\.php\\?.*=(http|https|ftp)\\:/.*\\?" at REQUEST_URI [severity "EMERGENCY"]

Priority:critical» normal

Oops, meant normal

I think this is unavoidable because of the nature of dynamic web applications: you have to be able to pass arguments through the URL.

If I'm missing something, please suggest a fix.

We could possibly get around it by base64_encoding it.

Maybe there is no need to include ROOT_URL, and it can be added at the time the redirect is executed?

http://projects.ekklesialab.com/index.php?c=account&a=edit_avatar&id=1&redirect_to=c%3Dacc...

Is there ever a need to redirect offsite?
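The last two comments suggest keeping ROOT_URL out of redirect_to and asking whether off-site redirects are needed at all. The following is an added example, not ProjectPier's own code, of what that looks like in PHP: redirect_to carries only the query string of an index.php action (the "c%3Dacc..." form shown above), and ROOT_URL is prepended when the redirect is issued. The mod_security rule quoted in the report fires on a ".php?" URL whose parameter value starts with "http:/" and contains a further "?"; a bare query string contains neither a scheme nor a host, so the rule has nothing to match and the parameter can no longer send the browser to another site. Base64-encoding the full URL, as suggested earlier, would also evade this one rule but would leave the parameter free to name any host. ROOT_URL's value, the helper names and the "c=dashboard" fallback are assumptions for this example.

```php
<?php
// Added example; not ProjectPier code. redirect_to holds only the query string
// of an index.php action; ROOT_URL is prepended at redirect time, so the
// parameter can never name another host and never contains "http://...?".
// ROOT_URL's value, the helper names and the fallback query are assumptions.

define('ROOT_URL', 'http://projects.ekklesialab.com');

// Only the characters http_build_query() emits. Anything else (":", "/", "#",
// "\", CR, LF) means the value is not a plain query string and is rejected.
const REDIRECT_QUERY_RE = '/^[A-Za-z0-9_.~%&=+\-]*$/';

/** Build the redirect_to value for an index.php action: query string only. */
function build_redirect_to(array $params): string {
    // e.g. ['c' => 'account', 'a' => 'edit_avatar', 'id' => 1]
    // becomes "c=account&a=edit_avatar&id=1"
    return http_build_query($params);
}

/**
 * Turn a redirect_to value back into an absolute on-site URL, or return null
 * if it is not a plain query string. Old-style absolute URLs, scheme-relative
 * "//host" forms and header-splitting CR/LF all fail the character check.
 */
function resolve_redirect(string $redirect_to): ?string {
    if ($redirect_to === '' || !preg_match(REDIRECT_QUERY_RE, $redirect_to)) {
        return null;
    }
    // A "%" must be followed by two hex digits; a stray "%" would otherwise be
    // passed straight through into the Location header.
    if (preg_match('/%(?![0-9A-Fa-f]{2})/', $redirect_to)) {
        return null;
    }
    return ROOT_URL . '/index.php?' . $redirect_to;
}

/** Issue the redirect; fall back to a fixed on-site page when the value is rejected. */
function redirect_back(string $redirect_to, string $fallback_query = 'c=dashboard'): void {
    $target = resolve_redirect($redirect_to) ?? ROOT_URL . '/index.php?' . $fallback_query;
    header('Location: ' . $target, true, 302);
    exit;
}

// Command-line smoke run (php redirect_example.php): the first two calls yield
// a query string and an on-site URL, the remaining three are rejected (NULL).
if (PHP_SAPI === 'cli') {
    $good = build_redirect_to(['c' => 'account', 'a' => 'edit_avatar', 'id' => 1]);
    var_dump($good);
    var_dump(resolve_redirect($good));
    var_dump(resolve_redirect('http://evil.example/?x=1'));      // absolute URL
    var_dump(resolve_redirect('//evil.example/'));                // scheme-relative
    var_dump(resolve_redirect("c=dashboard\r\nSet-Cookie: a=b")); // header injection
}
```

The link that sends the user to edit_avatar would then be built with build_redirect_to() and, after the form is saved, the controller calls redirect_back($_GET['redirect_to']). If an off-site destination really is needed somewhere, it should be a separate, explicitly whitelisted mechanism rather than a free-form URL in this parameter.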