Web Hosting Talk
  #1  
11-13-2008, 09:26 PM
FS - Mike
Developers not supporting Mod_security

Hello all,
this is actually my first post in this category as I'm more of a web host now than a programmer.
I've just had a client who couldn't get a gallery script to work (SMF Gallery) because mod_security flagged and wouldn't allow them to view full sized images. After reading through the developers forums, it would appear they are completely unwilling to adjust their program to be compatible with mod_security and are recommending that people completely disable it through an outdated and exploitable method (.htaccess adjustment).
Now when I used to program PHP, I never experienced any problems, whether in shared or dedicated environments, with mod_security of any version. This makes me wonder what is in this script that flags mod_sec.
Has anyone else had problems with mod_security in a shared environment? Has your host been able to accommodate you and get your script to work by editing the server? If not, have you been able to modify your script to function correctly?
I'd be interested in knowing how other people have fared with this as it's taken me and my tech team the better part of 2 days to figure out a feasible solution to this client's problem.
Mike
FragSwitch Ltd.: Specialist Community Hosting.
  #2  
11-13-2008, 10:37 PM
foobic
Community Liaison
I don't think it's really fair to expect the developers to work around mod_sec rules. Some of the "standard" rulesets are designed to be as general as possible - and they have to be, to stand a chance of blocking exploits heuristically. But of course this also makes it inevitable that they'll trigger some false positives, particularly on the lesser-known applications. And since the rules are always changing, the developers could end up in a never-ending struggle to avoid them.
I use both shared accounts and VPS, but I've only hit problems on VPS, I guess because I'm using the standard (more aggressive?) rulesets - gotroot etc. - where perhaps the shared hosts have already tailored / tamed their rules to work with common apps. But for me the solution is simply to check which rule is causing the problem and disable it by id for the specific account and directory.
Chris <ClonePanel>
"Not everything that can be counted counts, and not everything that counts can be counted" - Albert Einstein
  #3  
11-14-2008, 06:31 AM
FS - Mike
Well, from what I read, it's a frequent occurrence for this script to flag mod_sec. Surely if a large proportion of your users are having to disable an extra layer of defence, your script should be adjusted to accommodate them?
  #4  
11-14-2008, 09:21 PM
foobic
Community Liaison
You make it sound like mod_sec is a firewall, just blocking well-known ports, and all developers should simply adjust their application to use port 80 so they don't get blocked. It's not like that at all - the full rulesets are immensely complex, different on every host and changing all the time. How would you expect the developers to "adjust" for that? Can you specify exactly what they should do?
If this is a common application and frequently causes false positives then the rules should be changed to fix the problem. Ideally the rules should always be designed to differentiate between innocent use of an application and malicious exploitation of it, but of course this is extremely difficult to do (as with any kind of content-based filtering). Considering this I think mod_sec works remarkably well (a testament to the skill of the people writing the rules) but in practice it is and always will be imperfect, with both false positives and false negatives inevitable. As a host you can affect the likelihood of each by choosing the rulesets you use. Or, as I suggested before, you can take a reactive approach, disabling as necessary only those rules that trigger false positives.
There is one way developers could do what you ask: by encrypting all user input client-side before submitting it. So there'd be nothing for mod_sec to work on and you're guaranteed no false positives. Unfortunately you'd also be guaranteed no positives at all; since malicious inputs would go through exactly the same way this would make mod_sec completely useless. Better hope they aren't forced to go that way...
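The procedure Chris describes in #2 and again in #4 (read the log to see which rule fired, then remove that one rule by id for the affected account and directory only, leaving the rest of the ruleset in place), written out as an added example. This is not code from the thread, from either poster, or from the gallery project. It assumes ModSecurity 2.x under Apache, which records each rule match in the Apache error log as a run of [key "value"] pairs (file, line, id, msg, severity, hostname, uri), and it writes the exception as a SecRuleRemoveById inside a LocationMatch block for the site's vhost, since ModSecurity 2.x does not honour its directives in .htaccess by default. The log lines, host name, paths, rule ids (990001, 990002) and messages are constructed for the example and say nothing about any real rule or about what actually flagged the gallery script.

```python
"""Find which ModSecurity rule blocked a request and write a narrowly scoped
exception for it.  Added example for the thread above; not the forum's or the
gallery project's own code.

Assumes ModSecurity 2.x under Apache, which logs each rule match to the error
log as a run of [key "value"] pairs (file, line, id, msg, severity, hostname,
uri, ...).  SAMPLE_LOG is CONSTRUCTED: the host, paths, rule ids and messages
are invented for this example and describe no real rule and not the real cause
of the gallery problem discussed in the thread.
"""
import re

# One [key "value"] pair; the value may contain \" escapes.
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

SAMPLE_LOG = r'''
[Thu Nov 13 21:15:02 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:image. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "41"] [id "990001"] [msg "Constructed: suspicious parameter value"] [severity "CRITICAL"] [hostname "forums.example.org"] [uri "/gallery/index.php"] [unique_id "AAAA"]
[Thu Nov 13 21:15:09 2008] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "77"] [id "990002"] [msg "Constructed: unusual user agent"] [severity "WARNING"] [hostname "forums.example.org"] [uri "/gallery/index.php"] [unique_id "AAAB"]
[Thu Nov 13 21:16:30 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "41"] [id "990001"] [msg "Constructed: suspicious parameter value"] [severity "CRITICAL"] [hostname "forums.example.org"] [uri "/admin/login.php"] [unique_id "AAAC"]
[Thu Nov 13 21:17:00 2008] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
'''


def parse_modsec_line(line):
    """Return the [key "value"] fields of one ModSecurity error-log line plus a
    'denied' flag, or None for lines that are not ModSecurity rule matches."""
    if "ModSecurity:" not in line:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in _KV.findall(line)}
    if "id" not in fields:          # a match line always carries the rule id
        return None
    # "Warning." lines are rules in detection-only mode; only "Access denied"
    # lines actually broke the user's request.
    fields["denied"] = "Access denied" in line
    return fields


def blocking_matches(log_text):
    """All entries that actually denied a request, in log order."""
    out = []
    for line in log_text.splitlines():
        f = parse_modsec_line(line)
        if f and f["denied"]:
            out.append(f)
    return out


def rule_ids_for(matches, hostname, path_prefix):
    """Rule ids that blocked requests to `hostname` under `path_prefix`,
    mapped to (msg, severity) so the admin can see what is being switched off.
    Hits on other hosts or paths are deliberately left out: the exception must
    cover only the application that produced the false positive."""
    found = {}
    for m in matches:
        if m.get("hostname") == hostname and m.get("uri", "").startswith(path_prefix):
            found[m["id"]] = (m.get("msg", ""), m.get("severity", ""))
    return found


def render_exception(matches, hostname, path_prefix):
    """Apache snippet for the vhost of `hostname` that removes only the rules
    that fired under `path_prefix`.  Empty string when nothing fired there."""
    found = rule_ids_for(matches, hostname, path_prefix)
    if not found:
        return ""
    lines = [
        f"# {hostname}: rules removed only under {path_prefix} (generated from the error log)",
        f'<LocationMatch "^{re.escape(path_prefix)}">',
    ]
    for rid, (msg, sev) in sorted(found.items(), key=lambda kv: (len(kv[0]), kv[0])):
        lines.append(f"    # {rid}: {msg} [{sev}]")
        lines.append(f"    SecRuleRemoveById {rid}")
    lines.append("</LocationMatch>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    matches = blocking_matches(SAMPLE_LOG)
    for m in matches:
        print(f'{m["hostname"]}{m["uri"]}  id={m["id"]}  severity={m.get("severity")}  msg={m.get("msg")}')
    print()
    print(render_exception(matches, "forums.example.org", "/gallery/"))
```

The printed block goes into the site's vhost (not .htaccess) and Apache is reloaded. Two checks before applying it: look at the full request in the audit log rather than only the error-log line, so you know which parameter tripped the rule and can confirm it is ordinary gallery traffic and not a probe; and treat the "CRITICAL" label as the rule author's rating of what that pattern usually means, not as evidence that this request was an attack. In the constructed sample the same rule 990001 also fires on /admin/login.php, and the snippet leaves it active there, which is the whole point of removing by id within one path rather than turning the engine off.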
  #5  
11-15-2008, 04:27 AM
FS - Mike
As a host, that is exactly what I have done. I have removed the rule by id when requested for the site that has problems.
What I'm saying is that I haven't encountered a script before this one that flags mod_security. The rules I employ on my server aren't over-generalised, but they are effective at blocking malicious attacks directed towards the server.
I do realise that rule sets for mod_security can change drastically over different hosts, but the same could be said for a firewall as well. When there is the ability to customise something, you will find differences wherever you look.
I'm more interested in what causes this false positive as the rule has listed it as a critical attack and I wouldn't be happy if the script were exploited because something that helps keep it secure had to be disabled to make it work.