mod_security can kiss my ass

So there's been a problem with this blog, both on the comment side and this admin side where I make my posts. Namely, mod_security, an apache module, seems to be installed on my server and I can't disable it.

What does mod_security do? It scans all data sent to the server, and rejects any that fit a regex indicating it could be a potential SQL Injection.

Now, this sounds like an okay feature, except the regex it uses is completely retarded. And because of this, I'm leaving my server hosting when it's time to pay again. HostGator here I come.

Seriously, it's retarded. If I have the word "from" in my posts, it rejects it sometimes. If I have "create", or "insert", or "create table", it will probably reject it. My last post had 1 = 1^3, and the regex must have picked up "1 = 1", which is commonly used in SQL Injection, and rejected it.

So, what's my fix? I tried disabling mod_security, but that failed. And I was at a loss until using the bathroom tonight. (Funny how lots of my bright ideas come while using the bathroom...)

As of now, I'm base64 encoding all text-box input on the client side using JavaScript. (The function's toward the bottom of main.js if you're curious, I think it's generic. I just found it and copy-pasted.) Also, I'm adding "B 64_ENCODED" (without that space) at the beginning so the server knows it is receiving a base64_encoded string. It tries decoding the input, and seeing if that string is there. It will blindly remove all occurrences of that string because..well, I could go back and fix it to only remove the first, but I'm tired and pretty much done for the night. This is to protect submitted data from idiots trying to submit without JavaScript, because if I didn't have the check then their data would be empty (since PHP's base64_decode() will return an empty string if it fails for some reason somehow).

mod_security is the worst idea-with-good-intentions ever. Seriously, if you don't know how to deal with SQL Injection, and you're making websites, you deserve it when you are inevitably exploited. Apache, don't try to hold dev's hands on this.

Posted on 2010-04-03 by Jach

Tags: rant

Permalink: https://www.thejach.com/view/id/86

Trackback URL: https://www.thejach.com/view/2010/4/mod_security_can_kiss_my_ass

Back to the top

Back to the first comment

Comment using the form below

TheJach.com

Jach's personal blog

(Largely containing a mind-dump to myselves: past, present, and future)

Current favorite quote: "Supposedly smart people are weirdly ignorant of Bayes' Rule." William B Vogt, 2010

mod_security can kiss my ass

Posted on 2010-04-03 by Jach

Archives

Selected Posts

Recent Posts

Recent Comments

Better Websites

Email:
Password:
Remember Me

TheJach.com

Jach's personal blog

(Largely containing a mind-dump to myselves: past, present, and future)

Current favorite quote: "Supposedly smart people are weirdly ignorant of Bayes' Rule." William B Vogt, 2010

mod_security can kiss my ass

Posted on 2010-04-03 by Jach

Archives

Selected Posts

Recent Posts

Recent Comments

Tag Cloud

aliens

altruism

Anarchy

anime

anti-anarchy

artificial intelligence

assembly

atheism

awesome

bash

basics

bayes

books

business

c

c++

cars

circuit analysis

clojure

cloning

cognition

college

comics

computer engineering

couchdb

cryonics

curl

daily life

databases

debate

demo

design

disaster

economics

evolution

existentialism

FFP Machine

fiction

flex

fodder

food

forth

FPGA

free will

french

furcadia

future

games

git

government

grammar

hacking

HDL

hiring

history

immigration

intellectual property

italy

japan

java

jMonkeyEngine

language

learning

lisp

LucidDB

management

math

memo

money