Jach's personal blog

(Largely containing a mind-dump to myselves: past, present, and future)
Current favorite quote: "Supposedly smart people are weirdly ignorant of Bayes' Rule." William B Vogt, 2010

mod_security can kiss my ass

So there's been a problem with this blog, both on the comment side and this admin side where I make my posts. Namely, mod_security, an apache module, seems to be installed on my server and I can't disable it.

What does mod_security do? It scans all data sent to the server, and rejects any that fit a regex indicating it could be a potential SQL Injection.

Now, this sounds like an okay feature, except the regex it uses is completely retarded. And because of this, I'm leaving my server hosting when it's time to pay again. HostGator here I come.

Seriously, it's retarded. If I have the word "from" in my posts, it rejects it sometimes. If I have "create", or "insert", or "create table", it will probably reject it. My last post had 1 = 1^3, and the regex must have picked up "1 = 1", which is commonly used in SQL Injection, and rejected it.

So, what's my fix? I tried disabling mod_security, but that failed. And I was at a loss until using the bathroom tonight. (Funny how lots of my bright ideas come while using the bathroom...)

As of now, I'm base64 encoding all text-box input on the client side using JavaScript. (The function's toward the bottom of main.js if you're curious, I think it's generic. I just found it and copy-pasted.) Also, I'm adding "B 64_ENCODED" (without that space) at the beginning so the server knows it is receiving a base64_encoded string. It tries decoding the input, and seeing if that string is there. It will blindly remove all occurrences of that string because..well, I could go back and fix it to only remove the first, but I'm tired and pretty much done for the night. This is to protect submitted data from idiots trying to submit without JavaScript, because if I didn't have the check then their data would be empty (since PHP's base64_decode() will return an empty string if it fails for some reason somehow).

mod_security is the worst idea-with-good-intentions ever. Seriously, if you don't know how to deal with SQL Injection, and you're making websites, you deserve it when you are inevitably exploited. Apache, don't try to hold dev's hands on this.

Posted on 2010-04-03 by Jach

Tags: rant


Trackback URL:

Back to the top

Back to the first comment

Comment using the form below

(Only if you want to be notified of further responses, never displayed.)

Your Comment:

LaTeX allowed in comments, use $$\$\$...\$\$$$ to wrap inline and $$[math]...[/math]$$ to wrap blocks.