Host with LiquidWeb - mod_security rules

by Ken Task -
Number of replies: 2

I don't host there ... this is for someone else who does ...

Was creating a page resource in a course of a 3.5.highest of Moodle - code git acquired.

Went to save the page and got the dreaded Error 500 page. Internal Server Error ... blah, blah, blah.

URL: /course/modedit.php

In the customer/account area web server logs:

xx.xx.xx.xx - - [24/Dec/2018:09:33:51 -0500] "POST /site/course/modedit.php HTTP/1.1" 404 - "https://server/site/course/modedit.php?add=page&type=&course=4&section=1&return=0&sr=0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0"

404 is an apache error - NOT FOUND - file is there and ownerships/permissions are correct.

After an hour or two of looking around, finally ... find the main apache server logs.

I find the error 500 and 404 which is what is returned by mod_security ... grumble, grumble ...

ModSecurity: Access denied with code 500
msg "Generic SQL injection protection"

The rule:

#Generic SQL sigs
SecRule ARGS "((alter|create|drop):space:+(column|database|procedure|table)|delete:space:+from|update.+set.+=)" "id:300015,t:lowercase,rev:1,severity:2,msg:'Generic SQL injection protection'"

In the /modsec2/exclude.conf file I see quite a few entries for things like wordpresses, joomla's, other PHP based web apps ... none for Moodle.

Could venture guesses like:

# moodle
<LocationMatch "/course/modedit.php">
  SecRuleRemoveById 300015
</LocationMatch>

But rather than spend what might be hours and hours ... and testing anything/everything that Moodle does, thought I'd ask community ...

Now the question ...

Has anyone a set of mod_security rules for Moodle?

Thanks, in advance ... and have a Merry, Merry!

'spirit of sharing', Ken

In reply to Ken Task

Re: Host with LiquidWeb - mod_security rules

by Ken Task -

Let me re-phrase ... clarify ...

am not asking for a mod_security config file ... the entire thing ...

1. those that run mod_security ... have you also experienced the generic sql injection rule kick in ... sporadically.

2. is my 'guess' (for course/modedit.php) for configuring an exclusion to the rule correct?

# moodle
<LocationMatch "/course/modedit.php">
  SecRuleRemoveById 300015
</LocationMatch>

3. may as well go for it ... is there a rule where one could completely trust that Moodle code is secure enough to protect vs SQL injection? (if the moodle instance uses localhost for db server and no other access to the DB server is allowed or configured ... plus is git acquired and easily updated)

Thanks, in advance, Ken
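
Added example, not part of the original posts: a Python re-creation of rule 300015's match logic, run over constructed form submissions to show why the rule fires only on some page saves and which argument trips it. It assumes `:space:` in the quoted rule stands for the POSIX whitespace class (written `\s` here); the field name `page[text]` and all sample bodies are constructed for illustration.

```python
import re

# Pattern of rule 300015 as quoted in the thread. Assumption: ":space:" is the
# POSIX whitespace class, translated to \s for Python's re module.
RULE_300015 = re.compile(
    r"((alter|create|drop)\s+(column|database|procedure|table)"
    r"|delete\s+from|update.+set.+=)"
)


def matching_args(args):
    """Return {arg_name: matched_text} for every argument the rule would flag.

    Mirrors 'SecRule ARGS ... t:lowercase': each argument value is lowercased,
    then searched with the unanchored pattern.
    """
    hits = {}
    for name, value in args.items():
        m = RULE_300015.search(value.lower())
        if m:
            hits[name] = m.group(0)
    return hits


# Constructed POST bodies for /course/modedit.php (field names illustrative).
BENIGN_PAGE = {
    "name": "Week 1 housekeeping",
    "page[text]": '<p>Please update your profile and set your '
                  '<a href="/user/edit.php">timezone</a>.</p>',
    "course": "4",
}
PLAIN_PAGE = {
    "name": "Week 2 reading",
    "page[text]": "<p>Read chapters 3 and 4 before Friday.</p>",
    "course": "4",
}
SQL_LESSON = {
    "name": "SQL basics",
    "page[text]": "<p>Use DROP  TABLE only on scratch schemas.</p>",
    "course": "4",
}

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_PAGE), ("plain", PLAIN_PAGE),
                        ("sql lesson", SQL_LESSON)]:
        print(label, "->", matching_args(body) or "no match")
```

Ordinary prose containing "update", "set" and any later `=` (nearly every HTML attribute) satisfies the third branch, so whether a save is blocked depends on what the teacher typed. Only the editor body matches in these samples, which is the argument to look at when scoping an exclusion.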


In reply to Ken Task

Re: Host with LiquidWeb - mod_security rules

by Ken Task -

Well, since no one is participating here ... or don't host with LiquidWeb ... or generally dunno ... that's OK, BTW ...

Think am on the path of resolving ....

Please see: https://moodle.org/mod/forum/discuss.php?d=379900#p1533366

Will make this comment, however ... as much as we all would like for things to be easy, in the 'modern' world things like ModSecurity (MS) I think will become more commonplace. So turning it off, like SELinux, isn't really wise. Too bad MS is doing its thing at the application layer and not at the network layer but I guess that's 'safer'.

2 cents worth ....

'spirit of sharing', Ken