
I've created a Wordpress plugin which became popular but I'm getting lots of complaints that it's not working. After logging in to many users' WP websites (after asking for the admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests or .htaccess, which is causing a 500 error on some configurations.

So first of all, why is this piece of code causing some servers to return a 500 error?

<IfModule mod_security2.c>
  SecRuleRemoveById 300015
  SecRuleRemoveById 300016
  SecRuleRemoveById 300017
  SecRuleRemoveById 950907
  SecRuleRemoveById 950005
  SecRuleRemoveById 950006
  SecRuleRemoveById 960008
  SecRuleRemoveById 960011
  SecRuleRemoveById 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</IfModule>

On other servers, removing rules by id this way is causing a 500 error:

<IfModule mod_security.c>
  SecRuleRemoveById 300015
  ...
  SecRuleRemoveById phpids-61
</IfModule>

So for now the only working thing which is not causing any server to crash is

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

but it's not enough for servers with mod_security2!

How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations?

Edit: Not only in Apache. Anywhere where .htaccess is used.

Pawel
  • If a hoster uses mod_security in their environment, I guess they do it for a reason – so I doubt they would let just anyone disable it or alter its configuration via htaccess. – CBroe Sep 30 '13 at 12:22
  • @CBroe mod_security is a good thing but it's set as a general rule for the entire server; that's why it's possible to make exceptions using htaccess. It's also buggy (sometimes allowing and denying access randomly) and breaks POST requests made with AJAX. This is a common problem in Wordpress plugins and most people using Wordpress don't know what mod_security is and blame plugin developers for their "broken" plugins. – Pawel Sep 30 '13 at 13:19
  • @Pawel: It is not always possible to solve communication and social problems with a technical measure. Instead compile an easy to understand article that describes the issue, how a user can find out if the problem experienced is that problem, how to contact their hosters and what to ask them. Then kindly offer further individual support at the end of the document and your terms and conditions. If the plugin's users are choosing such hosting, it's not your duty to patch around it. The same applies to Wordpress, too. And your users love this patchwork, otherwise they would not choose WP. – hakre Oct 10 '13 at 05:57
  • So better keep things face-to-face with your potential customers and understand how they solve these things: unless they know better, they just moan, but they can't change a thing and their understanding is very little. But you don't need to blame them. Instead offer a helping hand, it does wonders. Just consider you're doing first-level support for them. – hakre Oct 10 '13 at 05:58
  • @hakre I can't support this many users directly. The plugin has 100+ new users daily. It's very popular and it's not even my job (it's just a hobby and I'm a contractor, and this role makes me work more than a full-time employee) so I have no time to solve a repeating issue. – Pawel Oct 11 '13 at 15:46
  • I don't think your program comes with support requirements. Instead there is a clear disclaimer with it which is part of the GPL (or whichever license you're using). I didn't say you have to support these users, nor that it is your job. It is the free decision of these 100+ new daily users to - popular or not - use the plugin AS-IS. Also you should provide a link to the plugin if an author might have interest to try it out for some solution idea. – hakre Oct 11 '13 at 19:15

2 Answers

Ryan C. Barnett, ModSecurity Community Manager, claimed:

Support for .htaccess files was discontinued in 2.x as it raised too many security issues.

source: http://article.gmane.org/gmane.comp.apache.mod-security.user/3065

The only directives that can be enabled in .htaccess are the following (since 2.7.3), but you need to build with ./configure --enable-htaccess-config:

  • SecAction
  • SecRule
  • SecRuleRemoveByMsg
  • SecRuleRemoveByTag
  • SecRuleRemoveById
  • SecRuleUpdateActionById
  • SecRuleUpdateTargetById
  • SecRuleUpdateTargetByTag
  • SecRuleUpdateTargetByMsg

https://github.com/SpiderLabs/ModSecurity/blob/876d4f5f9558595c00f40af25ea6216386f15cd7/CHANGES#L69

Kakawait
  • Maybe htaccess is disabled by default. BUT in cases when it's enabled THEN the page is crashing. Otherwise it is completely ignored. My question is how to make this .htaccess stop crashing any configuration. – Pawel Oct 11 '13 at 15:44

Displaying a message telling the user to contact the server administrator will be the last thing to do. First of all I'll try one of these solutions for automatic config creation:

Create 2-3 sandboxed .htaccess configs in subfolders

  1. During plugin activation test configs one by one with simulated remote AJAX test
  2. Start from the best general settings config subfolder
  3. Check for AJAX proxy script calls and image, style etc. files access in this folder
  4. After finding a successful (unblocking and not crashing) config, save the selected .htaccess file to the folder containing the AJAX proxy PHP file
  5. If none of the configs (or the built-in wordpress AJAX script - not very reliable) is functional, display an error telling the user to contact the server admin to allow htaccess for the given folder

OR

  1. Check loaded modules with PHP
  2. add SecRuleRemoveById id only if mod_security2 is present to prevent basic mod_security crashing
Pawel