WordPress.org

Ready to get started?Download WordPress

Forums

Security update and mod_security (4 posts)

  1. Kelson
    Member
    Posted 9 years ago #

    Is there a particular mod_security rule needed to protect against the vulnerability in get_the_category_by_ID fixed in 1.5.1.2, or is it taken care of by a config option or just the mere presence of mod_security?

  2. skippy
    Member
    Posted 9 years ago #

    It is my understanding that out of the box, mod_security protects against SQL injections. The vulnerability in WordPress 1.5.1.1 was, in fact, a SQL injection vulnerability due to an un-cast integer variable.

  3. skippy
    Member
    Posted 9 years ago #

    Correction: out o fthe box, mod_security does nothing. You need a specific rule to protect against SQL injections. The following rule was suggested to me; but I have not tested it (I don't use mod_security yet):
    [[[
    SecFilterEngine On
    SecFilterScanPOST On
    SecAuditLog /dev/null
    SecFilterDefaultAction "deny,log,status:402"

    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecFilter "../"
    SecFilterSelective "REQUEST_METHOD" "SEARCH"
    ]]]

  4. gnukerman
    Member
    Posted 8 years ago #

    After seeing this post I wanted to ask around for input on the effectiveness of these rules.

    Instead of trying to relay the information, you should see:

    http://www.gotroot.com/tiki-view_forum_thread.php?topics_offset=1&forumId=35&comments_parentId=586

    If you use mod_security or are planning to do so, you should consider updating the rulesets with those provided at GotRoot.com.

Topic Closed

This topic has been closed to new replies.

About this Topic