Introducing mod_security
Subject:   Problem with host
Date:   2007-10-18 07:42:24
From:   dogheart
I've been getting an error (404, not 406 for some reason) from an admin script on a site I'm developing on a shared server. The user edits the contents of a page in a large textarea, which is POSTed to the server and, unless they click 'cancel', processed in the MySQL database. Certain pages have been triggering the error consistently and it's been baffling me for months. I've finally got out of the host's support department this entry (edited for privacy) from their log:

"(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\\\(.*from)" at ARGS:page_text. ... [msg "Generic SQL injection protection"]

...and they pointed me to the mod_security page for reference.

Before I go back and shout at them, isn't this a misapplication of mod_security? It seems to me that there can be no way of telling when a user is perfectly innocently going to type something like '... select ... from ...'. Not only that but their regex is suspect because in a couple of my cases it's catching 'selecting'. It's also catching instances where the 'select' and the 'from' are several lines apart, and yet I've always understood the regex '.' to stand for any character apart from a newline - no?

Other than jumping through hoops with JavaScript - which goes against the grain anyway as non-JS-enabled users will still get trapped - there's nothing I can do to intervene between the data being POSTed and its being trapped by mod_security... is there?

I'd be grateful for any advice as to what I should say to the host. It's their 'new' (well, newish) platform that this site is running on, and I suspect they've only recently installed mod_security.