[wp-trac] [WordPress Trac] #7211: Common mod_security rules,
conflicts with media uploader
WordPress Trac
wp-trac at lists.automattic.com
Mon Jun 30 11:55:52 GMT 2008
#7211: Common mod_security rules, conflicts with media uploader
----------------------------+-----------------------------------------------
Reporter: pishmishy | Owner: pishmishy
Type: defect | Status: new
Priority: high | Milestone: 2.7
Component: Administration | Version: 2.5.1
Severity: normal | Keywords: mod_security apache mediauploader
----------------------------+-----------------------------------------------
I've a customer who's having problems with mod_security and WordPress.
This manifests itself in the new media uploader. Whilst there's a
published workaround using .htaccess (see
http://wordpress.org/support/topic/164999), their host won't allow them to
bypass the global mod_security settings in this way.
There's a not-unpopular set of mod_security rules for securing WordPress
that haven't been uploaded to cater for 2.5.1
(http://blogsecurity.net/wordpress/modsecurity-and-wordpress-defense-in-depth/).
I'm still looking to root out all the conflicts I can spot but in the
first instance
{{{
SecFilter "insert[[:space:]]+into"
}}}
which is designed to protect against SQL injections, matches against the
"Insert into Post" button and blocks the HTTP request (this appears to be
a common rule outside of the WordPress specific paper referenced above).
--
Ticket URL: <http://trac.wordpress.org/ticket/7211>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
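
The false positive described in the ticket can be reproduced offline. The following is an added example, not code from the ticket or from WordPress. The request bodies, parameter names and the narrower pattern are constructed for illustration, and it assumes the rule is matched case-insensitively against URL-decoded parameter values.

```python
import re
from urllib.parse import parse_qsl

# The rule quoted in the ticket. Python's re module has no POSIX classes,
# so [[:space:]] is written as \s. Assumption: case-insensitive matching.
TICKET_RULE = re.compile(r"insert\s+into", re.IGNORECASE)

# Hypothetical narrower pattern (not from the ticket): besides the keywords,
# require a table name followed by "(", VALUES or SELECT, as a SQL INSERT has.
NARROWER_RULE = re.compile(
    r"insert\s+into\s+[`\w.]+\s*(\(|values\b|select\b)", re.IGNORECASE
)

# Constructed form-encoded POST bodies; field names are illustrative only.
SAMPLES = {
    "media_uploader": "post_id=12&send%5B34%5D=Insert+into+Post",
    "comment_prose": "author=al&comment=How+do+I+insert+into+my+sidebar+a+widget%3F",
    "sql_statement": "q=INSERT+INTO+example_table+%28col%29+VALUES+%28%27x%27%29",
}


def matching_params(rule, body):
    """Return the names of form parameters whose decoded value matches rule."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return [name for name, value in pairs if rule.search(value)]


def evaluate(samples=SAMPLES):
    """Map each sample to the parameters flagged by the two patterns."""
    return {
        label: {
            "ticket_rule": matching_params(TICKET_RULE, body),
            "narrower_rule": matching_params(NARROWER_RULE, body),
        }
        for label, body in samples.items()
    }


if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:15} ticket={hits['ticket_rule']} narrower={hits['narrower_rule']}")
```

The ticket's rule flags both the button label and ordinary prose, while the narrower pattern flags only the statement-shaped value; any change of this kind still needs testing against real traffic before deployment.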