Closed (won't fix)
Project:
Drupal core
Version:
6.0-beta4
Component:
base system
Priority:
Minor
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
14 Dec 2007 at 18:01 UTC
Updated:
30 Jan 2010 at 19:23 UTC
When you save changes on the user settings page (admin/user/settings) -- Drupal sends as "part" of the http request:
mail\x20
or
mail\\x20
(I can't say for sure which by reading my server logs but either one causes the problem below.)
This is a known "web attack", i.e. an attempt to get access to the mail command.
It is blocked by mod_security and other "security" software.
Is this intentional or just something that was not considered?
It is probably not serious, unless someone that really hates you, hacks your mail command and sends threats to our beloved president.... :-)
Keith
Comments
Comment #1
chx commentedSo there is a mail and a space. So what? This comes from "you will receive another e-mail containing information" but why is that a problem? Setting to won't fix until we get more information.
Comment #2
KeithDaniels commentedI have my own server and use mod_security (an apache module) to prevent spam and web attacks. When I upgraded to version 6 mod_security prevented anyone from saving any user changes and prevented me, as administrator, from assigining an account to someone. I removed the filter in mod_security so I have no problems.
Like I said, problaby not a big issue and I think the ability to hack the mail command or a mail server though using a space in the command has long been fixed.
I just wanted to make sure you knew about it.
Keith
Comment #3
flickerfly commentedIt might be helpful to understand why ModSecurity takes offense to this. Perhaps they have a point? What rule is it triggering? This should show up in your Apache error_log file.
Comment #4
forestmars commentedI just remembered why posting to old threads is frowned up^H^Hon.