When I visit a field settings page from:

http://www.site.com/admin/content/node-type//fields/

After I make my modifications, I get a "method not implemented" error, which is created by mod_security2.

The cause of this error is the hidden input field named "previous_field",

which looks like this:

<input type="hidden" name="previous_field" id="edit-previous-field" value="a:18:{s:10:'field_name';s:9:'field_url';s:9:'type_name';s:8:'ayakustu';s:16:'display_settings';a:0:{}s:13:'widget_active';s:1:'1';s:4:'type';s:4:'link';s:8:'required';s:1:'1';s:8:'multiple';s:1:'0';s:10:'db_storage';s:1:'1';s:6:'module';s:4:'link';s:6:'active';s:1:'1';s:7:'columns';a:3:{s:3:'url';a:3:{s:4:'type';s:7:'varchar';s:6:'length';i:255;s:8:'not null';b:0;}s:5:'title';a:3:{s:4:'type';s:7:'varchar';s:6:'length';i:255;s:8:'not null';b:0;}s:10:'attributes';a:3:{s:4:'type';s:4:'text';s:4:'size';s:6:'medium';s:8:'not null';b:0;}}s:10:'attributes';a:3:{s:6:'target';s:7:'default';s:3:'rel';s:0:'';s:5:'class';s:0:'';}s:7:'display';a:1:{s:10:'url_cutoff';s:2:'80';}s:3:'url';i:0;s:5:'title';s:8:'optional';s:11:'title_value';s:0:'';s:13:'enable_tokens';i:1;s:6:'widget';a:7:{s:13:'default_value';a:1:{i:0;a:3:{s:3:'url';s:0:'';s:5:'title';s:0:'';s:10:'attributes';s:2:'N;';}}s:17:'default_value_php';s:0:'';s:5:'label';s:3:'URL';s:6:'weight';s:2:'-4';s:11:'description';s:0:'';s:4:'type';s:4:'link';s:6:'module';s:4:'link';}}"  />

As you can see, the field's values include terms like "varchar", and that triggers mod_security rule 950001, which is:

[Sun Jun 01 17:15:32 2008] [error] [client *.*.*.*] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:previous_field. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "varchar"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.hecatomber.org"] [uri "/admin/content/node-type/ayakustu/fields/field_url"] [unique_id "gwpxxUg0@6AAAH4mkUYAAACa"]

So is it safe to use this?

Comments

korayal

Version: 6.x-1.x-dev » 6.x-2.0-beta

Still exists in 2.0-beta.

dopry

Status: Active » Closed (won't fix)

Don't use mod_security2. Not supported.

eli

You can still use mod_security -- just either disable that rule or create a whitelist rule for that URL pattern. Check the mod_security docs on false positives.
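Config example, added here and not from the original thread or the Link module, of the per-URL exception eli describes, for ModSecurity 2.x with the Core Rule Set. It assumes the rule id 950001 and the URI pattern from the log above; the id 1000001 in the second variant is a constructed placeholder, and either snippet must come after the CRS Include so the rule exists before it is removed.

```apache
# Option 1: lift CRS rule 950001 only for the field-settings pages.
# Every other request on the site is still inspected by the full rule set,
# and every other rule still applies to the previous_field argument here.
<LocationMatch "^/admin/content/node-type/[^/]+/fields/">
    SecRuleRemoveById 950001
</LocationMatch>

# Option 2: same effect from a phase-1 rule, so it can live with the other
# custom rules. Match the URI first, then disable 950001 for this request only.
# The id 1000001 is a constructed placeholder; use one from your local range.
SecRule REQUEST_URI "@rx ^/admin/content/node-type/[^/]+/fields/" \
    "phase:1,id:1000001,nolog,pass,ctl:ruleRemoveById=950001"
```

After reloading Apache, re-submit the field form and confirm the audit log no longer reports id 950001 for that URI while a deliberately malformed request elsewhere on the site is still blocked.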