mod_security / SecFilterEngine issue

Gunde Svan
2010-08-23
2013-05-28
  • Gunde Svan
    2010-08-23

    Hello, 

    I had an issue with refbase 0.9.5 after a manual install where I got an error message which said: 

    Warning: fopen(): HTTP request failed! HTTP/1.1 403 Forbidden in /includes/include.inc.php on line 5213
    Warning: fopen(http:///show.php?records=all&submit=Cite&showRows=5&citeOrder=creation-date&client=inc-refbase-1.0&wrapResults=0): failed to open stream: Invalid argument in /includes/include.inc.php on line 5213

    The way around this was to create a .htaccess file with the line:

    SecFilterEngine Off

    Then refbase worked as it should.

    As I understand it though, this leaves refbase open to SQL injection and perhaps other lines of attack if somebody or something so intended. What would a proper and secure .htaccess file look like for refbase? What are the rules that I need to specify to have a refbase that is both secure and that works?

    Any suggestions welcome. Thanks!

  • refbase does have some checks built into it to prevent malicious SQL injection. If you know of any SQL injection attack that is possible with the current release of refbase, we'd love to hear of it. An early design decision was to allow full SQL queries, as this makes refbase extremely flexible and powerful. There is a tradeoff, though, and any external tool that looks for SQL-injection-like behavior will trip on refbase, as there is no way for it to possibly differentiate legitimate SQL queries from attacks.
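The following .htaccess is an added example for the two messages above; it is not from either poster and not part of the refbase project. It assumes mod_security 1.x, which is the release that understands the SecFilter* directives (the SecFilterEngine directive in the workaround belongs to 1.x; 2.x replaced the family with SecRule*), and an Apache AllowOverride setting that permits these directives in a per-directory file. The workaround from the first post is kept, commented out, next to a narrower variant: instead of switching the engine off, the narrower variant stops inheriting the server-wide signature set that the reply says refbase's SQL-carrying requests will always trip, and lists only checks that a bibliographic query has no reason to match. The three SecFilterSelective patterns are illustrative and must be tested against the refbase features actually in use before deployment.

```apache
# Added example, not from the original thread or from refbase.
# Assumes mod_security 1.x (SecFilter* directives) and an AllowOverride
# that lets these directives appear in .htaccess for the refbase directory.

# --- Variant A: the workaround from the first post.
# --- refbase works, but the engine is off for everything under this
# --- directory, so no request to refbase is inspected at all.
# SecFilterEngine Off

# --- Variant B: keep the engine on, drop the inherited signature set.
SecFilterEngine On
# Do not apply the parent (server-wide) rules here; generic SQL-keyword
# signatures cannot tell refbase's legitimate queries from attacks.
SecFilterInheritance Off
# Still inspect POST bodies and reject malformed URL encoding.
SecFilterScanPOST On
SecFilterCheckURLEncoding On
# What happens when one of the rules below matches.
SecFilterDefaultAction "deny,log,status:403"

# Directory traversal in any request argument (illustrative pattern).
SecFilterSelective ARGS "\.\./"
# Script tags in any request argument (illustrative pattern).
SecFilterSelective ARGS "<[[:space:]]*script"
# Shell command chaining in any request argument (illustrative pattern).
SecFilterSelective ARGS "(;|\|)[[:space:]]*(cat|wget|curl|nc|sh|bash)[[:space:]]"
```

Neither variant changes the tradeoff the reply describes: because refbase accepts full SQL queries by design, no rule in this file can block SQL injection without also blocking legitimate use, so the SQL-side protection still rests on refbase's own input checks and on giving the refbase MySQL account only the privileges it needs. Variant B only keeps the filter in place for attack classes that refbase's query syntax never requires, and the log entries it produces (via the log action) are the place to confirm that no legitimate refbase request is being denied.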