jonpugh/88cfb0aad1ef18c0016486557fcb28fe
Last active April 13, 2018 20:40
Web server configuration to mitigate Drupal SA-CORE-2018-002. Written by trusted sources. Patch your sites!!
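```apache
# Apache configuration to block attempts to exploit the SA
# If using Aegir, you can put this file in /var/aegir/config/server_master/apache/post.d/SA-CORE-2018-002.conf
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Condition 1: the raw query string contains one of the markers (case-insensitive).
  RewriteCond %{QUERY_STRING} (.*)(23value|23default_value|element_parents=%23)(.*) [NC]
  # Condition 2: the request method is POST. Both conditions must hold.
  RewriteCond %{REQUEST_METHOD} POST [NC]
  # Answer matching requests with 403 and stop processing further rules.
  RewriteRule ^.*$ - [R=403,L]
</IfModule>
```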
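```nginx
# NGINX configuration to block attempts to exploit the SA
# If using Aegir, you can put this file in /var/aegir/config/server_master/nginx/post.d/SA-CORE-2018-002.conf
# nginx "if" cannot combine two conditions, so a flag variable is built up instead.
set $rce "ZZ";
# Query string contains one of the markers (case-insensitive): flag becomes "A".
if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
  set $rce "A";
}
# POST request: append "B" (giving "AB" only when the query string also matched).
if ( $request_method = POST ) {
  set $rce "${rce}B";
}
# Both conditions held: refuse the request.
if ( $rce = "AB" ) {
  return 403;
}
```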
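An added example, not part of the gist: a log check that applies the same query-string pattern to access-log lines, listing POST requests the rules above would match and whether each was answered with 403. The combined log format, the function name `scan` and the sample lines are assumptions constructed for illustration.

```python
import re

# Same alternation the Apache and NGINX rules apply to the query string.
SA_PATTERN = re.compile(r"(23value|23default_value|element_parents=%23)", re.IGNORECASE)

# Common/combined log format (assumed):
# host ident user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return (host, time, status, blocked) for POSTs whose query string matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # the rules only act on POST requests
        _, _, query = m["target"].partition("?")
        if SA_PATTERN.search(query):
            status = int(m["status"])
            hits.append((m["host"], m["time"], status, status == 403))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [13/Apr/2018:10:00:01 +0000] "POST /?element_parents=%23 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.9 - - [13/Apr/2018:10:00:05 +0000] "POST /index.php?a=%23Default_Value HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [13/Apr/2018:10:00:09 +0000] "GET /?element_parents=%23 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.44 - - [13/Apr/2018:10:00:12 +0000] "POST /user/login?destination=node HTTP/1.1" 200 830 "-" "-"',
]

if __name__ == "__main__":
    for host, when, status, blocked in scan(SAMPLE):
        verdict = "blocked" if blocked else "NOT blocked, investigate"
        print(f"{when} {host} status={status} {verdict}")
```

A match that was not answered with 403 came through a server where the rule was absent or not yet loaded, so that site is the one to review and patch first.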