[wp-hackers] What would strip $_POST before 'init' runs?

Mike Walsh mpwalsh8 at gmail.com
Wed Jul 18 16:45:00 UTC 2012


I finally got some additional data on this problem I am chasing.  The
hosting provider coughed up a server error log.  This is what it contains:

[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
[line "489"]
[id "340162"]
[rev "262"]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection
attempt in ARGS (AE)"]
[data "
https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq
"]
[severity "CRITICAL"]
[hostname "lanaddicts.org"]
[uri "/test-form/"]
[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]

Thanks,

Mike

Anyone have any suggestions on how to interpret this?

On Mon, Jul 16, 2012 at 2:12 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:

> I am not sure of anything on this problem!
>
> In the Response Headers "Server" is reported as "Apache".  Is there some
> other way to detect "nginx"?
>
> Mike
>
> On Mon, Jul 16, 2012 at 2:04 PM, Brian Layman <wp-hackers at thecodecave.com> wrote:
>
>> On 7/16/2012 1:51 PM, Mike Walsh wrote:
>>
>>> Can anyone think of configuration (I am assuming it is at the Apache
>>> level) that would cause this?
>>>
>>
>> You are certain it is apache and not nginx right? Nginx throws a setting
>> into your cookie to ensure that you are coming from the site and not from a
>> generic posting tool.  At times it operates like a poor man's nonce.
>>
>> Brian Layman
>>
>
>
>
> --
> Mike Walsh - mpwalsh8 at gmail.com
>



-- 
Mike Walsh - mpwalsh8 at gmail.com
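
One way to read the log entry quoted in this message, as an added example that is not part of the original post: the Python below splits the entry into its fields and re-runs the reported check. It assumes that "Match of ... required" is ModSecurity 2.x's wording for a negated operator and that %{SERVER_NAME} corresponds to the entry's [hostname] field; parse_entry and explain are hypothetical helper names.

```python
import re

# The wrapped log entry quoted in the message above, re-joined onto one line.
LOG = (
    '[error] ModSecurity: Access denied with code 403 (phase 2). '
    'Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required. '
    '[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "489"] '
    '[id "340162"] [rev "262"] '
    '[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] '
    '[data "https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq"] '
    '[severity "CRITICAL"] [hostname "lanaddicts.org"] [uri "/test-form/"] '
    '[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]'
)

def parse_entry(line):
    """Split a ModSecurity 2.x error-log entry into its action, operator and metadata."""
    entry = {"meta": dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))}
    m = re.search(r"Access denied with code (\d+) \(phase (\d)\)", line)
    if m:
        entry["status"], entry["phase"] = int(m.group(1)), int(m.group(2))
    # Assumption: "Match of ... required" is how a negated operator (!@rx) is
    # reported, i.e. the rule fired because the pattern did NOT match the variable.
    m = re.search(r'Match of "(\w+) ([^"]*)" against "([^":]+):([^"]+)" required', line)
    if m:
        entry["negated"] = True
        entry["operator"], entry["pattern"] = m.group(1), m.group(2)
        entry["collection"], entry["variable"] = m.group(3), m.group(4)
    return entry

def explain(entry):
    """Re-run the reported check with %{SERVER_NAME} taken from [hostname] (assumption)."""
    meta = entry["meta"]
    pattern = entry["pattern"].replace("%{SERVER_NAME}", re.escape(meta["hostname"]))
    on_site = re.search(pattern, meta["data"]) is not None
    return {
        "rule_id": meta["id"],
        "parameter": entry["variable"],
        "value": meta["data"],
        "points_at_own_host": on_site,
        "blocked": entry["negated"] and not on_site,
    }

if __name__ == "__main__":
    for key, value in explain(parse_entry(LOG)).items():
        print(f"{key}: {value}")
```

Read this way, the 403 comes from the POST parameter gform-action carrying a URL on a host other than the site's own, which is what the rule's "Remote File Injection attempt in ARGS" message refers to.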

