[wp-hackers] What would strip $_POST before 'init' runs?

Mike Walsh mpwalsh8 at gmail.com
Thu Jul 19 08:57:07 UTC 2012


It wasn't my server but the server of someone who is using my WordPress
Google Form plugin.  As it turns out, the problem isn't completely solved
because if someone submits a form that contains a URL in one of the post
variables, the Apache security module (ModSecurity?) kicks in and issues a
403.

Atomic ModSecurity Rules:
http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

I tried adding this to the .htaccess file based on this thread:
http://forums.asmallorange.com/topic/7356-mod-security-wordpress-403-forbidden/


<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

Unfortunately it didn't work.  What a PITA this is.  If I update my WordPress
profile on this site and add a URL, it posts correctly.  Looking at the
headers for that post versus the headers for my post, nothing jumps out at
me as an obvious difference but I will keep poking at it.

Mike

On Wed, Jul 18, 2012 at 4:30 PM, Brian Layman <wp-hackers at thecodecave.com> wrote:

> Can you clarify that a little further? Was that just the value for a post
> field?
>
> I'd like to understand what your server didn't like in case it ever comes
> up again.
>
> Brian Layman
>
> On 7/18/2012 2:07 PM, Mike Walsh wrote:
>
>> Replying to my own message - I have finally figured it out.  The Apache
>> server security doesn't like that I was passing a Google Form URL in a
>> post parameter.  By encoding it and then decoding it later when I actually
>> needed it, the server is happy and is no longer throwing 403 errors.
>>
>> Mike
>>
>> On Wed, Jul 18, 2012 at 12:45 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:
>>
>>> I finally got some additional data on this problem I am chasing.  The
>>> hosting provider coughed up a server error log.  This is what it
>>> contains:
>>>
>>> [error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
>>> ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
>>> [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
>>> [line "489"]
>>> [id "340162"]
>>> [rev "262"]
>>> [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection
>>> attempt in ARGS (AE)"]
>>> [data "https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq"]
>>> [severity "CRITICAL"]
>>> [hostname "lanaddicts.org"]
>>> [uri "/test-form/"]
>>> [unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]
>>>
>>> Thanks,
>>>
>>> Mike
>>>
>>> Anyone have any suggestions on how to interpret this?
>>>
>>> --
>>>
>> Mike Walsh - mpwalsh8 at gmail.com
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>



-- 
Mike Walsh - mpwalsh8 at gmail.com
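
An added example, not part of the original thread: a small Python parser for the ModSecurity denial quoted above. It pulls out the rule id, the request parameter that tripped the rule, and the host of the URL found in that parameter next to the site's own hostname. ModSecurity's "Match of ... required" wording means the value was expected to match `://%{SERVER_NAME}/` and did not; the function names and the one-line sample (the quoted entry with the archive's `**` debris removed) are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the log entry quoted in the thread, joined onto one line
# with the mail archive's "**" line-wrap debris removed.
SAMPLE = (
    '[error] ModSecurity: Access denied with code 403 (phase 2).'
    'Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required. '
    '[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "489"] '
    '[id "340162"] [rev "262"] '
    '[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] '
    '[data "https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq"] '
    '[severity "CRITICAL"] [hostname "lanaddicts.org"] [uri "/test-form/"] '
    '[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]'
)

# Metadata tags have the shape [key "value"]; "[error]" has no value and is skipped.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The action header: status code, phase, the operator, and the variable it was run on.
HEAD = re.compile(r'Access denied with code (\d+) \(phase (\d)\)\.\s*'
                  r'Match of "(.*?)" against "(.*?)" required')

def parse_entry(line):
    """Split one ModSecurity denial into its action header and [key "value"] tags."""
    entry = dict(TAG.findall(line))
    head = HEAD.search(line)
    if head:
        entry["status"], entry["phase"], entry["operator"], target = head.groups()
        # "MATCHED_VARS:gform-action" -> the request parameter that tripped the rule
        entry["parameter"] = target.partition(":")[2] or target
    return entry

def explain(entry):
    """Summarise a denial; flag the case where a parameter's URL host is off-site."""
    # [data] holds the offending value; [hostname] is the virtual host that served it.
    host = urlsplit(entry.get("data", "")).hostname
    off_site = host is not None and host != entry.get("hostname")
    return {
        "rule_id": entry.get("id"),
        "parameter": entry.get("parameter"),
        "url_host": host,
        "site_host": entry.get("hostname"),
        "off_site_url": off_site,
    }

if __name__ == "__main__":
    for key, value in explain(parse_entry(SAMPLE)).items():
        print(f"{key}: {value}")
```
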

