[wp-hackers] What would strip $_POST before 'init' runs?

Mike Walsh mpwalsh8 at gmail.com
Wed Jul 18 16:45:00 UTC 2012

I finally got some additional data on this problem I am chasing.  The
hosting provider coughed up a server error log.  This is what it contains:

[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
[line "489"]
[id "340162"]
[rev "262"]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection
attempt in ARGS (AE)"]
[data "
[severity "CRITICAL"]
[hostname "lanaddicts.org"]
[uri "/test-form/"]
[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]



Anyone have any suggestions on how to interpret this?

On Mon, Jul 16, 2012 at 2:12 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:

> I am not sure of anything on this problem!
> In the Response Headers "Server" is reported as "Apache".  Is there some
> other way to detect "nginx"?
> Mike
> On Mon, Jul 16, 2012 at 2:04 PM, Brian Layman <wp-hackers at thecodecave.com>wrote:
>> On 7/16/2012 1:51 PM, Mike Walsh wrote:
>>> Can anyone think of configuration (I am assuming it is at the Apache
>>> level) that would cause this?
>> You are certain it is apache and not nginx right? Nginx throws a setting
>> into your cookie to ensure that you are coming from the site and not from a
>> generic posting tool.  At times it operates like a poor man's nonce.
>> Brian Layman
>> ______________________________**_________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
> --
> Mike Walsh - mpwalsh8 at gmail.com

Mike Walsh - mpwalsh8 at gmail.com

More information about the wp-hackers mailing list