[wp-hackers] What would strip $_POST before 'init' runs?

Chris McCoy chris at lod.com
Wed Jul 18 18:04:05 UTC 2012

Looks line an issue with your apache module for modsecurity, its probably
firing off an error thinking that the form is insecure.

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Mike Walsh
Sent: Wednesday, July 18, 2012 12:45 PM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] What would strip $_POST before 'init' runs?

I finally got some additional data on this problem I am chasing.  The
hosting provider coughed up a server error log.  This is what it contains:

[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
[line "489"]
[id "340162"]
[rev "262"]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt
in ARGS (AE)"] [data "
[severity "CRITICAL"]
[hostname "lanaddicts.org"]
[uri "/test-form/"]
[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]



Anyone have any suggestions on how to interpret this?

On Mon, Jul 16, 2012 at 2:12 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:

> I am not sure of anything on this problem!
> In the Response Headers "Server" is reported as "Apache".  Is there 
> some other way to detect "nginx"?
> Mike
> On Mon, Jul 16, 2012 at 2:04 PM, Brian Layman
<wp-hackers at thecodecave.com>wrote:
>> On 7/16/2012 1:51 PM, Mike Walsh wrote:
>>> Can anyone think of configuration (I am assuming it is at the Apache
>>> level) that would cause this?
>> You are certain it is apache and not nginx right? Nginx throws a 
>> setting into your cookie to ensure that you are coming from the site 
>> and not from a generic posting tool.  At times it operates like a poor
man's nonce.
>> Brian Layman
>> ______________________________**_________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com> 
>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://list
>> s.automattic.com/mailman/listinfo/wp-hackers>
> --
> Mike Walsh - mpwalsh8 at gmail.com

Mike Walsh - mpwalsh8 at gmail.com
wp-hackers mailing list
wp-hackers at lists.automattic.com

More information about the wp-hackers mailing list