[wp-hackers] What would strip $_POST before 'init' runs?

Chris McCoy chris at lod.com
Wed Jul 18 18:04:05 UTC 2012


Looks like an issue with your Apache module for ModSecurity. It's probably
firing off an error thinking that the form is insecure.



-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Mike Walsh
Sent: Wednesday, July 18, 2012 12:45 PM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] What would strip $_POST before 'init' runs?

I finally got some additional data on this problem I am chasing.  The
hosting provider coughed up a server error log.  This is what it contains:

[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
[line "489"]
[id "340162"]
[rev "262"]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt
in ARGS (AE)"] [data "
https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwd
yb0xcmkzsogc6mq&ifq
"]
[severity "CRITICAL"]
[hostname "lanaddicts.org"]
[uri "/test-form/"]
[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]

Thanks,

Mike

Anyone have any suggestions on how to interpret this?

On Mon, Jul 16, 2012 at 2:12 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:

> I am not sure of anything on this problem!
>
> In the Response Headers "Server" is reported as "Apache".  Is there 
> some other way to detect "nginx"?
>
> Mike
>
> On Mon, Jul 16, 2012 at 2:04 PM, Brian Layman <wp-hackers at thecodecave.com> wrote:
>
>> On 7/16/2012 1:51 PM, Mike Walsh wrote:
>>
>>> Can anyone think of configuration (I am assuming it is at the Apache
>>> level) that would cause this?
>>>
>>
>> You are certain it is apache and not nginx right? Nginx throws a 
>> setting into your cookie to ensure that you are coming from the site 
>> and not from a generic posting tool.  At times it operates like a poor
>> man's nonce.
>>
>> Brian Layman
>>
>>
>
>
>
> --
> Mike Walsh - mpwalsh8 at gmail.com
>



--
Mike Walsh - mpwalsh8 at gmail.com
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
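
An added example, not part of the original thread and not ModSecurity or Atomicorp code: a Python parser for the error-log entry quoted above that re-runs the logged check to show which parameter and value caused the 403. It assumes `[data]` carries the value of the flagged parameter and that `%{SERVER_NAME}` expanded to the `[hostname]` value; `parse_entry` and `explain` are names chosen here.

```python
import re
from urllib.parse import urlsplit

# Entry quoted in the thread, with the e-mail line wrapping undone.
ENTRY = (
    '[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx '
    '://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required. '
    '[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "489"] '
    '[id "340162"] [rev "262"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: '
    'Remote File Injection attempt in ARGS (AE)"] [data "https://docs.google.com'
    '/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq"] '
    '[severity "CRITICAL"] [hostname "lanaddicts.org"] [uri "/test-form/"] '
    '[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]'
)

# "Match of ... required" is how a negated operator reports: the rule fired
# because the pattern did NOT match the named variable.
HEAD = re.compile(
    r'Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)\.\s*'
    r'Match of "(?P<operator>\w+) (?P<pattern>[^"]*)" against '
    r'"(?P<collection>[A-Z_]+):(?P<variable>[^"]+)" required\.')
TAG = re.compile(r'\[(\w+) "\s*([^"]*?)\s*"\]')

def parse_entry(text):
    """Split one ModSecurity 2.x error-log entry into its named fields."""
    head = HEAD.search(text)
    if head is None:
        raise ValueError("not a 'Match of ... required' denial")
    fields = head.groupdict()
    fields.update(TAG.findall(text))  # [file "..."], [id "..."], [data "..."], ...
    return fields

def explain(fields):
    """Re-run the logged check: the value must contain ://<SERVER_NAME>/."""
    # Assumption: %{SERVER_NAME} expanded to the logged [hostname] value,
    # and [data] is the value of the flagged request parameter.
    required = fields["pattern"].replace("%{SERVER_NAME}", re.escape(fields["hostname"]))
    passes = re.search(required, fields["data"]) is not None
    return {
        "rule_id": fields["id"],
        "parameter": fields["variable"],
        "value_host": urlsplit(fields["data"]).hostname,
        "site_host": fields["hostname"],
        "blocked": not passes,
    }

if __name__ == "__main__":
    print(explain(parse_entry(ENTRY)))
```

Read this way, the entry says the POST field `gform-action` held a URL on a host other than the site's own, which rule 340162 treats as a remote file injection attempt and denies in phase 2, before PHP sees the request.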


