[wp-hackers] What would strip $_POST before 'init' runs?

Mike Walsh mpwalsh8 at gmail.com
Wed Jul 18 18:07:00 UTC 2012

Replying to my own message - I have finally figured it out.  The Apache
server security doesn't like that I was passing a Google Form URL in a
post parameter.  By encoding it and then decoding it later when I actually
needed it, the server is happy and is no longer throwing 403 errors.


On Wed, Jul 18, 2012 at 12:45 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:

> I finally got some additional data on this problem I am chasing.  The
> hosting provider coughed up a server error log.  This is what it contains:
> [error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
> ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
> [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
> [line "489"]
> [id "340162"]
> [rev "262"]
> [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection
> attempt in ARGS (AE)"]
> [data "
> https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq
> "]
> [severity "CRITICAL"]
> [hostname "lanaddicts.org"]
> [uri "/test-form/"]
> [unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]
> Thanks,
> Mike
> Anyone have any suggestions on how to interpret this?
> --
Mike Walsh - mpwalsh8 at gmail.com

More information about the wp-hackers mailing list