[wp-hackers] What would strip $_POST before 'init' runs?

Brian Layman wp-hackers at thecodecave.com
Wed Jul 18 20:30:09 UTC 2012


Can you clarify that a little further? Was that just the value for a 
post field?

I'd like to understand what your server didn't like in case it ever 
comes up again.

Brian Layman

On 7/18/2012 2:07 PM, Mike Walsh wrote:
> Replying to my own message - I have finally figured it out.  The Apache
> server security doesn't like that I was passing a Google Form URL in a
> post parameter.  By encoding it and then decoding it later when I actually
> needed it, the server is happy and is no longer throwing 403 errors.
>
> Mike
>
> On Wed, Jul 18, 2012 at 12:45 PM, Mike Walsh <mpwalsh8 at gmail.com> wrote:
>
>> I finally got some additional data on this problem I am chasing.  The
>> hosting provider coughed up a server error log.  This is what it contains:
>>
>> [error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
>> ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
>> [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
>> [line "489"]
>> [id "340162"]
>> [rev "262"]
>> [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection
>> attempt in ARGS (AE)"]
>> [data "
>> https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq
>> "]
>> [severity "CRITICAL"]
>> [hostname "lanaddicts.org"]
>> [uri "/test-form/"]
>> [unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]
>>
>> Thanks,
>>
>> Mike
>>
>> Anyone have any suggestions on how to interpret this?
>>
>> --
> Mike Walsh - mpwalsh8 at gmail.com
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
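
To read the log entry quoted in this thread, the added example below (not code from either poster, from WordPress or from ModSecurity) splits the entry into its fields and reports which request parameter tripped the rule. The function names are hypothetical, and it assumes the logged [hostname] is what %{SERVER_NAME} expanded to.

```python
import re
from urllib.parse import urlsplit

# The entry quoted above with the e-mail line wrapping removed (values unchanged).
SAMPLE = (
    '[error] ModSecurity: Access denied with code 403 (phase 2).'
    'Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required. '
    '[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "489"] '
    '[id "340162"] [rev "262"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: '
    'Remote File Injection attempt in ARGS (AE)"] '
    '[data "https://docs.google.com/spreadsheet/formresponse'
    '?formkey=dhzsutftwllwzwf6lwdyb0xcmkzsogc6mq&ifq"] '
    '[severity "CRITICAL"] [hostname "lanaddicts.org"] [uri "/test-form/"] '
    '[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]'
)

# "Match of ... required" is what ModSecurity 2.x logs for a negated operator
# (!@rx): the request is denied because the value did NOT match the pattern.
HEAD = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)\.\s*'
                  r'Match of "(\w+) (.*?)" against "(.*?)" required\.')
FIELD = re.compile(r'\[(\w+) "(.*?)"\]')   # trailing [key "value"] metadata


def parse_modsec(line):
    """Split one ModSecurity deny entry into a dict of its parts."""
    head = HEAD.search(line)
    if head is None:
        raise ValueError("not a negated-operator ModSecurity deny entry")
    status, phase, operator, pattern, target = head.groups()
    entry = dict(FIELD.findall(line))
    entry.update(status=int(status), phase=int(phase), operator=operator,
                 pattern=pattern,
                 # target is COLLECTION:name; the name is the request parameter
                 parameter=target.split(":", 1)[-1])
    return entry


def explain(entry):
    """Say why the rule fired, comparing the URL's host with the site's."""
    # Assumption: the logged [hostname] is what %{SERVER_NAME} expanded to.
    url_host = urlsplit(entry["data"]).hostname
    verdict = "same host" if url_host == entry["hostname"] else "off-site"
    return (f'rule {entry["id"]} ({entry["status"]}, phase {entry["phase"]}): '
            f'parameter "{entry["parameter"]}" holds a URL on {url_host}, '
            f'{verdict} relative to {entry["hostname"]}')


if __name__ == "__main__":
    print(explain(parse_modsec(SAMPLE)))
```

For this entry the result names the gform-action parameter and shows that its URL points at docs.google.com rather than at the site itself, which is the condition the rule's message labels a remote file injection attempt.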


