Access denied with code 406 (phase 2). Pattern match

[adg001]

Hi my company has a hosting server running cpanel whm

one of my sites which has a shop keeps being blocked when i looked in the mod_security log i get the following
this is an urgent request for help.

Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]

Any help would be appreciated

[Infopro]

If modsecurity is blocking a legit script from working properly, this tool might be useful to you:
ConfigServer ModSecurity Control

After installing that, in the settings for it you could whitelist for that one domain (or all domains) the rule giving you problems. In this case its: 950004


HTH!

[srpurdy]

This will get triggered on a POST request if the data in the post consists of code like an iframe or script tag. as well as others. So basically your shop application is allowing these kinds of code to put into post requests. I would actually fix the application rather than disabling that rule, but that's your call.

[d'argo]

based on the rule, it looks like you have an application thats generating a filename with this in the filename

.cookie

and the rule looks for .cookie in filenames, so you either need to change your application so it doesnt do that, change the rule so it doesnt look for that in the filename or use a different filename