  1. #1
    Member
    Join Date
    Jul 2011
    Posts
    6

    mod_security and a WordPress Plugin

    Hi,

    I am using a WordPress plugin called WP Super Popup that has been blocked by mod_security.

    The logs for an example are:

    Code:
    [Sun Jul 10 11:17:42 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8RlFcy0gAABYIRmsAAAAH"]
    [Sun Jul 10 11:18:56 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kFFcy0gAABYIRnkAAAAH"]
    [Sun Jul 10 11:18:57 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kVFcy0gAAA6fYAQAAAAV"]
    [Sun Jul 10 11:18:59 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8k1Fcy0gAABUqRPsAAAAE"]
    [Sun Jul 10 11:19:34 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8tlFcy0gAAC@lY@UAAAAI"]
    I have contacted the author and I got the following reply:

    The warning by mod_security is a known issue due to a false positive:
    the plugin has a js script called "jquery.cookie-min.js" and mod_sec
    identifies the word "cookie" as a hack trial. On the next version of
    the plugin I'll just release the jquery cookie plugin with a different
    name

    The question is: how can I let mod_security ignore this specific script, or the word cookie as an attack?


    Thanks,
    Rui

  2. #2
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Re: mod_security and a WordPress Plugin

    You might edit the ruleset and remark out that rule, not a great idea as that's server-wide. Or, you might install this handy tool just for this sort of thing: ConfigServer ModSecurity Control

    Once installed you can disable that one rule by simply typing in the ID number for that one domain. BTW the ID if you didn't see it there is: 950004

    Great tool to have indeed.

  3. #3
    Member
    Join Date
    Jul 2011
    Posts
    6

    Re: mod_security and a WordPress Plugin

    Hi,

    Been there, done that.
    I was thinking of disallowing by script or file name, but I can easily do that per domain.

    Thanks for your help!


    Rui
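
An added example, not part of the thread and not code from cPanel, ConfigServer or the plugin author: the exclusion scoped to the single file named in the log, shown beside the server-wide form discussed above. It assumes ModSecurity 2.x on Apache, that rule 950004 has already been loaded when these lines are read, and that they are placed in the virtual host of the affected domain.

```apache
<IfModule mod_security2.c>
    # Broad form, for comparison only: at server level this removes the XSS
    # rule for every site and every URI.
    # SecRuleRemoveById 950004

    # Narrow form: remove rule 950004 only for the one static file from the
    # log. The pattern is anchored (^ ... $) and the dots are escaped, so no
    # other path under the plugin directory loses XSS inspection.
    # The logged rule runs in phase 2, after Apache has resolved the
    # location, so a LocationMatch-scoped removal applies to it.
    <LocationMatch "^/wp-content/plugins/wp-super-popup/jquery\.cookie-min\.js$">
        SecRuleRemoveById 950004
    </LocationMatch>
</IfModule>
```

After reloading Apache, request the script once and confirm that no new entry with id "950004" appears in the error log for that URI, while the rule still fires elsewhere on the site.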
