
mod_security and a WordPress Plugin

Discussion in 'Security' started by ruicruz, Jul 10, 2011.

  1. ruicruz

    Hi,

    I am using a WordPress plugin called WP Super Popup that has been blocked by mod_security.

    The logs for an example are:

    Code:
    [Sun Jul 10 11:17:42 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8RlFcy0gAABYIRmsAAAAH"]
    [Sun Jul 10 11:18:56 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kFFcy0gAABYIRnkAAAAH"]
    [Sun Jul 10 11:18:57 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kVFcy0gAAA6fYAQAAAAV"]
    [Sun Jul 10 11:18:59 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8k1Fcy0gAABUqRPsAAAAE"]
    [Sun Jul 10 11:19:34 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8tlFcy0gAAC@lY@UAAAAI"]
    
    I have contacted the author and I got the following reply:


    The question is: how can I let mod_security ignore this specific script, or the word cookie as an attack?


    Thanks,
    Rui
     
  2. Infopro

    You might edit the ruleset and remark out that rule, not a great idea as that's serverwide. Or, you might install this handy tool just for this sort of thing: ConfigServer ModSecurity Control

    Once installed you can disable that one rule by simply typing in the ID number for that one domain. BTW the ID if you didn't see it there is: 950004

    Great tool to have indeed. :)
     
  3. ruicruz

    Hi,

    Been there, done that.
    I was thinking of disallowing by script or file name, but I can easily do that per domain.

    Thanks for your help!


    Rui
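
One way to narrow the exclusion discussed in this thread to the single script instead of a whole domain or server, as an added example that is not part of the original posts: parse the denial lines, confirm rule 950004 fired on the file name of the static script, and emit a `SecRuleRemoveById` block limited to that URL path. The sample log is constructed in the format of the lines in the first post; the function names and the use of a `<Location>` block inside the affected domain's VirtualHost are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the log lines above (pattern shortened,
# client address and hostname replaced with documentation values).
SAMPLE_LOG = "\n".join(
    '[Sun Jul 10 11:1%d:00 2011] [error] [client 192.0.2.10] ModSecurity: '
    'Access denied with code 406 (phase 2). Pattern match "(?:...)" at '
    'REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    '[line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] '
    '[data ".cookie"] [severity "CRITICAL"] [hostname "www.example.com"] '
    '[uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] '
    '[unique_id "constructed-%d"]' % (n, n)
    for n in range(7, 10)
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"] pairs
TARGET = re.compile(r'" at ([A-Z_]+(?::[\w.-]+)?)\. \[file ')  # matched variable

def parse_denials(log_text):
    """Return one dict per 'ModSecurity: Access denied' line."""
    denials = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        entry = dict(FIELD.findall(line))
        m = TARGET.search(line)
        entry["target"] = m.group(1) if m else None
        denials.append(entry)
    return denials

def false_positive_candidates(denials):
    """Count denials per (rule id, hostname, uri) where the rule matched on
    REQUEST_FILENAME and the logged match data is part of the file's path."""
    return Counter(
        (d["id"], d["hostname"], d["uri"]) for d in denials
        if d.get("target") == "REQUEST_FILENAME" and d.get("data", "\0") in d["uri"]
    )

def scoped_exclusion(rule_id, uri):
    """Apache snippet that removes one rule for one URL path only."""
    # Log fields are request-influenced: accept only a numeric id and a plain path.
    if not rule_id.isdigit() or not re.fullmatch(r"/[\w./-]+", uri):
        raise ValueError("refusing to build a directive from unexpected input")
    return '<Location "%s">\n    SecRuleRemoveById %s\n</Location>' % (uri, rule_id)

if __name__ == "__main__":
    for (rid, host, uri), hits in false_positive_candidates(parse_denials(SAMPLE_LOG)).items():
        print("# %s: %d denials by rule %s\n%s" % (host, hits, rid, scoped_exclusion(rid, uri)))
```

Rule 950004 stays active for every other URL on the domain, so form fields and query strings handled by WordPress are still inspected.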
     