mod_security and a WordPress Plugin

ruicruz

Member
Jul 10, 2011
Hi,

I am using a WordPress plugin called WP Super Popup that has been blocked by mod_security.

The logs for an example are:

Code:
[Sun Jul 10 11:17:42 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8RlFcy0gAABYIRmsAAAAH"]
[Sun Jul 10 11:18:56 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kFFcy0gAABYIRnkAAAAH"]
[Sun Jul 10 11:18:57 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kVFcy0gAAA6fYAQAAAAV"]
[Sun Jul 10 11:18:59 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8k1Fcy0gAABUqRPsAAAAE"]
[Sun Jul 10 11:19:34 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "[email protected]@UAAAAI"]
I have contacted the author and I got the following reply:

The warning by mod_security is a known issue due to a false positive:
the plugin has a js script called "jquery.cookie-min.js" and mod_sec
identifies the word "cookie" as a hack trial. On the next version of
the plugin I'll just release the jquery cookie plugin with a different
name

The question is: how can I let mod_security ignore this specific script, or the word cookie as an attack?


Thanks,
Rui
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
You might edit the ruleset and remark out that rule, not a great idea as that's serverwide. Or, you might install this handy tool just for this sort of thing: ConfigServer ModSecurity Control

Once installed you can disable that one rule by simply typing in the ID number for that one domain. BTW the ID if you didn't see it there is: 950004

Great tool to have indeed. :)
 

ruicruz

Member
Jul 10, 2011
Hi,

Been there, done that.
I was thinking of disallowing by script or file name, but I can easily do that per domain.

Thanks for your help!


Rui
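
An added example, not part of the thread: a small triage script that reads ModSecurity denial lines in the format quoted above and emits an exclusion scoped to the exact file that was blocked, instead of disabling rule 950004 for the whole server or domain. It assumes ModSecurity 2.x under Apache, where `SecRuleRemoveById` is accepted inside `<LocationMatch>`; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the error-log format quoted in the thread; the client
# addresses, hostname, unique_id values and rule id 999999 are placeholders.
SAMPLE_LOG = """\
[Sun Jul 10 11:17:42 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [hostname "www.example.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "A1"]
[Sun Jul 10 11:18:56 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [hostname "www.example.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "A2"]
[Sun Jul 10 11:19:02 2011] [error] [client 192.0.2.77] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:q. [id "999999"] [msg "Constructed rule"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "A3"]
[Sun Jul 10 11:19:10 2011] [error] [client 192.0.2.10] File does not exist: /home/user/public_html/favicon.ico
"""

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # matches [key "value"] pairs
SAFE_URI = re.compile(r'[\w./-]+')           # the URI is attacker-controlled

def parse_denials(log_text):
    """Yield the [key "value"] fields of every ModSecurity denial line."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" in line:
            yield dict(FIELD.findall(line))

def scoped_exclusions(log_text, min_hits=2):
    """Return Apache config removing each rule only for the exact URI it blocked."""
    hits = Counter(
        (f["id"], f["uri"])
        for f in parse_denials(log_text)
        # Skip anything that could inject directives into the generated config.
        if f.get("id", "").isdigit() and SAFE_URI.fullmatch(f.get("uri", ""))
    )
    blocks = []
    for (rule_id, uri), count in sorted(hits.items()):
        if count < min_hits:      # a single hit is not yet a pattern
            continue
        blocks.append(
            f"# {count} denials by rule {rule_id}\n"
            f'<LocationMatch "^{re.escape(uri)}$">\n'
            f"    SecRuleRemoveById {rule_id}\n"
            f"</LocationMatch>"
        )
    return "\n".join(blocks)

if __name__ == "__main__":
    print(scoped_exclusions(SAMPLE_LOG))
```

Review the generated block before including it in the domain's configuration, and load it after the rule set, since `SecRuleRemoveById` only affects rules that are already defined.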