mod_security false positive?

upsforum

Well-Known Member
Jul 27, 2005
473
0
166
I have this alert but the swf file is a my banner on my website

[Thu Feb 28 17:14:14 2013] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.domain .it"] [uri "/adv/300x250.swf"] [unique_id "[email protected]@[email protected]"]
 

arunsv84

Well-Known Member
Oct 20, 2008
373
1
68
127.0.0.1
cPanel Access Level
Root Administrator
Just whitelist the rule/id after logging to your server. If you have confiservermodsec plugin installed on server, you can disable the rule for the domain after logging to WHM >> Plugins >> ConfigServerModSec .

Otherwise you may use the .htaccess to whitelist the id/rule "950107" for the domain.

Cheers!!!