How is this modsec rule getting triggered?

Posted by BipedalShark on Server Fault
Published on 2010-05-06T01:29:28Z Indexed on 2010/05/06 1:38 UTC

I made a GET request to the URL, http://domain.tld/test/docs/index.php?create_table=1&step=2 and got a 403 response code. It turns out this modsec rule is getting triggered:

Access denied with code 403 (phase 2). Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" at ARGS:gltr_redir. [file "/opt/mod_security/10_asl_rules.conf"] [line "827"] [id "340153"] [rev "22"] [msg "Generic PHP code injection protection via ARGS 3"] [severity "CRITICAL"]

I would assume ARGS refers to GET/POST data, but there's no gltr_redir in the query string. And, being a GET request, there's obviously no POST data. So how is this rule being triggered?
