How is this modsec rule getting triggered?
Posted
by BipedalShark
on Server Fault
See other posts from Server Fault
or by BipedalShark
Published on 2010-05-06T01:29:28Z
Indexed on
2010/05/06
1:38 UTC
Read the original article
Hit count: 336
apache
|modsecurity
I made a GET request to the URL, http://domain.tld/test/docs/index.php?create_table=1&step=2
and got a 403 response code. It turns out this modsec rule is getting triggered:
Access denied with code 403 (phase 2). Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" at ARGS:gltr_redir. [file "/opt/mod_security/10_asl_rules.conf"] [line "827"] [id "340153"] [rev "22"] [msg "Generic PHP code injection protection via ARGS 3"] [severity "CRITICAL"]
I would assume ARGS refers to GET/POST data, but there's no gltr_redir in the query string. And, being a GET request, there's obviously no POST data. So how is this rule being triggered?
© Server Fault or respective owner