On Tue, May 22, 2012 at 3:17 PM, <retired1af@gmail.com> wrote:
I'm not getting very far with the software developers so I'm now appealing to the experts here to find a solution to my problem.

It appears mod_security is triggering on the word nmap within a forum post, preventing replies to the thread. Link is here: http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/

The mod_security log shows the following:

Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-Ajax-Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]


Hi,

It might be better to post this on the CRS mailing list, as the problem you're having is due to a false positive in the core rule set. In any case, there are a few ways you can whitelist this rule from firing, depending on which version of ModSecurity you're running. For details take a look at: http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

--
 - Josh
 
This is the first time I've run across this, but it seems to be a common occurrence with the XenForo software package. If a post contains a keyword as defined in the mod_security rules, replying to the thread is prevented.

Personally, I feel this is a software issue with XenForo. But I'm covering all my bases in my search for a fix.
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
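
Two ways to write the exception mentioned in the reply, as an added example that is not part of the original thread. The rule id and header name come from the log entry quoted in the post; the `/forum/` path prefix and the ModSecurity version split are assumptions.

```apache
# Added example. Rule id 959006 and the X-Ajax-Referer header are taken
# from the quoted log entry. Both directives must be read after the rule
# itself has been loaded (modsec2.user.conf, line 149, in the log).

# Option 1 (assumes ModSecurity 2.6 or later): keep rule 959006 active for
# every other target, but stop it from inspecting the one header that
# matched. Per the log, the matched data "/nmap-" was in this header.
SecRuleUpdateTargetById 959006 "!REQUEST_HEADERS:X-Ajax-Referer"

# Option 2 (for releases without SecRuleUpdateTargetById): remove the rule
# for the forum path only. This is the broader exception: rule 959006 no
# longer checks any target for requests under this prefix.
# The "^/forum/" prefix is assumed from the thread URL in the post.
<LocationMatch "^/forum/">
    SecRuleRemoveById 959006
</LocationMatch>
```

Use one option, not both. Option 1 leaves the command injection check in place for request parameters and the remaining headers, so it is the narrower change.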