These look like rules from gotroot based on the rule IDs.

The false positive here is due to the rule looking in the request FILENAME variable for the ".cookie" string. This matched on - 

/clients/dynatree-1.2.1/jquery/jquery.cookie.js 

So you will want to add an exception to remove this variable from inspection -

SecRuleUpdateTargetById 1234123404 !REQUEST_FILENAME

As an FYI - there is a low possibility of a real attack on request FILENAME and a high false positive rate. This is why we removed that from the OWASP CRS - 

Might want to consider using those. 

Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs
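
Added example, not part of the original thread: Python that pulls the three fields the reply above relies on (rule id, matched variable, matched data) out of ModSecurity denial messages, counts them, and prints the exception in the directive form used above. The function names and the second sample line are assumptions made for illustration; the first sample line is the denial message quoted in this thread with its pattern shortened.

```python
import re
from collections import Counter

# Variable the operator matched on, e.g. `..." at REQUEST_FILENAME. [file ...`
TARGET_RE = re.compile(r'" at (\S+?)\. \[')
# Bracketed metadata such as [id "1234123404"] or [data ".cookie"]
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denial(line):
    """Return id, target and data from one denial message, or None."""
    m = TARGET_RE.search(line)
    if m is None:
        return None
    # Read metadata only after the target so the logged pattern is skipped.
    meta = dict(META_RE.findall(line, m.end() - 1))
    if "id" not in meta:
        return None
    return {"id": meta["id"], "target": m.group(1), "data": meta.get("data", "")}

def summarize(lines):
    """Count denials per (rule id, matched variable, matched data)."""
    hits = Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            hits[(d["id"], d["target"], d["data"])] += 1
    return hits

def exclusion_for(rule_id, target):
    """Build the exception; log content is untrusted, so validate it first."""
    if not rule_id.isdigit() or not re.fullmatch(r"[A-Z_]+(?::[\w.-]+)?", target):
        raise ValueError("unexpected rule id or variable name")
    return f"SecRuleUpdateTargetById {rule_id} !{target}"

SAMPLE = [
    # Message quoted in this thread, pattern shortened.
    r'Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b ..." '
    r'at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    r'[line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] '
    r'[data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]',
    # Constructed unrelated line; it must be ignored.
    "[notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    for (rule_id, target, data), n in summarize(SAMPLE).most_common():
        print(f"{n}x rule {rule_id} on {target} (matched {data!r})")
        print("  " + exclusion_for(rule_id, target))
```

Review each printed line before adding it to the configuration; the exception has to be loaded after the rule it modifies.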

On Jul 17, 2013, at 6:02 PM, "Dave Roe ►Direct 202-369-1455" <Dave@3dr360.com> wrote:


I have posted the apache log file for an account that experienced the issue earlier today here (thedonaldsongroup.com):

Again, I am using the default rules for Mod Security.  I am interested in knowing which of the default rules I need to disable or remove to allow for the use of cookies.

I have uploaded a screen shot of the Mod Security log that shows the activity here:

I am specifically interested in preventing this rule from running:

Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]

Whatever help you can offer would be greatly appreciated.

Thank you.


David Roe | Direct 202-369-1455
CERTIFIED Google AdWords Partner | 360 Virtual Tour Photography | Mobile Web | SMS

-----Original Message-----
From: Reindl Harald [mailto:h.reindl@thelounge.net]
Sent: Wednesday, July 17, 2013 5:29 PM
To: Mailing-List mod_security
Subject: Re: [mod-security-users] Question...

why do you not reply to the list?
*you* need to know where *your* logfiles are configured

Am 17.07.2013 23:27, schrieb Dave Roe ►Direct 202-369-1455:

I apologize...you could send me a link to the apache log file?
I don't know where that is -


David Roe | Direct 202-369-1455
CERTIFIED Google AdWords Partner | 360 Virtual Tour Photography |
Mobile Web | SMS

-----Original Message-----
From: Reindl Harald [mailto:h.reindl@thelounge.net]
Sent: Wednesday, July 17, 2013 2:05 PM
To: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] Question...

Am 17.07.2013 18:57, schrieb Dave Roe ►Direct 202-369-1455:
I have a simple question.

I am wondering which of the default configuration rules I need to
disable to allow one of my custom apps to set cookies?

Right now we are getting a 406 error

any answer would be easier if you would post the error message in the
apache logfile so we know *what* rule
