[mod-security-users] ModSecurity 2.5.5 and Wordpress 2.5.1 issue
From: cassy s. <cas...@gm...> - 2008-06-22 21:30:54
I'm getting these 2 errors with modsecurity 2.5.5 and Wordpress 2.5.1:

[Sun Jun 22 11:07:54 2008] [error] [client 192.168.1.1] ModSecurity: Warning. Operator EQ matched 0 at GLOBAL. [file "/etc/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"] [hostname "www.bloglocal.com"] [uri "/wp-includes/js/tinymce/tiny_mce_config.php"] [unique_id "NLEVC38AAQEAABnaA2MAAAAF"]

[Sun Jun 22 11:08:57 2008] [error] [client 192.168.1.1] ModSecurity: Warning. Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at ARGS:content. [file "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.bloglocal.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "OHc3nX8AAQEAABncBMkAAAAH"]

--------------------------

The first one corresponds to:

SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"

aka: Outbound compressed content will be logged once, to alert the user

Should I just ignore this?

--------------------------

The second one corresponds to:

#
# XSS
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

Can I put a line like this before it to prevent this error from coming up?

SecRule REQUEST_URI "^/wp-admin/" nolog,pass,skip:1

--------------

Thanks in advance!

Cassy
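
An added example, not part of the original post: a small Python parser for the alert format quoted above. It tallies alerts by rule id, URI and matched variable, so any exclusion can be scoped to what actually fires. The first two sample lines are trimmed from the alerts in the post (regex abbreviated), the third is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# [key "value"] pairs that ModSecurity appends to each alert line
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator matched, e.g. "at ARGS:content. [file ..."
TARGET = re.compile(r'\bat ([A-Z_]+(?::\S+?)?)\. \[file ')

# Lines 1-2 trimmed from the post's alerts; line 3 is constructed.
SAMPLE = [
    r'[Sun Jun 22 11:07:54 2008] [error] [client 192.168.1.1] ModSecurity: '
    r'Warning. Operator EQ matched 0 at GLOBAL. '
    r'[file "/etc/modsecurity/modsecurity_crs_30_http_policy.conf"] '
    r'[line "120"] [id "960903"] [severity "WARNING"] '
    r'[uri "/wp-includes/js/tinymce/tiny_mce_config.php"]',
    r'[Sun Jun 22 11:08:57 2008] [error] [client 192.168.1.1] ModSecurity: '
    r'Warning. Pattern match "(?:\\b(?:iframe\\b.{0,100}?\\bsrc) ..." '
    r'at ARGS:content. '
    r'[file "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] '
    r'[line "102"] [id "950004"] [data "src=\\x22http:"] '
    r'[severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] '
    r'[uri "/wp-admin/admin-ajax.php"]',
    r'[Sun Jun 22 11:09:00 2008] [notice] unrelated Apache line',
]

def parse_alert(line):
    """Return the fields of one ModSecurity alert line, or None."""
    if "ModSecurity:" not in line:
        return None
    alert = {}
    for key, value in FIELD.findall(line):
        alert.setdefault(key, value)  # [tag] may repeat; keep the first
    match = TARGET.search(line)
    alert["target"] = match.group(1) if match else None
    return alert

def summarize(lines):
    """Count alerts per (rule id, URI, matched variable)."""
    alerts = filter(None, map(parse_alert, lines))
    return Counter((a.get("id"), a.get("uri"), a["target"]) for a in alerts)

if __name__ == "__main__":
    for (rule_id, uri, target), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  id={rule_id}  uri={uri}  target={target}")
```

On the sample, rule 950004 is shown firing only on `ARGS:content` of `/wp-admin/admin-ajax.php`, a much narrower scope than everything under `/wp-admin/`.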