mod_security warning Pattern match

Posted: Thu Nov 16, 2006 7:30 am

not sure what this means but im seeing it a lot in my error logs.

Code:




[Tue Nov 14 14:26:18 2006] [error] [client 67.149.248.70] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mysite.com"] [uri "/modules.php?name=Your_Account"]

As i am just learning about php & nuke and i know next to nothing about apache so i thought i would ask you guys if you know whats causing this.
it looks to me like something in the Y A module.

I recently added a few charactors to the module/your account/index.php in order to have users not get the invalid username error. this is what the index.php looks like after adding a space and the ( ) charactors.

"if ((!$username) || (empty($username)) || (ereg("[^a-zA-Z0-9_ ()-]",$username)))"

all help appreciated. thanks

Sells PC To Pay For Divorce Joined: Posts: 5661

maybe this helps...

http://www.ravenphpscripts.com/postt8572.html

Posted: Thu Nov 16, 2006 7:49 am

Thanks for that link hitwalker, ill try to ask my host which is "Ipowerweb" about this. i have to say i dont really have a problem with Ipowerweb but im sure there tech support could be more knowledgeable about php/nuke.

I would be happy to move to ravens hosting if he can give me 100 gigs of space and 500 gigs of Xfer or more as long as the latency to the site is good.

Posted: Thu Nov 16, 2006 9:03 am

Your mod_security problem is unlikely to be related to a your_account problem. Mod_security (as I understand it) is a "filter" that is applied by your host prior to a client's request ever getting to your site. So, in a case like Ipowerweb, all the sites (and there may be many) on a given server ... and probably on all their servers ... are being filtered the same way thru mod_security. You can call their tech support but it is unlikely that they will change anything for you. They take a cookie cutter approach to things and are unlikely to change mod_security for any one client.

Posted: Thu Nov 16, 2006 9:43 am

well maybe,maybe not but the other topics deals with the same problem....and also ipowerweb , also known as ipowernothing.

registered · Posted: Fri Nov 17, 2006 6:10 am

Just ran across this from another post by kguske, but not sure your host will let you do this. Try adding this code to your .htaccess:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

However, doubtful your host will allow this and also you lost the extra "protection". Just thought I'd share it in case it actually could be useful.

Posted: Fri Nov 17, 2006 6:36 am

i was just wondering what the mod security warning was all about.
unless its insecure or is causing something to happen that shoudn't or causes other problems, i guess i dont need to do anything about it. Do i ?.... Confused

Posted: Fri Nov 17, 2006 7:52 am

The warning is 'exactly what it says on the tin' - a url was passed to your site which matched a pattern listed in mod_security.
If you think about how Nuke Sentinel works for script blocking - it looks for matches against known hacks in the uri and if it finds them, it blocks them.

mod_security is slightly more complex and it is run at server level but the principle is similar.

Posted: Fri Nov 17, 2006 9:39 am

Thanks for clearing that up for me Guardian2003. Wink

Posted: Fri Nov 17, 2006 10:02 am

No problem.
The reason you see the errors in your server log (and no where else) is because the message is generated at server level (by the server) and not the website itself.

Posted: Fri Nov 17, 2006 8:12 pm

IMO as Im no guru, but I do believe somewhere it is trying to create:
http://www.mysite.com//modules.php?name=Your_account.

Notice the 2 slashes instead of just one, Ive tested this on my system and it seems to throw up the warnings as well.
Hopefully this will help.