ModSecurity is an open source web application firewall. Working embedded in the web server, or standalone as a network appliance, it detects and prevents attacks against web applications. ModSecurity is most often embedded in the Apache web server to block malicious requests to the server. But recently I found an annoying false positive block with ModSecurity. The error looks like this:
Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:review[]" required. [file "/usr/local/apache/conf/modsec2/10_asl_rules.conf"] [line "497"] [id "340162"] [rev "287"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http://www.ivankristianto.com/save-your-gmail-inbox-space-by-delete-old-attachments/"] [severity "CRITICAL"]
I created a test case that you can try [here](http://www.ivankristianto.com/examples/modescurity/): if you submit a URL with http://, you will get a 403: Forbidden error. But if you submit a URL without http://, it will work.
So far I cannot solve this without turning off ModSecurity, which I won't do. The only workaround is that, on submit, I remove the http:// via JavaScript.
If you know how, please let me know via the comment form below. Thanks.
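For triaging a block like the one logged above, this added example (not part of the original post) parses ModSecurity's "Access denied" message into its fields and counts blocks per rule id and matched variable. The first sample line is the one from the post; the other two are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# First line is the log entry quoted in the post; the other two are constructed samples.
SAMPLE_LOG = [
    'Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:review[]" required. [file "/usr/local/apache/conf/modsec2/10_asl_rules.conf"] [line "497"] [id "340162"] [rev "287"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http://www.ivankristianto.com/save-your-gmail-inbox-space-by-delete-old-attachments/"] [severity "CRITICAL"]',
    'Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:review[]" required. [file "/usr/local/apache/conf/modsec2/10_asl_rules.conf"] [line "497"] [id "340162"] [rev "287"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http://example.com/constructed/"] [severity "CRITICAL"]',
    'Access denied with code 403 (phase 2). Pattern match "select.+from" at ARGS:q. [file "/etc/constructed/rules.conf"] [line "10"] [id "999001"] [msg "Constructed rule"] [severity "CRITICAL"]',
]

# Leading sentence: status code, phase, then the operator detail up to the first [key "value"] tag.
HEAD = re.compile(r'Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)\. '
                  r'(?P<detail>.*?)(?= \[\w+ ")')
# Trailing metadata tags such as [id "340162"]; a repeated key keeps its last value.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Negated operators log: against "VAR" required.  Positive matches log: at VAR.
VAR_NEGATED = re.compile(r'against "([^"]+)" required')
VAR_POSITIVE = re.compile(r' at (\S+)\.$')


def parse_line(line):
    """Return the fields of one ModSecurity block message, or None if it is not one."""
    head = HEAD.search(line)
    if not head:
        return None
    record = dict(TAG.findall(line))
    detail = head.group("detail")
    var = VAR_NEGATED.search(detail) or VAR_POSITIVE.search(detail)
    record.update(status=int(head.group("status")), phase=int(head.group("phase")),
                  variable=var.group(1) if var else None)
    return record


def tuning_candidates(lines):
    """Count blocks per (rule id, variable), most frequent first."""
    hits = Counter()
    for line in lines:
        record = parse_line(line)
        if record and record.get("id"):
            hits[(record["id"], record["variable"])] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (rule_id, variable), count in tuning_candidates(SAMPLE_LOG):
        print(f"rule {rule_id} on {variable}: {count} block(s)")
```

The resulting pair (rule `340162`, variable `ARGS:review[]`) is what a scoped exclusion needs, for instance with the `SecRuleUpdateTargetById` or `SecRuleRemoveById` directives, rather than disabling the engine.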