Isabella gets me blacklisted immediately
Posted: Thu Oct 25, 2012 3:32 am
by Andrew Prior
Does anyone else have this problem? (Obviously I have disguised my IP address)
Hi Andrew,
I have checked and found that the IP address was behind the server firewall.
203.x.x.x # lfd: (mod_security) mod_security triggered by 203.x.x.x (AU/Australia/pppx-x.static.internode.on.net): 5 in the last 300 secs - Thu Oct 25 09:45:04 2012
The Apache module identified the request from your IP as suspicious and blocked the IP on the server for better security.
[Thu Oct 25 09:45:01 2012] [error] [client 203.x.x.x] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "120"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "118.88.27.90"] [uri "/~USERNAME/admin/themes/OneEleven/includes/jquery.cookie.min.js"] [unique_id "UIh9fXZYG1oAAFCyTowAAAAE"]
Please ensure that the file admin/themes/OneEleven/includes/jquery.cookie.min.js is updated or correct. The firewall on the server is considering it suspicious.
We have not received any complaints from other clients, but I think it's related to the One Eleven theme; you can discuss it with the theme vendor.
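Added example, not part of the original posts or the host's tooling: a Python sketch that parses error-log lines in the format quoted above, counts hits per client against the "5 in the last 300 secs" threshold shown in the lfd line, and flags matches on REQUEST_FILENAME where the matched data is simply part of a static asset's name. The sample lines, the 192.0.2.10 and 198.51.100.7 addresses, the static-extension list and the way hits are counted within the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

HEAD = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] ModSecurity: ')
TARGET = re.compile(r'" at ([\w:]+)\. \[')      # variable the rule matched on
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')      # [id "..."], [data "..."], [uri "..."]
STATIC_EXT = (".js", ".css")                    # assumption: served as static files

def parse(line):
    """Turn one ModSecurity error-log line into a dict, or None if it is not one."""
    head = HEAD.match(line)
    if not head:
        return None
    event = dict(FIELD.findall(line))
    event["time"] = datetime.strptime(head[1], "%a %b %d %H:%M:%S %Y")
    event["client"] = head[2]
    target = TARGET.search(line)
    event["variable"] = target[1] if target else None
    return event

def triage(lines, threshold=5, window=300):
    """Return (clients reaching the block threshold, likely false positives)."""
    hits, candidates = defaultdict(list), set()
    for ev in filter(None, map(parse, lines)):
        hits[ev["client"]].append(ev["time"])
        uri, data = ev.get("uri", ""), ev.get("data", "")
        # Heuristic (assumption): the rule fired on the file name itself and
        # the matched text is a literal part of a static asset's path.
        if (ev["variable"] == "REQUEST_FILENAME" and data and data in uri
                and uri.endswith(STATIC_EXT)):
            candidates.add((ev.get("id"), data, uri))
    blocked = set()
    for client, times in hits.items():
        times.sort()
        # Sliding window: `threshold` hits no more than `window` seconds apart.
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window
               for i in range(len(times) - threshold + 1)):
            blocked.add(client)
    return blocked, candidates

# Constructed sample: five hits shaped like the quoted one, plus an unrelated hit.
SAMPLE = [
    f'[Thu Oct 25 09:45:0{s} 2012] [error] [client 192.0.2.10] ModSecurity: Access '
    'denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. '
    '[id "950004"] [data ".cookie"] '
    '[uri "/~USERNAME/admin/themes/OneEleven/includes/jquery.cookie.min.js"]'
    for s in range(5)
] + ['[Thu Oct 25 09:50:00 2012] [error] [client 198.51.100.7] ModSecurity: Access '
     'denied with code 406 (phase 2). Pattern match "..." at ARGS:q. '
     '[id "950004"] [data "<script"] [uri "/index.php"]']

if __name__ == "__main__":
    print(triage(SAMPLE))
```
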
Re: Isabella gets me blacklisted immediately
Posted: Thu Oct 25, 2012 3:55 am
by Andrew Prior
Further to this:
at http://forums.cpanel.net/f5/mod_securit ... 19742.html I find the following post:
Hi,
I am using a WordPress plugin called WP Super Popup that has been blocked by mod_security
The logs for an example are:
"[Sun Jul 10 11:17:42 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8RlFcy0gAABYIRmsAAAAH"]
[Sun Jul 10 11:18:56 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kFFcy0gAABYIRnkAAAAH"]
[Sun Jul 10 11:18:57 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.badooporcas.com"] [uri "/wp-content/plugins/wp-super-popup/jquery.cookie-min.js"] [unique_id "Thl8kVFcy0gAAA6fYAQAAAAV"]
[Sun Jul 10 11:18:59 2011] [error] [client 83.132.3.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "1....etc"
I have contacted the author and I got the following reply:
The warning by mod_security is a known issue due to a false positive:
the plugin has a js script called "jquery.cookie-min.js" and mod_sec
identifies the word "cookie" as a hack trial. On the next version of
the plugin I'll just release the jquery cookie plugin with a different
name
Re: Isabella gets me blacklisted immediately
Posted: Thu Oct 25, 2012 4:15 am
by calguy1000
mod_security is such a piece of $#it firewall that it is not supported by CMSMS. Never has been.
No way arbitrary firewall rules implemented by <some isp> can be our problem.
Re: Isabella gets me blacklisted immediately
Posted: Thu Oct 25, 2012 4:57 am
by Andrew Prior
I wouldn't have said FLUCCs was just "some isp", but I see the problem.
Re: Isabella gets me blacklisted immediately FROM MY HOSTING
Posted: Thu Oct 25, 2012 5:28 am
by Andrew Prior
Andrew
Thanks for the info.....
I am not sure who the developer is, but comments like the ones he has made are half the reason why a lot of scripts out there are hacked and insecure, and why it's a constant ongoing drama to keep servers secure.
I should also point out that Mod Security is not a firewall, as he seems to think.
We run the rule that has been the cause of the problem to prevent this from occurring, and have done for years.
We have also seen first hand the damage that can be done on a server where a hacker has managed to inject via this file, and it's not pretty.
I have whitelisted this rule for this site on the server, which should resolve the problem for the time being; however, I would suggest you get the script upgraded to the latest version and also upgrade jQuery, as it's jQuery that's the cause of the problem here, and older versions have some massive holes in them and can do a lot of damage to a server if someone gains access through the flaws in earlier releases of it.
Regards
Steve Kemp
Fluccs - Australia's Online Solution
Re: Isabella gets me blacklisted immediately
Posted: Fri Oct 26, 2012 2:42 pm
by calguy1000
Not to get into a pissing match, but:
a: mod_security IS a firewall by definition and advertised as such on modsecurity.org
b: Some stats:
- CMSMS 1.11.x has been downloaded ~8000 times since release
- Well over 1000 CMSMS 1.11.x sites are administered every day
- You are the FIRST to report this specific problem wrt mod_security and 1.11.x
(or any mod_security problem wrt the jquery stuff in 1.11.x)
This means to me that your host implements arbitrary firewall rules.