scripts/pages violating mod security rules

Project: Javascript Tools
Version: 6.x-1.x-dev
Component: Jstools core
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active

Issue Summary

One of my sites was shut down several times over the past few days.
One of the tech support peeps sent me the following info:

It seems one of your scripts/pages is violating mod security rules.

[Fri Jun 06 02:13:36 2008] [error] [client 67.180.214.246] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\\\b\\\\W*?=|abort\\\\b)|(?:l(?:owsrc\\\\b\\\\W*?\\\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\\\b\\\\W*? ..." at REQUEST_FILENAME. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <.cookie>"] [severity "CRITICAL"] [hostname "xxxxx.xxxxxxxxxx.com"] [uri "/sites/all/modules/jstools/jquery.cookie.js"] [unique_id "M1EkpEo2R4cAACvitCsAAAAg"]

- thanks and good luck!

Comments

#1

Thanks for the note. The jQuery cookie plugin is externally maintained. Could you try the latest version and see if the problem persists (and if there are new problems)?

See:
* http://plugins.jquery.com/project/cookie
* http://jquery.com/dev/svn/trunk/plugins/cookie/jquery.cookie.js?format=txt

#2

Thanks, I'll give that a go.

#3

As your message says "Matched signature <.cookie>", mod_security trips up over the .cookie in the name of the jQuery cookie JS file. Simply rename the JS file and adjust the module code to use the new name.

#4

Sepulman,

Sounds like a logical fix... where do I do that? Rename the file located in the module file? Then in the module itself?

#5

Version: 5.x-1.1 » 6.x-1.x-dev

Hi, I can find other pages related to this issue. Mine is slightly different not sure, it's related to JS.

Access denied with code 406 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack. Matched signature <1=1>"] [severity "CRITICAL"]

For now, I have the rule removed, not sure either that's a good idea!
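
A triage sketch for the two denials quoted in this thread, added here as an example and not code from any participant or from the Javascript Tools project: it pulls the rule id, matched variable, signature and URI out of ModSecurity "Access denied" lines and separates a match on a static file's own name (the diagnosis in comment #3) from a match inside cookie data. The sample lines are constructed from the excerpts above with the long pattern shortened to "...", and the function names and triage labels are assumptions of this example.

```python
import re

# Constructed sample: the two denials quoted in this thread, with the long
# "Pattern match" regex shortened to "..." so the lines stay readable.
SAMPLE_LOG = [
    '[Fri Jun 06 02:13:36 2008] [error] [client 67.180.214.246] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <.cookie>"] [severity "CRITICAL"] [hostname "xxxxx.xxxxxxxxxx.com"] [uri "/sites/all/modules/jstools/jquery.cookie.js"] [unique_id "M1EkpEo2R4cAACvitCsAAAAg"]',
    'Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack. Matched signature <1=1>"] [severity "CRITICAL"]',
]

TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')            # [id "950004"], [uri "..."]
VAR_RE = re.compile(r'" at ([A-Z_]+(?::[\w-]+)?)\.')   # variable the rule matched in
SIG_RE = re.compile(r'Matched signature <(.*?)>')      # text that tripped the rule
STATIC_EXT = (".js", ".css", ".png", ".gif", ".jpg")   # assumption: static assets


def parse_denial(line):
    """Return the fields of one 'Access denied' line, or None if it is not one."""
    if "Access denied" not in line:
        return None
    tags = dict(TAG_RE.findall(line))
    var = VAR_RE.search(line)
    sig = SIG_RE.search(tags.get("msg", ""))
    return {
        "id": tags.get("id"),
        "variable": var.group(1) if var else None,
        "signature": sig.group(1) if sig else None,
        "uri": tags.get("uri"),          # absent when the excerpt omits it
    }


def triage(hit):
    """Heuristic label (an assumption of this example): where did the rule match?"""
    var, uri, sig = hit["variable"] or "", hit["uri"] or "", hit["signature"] or ""
    # Signature text is part of a static file's own name: nothing user-supplied.
    if var == "REQUEST_FILENAME" and uri.endswith(STATIC_EXT) and sig and sig in uri:
        return "path-only match on static file"
    # Cookie content comes from the client: find which cookie before relaxing.
    if var.startswith(("REQUEST_HEADERS:Cookie", "REQUEST_COOKIES")):
        return "match inside cookie data"
    return "needs manual review"


if __name__ == "__main__":
    for hit in filter(None, map(parse_denial, SAMPLE_LOG)):
        print(hit["id"], hit["variable"], repr(hit["signature"]), "->", triage(hit))
```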