modsecurity warnings

mdw

Guppy
I keep getting these errors when running the admin script for a storefront:

[Mon Jun 01 21:09:46 2009] [error] [client 70.146.99.44] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\\\\bhttp\\\\/(?:0\\\\.9|1\\\\.[01])|<(?:html|meta)\\\\b)" at ARGS:content. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <<html>"] [severity "ALERT"] [hostname "www.elisecosmetics.com"] [uri "/admin.php"] [unique_id "SiR72UBH5fwAAFFEcgYAAAAU"]

[Mon Jun 01 21:24:07 2009] [error] [client 70.146.99.44] ModSecurity: Output filter: Error while forwarding response data (104): Connection reset by peer [hostname "www.elisecosmetics.com"] [uri "/admin.php?target=settings"] [unique_id "SiR-NUBH5fwAAFpwKDwAAAAR"]

Is this because safe mode is on? Something else?
 
One more example:

[Mon Jun 01 21:29:04 2009] [error] [client 70.146.99.44] ModSecurity: Output filter: Error while forwarding response data (104): Connection reset by peer [hostname "www.elisecosmetics.com"] [uri "/admin.php?target=settings"] [unique_id "SiSAW0BH5fwAAGF6ImUAAAAk"]
 
The mod_security settings are pretty tough nowadays. I have to ask for exceptions whenever I set up any sort of CMS-based site. Submit a ticket and give them an approximate time when you attempted to make some sort of update; they'll investigate the logs at that time and determine which exception to make. It will take a few tries as various actions get blocked for various reasons. Eventually they always get it right for my sites, so I'm sure they can do it for you too.

Tim
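
An added example, not part of either post above: a Python parser that pulls out of log lines like the ones quoted in this thread the fields a host needs to locate a blocked request (time, rule id, matched variable, URI, unique_id), and separates rule blocks from output-filter errors that carry no rule id. The function names are hypothetical; the sample lines are the first two from the original post.

```python
import re
from datetime import datetime

# The first two log lines from the original post, copied verbatim.
SAMPLE_LOG = [
    r'[Mon Jun 01 21:09:46 2009] [error] [client 70.146.99.44] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\\\\bhttp\\\\/(?:0\\\\.9|1\\\\.[01])|<(?:html|meta)\\\\b)" at ARGS:content. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <<html>"] [severity "ALERT"] [hostname "www.elisecosmetics.com"] [uri "/admin.php"] [unique_id "SiR72UBH5fwAAFFEcgYAAAAU"]',
    r'[Mon Jun 01 21:24:07 2009] [error] [client 70.146.99.44] ModSecurity: Output filter: Error while forwarding response data (104): Connection reset by peer [hostname "www.elisecosmetics.com"] [uri "/admin.php?target=settings"] [unique_id "SiR-NUBH5fwAAFpwKDwAAAAR"]',
]

HEADER = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] ModSecurity: (.*)$')
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # trailing [key "value"] pairs
DENIED = re.compile(r'Access denied with code (\d+) \(phase (\d)\)')
TARGET = re.compile(r'" at ([A-Z_]+(?::\S+?)?)\. \[')  # e.g. ARGS:content


def parse_line(line):
    """Parse one ModSecurity entry from an Apache error log; None if not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    stamp, client, body = m.groups()
    entry = {"time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), "client": client}
    entry.update(META.findall(body))
    denied, target = DENIED.search(body), TARGET.search(body)
    if denied and "id" in entry:
        # A rule fired and the request was refused: this is an exception candidate.
        entry.update(kind="rule_block", status=int(denied.group(1)),
                     phase=int(denied.group(2)),
                     target=target.group(1) if target else None)
    elif body.startswith("Output filter:"):
        # No rule id: the response could not be forwarded (connection reset).
        entry["kind"] = "output_error"
    else:
        entry["kind"] = "other"
    return entry


def ticket_lines(log_lines):
    """One line per rule block, with the fields a host needs to find it."""
    out = []
    for e in filter(None, map(parse_line, log_lines)):
        if e["kind"] == "rule_block":
            out.append(f'{e["time"]:%Y-%m-%d %H:%M:%S} rule {e["id"]} on '
                       f'{e["target"]} uri={e["uri"]} unique_id={e["unique_id"]}')
    return out


if __name__ == "__main__":
    print("\n".join(ticket_lines(SAMPLE_LOG)))
```

Only the first sample line produces a ticket line; the "Output filter" entry is reported as `output_error` because it names no rule to except.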
 