GetSimple Support Forum

Full Version: theme-edit, mod_security and xss injection attacks
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
My host has anti-xss attack security, which is fairly typical these days.
Which is causing me this problem when editing theme files.

mod_security: Access denied with code 403. Pattern match "<( |\\\\n)*script" at POST_PAYLOAD
[uri "/getsimple/admin/theme-edit.php?t=title&f=sidebar.php"] [unique_id "TnClK6wUChQAABaEgdA"]

I am still waiting on my work ticket, but I beleive this is caused by using actual script filenames as post or get variables. Typically this should always be avoided to prevent xss attacks and WILL cause false positives in detection software.

You should NEVER use real filenames as user variables in an querystring.

Does anyone have any suggestions to modify this to unique ids instead ?

Also can I suggest this be considered for change in future versions ?
Ok I jumped the gun on that, I still don't like the filename thing, Ive been locked down for stuff like that before.

But

Its actually the <Script> tags being caught for injections with SecFilter.

Instead of deleting my post I will just post a solution when I have one.
Then why don't you edit theme files locally and upload via ftp ?
Editing code in textarea is clumsy, although there's a plugin which colorize the syntax.
If your host allows it, you can override mod_security per .htaccess file.

This for example will disable it based on a specific IP match and if POST data.

SetEnvIf Remote_Addr ^xxx\.xxx\.xxx\.xxx$ MODSEC_ENABLE=Off
SetEnvIf Request_Method !^POST$ MODSEC_ENABLE=On

If not then you may have to get your host to allow a whitelist.

There are ways which you can then specify unique ids or files to include or exclude.