GetSimple Support Forum
theme-edit, mod_security and xss injection attacks - Printable Version

Thread: theme-edit, mod_security and xss injection attacks (/showthread.php?tid=2185)


theme-edit, mod_security and xss injection attacks - shawn_a - 2011-09-14

My host has anti-xss attack security, which is fairly typical these days.
Which is causing me this problem when editing theme files.

mod_security: Access denied with code 403. Pattern match "<( |\\\\n)*script" at POST_PAYLOAD
[uri "/getsimple/admin/theme-edit.php?t=title&f=sidebar.php"] [unique_id "TnClK6wUChQAABaEgdA"]

I am still waiting on my work ticket, but I believe this is caused by using actual script filenames as post or get variables. Typically this should always be avoided to prevent xss attacks and WILL cause false positives in detection software.

You should NEVER use real filenames as user variables in a querystring.

Does anyone have any suggestions to modify this to unique ids instead?

Also can I suggest this be considered for change in future versions?


theme-edit, mod_security and xss injection attacks - shawn_a - 2011-09-14

Ok I jumped the gun on that, I still don't like the filename thing, I've been locked down for stuff like that before.

But

It's actually the <Script> tags being caught for injections with SecFilter.

Instead of deleting my post I will just post a solution when I have one.
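
As an added example (not code from the thread or from the GetSimple project), the following Python emulates the SecFilter check from the 403 message against constructed sample requests. It shows what the posts above establish: the pattern "<( |\n)*script" fires on the POST payload of a legitimate theme file that happens to contain a <script> tag, and not on the filename carried in the query string. The theme-file contents, the form field name `content`, and the matching being case-insensitive and applied to the URL-decoded form fields are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus, urlencode

# The pattern quoted in the 403 message. The log line shows the backslash
# doubled ("<( |\\\\n)*script"); the rule itself is `<( |\n)*script`: a '<',
# any run of spaces or newlines, then "script". Case-insensitive matching is
# an assumption, made because the thread reports "<Script>" being caught.
SCRIPT_TAG = re.compile(r"<( |\n)*script", re.IGNORECASE)

# Assumed admin URI: the query string carries a real filename, as in the 403.
THEME_EDIT_URI = "/getsimple/admin/theme-edit.php?t=title&f=sidebar.php"


def normalize(raw_body):
    """Decode an application/x-www-form-urlencoded body into field values.

    Assumption: the WAF inspects the decoded form fields. A browser posts a
    textarea as `content=%3Cscript%3E...`, so decoding happens before the
    pattern is applied, otherwise a literal '<' could never be seen.
    """
    fields = {}
    for pair in raw_body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def inspect(uri, raw_body):
    """Return the request location the pattern matches in, or None if it passes."""
    for value in normalize(raw_body).values():
        if SCRIPT_TAG.search(value):
            return "POST_PAYLOAD"
    _path, _, query = uri.partition("?")
    if SCRIPT_TAG.search(unquote_plus(query)):
        return "QUERY_STRING"
    return None


# Constructed sample bodies (not real GetSimple traffic), each posted as the
# single form field `content`, the way a theme editor textarea would submit.
SAMPLES = {
    # A legitimate theme file that embeds a <script> tag: the false positive.
    "theme_with_script": urlencode(
        {"content": '<?php get_header(); ?>\n<script src="/js/menu.js"></script>\n'}
    ),
    # The same file without a script tag: passes.
    "theme_plain": urlencode(
        {"content": "<?php get_header(); ?>\n<ul><li>Home</li></ul>\n"}
    ),
    # Tag split across a newline, which the ( |\n)* part of the pattern covers.
    "split_tag": urlencode({"content": "<\nscript>alert(1)</script>"}),
    # Entity-encoded tag: there is no literal '<', so this pattern misses it.
    "entity_encoded": urlencode(
        {"content": "&lt;script&gt;alert(1)&lt;/script&gt;"}
    ),
}


def run_samples():
    """Map each sample name to the location the rule would block on."""
    return {name: inspect(THEME_EDIT_URI, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, location in run_samples().items():
        print(f"{name:>18}: {'403 at ' + location if location else 'allowed'}")
```

The `entity_encoded` case is only a statement about this literal pattern, not about what any particular mod_security version normalizes; it illustrates why a signature of this kind blocks honest theme markup while still being easy to sidestep.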


theme-edit, mod_security and xss injection attacks - yojoe - 2011-09-15

Then why don't you edit theme files locally and upload via FTP?
Editing code in a textarea is clumsy, although there's a plugin which colorizes the syntax.


theme-edit, mod_security and xss injection attacks - shawn_a - 2011-09-15

If your host allows it, you can override mod_security per .htaccess file.

This, for example, will disable it based on a specific IP match and only for POST data.

SetEnvIf Remote_Addr ^xxx\.xxx\.xxx\.xxx$ MODSEC_ENABLE=Off
SetEnvIf Request_Method !^POST$ MODSEC_ENABLE=On

If not then you may have to get your host to allow a whitelist.

There are ways in which you can then specify unique ids or files to include or exclude.
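
As an added example (not from the thread or the GetSimple project), the following Python evaluates the two SetEnvIf lines from the post the way mod_setenvif does: directives are applied in the order written, each one that matches sets the variable, so a later match overrides an earlier one. The placeholder `xxx.xxx.xxx.xxx` is replaced with the assumed address 203.0.113.5, the second client address is likewise made up, and an absent MODSEC_ENABLE is treated as "enabled" (the default state the post is switching off). Only the `name=value` form of SetEnvIf and the two request attributes used here are modelled.

```python
import re

# The post's .htaccess fragment with the IP placeholder filled in (assumed).
HTACCESS = r"""
SetEnvIf Remote_Addr ^203\.0\.113\.5$ MODSEC_ENABLE=Off
SetEnvIf Request_Method !^POST$ MODSEC_ENABLE=On
"""

# SetEnvIf <attribute> <regex> <name>=<value>; a leading '!' on the regex
# means "set when the attribute does NOT match".
DIRECTIVE = re.compile(r"^\s*SetEnvIf\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_htaccess(text):
    """Parse SetEnvIf lines into (attribute, negate, regex, name, value) tuples."""
    rules = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        attribute, pattern, assignment = m.groups()
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        name, _, value = assignment.partition("=")
        # mod_setenvif matches unanchored, hence the ^...$ in the post matters:
        # without them ^203\.0\.113\.5 would also match 203.0.113.50.
        rules.append((attribute, negate, re.compile(pattern), name, value))
    return rules


def evaluate(rules, request):
    """Apply the directives in order to a request and return the resulting env."""
    env = {}
    for attribute, negate, regex, name, value in rules:
        subject = request.get(attribute, "")
        matched = regex.search(subject) is not None
        if matched != negate:
            env[name] = value          # later directives overwrite earlier ones
    return env


def modsec_enabled(rules, remote_addr, method):
    """True unless the env ends up as MODSEC_ENABLE=Off (absent means enabled)."""
    env = evaluate(rules, {"Remote_Addr": remote_addr, "Request_Method": method})
    return env.get("MODSEC_ENABLE", "On").lower() != "off"


def truth_table(rules):
    """Net effect of the fragment for the trusted IP and another client."""
    cases = [
        ("203.0.113.5", "POST"),   # trusted IP, form submit: rule 1 only -> Off
        ("203.0.113.5", "GET"),    # trusted IP, page view: rule 2 re-enables -> On
        ("198.51.100.7", "POST"),  # other client: nothing set -> default On
        ("198.51.100.7", "GET"),   # other client: rule 2 sets On explicitly
    ]
    return {case: modsec_enabled(rules, *case) for case in cases}


if __name__ == "__main__":
    for (addr, method), enabled in truth_table(parse_htaccess(HTACCESS)).items():
        print(f"{addr:>13} {method:<4} -> mod_security {'on' if enabled else 'OFF'}")
```

The table makes the caveat explicit: mod_security is only switched off for POST requests from the one listed address, and a trusted address alone is not enough, which is exactly the narrow exception wanted when the false positive is a form submit from the admin's own machine.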