theme-edit, mod_security and xss injection attacks
#1
My host has anti-XSS attack security, which is fairly typical these days.
It is causing me this problem when editing theme files.

mod_security: Access denied with code 403. Pattern match "<( |\\\\n)*script" at POST_PAYLOAD
[uri "/getsimple/admin/theme-edit.php?t=title&f=sidebar.php"] [unique_id "TnClK6wUChQAABaEgdA"]

I am still waiting on my work ticket, but I believe this is caused by using actual script filenames as POST or GET variables. Typically this should always be avoided to prevent XSS attacks and WILL cause false positives in detection software.

You should NEVER use real filenames as user variables in a querystring.

Does anyone have any suggestions to modify this to unique ids instead?

Also, can I suggest this be considered for change in future versions?
- Shawn A aka Tablatronix
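A way to triage the denial quoted in the post, as an added example that is not part of the original post or of GetSimple: it parses the log line, collapses the log's doubled backslashes (an assumption about how the log was escaped), and reports which fields of a request the rule's pattern matches. The POST field names and the sample theme body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Log line as quoted in the post (its two lines joined with a space).
LOG_LINE = (
    r'mod_security: Access denied with code 403. '
    r'Pattern match "<( |\\\\n)*script" at POST_PAYLOAD '
    r'[uri "/getsimple/admin/theme-edit.php?t=title&f=sidebar.php"] '
    r'[unique_id "TnClK6wUChQAABaEgdA"]'
)

DENIAL_RE = re.compile(
    r'Access denied with code (?P<status>\d+)\. '
    r'Pattern match "(?P<pattern>.*?)" at (?P<location>\w+)\s*'
    r'\[uri "(?P<uri>[^"]*)"\]\s*\[unique_id "(?P<unique_id>[^"]*)"\]'
)

def parse_denial(line):
    """Extract status, rule pattern, matched location, URI and request id."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Assumption: the log writer escaped backslashes, so a run of them
    # stands for the single backslash in the original rule.
    fields["pattern"] = re.sub(r'\\+', r'\\', fields["pattern"])
    return fields

def matching_fields(pattern, uri, post_fields):
    """Return the names of query/POST fields whose value matches the rule."""
    rx = re.compile(pattern)
    candidates = {"query:" + k: v for k, v in parse_qsl(urlsplit(uri).query)}
    candidates.update({"post:" + k: v for k, v in post_fields.items()})
    return sorted(name for name, value in candidates.items() if rx.search(value))

# Constructed request body: hypothetical field names, sample theme markup.
SAMPLE_POST = {
    "content": '<div id="sidebar">\n<script src="js/menu.js"></script>\n</div>',
    "submitsave": "Save Changes",
}

if __name__ == "__main__":
    denial = parse_denial(LOG_LINE)
    print(denial["location"], repr(denial["pattern"]))
    print(matching_fields(denial["pattern"], denial["uri"], SAMPLE_POST))
```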


Messages In This Thread
theme-edit, mod_security and xss injection attacks - by shawn_a - 2011-09-14, 23:40:30


