iframe triggering 340148

[aniagr]

Hi,

I have an ultrawebsitehosting.com account and apparently they use atomicorps. Recently I installed a wordpress theme that uses an iframe customizer and it has been blocking me at the firewall every time I try to customize something.

The hosting support people told me this:

"The security rule that was triggered was:
[Mon Sep 17 23:21:09 2012] [error] [client 24.22.185.91] Access denied with code 403 (phase 2). Pattern match "(< ((img iframe) src a href) (ogg|gopher|(ht|f)tps):/alert (< ((java|vb)script|applet|activex|chrome) >|" > |< /iframe|%env)" at ARGS:customized.
[id "340148"]
[msg "Atomicorp.com WAF Rules: Cross Site Scripting Attack"]
[severity "CRITICAL"] [hostname "agenciaempleadasdomesticas.com"] "

I contacted the people that sold me the Netix WP theme at WebfactoryLtd but they said
" Theme customizer is a built-in WP feature used on tens of thousand of servers and I've never heard it triggering a firewall rule. Yes, it uses iframes but it's a plain iframe, nothing special."

You can see how the customizer works here:
http://netix-wp.webfactoryltd.com/

I imagine asking for a rule exception is not so safe, so I was wondering if someone here could help me out?

Thank you!

[mikeshinn]

Sorry to hear about this. We can resolve this for you, but we need a little more information. We need to see the audit record, please see the URL below for instructions about how report a false positive:

https://www.atomicorp.com/wiki/index.ph ... _Positives

If you do not have access to your systems audit records, can you ask your hosting company to submit this to us as a false positive for you?