PhpThumb & AJAX trigger ASL

Posted: Fri Feb 11, 2011 9:20 am
by IrishC
Hi, have a very strange problem, maybe someone can help...

We have a site which uses phpThumb to dynamically resize images. Some of the functionality also uses Ajax calls to populate various page areas based on user selection.

We just migrated this site to our ASL protected server, and it has been extremely problematic. It seems to generate 000400 events (Generic apache error) when browsing the site. It can work ok for a minute or so and then randomly images don't load or an ajax area gives a 'Forbidden' message. Then the site becomes unreachable as ASL blocks us for a minute or so.

I've tried disabling the rule but it continues to do this anyway. Also have reported it as a False Positive, but there has been no update now for a couple of days.

Does anyone have any idea why this would be an issue?

All our other sites use phpThumb and Ajax with no problems. Very odd :(

C

Re: PhpThumb & AJAX trigger ASL

Posted: Fri Feb 11, 2011 9:27 am
by IrishC
Oh and this is a transcript example of the output via ASL for the event... domain changed to generic example for security purposes

--1f987328-A--
[11/Feb/2011:13:04:03 +0000] VRX2a1BSeqYAAF3BqdEAAAAS XX.xx.xx.xx  50761 XX.xx.xx.xx 80
 
--1f987328-B--
GET /phpthumb/phpThumb.php?src=../uploads/jpg/W47d95cd74206f-03.jpg&w=340&q=100 HTTP/1.1
Accept: */*
Referer: http://www.mydomain.com/images
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Accept-Encoding: gzip, deflate
Host: www.mydomain.com
Connection: Keep-Alive
Cookie: __utma=122705552.1498522015.1294686321.1294686321.1297429377.2; __utmz=122705552.1297429377.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=some_keywords; __utmb=122705552.4.10.1297429377; __utmc=122705552; PHPSESSID=lnomubsho2d6r0gh62ednolom7; sifrFetch=true
 
--1f987328-F--
HTTP/1.1 403 Forbidden
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1
 
--1f987328-H--
Apache-Error: [file "mod_evasive20.c"] [line 246] [level 3] client denied by server configuration: /var/www/vhosts/mydomain.com/httpdocs/phpthumb/phpThumb.php, referer: http://www.mydomain.com/images
Stopwatch: 1297429443245675 6612 (- - -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); 201102101759.
Server: Apache/2.2.3 (CentOS)
 
--1f987328-Z--
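
Added example, not part of the original posts and not ASL's own code: a small Python parser for the ModSecurity serial audit log format shown above. It reads section H to report whether a denial came from a ModSecurity rule or from another Apache module (in the posted entry the Apache-Error line names mod_evasive20.c). The sample entry is constructed from the posted one with documentation IP addresses, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the posted entry (headers trimmed, documentation IPs).
SAMPLE = """--1f987328-A--
[11/Feb/2011:13:04:03 +0000] VRX2a1BSeqYAAF3BqdEAAAAS 192.0.2.10 50761 192.0.2.20 80
--1f987328-B--
GET /phpthumb/phpThumb.php?src=../uploads/jpg/example.jpg&w=340&q=100 HTTP/1.1
--1f987328-F--
HTTP/1.1 403 Forbidden
--1f987328-H--
Apache-Error: [file "mod_evasive20.c"] [line 246] [level 3] client denied by server configuration: /var/www/vhosts/mydomain.com/httpdocs/phpthumb/phpThumb.php
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); 201102101759.
--1f987328-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def parse_entries(text):
    """Split serial audit log text into entries: {id, sections: {letter: [lines]}}."""
    entries, current, letter = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if not m:
            if current is not None and letter:
                current["sections"][letter].append(line)
            continue
        eid, letter = m.groups()
        if letter == "A":            # section A opens a new entry
            current = {"id": eid, "sections": {}}
        if current is None:          # boundary with no preceding A: truncated log
            letter = None
        elif letter == "Z":          # section Z closes the entry
            entries.append(current)
            current = letter = None
        else:
            current["sections"][letter] = []
    return entries

def triage(entry):
    """Return (response status, source of the denial) for one parsed entry."""
    sec = entry["sections"]
    status = next((l.split()[1] for l in sec.get("F", []) if l.startswith("HTTP/")), None)
    # A ModSecurity rule hit is logged in section H as "Message: ... [id "..."]".
    if any(l.startswith("Message:") and "[id " in l for l in sec.get("H", [])):
        return status, "modsecurity-rule"
    for l in sec.get("H", []):       # otherwise report the module named by Apache
        m = re.match(r'Apache-Error: \[file "([^"]+)"\]', l)
        if m:
            return status, m.group(1)
    return status, "unknown"
```
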

Re: PhpThumb & AJAX trigger ASL

Posted: Fri Feb 11, 2011 10:59 am
by mikeshinn

Re: PhpThumb & AJAX trigger ASL

Posted: Fri Feb 11, 2011 1:49 pm
by IrishC
Mike, once again, to the rescue :)

Thanks dude. Makes perfect sense now. Beancounters adjusted. Running well!!

On a side note.. I need to add some pagination to that site lol.