I have 2 fields in an editable admin area.
1. youtube field = youtube video address
2. high res field = youtube video address.
I can save the record with no issues as long as I don't use any http://www in the high res field only. I can do whatever I like in the youtube field. I should mention that neither of these fields is any different; they are just text (varchar) fields, and they are put into an array and passed to an update MySQL query. Nothing different about them at all.
I tried whitelisting youtube.com; this had no effect. So my only other solution for now was to disable these two rules on that specific URL where this action can be done. But I'm kind of confused as to why. I looked at the post field name and changed that, thinking maybe that had something to do with it, but none of the field names I used worked, and none of them even show up in the arguments for the rules themselves. I just don't get how, if I'm triggering a remote file execution, the first youtube field wouldn't also trigger that rule. (It doesn't.)
I should mention this server is running the latest August 20th rules, and mod_security 2.6.7.
Below are the 403 errors.
[Fri Aug 24 16:04:20 2012] [error] [client XXXXXXXXX] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:hq" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "493"] [id "340162"] [rev "274"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http://www.youtube.com/watch?v=xxxxxxxxxxx"] [severity "CRITICAL"] [hostname "XXXXXXXXX"] [uri "/video_admin/editvideo/836/home/"] [unique_id "UDgIdM26mkEAAEwaHvcAAAAB"]
[Fri Aug 24 16:12:30 2012] [error] [client xxxxxxxxxxxx] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:hq" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "542"] [id "340163"] [rev "274"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (MM)"] [data "http://www.youtube.com/watch?v=xxxxxxxxxxx"] [severity "CRITICAL"] [hostname "xxxxxxxxxxx"] [uri "/video_admin/editvideo/836/home/"] [unique_id "UDgKXs26mkEAAGRqFioAAAAF"]
Maybe I'm not understanding something though. Doesn't make any sense to me atm lol.
Any ideas?
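Added example, not part of the original post: a small Python parser for ModSecurity 2.x Apache error-log entries like the two above, grouping the blocking rule ids by request URI and by the argument name that appears after `MATCHED_VARS:`. The sample lines are constructed (shortened from the entries in the post, with a placeholder client IP and hostname), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: two entries shortened from the post (placeholder IP/host)
# plus one unrelated Apache error line that must be ignored.
SAMPLE_LOG = '''\
[Fri Aug 24 16:04:20 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:hq" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "493"] [id "340162"] [rev "274"] [data "http://www.youtube.com/watch?v=xxxxxxxxxxx"] [severity "CRITICAL"] [hostname "example.test"] [uri "/video_admin/editvideo/836/home/"]
[Fri Aug 24 16:12:30 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:hq" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "542"] [id "340163"] [rev "274"] [data "http://www.youtube.com/watch?v=xxxxxxxxxxx"] [severity "CRITICAL"] [hostname "example.test"] [uri "/video_admin/editvideo/836/home/"]
[Fri Aug 24 16:13:00 2012] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
'''

# [key "value"] metadata pairs that ModSecurity appends to each message.
PAIR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator was evaluated against, e.g. MATCHED_VARS:hq.
TARGET_RE = re.compile(r'against "([^"]+)"')
# Disruptive action and processing phase, e.g. "Access denied ... (phase 2)".
ACTION_RE = re.compile(r'ModSecurity: (.+?) \(phase (\d)\)')

def parse_line(line):
    """Return a dict for a ModSecurity entry, or None for any other log line."""
    if "ModSecurity:" not in line:
        return None
    event = dict(PAIR_RE.findall(line))
    target = TARGET_RE.search(line)
    collection, _, name = (target.group(1) if target else "").partition(":")
    event["collection"], event["arg"] = collection, name
    action = ACTION_RE.search(line)
    event["action"] = action.group(1) if action else None
    event["phase"] = int(action.group(2)) if action else None
    return event

def blocks_by_uri_and_arg(log_text):
    """Map (uri, argument name) -> sorted rule ids that blocked the request."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and "id" in event:
            grouped[(event.get("uri"), event["arg"])].add(event["id"])
    return {key: sorted(ids) for key, ids in grouped.items()}

if __name__ == "__main__":
    for (uri, arg), ids in blocks_by_uri_and_arg(SAMPLE_LOG).items():
        print(f"{uri} arg={arg!r} rules={','.join(ids)}")
```

Grouping by URI and argument name shows exactly which rule ids a per-location exception has to cover, which keeps the exception as narrow as the log evidence allows.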