REQUEST_HEADERS:Referer 340133
Posted: Mon Mar 28, 2016 2:12 am
Hi,
I am having issues when I do a search on my site and it looks like the referrer is triggering mod_security
[msg "Atomicorp.com WAF Rules: HTTP header PHP code injection attack"] [data "<? "] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "< ?[?%] ?|\\\\[ ?php" at REQUEST_HEADERS:Referer.
I am testing my script by seaching for "TEST <?" using a GET request which returns the correct results and doesn't trigger the rule, I am also using server side validation to remove dodgy strings etc.
The problem is that after doing a search if I click a link on my page it triggers mod_security as the referrer contains the query string "?pcid=0&s=&tr=0&pc=&kw=%3C%3F+test+me"
The question is
Is it safe to disable this rule?
Is it possible to do a PHP injection using a referrer?
OR
can I whitelist referrers from my own site?
Thanks
I am having issues when I do a search on my site and it looks like the referrer is triggering mod_security
[msg "Atomicorp.com WAF Rules: HTTP header PHP code injection attack"] [data "<? "] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "< ?[?%] ?|\\\\[ ?php" at REQUEST_HEADERS:Referer.
I am testing my script by seaching for "TEST <?" using a GET request which returns the correct results and doesn't trigger the rule, I am also using server side validation to remove dodgy strings etc.
The problem is that after doing a search if I click a link on my page it triggers mod_security as the referrer contains the query string "?pcid=0&s=&tr=0&pc=&kw=%3C%3F+test+me"
The question is
Is it safe to disable this rule?
Is it possible to do a PHP injection using a referrer?
OR
can I whitelist referrers from my own site?
Thanks