mod_secure and 1.3 RC2

[steveoc]

1.3 RC2 set off violation warnings from mod_secure and the firewall locked out my ip address. Here is the erro message:

[Tue Mar 10 22:20:36 2009] [error] [client 74.33.209.107] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(??:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(??:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "88"] [id "950006"] [msg "System Command Injection. Matched signature <; id>"] [severity "CRITICAL"] [hostname "openedweb.com"] [uri "/opengoo/index.php"] [unique_id "Sbcf9EZV56IAACYMf5oAAAAL"]

I don't know if this a problem that I should address with my mod_secure ruleset, or if it indicates an issue with OpenGoo.

Thanks,

Steve

I I

[ignacio]

Is this new to 1.3 RC2? What was the last version that worked correctly for you? Do you know how to read that error message? What is it saying?

Thanks.

[steveoc]

I will try the stable version and see if that works for me. I have also changed my mod_secure to the default setting.

I was just evaluating openGoo for K12 use in a non-production manner and thought I'd try the RC.

I am not sure what the message is saying other than the software was behaving in a manner that mod_secure regarded it a severre security threat.

[steveoc]

It seemed to do the came thing with Version 1.2.1. I had also changed to the default mod_secure ruleset.