apache mod_security 说 - 访问被拒绝错误
背景 -
我的网站代码托管在 Linux 服务器上。我的网站允许雇主进行新注册 (http://www.gymandspajobs.com/Employer/Employer. PHP)。填写的表单由文件夹“/javascript”中的 JavaScript 进行验证,如果发现信息正确,则通过 JavaScript HTTP 请求对象和 PHP 文件“somefile.php”提交数据。 php”保存在根目录下的文件夹“/somefolder”中进行数据库插入。
问题 -
当新用户尝试使用 Firefox 注册时(我在 WinXP SP2、Firefox - v3.5.2 中进行了测试),我收到的 HTTP 响应(我在 JavaScript 文件中点击)为 “您无权访问此服务器上的 /somefolder/somefile.php。”。
令人惊讶的是,相同的功能在 IE7 和 Chrome 中运行得非常好。
问题的最新更新 -
我联系了我的网络托管人员,在收到他们的回复后,我的问题似乎已经解决。
我们已禁用您的域的 mod_security 来修复它。我们已将以下行输入到您域的 httpdocs 目录下的 .htaccess 文件中。我们还已验证并成功提交雇主注册,没有任何问题。 ~~~~~ SecFilterEngine关闭~~~~~~
虽然问题已经解决,但我认为“SecFilterEngine off
”可能不是解决这个问题的最佳方案,因为它会损害安全性。因此,我问托管人员是否有办法保持 mod_security 开启,同时让我的功能正常工作……这是他们的答复……
问。有什么方法可以让我的代码在保持 mod_security 开启的情况下工作吗?
答。有可能的。但这并不容易。您必须修改文件中的代码,使 URI 不应具有模式“
<块引用>!(^application/x-www-form-urlencoded$|^multipart/form-data;)
”因为我们在 apache 错误日志中找到了此条目 -mod_security-action:403
mod_security-message:访问被拒绝,代码为 403。HEADER 处的模式匹配“
!(^application/x-www-form-urlencoded$|^multipart/form-data;)
”("内容类型”)
我通过 JavaScript 使用 HTTP 对象和 POST 方法 -
http.setRequestHeader('Content-Type','application/x-www-form-urlencoded')
请指导我需要在上面的代码行中进行哪些更改,以便 mod_security 可以保持打开状态,但我的注册表单将工作?
谢谢和问候,
-Rupak Kharvandikar-
Background -
I have my website code hosted on a linux server. My website allows new registrations for employers (http://www.gymandspajobs.com/Employer/Employer.php). The filled-up forms are verified by JavaScripts in the folder "/javascript" and if the information is found ok, the data is submitted via JavaScript HTTP request object and the PHP file "somefile.php" kept in the folder "/somefolder" under the root directory does the database inserts.
Problem -
When a new user tried to register using Firefox (I tested in WinXP SP2, Firefox - v3.5.2), the HTTP response I used to get (which I tapped in my JavaScript file) was
"You don't have permission to access /somefolder/somefile.php on this server." .
Surprisingly, the same functionality worked perfectly well in IE7 and Chrome.
Latest Update on the Problem -
I contacted my web hosting guys and my problem seems to have been solved after I received this reply from them.
We have disabled mod_security for your domain to fix it. We have entered the below lines to the .htaccess file under the httpdocs directory for your domain. We have also verified and successfully able to submit the Employer registration without any issues. ~~~~~ SecFilterEngine off ~~~~~
Though the problem has got solved, I think making "SecFilterEngine off
" may not be the best solution to this problem as it compromises security. Hence I asked the hosting guys if there is a way to keep mod_security ON and yet get my functionality to work...... here is their reply.....
Q. is there any way my code can work yet keeping mod_security ON?
Ans. It is possible. But it is not easy. You have to modify the code in the file in such a way that the URI should not have the pattern "
!(^application/x-www-form-urlencoded$|^multipart/form-data;)
" because we found this entry in the apache error logs -mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "
!(^application/x-www-form-urlencoded$|^multipart/form-data;)
" at HEADER("Content-Type")
I am using the HTTP object and POST method via JavaScript as -
http.setRequestHeader('Content-Type','application/x-www-form-urlencoded')
Please guide me as to what changes do I need to do in the above line of code so that mod_security can be kept ON and yet my registration form will work?
Thanks and Regards,
-Rupak Kharvandikar-
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在这种情况下,最好的办法就是将该特定警告视为误报,因为事实确实如此。请记住,mod_security 不支持内容编码,当您处理 WAF 时,误报是很正常的事情。
不过,仅仅为了一个误报而禁用所有 mod_security 规则是愚蠢的。查找正在触发的规则的 ID 并将其禁用“SecRuleRemoveById”。在我的框中,我创建了一个附加配置来放置我想要禁用的所有规则。
modsecurity_crs_60_myignores.conf
SecRuleRemoveById 960903
SecRuleRemoveById 970903
SecRuleRemoveById 970902
In this situation the best thing to do is to threat that specific warning as a false positive because it is. Remember that mod_security doesnt support content encoding and false positives is a very normal thing when you are dealing with WAF's.
Disabling all mod_security rules just for one false positive is dumb though. Look for the id of the rule that is getting triggered and disable it "SecRuleRemoveById". In my box I created an additional config to place all the rules i want to disable.
modsecurity_crs_60_myignores.conf
SecRuleRemoveById 960903
SecRuleRemoveById 970903
SecRuleRemoveById 970902
我成功地在 Firefox 中创建了一个帐户,没有出现任何问题。
I managed to create an account in Firefox without any issues.