Opened 11 years ago

Closed 11 years ago

#8027 closed bug (wontfix)

the cookie set by persistent tabs triggers false positive in mod_security

Reported by: neokio
Owned by:
Priority: minor
Milestone: 1.9.0
Component: ui.tabs
Version: 1.8.5
Keywords:
Cc:
Blocked by:
Blocking:


Mod_Security is an open source intrusion detection and prevention engine. Most web hosts enable it by default, as it saves most people lots of grief. A few weeks ago, my host updated to the latest rule-set.

And now ... jQuery UI Tabs + tab state storage via cookies = Mod_Security "Access Denied". Why? Because the cookie looks like this: "ui-tabs-1=1" which contains 1=1. Any instance of "1=1" in an HTTP request or cookie triggers a "SQL Injection Attack" alarm.

Here is the Apache Mod_Security error:

Message: Access denied with code 406 (phase 2).
Pattern match "\b(\d+) ?= ?\1\b|[\'"](\w+)[\'"] ?= ?[\'"]\2\b" at REQUEST_HEADERS:Cookie.
[file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"]
[msg "SQL Injection Attack"] [data "1=1"]

Hope this is useful to someone!
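Added example (not part of the original ticket, and not jQuery UI or Mod_Security code): the pattern from the log above, run against constructed Cookie headers to show when the raw-header match fires and when it does not. Python's `re` standing in for the engine's regex library and the value-only check are assumptions made for illustration.

```python
import re

# Pattern copied verbatim from the log line in the ticket (rule id 959901).
# Assumption: Python's re stands in for the engine's regex library here.
RULE = re.compile(r"""\b(\d+) ?= ?\1\b|[\'"](\w+)[\'"] ?= ?[\'"]\2\b""")


def split_cookies(header):
    """Split a Cookie header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def raw_header_hit(header):
    """Match the whole header, as the logged rule did (REQUEST_HEADERS:Cookie)."""
    m = RULE.search(header)
    return m.group(0) if m else None


def value_only_hits(header):
    """Hypothetical narrower scope: test each cookie value on its own."""
    hits = []
    for name, value in split_cookies(header):
        m = RULE.search(value)
        if m:
            hits.append((name, m.group(0)))
    return hits


# Constructed sample headers, not taken from real traffic.
SAMPLES = [
    "ui-tabs-1=1",              # the cookie from the ticket
    "ui-tabs-1=0",              # name suffix and value differ
    "ui-tabs-2=2; theme=dark",  # name suffix equals value again
    "ui-tabs-12=2",             # no word boundary inside "12"
    "filter=x or 1=1",          # tautology inside a cookie value
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:28} raw={raw_header_hit(h)!r:6} values={value_only_hits(h)}")
```

The raw-header match fires only when the number ending the cookie name equals the cookie value, which is why the block appears intermittently; matching values alone drops that false positive while still flagging the tautology in the last sample.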

Change History (2)

comment:1 Changed 11 years ago by Scott González

That seems like a really weak detection. You should probably file a bug with Mod_Security.

comment:2 Changed 11 years ago by Scott González

Resolution: wontfix
Status: new → closed

"Fixing" this would be a breaking change. Since the cookie option is being deprecated in 1.9, I don't see a reason to keep this ticket open.
