406 Access Error (cookies?) with v3RC1

Bug #708935 reported by jsherk
This bug affects 1 person
Affects: PHPDevShell
Status: Fix Released
Importance: Medium
Assigned to: TitanKing
Milestone:

Bug Description

There was a previous bug reported that was affecting the tabs on the admin screen and where I was getting a 406 error and it turned out to be mod_rewrite blocking a cookie file with .cookie in the name.

Although I am having no problem with the tabs, I am getting a 406 error under certain circumstances, specifically when trying to save settings from the System Settings tab. Once I get the error, I cannot access phpds at all, until I clear all the cookies, at which time I have access again.

I will try to pinpoint the file that is causing the problem! Any more .cookie files anywhere?

Thanks

jsherk (jeff-forerunnertv) wrote :

I found /themes/cloud/js/jquery.cookie.js

Not sure yet if this is the file causing the problem (waiting on my host to get back to me), but this will probably cause a problem for somebody somewhere with an apache install if they are running mod_security, so maybe it should be changed! Or is this a jQuery file that would need to be changed in the jQuery source? If it's a phpds file then you should change the name to jquery_cookie.js or jquery-cookie.js

When I hear back from my host, I will confirm if that is the file still causing the problem or not.

jsherk (jeff-forerunnertv) wrote :

Ok, this does NOT appear to be related (that I can tell) to the .cookie issue! Here is the apache log report:

[Thu Jan 27 17:38:00 2011] [error] [client 11.111.111.111] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\b(\\d+) ?= ?\\1\\b|[\\'"](\\w+)[\\'"] ?= ?[\\'"]\\2\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "101"] [id "959901"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "mydomain.com"] [uri "/phpds/index.php"] [unique_id "TUIB2EpW6YIAABOm6z8AAAAT"]

TitanKing (titan-phpdevshell) wrote :

You are right, this was fixed but for some reason this bug came back. I will rename the file again and push the fix.

TitanKing (titan-phpdevshell) wrote :

Ok, the file under themes/cloud/jquery.cookie.js is not in use anymore, but can still cause problems. It was deleted from the distro, you can safely delete yours too.

Changed in phpdevshell:
status: New → Fix Committed
milestone: none → 3.0.0-stable
importance: Undecided → Medium
assignee: nobody → TitanKing (titan-phpdevshell)

jsherk (jeff-forerunnertv) wrote :

I deleted the file, but the problem is still there, so it has nothing to do with the .cookie file, but has something to do with trying to save changes to the System Settings tab.

It's related to mod_security2 (not mod_security) Rule ID: 959901

which has something to do with a MySQL injection attack with regard to data that has "1=1".

TitanKing (titan-phpdevshell) wrote :

The thing is, tabs use a cookie, and the cookie (now biscuit) file still uses the word cookie inside its code. I investigated the problem; others have had the same. It seems to be related to a false positive in mod_security2 with a copied and pasted set of rules. There is a bug in this specific one; I would suggest you remove this rule until we can get behind this if it causes a lot of problems for you.

TitanKing (titan-phpdevshell) wrote :

I mean there is a bug in this specific rule 959901
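
Added example, not part of the original thread or of PHPDevShell's code: the pattern from the ModSecurity log entry above, run against constructed Cookie headers to show how a benign name=value pair of the form digit=same-digit produces the logged data "1=1". The cookie names (tab-1, filter) are hypothetical, and any ModSecurity transformations applied before matching are not modelled.

```python
import re

# Pattern copied from the log entry in this thread, with the log's doubled
# backslashes collapsed to single ones.
RULE_959901 = re.compile(r"""\b(\d+) ?= ?\1\b|[\'"](\w+)[\'"] ?= ?[\'"]\2\b""")


def explain(cookie_header):
    """Return (cookie_pair, matched_text) for every place the rule would fire.

    The rule is evaluated against the whole Cookie header, so each match
    offset is mapped back to the name=value pair that contains it.
    """
    hits = []
    for m in RULE_959901.finditer(cookie_header):
        start = cookie_header.rfind(";", 0, m.start()) + 1
        end = cookie_header.find(";", m.end())
        if end == -1:
            end = len(cookie_header)
        hits.append((cookie_header[start:end].strip(), m.group(0)))
    return hits


# Constructed sample headers (not taken from the reporter's traffic).
SAMPLES = [
    "PHPSESSID=k3v9; tab-1=1",            # benign: name ends in 1, value is 1
    "PHPSESSID=k3v9; tab-1=2",            # benign: digits differ, no match
    "PHPSESSID=k3v9; tab-1=10",           # benign: \b after the backreference fails
    "PHPSESSID=k3v9; filter=0 or 1 = 1",  # the tautology the rule is aimed at
]

if __name__ == "__main__":
    for header in SAMPLES:
        hits = explain(header)
        verdict = "406 (blocked)" if hits else "allowed"
        print(f"{verdict:14} {header!r} -> {hits}")
```

The first and last samples are indistinguishable to the rule: it only sees a number, an equals sign and the same number, regardless of whether the number on the left is part of a cookie name.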

jsherk (jeff-forerunnertv) wrote :

Ok, I will make an exception for that rule!

Thanks

Changed in phpdevshell:
status: Fix Committed → Fix Released