Apache mod_security and Newsletter and blog access error

March 30, 2013

Security is security, but too much security makes life very hard. Some users of the Newsletter plugin reported that, after some work on the administration side, they were locked out of the blog. With the collaboration of one of them, I discovered that his installation (or rather, his server) returned an error as soon as the cookie ui-tabs-1=1 was set.

That cookie is set by jQuery UI Tabs used inside Newsletter administration panel.

The problem is that mod_security recognizes the 1=1 as a SQL injection. Oh my God! This is where I found the description of this problem: http://bugs.jqueryui.com/ticket/8027.

Now, how to proceed?

Those affected by this problem can ask their provider to relax the mod_security rules; in the meantime, I'll check whether renaming all the Newsletter tabs can be a solution.
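The false positive described above, as an added example (not code from the Newsletter plugin or from mod_security): a simplified tautology pattern, assumed here as a stand-in for the real rule, fires on the raw Cookie header because the cookie name ends in 1, but not when only the parsed cookie values are inspected. The ui-tabs-a cookie name and the other sample headers are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Simplified stand-in for a numeric-tautology signature such as 1=1.
# Assumption for illustration: this is NOT an actual mod_security rule.
TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b")


def flags_raw_header(cookie_header):
    """Scan the whole Cookie header as one string, cookie names included."""
    return bool(TAUTOLOGY.search(unquote(cookie_header)))


def flagged_cookie_values(cookie_header):
    """Split into name=value pairs first, then scan only the decoded values.

    Splitting happens before decoding so an encoded '=' or ';' inside a
    value cannot shift the name/value boundary.
    """
    flagged = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and TAUTOLOGY.search(unquote(value)):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample headers; only ui-tabs-1=1 comes from the post.
    samples = [
        "session=abc123; ui-tabs-1=1",  # name ends in 1, value is 1
        "ui-tabs-a=1",                  # hypothetical renamed tab cookie
        "filter=5%20OR%201%3D1",        # tautology inside a cookie value
    ]
    for header in samples:
        print(header, flags_raw_header(header), flagged_cookie_values(header))
```

Scoping the check to values keeps the tautology inside the filter cookie flagged while the jQuery UI cookie passes, and the renamed cookie passes even the raw-header scan.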

Adding these few lines to your .htaccess file (at the beginning) may help (they disable mod_security):

<IfModule mod_security.c>
# Turn the mod_security filter engine off, including POST body scanning
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
