Skip to main content
WordPress

Apache mod_security and Newsletter and blog access error

By March 30, 2013April 22nd, 2021No Comments

Security is security, but too much security makes life very hard. Some users of Newsletter plugin reported that, after some work on the administration side, they were locked out of the blog. With the collaboration of one of them, I discovered that his installation (or better his server) returned back an error as soon as the cookie ui-tabs-1=1 was set.

That cookie is set by jQuery UI Tabs used inside Newsletter administration panel.

The problem is the 1=1 recognized by mod_security as a SQL injection. Oh my God! This is where I found the description of this problem: http://bugs.jqueryui.com/ticket/8027.

Now, how to proceed?

For those who are affected by this problem, they can ask the provider to relax the rules of mod_security in the meanwhile I’ll check if renaming all the Newsletter tabs can be a solution.

May be adding that few lines on your .htaccess file (at the beginning) can be of help (they disable the mod_security):

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Leave a Reply