Open ganar opened 5 years ago
That cookie is, as the name states, to remember and restore the active tab in admin.
Of course nothing malicious can happen with that, nor is it to be considered insecure, but I get the annoyance of it being logged.
The value I’m storing is in JSON format. Do you think base64 encoding it all would prevent mod security from yelling?
> Of course nothing malicious can happen with that, nor is it to be considered insecure, but I get the annoyance of it being logged.
Maybe I'm not being clear: the entire site —admin and frontend— gives an error 403 (access denied).
ModSecurity: Access denied with code 403
I was able to reproduce the error in the same server with two different installations of Grav. Readers from Argentina and Brazil got in touch with me to tell me that the website was down.
> The value I’m storing is in JSON format. Do you think base64 encoding it all would prevent mod security from yelling?

Maybe, look at the pattern match. I think it does not like the special characters.
Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}
The mod_security configuration in Apache, on the CWP7.admin, generates a 403 access denied error when running Grav CMS:
This error only happens when visiting the website a second time, making it very hard to solve.
I managed to solve the issue by setting up a special omission to the mod_security rule for Grav, but this is only possible if you have access to the Apache configuration.
I think this must be solved in the cookie.
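
Added example, not part of the original thread or Grav's code: it applies the character class from the logged pattern (un-escaped here, which is an assumption about the log's escaping) to a constructed JSON tab-state value and to its base64 and hex encodings. The keys in `SAMPLE_STATE` are hypothetical. Because `+` and `=` are in the class, base64 lowers the count of matching characters rather than guaranteeing zero; hex output never matches.

```javascript
// Character class taken from the "Pattern match" log line in the thread.
// Assumption: the log's nested backslash escaping reduces to this class, and the
// \xc2\xb4, \xe2\x80\x99, \xe2\x80\x98 byte sequences are the characters ´ ’ ‘.
const SPECIAL_CLASS = '[~!@#$%^&*()\\-+={}\\[\\]|:;"\'´’‘`<>]';
const RULE = new RegExp('(' + SPECIAL_CLASS + '.*?){8,}'); // 8 or more special chars
const ONE_SPECIAL = new RegExp(SPECIAL_CLASS, 'g');

// Constructed sample: a JSON tab-state value of the kind described in the thread.
const SAMPLE_STATE = {
  'tab-content.options': 'data.content',
  'tab-flex.security': 'data.tabs',
};

// Serialize the state the three ways being compared.
function encodings(state) {
  const json = JSON.stringify(state);
  const buf = Buffer.from(json, 'utf8');
  return { json, base64: buf.toString('base64'), hex: buf.toString('hex') };
}

// Number of characters in the value that belong to the rule's class.
function countSpecial(value) {
  return (value.match(ONE_SPECIAL) || []).length;
}

// True when the rule's pattern would match the cookie value.
function wouldTrigger(value) {
  return RULE.test(value);
}

// Per-encoding summary: how many special characters, and whether the rule fires.
function report(state) {
  const out = {};
  for (const [name, value] of Object.entries(encodings(state))) {
    out[name] = { special: countSpecial(value), blocked: wouldTrigger(value) };
  }
  return out;
}

console.log(report(SAMPLE_STATE));
```
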