mediaandco created Redmine issue ID 10335
Hi,
In the file manager (browser) window, we're able to create a directory with an apostrophe in the name.
But when we click on the directory (in the tree) in order to list files, mod_security detects an error in the SQL request.
I can give the exact error log privately. But here is the pattern that makes mod_security think it's a security alert:
Pattern match "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\| |\,]|\'|union._select._from)" at ARGS:node. [hostname "www.mydomainname.com"] [uri "/connectors/browser/directory.php"] [unique_id "the_unique_id"]
At the same time I get the mod_security error, I get an error dialog box (in the MODX manager): "Forbidden - you do not have permission to access this document".
It's like the directory's name in the request is not escaped (?) (as I also think we should not be able to name a directory with an apostrophe).
Thanks, Vincent
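
Added example, not part of the original report and not MODX or mod_security code: a small triage script that splits the quoted rule pattern into its three top-level alternatives, shows which one fires on a given `node` value, and pairs it with a hypothetical allow-list check applied when a directory is created. The function names, branch labels, allow-list and sample values are assumptions made for illustration.

```python
import re

# Rule pattern as quoted in the log line, split at its three top-level
# alternatives. [[:space:]] is written \s because Python's re module has
# no POSIX classes. Matched case-sensitively, as written (the deployed
# rule's case handling is not shown in the report).
KEYWORDS = ("select|grant|delete|insert|drop|alter|replace|truncate|"
            "update|create|rename|describe")
CHARS = r"[a-z|0-9|\| |\,]"
BRANCHES = {
    "sql-statement": re.compile(
        r"(?:" + KEYWORDS + r")\s+" + CHARS + r"+\s+"
        r"(from|into|table|database|index|view)\s+" + CHARS),
    "single-quote": re.compile(r"\'"),
    "union-select": re.compile(r"union._select._from"),
}


def matched_branches(value):
    """Return the names of the rule alternatives that fire on value."""
    return [name for name, rx in BRANCHES.items() if rx.search(value)]


# Hypothetical allow-list for new directory names (an assumption, not
# MODX behaviour): letters, digits, space, dot, underscore, hyphen.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9 ._-]+")


def is_allowed_name(name):
    """Reject names that are unsafe or that the rule would block later."""
    if name in (".", "..") or not ALLOWED_NAME.fullmatch(name):
        return False
    return not matched_branches(name)


if __name__ == "__main__":
    # Constructed sample values for the "node" request argument.
    for node in ("images/photos/",
                 "images/client's photos/",
                 "reports/update list from march/"):
        print(f"{node!r:40} -> {matched_branches(node) or 'no match'}")
    for name in ("client photos", "client's photos", "update list from march"):
        print(f"{name!r:40} allowed: {is_allowed_name(name)}")
```

The third sample shows that an apostrophe-free name can also trip the rule through its SQL-statement alternative, so checking names against the deployed WAF pattern at creation time avoids directories that can be created but not listed.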