Rampant '406 Not Acceptable'. ModSecurity?

Status
Not open for further replies.

bdjnks

New Member
Messages
7
Reaction score
0
Points
1
This is madness. I believe it's connected with ModSecurity. Please correct whatever has gone horribly wrong at your earliest convenience.

General:
Code:
Remote Address:198.91.81.2:80
Request URL:http://bitmote.com/admin/post.php
Request Method:POST
Status Code:406 Not Acceptable


Response Headers:
Code:
Age:0
Connection:keep-alive
Content-Length:384
Content-Type:text/html; charset=iso-8859-1
Date:Wed, 01 Jul 2015 22:04:20 GMT
X-Cache:MISS
X-Varnish:23854934


Request Headers:
Code:
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:348
Content-Type:application/x-www-form-urlencoded
Cookie:...
DNT:1
Host:bitmote.com
Origin:http://bitmote.com
Referer:http://bitmote.com/admin/post.php?id=62
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36


Form Data:
Code:
post_title:Title
post_excerpt:
post_content:## testing

    function test() {
post_notes:
id:62
save:Save (s)
xd_check:...
post_status:-2
post_dt:2015-07-01 11:28
post_lang:en
post_format:markdown
cat_id:
new_cat_title:
new_cat_parent:
post_open_comment:1
post_open_tb:1
post_password:


This is a narrow test case, specifically designed for your debugging pleasure. In consideration of this thoughtful gift, please grant me the boon of a speedy resolution.

As a final note. Changing the post content one character results in success instead of this abject failure.
Code:
## testing

    function test(){


That works just fine.
 
Last edited:

bdjnks

New Member
Messages
7
Reaction score
0
Points
1
I case you were wondering, I'm not the only person posting to this forum recently regarding spurious 406 errors. I just hope, that unlike bex208x1 and hqforumx (twice), I am not left to languish in this prison of dead silence.

Absolutely any additional information is yours for the asking. Commiseration is welcome as well. The reply button, it's right there. You know you want to touch it.
 

glennemlee95

Member
Messages
59
Reaction score
2
Points
8
By chance are you trying to post something on WordPress that happens to have a few outbound links?
 

bdjnks

New Member
Messages
7
Reaction score
0
Points
1
Not at all. I use dotclear, not wordpress. No outbound links are being posted.

What's happening is simple. I'm posting some markdown containing a code block.

I narrowed the problem down to curly braces with whitespace around them. Evidently modsecurity seems to think this constitutes an attack.
 

hqforumx

Member
Messages
61
Reaction score
1
Points
8
I believe only @Corey can fix these mod security issues but its taking too long for them to fix these kind of errors -_- this is how you lose clients on webhost because of mod security...
 

bdjnks

New Member
Messages
7
Reaction score
0
Points
1
It's funny. When I do searches for ModSecurity, all I find are countless choruses chanting its praise. When I do searches for the problems caused by ModSecurity, all I find are innumerable unfortunates stumbling through the dark lamenting their misfortune.
 

bdjnks

New Member
Messages
7
Reaction score
0
Points
1
On a serious note, I've used x10hosting for years now, and I've had very few complaints. So thanks for that.

Why am I popping up now, when ModSecurity was installed many moons ago? Well, I haven't been actively updating my site. I mean, I saw these errors previously, and they prevented me from updating certain posts with code in them, but I figured it was temporary, and I didn't have time to investigate.

These past few days I've been revamping things, and when my attempts to upload a new code heavy post failed, I decided to look into it. Discovering the culprit took an entire day.

The irritation that caused is likely why my first post is so snarky. Please don't hold it against me.

Anyway, I've been looking into alternative hosts today, and I've got to say, in terms of free, it's slim pickings and scams galore. I don't want to switch hosts. It's a hassle.

Help me not have to do that.
 

glennemlee95

Member
Messages
59
Reaction score
2
Points
8
Not at all. I use dotclear, not wordpress. No outbound links are being posted.

What's happening is simple. I'm posting some markdown containing a code block.

I narrowed the problem down to curly braces with whitespace around them. Evidently modsecurity seems to think this constitutes an attack.
Ah, I see then. So mod_security thinks you're trying to inject content via XSS it seems then. I'll go to my dark corner now.
 

bdjnks

New Member
Messages
7
Reaction score
0
Points
1
Want to verify this absurdity for yourself? It's trivial.

Head over to the official ModSecurity Core Rule Set Demo and attempt to POST the text:
Code:
## testing

    function test() {


In response you'll receive this lovely claim: "Anomaly Score Exceeded (score 5): Remote Command Execution (RCE) Attempt"

Infuriating.
 

bdjnks

New Member
Messages
7
Reaction score
0
Points
1
In case anyone is following this, I submitted a bug report to ModSecurity CRS. The response was basically "not a bug" / "won't fix".

I am indeed in the process of switching hosts now. It's been good times.
 

caftpx10

Well-Known Member
Messages
1,534
Reaction score
114
Points
63
If this was added not too long ago then "users" like @Corey should be able to exclude the rule being triggered under your account.
 
Status
Not open for further replies.
Top