Rampant '406 Not Acceptable'. ModSecurity?

bdjnks · Jul 1, 2015

This is madness. I believe it's connected with ModSecurity. Please correct whatever has gone horribly wrong at your earliest convenience.

General:

Code:

Remote Address:198.91.81.2:80
Request URL:http://bitmote.com/admin/post.php
Request Method:POST
Status Code:406 Not Acceptable

Response Headers:

Code:

Age:0
Connection:keep-alive
Content-Length:384
Content-Type:text/html; charset=iso-8859-1
Date:Wed, 01 Jul 2015 22:04:20 GMT
X-Cache:MISS
X-Varnish:23854934

Request Headers:

Code:

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:348
Content-Type:application/x-www-form-urlencoded
Cookie:...
DNT:1
Host:bitmote.com
Origin:http://bitmote.com
Referer:http://bitmote.com/admin/post.php?id=62
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36

Form Data:

Code:

post_title:Title
post_excerpt:
post_content:## testing

    function test() {
post_notes:
id:62
save:Save (s)
xd_check:...
post_status:-2
post_dt:2015-07-01 11:28
post_lang:en
post_format:markdown
cat_id:
new_cat_title:
new_cat_parent:
post_open_comment:1
post_open_tb:1
post_password:

This is a narrow test case, specifically designed for your debugging pleasure. In consideration of this thoughtful gift, please grant me the boon of a speedy resolution.

As a final note. Changing the post content one character results in success instead of this abject failure.

Code:

## testing

    function test(){

That works just fine.

bdjnks · Jul 2, 2015

I case you were wondering, I'm not the only person posting to this forum recently regarding spurious 406 errors. I just hope, that unlike bex208x1 and hqforumx (twice), I am not left to languish in this prison of dead silence.

Absolutely any additional information is yours for the asking. Commiseration is welcome as well. The reply button, it's right there. You know you want to touch it.

glennemlee95 · Jul 2, 2015

By chance are you trying to post something on WordPress that happens to have a few outbound links?

bdjnks · Jul 2, 2015

Not at all. I use dotclear, not wordpress. No outbound links are being posted.

What's happening is simple. I'm posting some markdown containing a code block.

I narrowed the problem down to curly braces with whitespace around them. Evidently modsecurity seems to think this constitutes an attack.

hqforumx · Jul 2, 2015

I believe only @Corey can fix these mod security issues but its taking too long for them to fix these kind of errors -_- this is how you lose clients on webhost because of mod security...

bdjnks · Jul 2, 2015

It's funny. When I do searches for ModSecurity, all I find are countless choruses chanting its praise. When I do searches for the problems caused by ModSecurity, all I find are innumerable unfortunates stumbling through the dark lamenting their misfortune.

hqforumx · Jul 2, 2015

bdjnks said:
It's funny. When I do searches for ModSecurity, all I find are countless choruses chanting its praise. When I do searches for the problems caused by ModSecurity, all I find are innumerable unfortunates stumbling through the dark lamenting their misfortune.

https://x10hosting.com/community/threads/read-to-all-staff-team.197067/

bdjnks · Jul 2, 2015

On a serious note, I've used x10hosting for years now, and I've had very few complaints. So thanks for that.

Why am I popping up now, when ModSecurity was installed many moons ago? Well, I haven't been actively updating my site. I mean, I saw these errors previously, and they prevented me from updating certain posts with code in them, but I figured it was temporary, and I didn't have time to investigate.

These past few days I've been revamping things, and when my attempts to upload a new code heavy post failed, I decided to look into it. Discovering the culprit took an entire day.

The irritation that caused is likely why my first post is so snarky. Please don't hold it against me.

Anyway, I've been looking into alternative hosts today, and I've got to say, in terms of free, it's slim pickings and scams galore. I don't want to switch hosts. It's a hassle.

Help me not have to do that.

glennemlee95 · Jul 3, 2015

bdjnks said:
Not at all. I use dotclear, not wordpress. No outbound links are being posted.

What's happening is simple. I'm posting some markdown containing a code block.

I narrowed the problem down to curly braces with whitespace around them. Evidently modsecurity seems to think this constitutes an attack.

Ah, I see then. So mod_security thinks you're trying to inject content via XSS it seems then. I'll go to my dark corner now.

bdjnks · Jul 3, 2015

Want to verify this absurdity for yourself? It's trivial.

Head over to the official ModSecurity Core Rule Set Demo and attempt to POST the text:

Code:

## testing

    function test() {

In response you'll receive this lovely claim: "Anomaly Score Exceeded (score 5): Remote Command Execution (RCE) Attempt"

Infuriating.

bdjnks · Jul 3, 2015

In case anyone is following this, I submitted a bug report to ModSecurity CRS. The response was basically "not a bug" / "won't fix".

I am indeed in the process of switching hosts now. It's been good times.

caftpx10 · Jul 3, 2015

If this was added not too long ago then "users" like @Corey should be able to exclude the rule being triggered under your account.

Rampant '406 Not Acceptable'. ModSecurity?

bdjnks

New Member

bdjnks

New Member

glennemlee95

Member

bdjnks

New Member

hqforumx

Member

bdjnks

New Member

hqforumx

Member

bdjnks

New Member

glennemlee95

Member

bdjnks

New Member

bdjnks

New Member

caftpx10

Well-Known Member

Free Web Hosting

Our Community

Legal