[resolved] Certain strings posted in WP 2.0.5 result in 503 server error (6 posts)

  1. sairuh
    Member
    Posted 7 years ago #

    Hello,

    I've recently upgraded from WordPress 2.0.4 to 2.0.5, and was wondering if what I've encountered is a known bug: I tried to post an article on my WordPress-driven test site containing the following content (it was a code snippet):

    widget.system();

    I've been using MarsEdit 1.1.2 for posting without problems, but this time I got an error stating that I couldn't post because the server reported a 503 error.

    So I checked my web server error.log file, and noticed that quite a few strings (including "system") are blocked (I've removed my site info as it is a private test server):

    [error] [client A.B.C.D] mod_security: Access denied with code 503. Pattern match "(echo( |\\\\(|\\\\').*\\\\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\\\(.*\\\\)\\\\;" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "www.BAR.FOO"] [uri "/xmlrpc.php"]

    Is this a known issue that will be fixed in an upcoming WordPress release? I've worked around it by substituting a numeric character entity for the s's in "system," but it'd be good to know if there is (or will be) a better fix.

    Thanks!

  2. whooami
    Member
    Posted 7 years ago #

    that's mod_security in action, completely unrelated to WP, i.e. not a bug, won't be fixed.

    http://www.modsecurity.org/
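Why the logged rule fires on the snippet in the first post, as an added example that is not part of the thread: Python's `re` stands in for mod_security's regex engine, and the pattern is the one from the error.log line with the log's extra backslash escaping removed (an assumption). The sample payloads and the word-boundary variant are constructed for illustration.

```python
import re

# Keyword list copied from the error.log line in the first post.
KEYWORDS = (
    "chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|"
    "proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|"
    "apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|"
    "posix_setsid|posix_setuid|phpinfo"
)

# Assumption: the logged pattern once the log's backslash doubling is undone.
LOGGED_RULE = re.compile(r"(echo( |\(|\').*\;|" + KEYWORDS + r")\(.*\)\;")

# Hypothetical variant: same keywords, but each must start at a word boundary.
BOUNDED_RULE = re.compile(
    r"(echo( |\(|\').*\;|\b(?:" + KEYWORDS + r"))\(.*\)\;"
)

# Constructed POST bodies (not taken from any real request).
SAMPLES = [
    "widget.system();",                        # the snippet from the post
    "Back up the filesystem(s); then reboot.", # keyword inside a longer word
    "Our system was upgraded (finally);",      # keyword not followed by "("
    "widget.&#115;ystem();",                   # the poster's entity workaround
]


def evaluate(payload):
    """Return (blocked_by_logged_rule, blocked_by_bounded_rule)."""
    return (
        bool(LOGGED_RULE.search(payload)),
        bool(BOUNDED_RULE.search(payload)),
    )


if __name__ == "__main__":
    print(f"{'logged':<8}{'bounded':<9}payload")
    for sample in SAMPLES:
        logged, bounded = evaluate(sample)
        print(f"{str(logged):<8}{str(bounded):<9}{sample}")
```

The boundary variant stops substring hits such as `filesystem(s);` but still matches `widget.system();`, so a pattern on the raw payload cannot tell quoted code in a post from an injected call.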

  3. sairuh
    Member
    Posted 7 years ago #

    Thanks for the clarification -- good thing it isn't specific to WordPress.

    I'm not familiar with the inner workings of Apache (or security matters), so I was wondering if there might be a better workaround other than my numeric char entity substitution? Something that wouldn't lessen server security, of course...

  4. whooami
    Member
    Posted 7 years ago #

    Google is your best friend :)

    http://www.google.com/search?hl=en&q=disabling+mod_security&btnG=Google+Search

    since you included the caveat regarding lessening security, I'll hand you a gimme .. create an .htaccess, in it put the following:

    SecFilterEngine Off

    Upload that .htaccess with that one line to your wp-admin directory.

    You will have disabled mod_security for anyone using the backend, while still retaining its usage for comments, etc..

  5. sairuh
    Member
    Posted 7 years ago #

    Swell! Thanks for the Google reminder, too. ;)

    Indeed, I do need to exercise using .htaccess more now. With this I'll test selectively turning off bits of mod_security and so forth.

  6. greggster
    Member
    Posted 7 years ago #

    I tried adding "SecFilterEngine Off" but then my php code with ExecPHP was plain-text displaying - found this worked - use nested includes - see my post here - http://mochabomb.com/blog/archives/107

Topic Closed

This topic has been closed to new replies.
