Resolved: leonboot (@leonboot)


    The Burst Statistics plug-in seems to do a POST to an endpoint.php script on each page. The content type specified in the POST request is text/plain. This triggers a common mod_security rule, which is active by default on any Plesk server with mod_security enabled. This leads to the IP address of any visitor being banned within a few page requests. The irony is that the data being posted is actually JSON wrapped in a string. Could the code be changed so that the POST actually uses application/json as content type?

    Offending request:
    POST /wp-content/plugins/burst-statistics/endpoint.php HTTP/1.0
    Host: [REDACTED-HOSTNAME]
    X-Real-IP: [REDACTED-IP]
    X-Accel-Internal: /internal-nginx-static-location
    Connection: close
    Content-Length: 356
    origin: [REDACTED-URL]
    user-agent: [REDACTED-USER-AGENT]
    content-type: text/plain;charset=UTF-8
    accept: */*
    referer: [REDACTED-URL]
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    cookie: burst_uid=[REDACTED-HASH]

    Server response:
    HTTP/1.1 200 OK
    X-Powered-By: PHP/8.2.20
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8

    Mod_security error message:
    Message: Warning. Match of "pmFromFile userdata_wl_content_type" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "17"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||[REDACTED-URL]]|F|2"] [data "TX:0=text/plain"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"]
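    As an added example (not the plugin's or the poster's code), the block below shows why the rule reports `TX:0=text/plain` for the header `text/plain;charset=UTF-8` (an allow-list rule matches on the media type with parameters stripped) and what the beacon POST looks like once it declares `application/json`; the allow-list contents, the payload, and the `buildBeaconRequest` helper are assumptions, while the endpoint path is the one quoted above.

```javascript
// Added example (not Burst Statistics' own code): parse the Content-Type the
// way an allow-list WAF rule sees it, and build the beacon POST with a
// content type that matches the JSON body it actually carries.

// Media type only: strip parameters such as ";charset=UTF-8" (the rule's
// "[data "TX:0=text/plain"]" shows exactly this reduction), normalise case.
function mediaTypeOf(contentType) {
  if (!contentType) return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Constructed stand-in for the userdata_wl_content_type allow-list; a real
// Plesk/Comodo deployment's file may contain different entries.
const ASSUMED_ALLOWED_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'application/json',
];

// Mimics the policy check: the request passes only if its media type is listed.
function allowedByPolicy(contentType, allowList = ASSUMED_ALLOWED_TYPES) {
  return allowList.includes(mediaTypeOf(contentType));
}

// Beacon request as the post asks for it: JSON body, application/json header.
// The endpoint path is the one quoted in the post; the payload is made up.
// (Hypothetical helper; it returns fetch() arguments rather than sending.)
function buildBeaconRequest(
  payload,
  endpoint = '/wp-content/plugins/burst-statistics/endpoint.php'
) {
  return {
    url: endpoint,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(payload),
    },
  };
}

// Header exactly as it appears in the offending request above.
const OFFENDING_CONTENT_TYPE = 'text/plain;charset=UTF-8';
```

    Note that `application/json` is not a CORS-safelisted request type, so a cross-origin POST with it would trigger a preflight; the beacon here is same-origin (it targets the site's own plugin path), so the header change costs nothing there.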
Viewing 1 replies (of 1 total)
  • The topic ‘POST to endpoint triggers mod_security rule’ is closed to new replies.