• Resolved sairuh

    (@sairuh)


    Hello,

    I’ve recently upgraded from WordPress 2.0.4 to 2.0.5, and was wondering if what I’ve encountered is a known bug: I tried to post an article on my WordPress-driven test site containing the following content (it was a code snippet):

    widget.system();

    I’ve been using MarsEdit 1.1.2 for posting without problems, but this time I got an error stating that I couldn’t post because the server reported a 503 error.

    So I checked my web server error.log file, and noticed that quite a few strings (including “system”) are blocked (I’ve removed my site info as it is a private test server):

    [error] [client A.B.C.D] mod_security: Access denied with code 503. Pattern match “(echo( |\\\\(|\\\\’).*\\\\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\\\(.*\\\\)\\\\;” at POST_PAYLOAD [severity “EMERGENCY”] [hostname “www.BAR.FOO”] [uri “/xmlrpc.php”]

    Is this a known issue that will be fixed in an upcoming WordPress release? I’ve worked around it by substituting a numeric character entity for the s’s in “system,” but it’d be good to know if there is (or will be) a better fix.

    Thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • That's mod_security in action, completely unrelated to WP, i.e. not a bug, won't be fixed.

    https://www.modsecurity.org/
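
Added example, not part of the original thread: a Python check of why the rule quoted in the error log fires on the harmless snippet. The pattern below is an assumed unescaped reading of the logged one (the log and the forum software doubled the backslashes and curled the quote), Python's `re` stands in for the regex engine mod_security uses, and the sample payloads are constructed.

```python
import re

# Function names copied from the "Pattern match" text in the log entry.
FUNCS = (
    "chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|"
    "proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|"
    "apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|"
    "posix_setsid|posix_setuid|phpinfo"
)

# Assumed unescaped form of the logged rule: one of the names (or an echo
# statement), then "(", anything, ")" and ";". There is no word boundary in
# front of the names, so the rule matches substrings of longer identifiers
# and never checks whether the text is PHP at all.
RULE = re.compile(r"(echo( |\(|\').*\;|" + FUNCS + r")\(.*\)\;")


def check(payload):
    """Return the text the rule matched, or None if the payload passes."""
    m = RULE.search(payload)
    return m.group(0) if m else None


# Constructed sample post bodies.
SAMPLES = [
    "widget.system();",                        # the snippet from the post
    "Remount the filesystem(s); then reboot.", # plain English, still matches
    "The operating system is stable.",         # no "(...);" after the name
    "widget.&#115;y&#115;tem();",              # the poster's entity workaround
]

if __name__ == "__main__":
    for body in SAMPLES:
        hit = check(body)
        verdict = "503, matched %r" % hit if hit else "allowed"
        print("%-42s -> %s" % (body, verdict))
```

The match depends only on raw substrings of the POST body, which is why ordinary prose or a code listing in a post is rejected while the entity-encoded form of the same text is not.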

    Thread Starter sairuh

    (@sairuh)

    Thanks for the clarification – good thing it isn’t specific to WordPress.

    I’m not familiar with the inner workings of Apache (or security matters), so I was wondering if there might be a better workaround other than my numeric char entity substitution? Something that wouldn’t lessen server security, of course…

    Google is your best friend

    https://www.google.com/search?hl=en&q=disabling+mod_security&btnG=Google+Search

    Since you included the caveat regarding lessening security, I'll hand you a gimme: create an .htaccess, in it put the following:

    SecFilterEngine Off

    Upload that .htaccess with that one line to your wp-admin directory.

    You will have disabled mod_security for anyone using the backend, while still retaining its usage for comments, etc.

    Thread Starter sairuh

    (@sairuh)

    Swell! Thanks for the Google reminder, too.

    Indeed, I do need to exercise using .htaccess more now. With this I’ll test selectively turning off bits of mod_security and so forth.

    greggster

    (@greggster)

    I tried adding “SecFilterEngine Off” but then my php code with ExecPHP was plain-text displaying – found this worked – use nested includes – see my post here – https://mochabomb.com/blog/archives/107

  • The topic ‘Certain strings posted in WP 2.0.5 result in 503 server error’ is closed to new replies.