Christian Ridderström wrote:
Hi,
I looked at the error log while trying to edit an arbitrary page,
LyX/LyxFunctions, and when I press save in the edit form, this shows
up in the log:
[Thu Mar 26 00:18:34 2009] [error] [client 201.38.240.167]
ModSecurity: Access denied with code 400 (phase 2). Pattern match
"\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:text. [id
"950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity
"WARNING"] [hostname "wiki.lyx.org"] [uri
"/LyX/LyxFunctions?action=edit"] [unique_id "t-bZsNTJRSsAAFdQ568AAAAB"]
It's a bit strange to me, especially as the first request that
generates the web page with the edit form looks the same, i.e.
/LyX/LyxFunctions?action=edit
The difference between the two requests could be that the first one is a
GET, whereas the second one is a POST.

That's weird. The pattern seems, among other things, to be checking for a
&, and I don't see one. Are other args being passed?
rh
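
Added example, not part of the original thread: a small Python checker that applies the pattern quoted in the log entry to each request argument and reports which characters would trigger rule 950107 at ARGS:<name>. It assumes the doubled backslashes in the log are logging escapes, and the GET/POST argument values are constructed samples, not the real page content.

```python
import re

# Pattern from the log entry with the log's backslash escaping removed
# (assumption: the doubled backslashes are log escaping, not part of the rule).
RULE_950107 = re.compile(r"\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def find_triggers(value, context=12):
    """Return (offset, snippet) for every '%' the pattern flags in value."""
    hits = []
    for m in RULE_950107.finditer(value):
        start = max(0, m.start() - context)
        end = min(len(value), m.end() + context)
        hits.append((m.start(), value[start:end]))
    return hits


def check_args(args):
    """Map each argument name to its triggers, like a match at ARGS:<name>."""
    flagged = {}
    for name, value in args.items():
        hits = find_triggers(value)
        if hits:
            flagged[name] = hits
    return flagged


# Constructed sample requests: the GET that renders the edit form carries no
# page body, while the POST from the save button sends it in "text".
GET_ARGS = {"action": "edit"}
POST_ARGS = {
    "action": "edit",
    "text": "width-set 50% of page\n"      # '%' before a non-word char: allowed
            "use %s as placeholder\n"      # '%' before a letter: flagged
            "encoded %41 and %u0041\n"     # valid %XX and %uXXXX: allowed
            "100%",                        # '%' at end of value: allowed
}

if __name__ == "__main__":
    for label, args in (("GET", GET_ARGS), ("POST", POST_ARGS)):
        flagged = check_args(args)
        print(label, "->", flagged if flagged else "no match")
```

Running the same check over the saved page source shows which line a rule exception or a content change needs to address.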