Apache Modsec Rule

[THL]

I keep getting a rule flagged up in apache error logs..

[Sun Nov 20 18:04:47 2011] [error] [client 81.107.65.165] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?(>|<)|< ?/?i?frame|%env)" at REQUEST_URI. [file "/usr/local/apache/conf/turtle-rules/modsec/10_asl_rules.conf"] [line "886"] [id "340147"] [rev "81"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [data "http:/"] [severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/forums/public/min/index.php"] [unique_id "TsmHj0g01WAAAE0v3IMAAAAE"]


What is this file used for /forums/public/min/index.php

[Luis Manson]

the seccond line of that file says:

Front controller for default Minify implementation

its the one that minifies the CSS if you have that option enabled

[Gary.]

Just edit the mod_sec config file and you can either remove the full line, or you can bypass that rule by commenting it out with #

If you wish to keep the rule then just edit the virtual host and below, replacing the correct path and domain:

<Directory /var/www/vhosts/domain.com/httpdocs/(dir)>

SecRuleRemoveById 340147

</Directory>

Once edited and saved restart apache, One you restarted apache run:

/usr/sbin/apachectl configtest

Job done :smile: