ModSecurity: Access denied with code 406 (phase 2). Pattern match

I haven't blogged in a long while, but I'm trying to start again and thought this might be useful to some people coming in from searches.

I recently had a frustrating problem with ModSecurity being a bit overprotective of a server.

I had installed Web Invoice – Invoicing and billing for WordPress, and every time I went into the backend of my website, the website would go down because my IP address had been blocked by the server.

Looking through the logs, I found:

[Tue Mar 01 15:49:17 2011] [error] [client 78.144.59.18] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.***.co.uk"] [uri "/wp-content/plugins/web-invoice/js/jquery.cookie.js"] [unique_id "vSSsv1n-hF8AAARu-LYAAAAF"]

After some googling and with a vague understanding of what was going on, I found that ModSecurity was blocking access to the file because its name contained "cookie" (the XSS rule 950004 matched ".cookie" in REQUEST_FILENAME, as the [data ".cookie"] field in the log line shows).

To fix this, I renamed the file

/wp-content/plugins/web-invoice/js/jquery.cookie.js

to

/wp-content/plugins/web-invoice/js/jquery.wookie.js

and then edited the PHP file

/wp-content/plugins/web-invoice/web-invoice.php

on line 725 from

wp_enqueue_script('jquery-cookie', $this->uri."/js/jquery.cookie.js", array('jquery'));

to

wp_enqueue_script('jquery-cookie', $this->uri."/js/jquery.wookie.js", array('jquery'));

Problem solved, and I can get on with invoicing people without the headache of the server thinking I'm attacking it!
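A narrower alternative to renaming the file, added here as an example and not the approach the post itself took: a ModSecurity 2.x rule exclusion scoped to the one URL from the log line, so rule 950004 stays active everywhere else. The rule id 1000001 is an assumed placeholder, not a value from the page.

```apache
# Added example, not from the original post: exclude rule 950004 only for the
# plugin's jquery.cookie.js URL, so the file can keep its original name and
# the XSS rule still inspects every other request.
# Rule id 1000001 is a placeholder; pick a free id in your local range.

# Option 1: a phase-1 rule that disables 950004 for this request only.
# Phase 1 runs before the phase-2 rule that produced the 406, so the ctl
# action takes effect in time. It does not depend on Apache <Location> scoping.
SecRule REQUEST_FILENAME "@streq /wp-content/plugins/web-invoice/js/jquery.cookie.js" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=950004"

# Option 2: Apache-scoped removal. This directive must be loaded after the file
# that defines 950004 (modsec2.user.conf on the server in the post), otherwise
# there is nothing to remove yet. Use one of the two options, not both.
<LocationMatch "^/wp-content/plugins/web-invoice/js/jquery\.cookie\.js$">
    SecRuleRemoveById 950004
</LocationMatch>
```

Either form survives a plugin update, whereas the renamed file and the edited web-invoice.php line get overwritten the next time the plugin is upgraded.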

Please drop a comment if this has helped you.
