ModSecurity Error: UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS

ModSecurity is an open source web application firewall. Working embedded in the web server, or standalone as a network appliance, it detects and prevents attacks against web applications. ModSecurity most of time embed with Apache webserver to block malicious request to the server. But recently I found an annoying false positive block with ModeSecurity. The error is like this:

Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:review[]" required. [file "/usr/local/apache/conf/modsec2/10_asl_rules.conf"] [line "497"] [id "340162"] [rev "287"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http://www.ivankristianto.com/save-your-gmail-inbox-space-by-delete-old-attachments/"] [severity "CRITICAL"] 

I created a test case that you can try it [here] (http://www.ivankristianto.com/examples/modescurity/), if you submit an URL with http:// then you will get an Error of 403: Forbidden. But if you submit an URL without http:// then it will working.

Until now i cannot solve this without turning off the ModSecurity, which i won’t. The only workaround is when submitted i removed the http:// via javascript.

If you know how please let me know from the comment form below. Thanks

Give me your feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.