Apache Mod Security Remote File Injection Attempt jEditable

Another server migration and another error with one of my applications!

This took ages to figure out and needs to be remembered. With the Atomicorp rule set loaded into mod_security (the message below shows the rule that fired comes from their delayed rules), you can't make an AJAX call that passes a bare URL as a parameter value: the request is blocked before it ever reaches the application.

For example, value=http://vimeo.com is blocked and produces the following mod_security log entry:

[shell]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: URL detected as argument, possible Remote File Injection attempt detected"] [data "TX:1"] [severity "CRITICAL"]
[/shell]

Even if the URL is URL-encoded it still trips this rule, which is very annoying. The only way I could get it working was by applying this patch to jEditable around line 335, where the edited value is copied into the data that gets submitted:

[code]
// Patched line: put a space in front of the first occurrence of "http"
submitdata[settings.name] = input.val().replace('http', ' http');
[/code]

This adds a space in front of the first occurrence of http, so the form-encoded value jQuery submits now looks like value=+http://vimeo.com (the space is sent as a +). That leading + is enough to get past the rule. On the server side, run the value through trim() before you store or use it and the leading white space never makes it into your data. Two things to keep in mind: a string replace only touches the first "http" and matches it anywhere in the value, so a non-URL value such as nothttp arrives as "not http", which trim() will not undo. And this is a workaround that sidesteps the WAF rule rather than a fix for it; the cleaner option is to take the rule id from the full audit log entry and exempt only the jEditable endpoint with SecRuleRemoveById inside a <Location> block, so the rest of the site keeps the protection.
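As an added example (not code from the original post or from jEditable), the round trip below shows what the one-line patch does to the form body jQuery sends and how a server-side trim recovers the URL. The form encoding follows what jQuery.param produces, which percent-encodes the colon and slashes and writes the space as +, so the real body is value=+http%3A%2F%2Fvimeo.com rather than the shortened form written above. The prefixIfUrl variant is my assumption, not part of the patch: it only prefixes values that begin with http:// or https://, so ordinary text that merely contains the word http is left alone. The sample values are constructed for the example.

```javascript
// Added example, not from the original post or from jEditable.

// Client side: the one-line jEditable patch, written as a function.
// String.prototype.replace with a string pattern hits only the FIRST "http",
// wherever it appears in the value.
function patchedValue(value) {
  return value.replace('http', ' http');
}

// Assumed safer variant (not the original patch): only prefix a value that is
// itself a URL, so text that merely contains "http" is left alone.
function prefixIfUrl(value) {
  return /^https?:\/\//i.test(value) ? ' ' + value : value;
}

// What jQuery.ajax puts on the wire for a data object: the
// application/x-www-form-urlencoded serialisation, where the leading space
// becomes "+" and ":" and "/" are percent-encoded.
function encodeForm(name, value) {
  return new URLSearchParams({ [name]: value }).toString();
}

// Server side: decode the body and trim, as PHP's trim() would.
// Returns null when the parameter is absent.
function serverSide(body, name) {
  const raw = new URLSearchParams(body).get(name);
  return raw === null ? null : raw.trim();
}

// Constructed sample input: the value from the post.
const original = 'http://vimeo.com';
const body = encodeForm('value', patchedValue(original));
console.log(body);                       // value=+http%3A%2F%2Fvimeo.com
console.log(serverSide(body, 'value'));  // http://vimeo.com

// The pitfall of a bare string replace: a non-URL value gets a space inside
// it, which trim() on the server will not remove.
console.log(patchedValue('nothttp'));    // not http
console.log(prefixIfUrl('nothttp'));     // nothttp
```

Run it with node; the last two lines are why the regex-anchored variant is worth the extra line if the editable field can hold free text as well as URLs.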

Phew…