Remoting is not working with mod-security installed
This is due to a "Request Missing an Accept Header" error.
To fix this, add the following code at the bottom of 000-ispconfig.vhost:
Code:
<LocationMatch "/remote/index.php">
SecRuleRemoveById 960015
</LocationMatch>
==================
Since I only want to enable rules for the PHP files which need to be excluded, I have the following ruleset for WordPress:
Code:
<LocationMatch "/">
# Google robot activity - Useful in some ways but noisy for sites where you want them crawled
SecRuleRemoveById 910006
# Request Missing an Accept Header - Allow for Google Reader
SecRuleRemoveById 960015
</LocationMatch>
<LocationMatch "/wp-admin/post.php">
# System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
SecRuleRemoveById 950006
# Disable XSS
SecRuleRemoveById 950004
</LocationMatch>
<LocationMatch "/wp-admin/admin-ajax.php">
# Disable XSS
SecRuleRemoveById 950004
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
# Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me to put /etc/ and other Linux paths in posts.
SecRuleRemoveById 950005
# Remote File Inclusion Attack - Disable to allow http:// to be passed in args
SecRuleRemoveById 950117
</LocationMatch>
<LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
# System Command Injection
SecRuleRemoveById 950907
# Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me to put /etc/ and other Linux paths in posts.
SecRuleRemoveById 950005
# System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
SecRuleRemoveById 950006
# SQL Injection Attack
SecRuleRemoveById 959006
# Request Missing a Host Header
SecRuleRemoveById 960008
# GET or HEAD requests with bodies
SecRuleRemoveById 960011
# Request Containing Content, but Missing Content-Type header
SecRuleRemoveById 960904
# Detects JavaScript object properties and methods
SecRuleRemoveById phpids-17
# Detects JavaScript language constructs
SecRuleRemoveById phpids-20
# Detects very basic XSS probings
SecRuleRemoveById phpids-21
# Detects common XSS concatenation patterns 1/2
SecRuleRemoveById phpids-30
# Detects url injections and RFE attempts
SecRuleRemoveById phpids-61
</LocationMatch>
<LocationMatch "/wp-includes/">
# System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
SecRuleRemoveById 950006
# SQL Injection Attack
SecRuleRemoveById 959006
# Request content type is not allowed by policy - Allows for amongst other things spell check to work on admin area
SecRuleRemoveById 960010
# Require Content-Length to be provided with every POST request - Same as above
SecRuleRemoveById 960012
# Detects JavaScript object properties and methods
SecRuleRemoveById phpids-17
# Detects JavaScript language constructs
SecRuleRemoveById phpids-20
# Detects very basic XSS probings
SecRuleRemoveById phpids-21
# Detects common XSS concatenation patterns 1/2
SecRuleRemoveById phpids-30
# Detects url injections and RFE attempts
SecRuleRemoveById phpids-61
</LocationMatch>
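An added example, not part of the original post: a small Python check that lists which rule IDs the LocationMatch blocks remove for a given request path, and flags directive lines carrying a trailing `#` comment (Apache only accepts comments on their own line and passes the rest of the line to the directive as arguments). The sample vhost text, the function names and the test paths are constructed for illustration; the rule IDs come from the post.

```python
import re

# Constructed sample in the style of the ruleset above.
SAMPLE_VHOST = '''\
<LocationMatch "/">
SecRuleRemoveById 960015 # Request Missing an Accept Header
</LocationMatch>
<LocationMatch "/wp-admin/admin-ajax.php">
# Disable XSS
SecRuleRemoveById 950004
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
SecRuleRemoveById 950005 950117
</LocationMatch>
'''

OPEN = re.compile(r'<LocationMatch\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</LocationMatch>', re.I)
REMOVE = re.compile(r'SecRuleRemoveById\s+(.*)', re.I)

def parse_exclusions(conf):
    """Return (exclusions, warnings); exclusions are (pattern, rule_id) pairs."""
    exclusions, warnings, scope = [], [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # whole-line comments are the only kind Apache accepts
        if m := OPEN.match(line):
            scope = m.group(1)
        elif CLOSE.match(line):
            scope = None  # back to server-wide scope
        elif m := REMOVE.match(line):
            args, hash_found, _ = m.group(1).partition('#')
            if hash_found:
                warnings.append((lineno, 'inline comment on directive line'))
            for rule_id in args.split():
                exclusions.append((scope, rule_id))
    return exclusions, warnings

def disabled_for(path, exclusions):
    """Rule IDs removed for a request path; LocationMatch regexes are unanchored."""
    return sorted({rid for pat, rid in exclusions
                   if pat is None or re.search(pat, path)})

if __name__ == '__main__':
    excl, warns = parse_exclusions(SAMPLE_VHOST)
    print(warns)
    print(disabled_for('/uploads/wp-login.php.bak', excl))
```

Because the patterns are unanchored regular expressions, a path such as `/uploads/wp-login.php.bak` inherits the `/wp-login.php` exclusions; anchoring the pattern with `^` and `$` narrows the scope to the intended script.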