Textpattern CMS support forum
#1 2013-07-15 13:13:18
- GugUser
- Member
- From: Quito (Ecuador)
- Registered: 2007-12-16
- Posts: 1,473
Access denied by security policy
For a few days I have had problems with an existing installation. My work is blocked by the following message:
Access denied by security policy
Your request is blocked by a security policy rule.
Please contact the support team, support@domain.ch and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
I wanted to save a Textpattern form which contained the following snippet:
<txp:if_custom_field name="Telefon">
<p class="tel work">
<a href="tel:+41<txp:php> $tel = custom_field(array('name' => 'Telefon')); $tel = preg_replace('/(^0|\s)/', '', $tel); echo $tel; </txp:php>">
<txp:php> $tel = custom_field(array('name' => 'Telefon')); $tel = preg_replace('/(^0)/', '+41 (0)', $tel); echo $tel;</txp:php>
</a>
</p>
</txp:if_custom_field>
The support of the hosting company responded with the argument that it is a security risk to transmit PHP via POST.
The log shows the following:
[Mon Jul 15 13:38:17 2013] [error] [client IP deleted] ModSecurity: Access denied with code 510 (phase 2). Match of “rx (/wp-login\\\\.php\\\\?vaultpress=true|/site-content/|^/admin/editform)” against “REQUEST_URI” required. [file “/usr/local/apache2/conf/mod_security2/asl_rules/10_asl_rules.conf”] [line “722”] [id “340095”] [rev “40”] [msg “Atomicorp.com Rules: Possible PHP function in Argument – this may be an attack.”] [data “preg_replace(‘”] [severity “CRITICAL”] [hostname “domain.com”] [uri “/textpattern/index.php”] [unique_id “UePfKX8AAAIAAC1b-pQAAAAU”]
But, according to my knowledge, the forms in Textpattern are sent with POST. How can I continue working with Textpattern, if the hoster sets these limits? Is Textpattern a security risk? ;-)
What is the opinion of security experts like, for example, Jukka about this?
Last edited by GugUser (2013-07-15 13:20:27)
#4 2013-07-15 14:04:02
- GugUser
- Member
- From: Quito (Ecuador)
- Registered: 2007-12-16
- Posts: 1,473
Re: Access denied by security policy
etc wrote:
Can’t you wrap preg_replace into rah_function?
Yes, it would be part of a solution. But it seems that the company will disable the filtering for the Textpattern Admin.
Thank you for your answers, Jukka and Oleg.
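Added example, not part of the thread and not the hosting company's configuration: a small triage script that parses a ModSecurity error-log entry like the one quoted in the first post and emits an exclusion limited to the one rule and the one path that matched, which is narrower than switching filtering off for the whole admin area. The log line is a shortened, constructed copy with a placeholder client address, and the local rule id 1000001 is an assumption to be replaced with an unused id.

```python
import re

# Constructed sample modelled on the log line in the post (shortened, straight
# quotes as Apache writes them; client address is a documentation placeholder).
SAMPLE = (
    '[Mon Jul 15 13:38:17 2013] [error] [client 192.0.2.10] ModSecurity: '
    'Access denied with code 510 (phase 2). [file "/usr/local/apache2/conf/'
    'mod_security2/asl_rules/10_asl_rules.conf"] [line "722"] [id "340095"] '
    '[rev "40"] [msg "Atomicorp.com Rules: Possible PHP function in Argument '
    '- this may be an attack."] [data "preg_replace(\'"] [severity "CRITICAL"] '
    '[hostname "domain.com"] [uri "/textpattern/index.php"]'
)

# Metadata is written as [key "value"]; the value may contain escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION = re.compile(r'ModSecurity: (.+?) with code (\d+) \(phase (\d)\)')


def parse_alert(line):
    """Return the key/value metadata of one ModSecurity error-log entry."""
    if "ModSecurity:" not in line:
        return None
    alert = dict(FIELD.findall(line))
    m = ACTION.search(line)
    if m:
        alert["action"], alert["status"], alert["phase"] = m.groups()
    return alert


def scoped_exclusion(alert, local_id):
    """Build a rule that disables only the matched rule on only the matched path."""
    rule_id, path = alert.get("id", ""), alert.get("uri", "")
    # Refuse values that could break out of the quoted directive.
    if not rule_id.isdigit() or not re.fullmatch(r"/[\w./-]*", path):
        raise ValueError("alert lacks a usable rule id or path")
    # local_id is the id of the new exclusion rule (assumed unused locally).
    return ('SecRule REQUEST_FILENAME "@streq %s" '
            '"id:%d,phase:1,pass,nolog,ctl:ruleRemoveById=%s"'
            % (path, local_id, rule_id))


if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert["id"], alert["severity"], alert["data"])
    print(scoped_exclusion(alert, local_id=1000001))
```

The exclusion runs in phase 1 so that it takes effect before the blocked rule, which the log shows firing in phase 2.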