[wp-hackers] What would strip $_POST before 'init' runs?

Brian Layman wp-hackers at thecodecave.com
Thu Jul 19 20:38:43 UTC 2012


Yeah, I was going to suggest the same thing, but as you are displaying a 
Google form, I wasn't sure if you could do that.  However, if you could 
hash/base64_encode your field values before they are submitted, you 
maybe could get past mod_sec.

Brian Layman

On 7/19/2012 4:20 PM, Mike Walsh wrote:

> On Thu, Jul 19, 2012 at 11:02 AM, Hal Burgiss <hal at burgiss.net> wrote:
>
>> On Thu, Jul 19, 2012 at 7:41 AM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
>>> mod_Security itself is a major PITA most of the time, I'm not saying
>>> it's useless, but that doesn't make it a pain when you come up against
>>> it.
>>>
>> I agree. I had it installed on our servers, and uninstalled it due to the
>> number of false positives and the continual workarounds.  In some
>> environments, it might be great. The concept is great, but the
>> implementation can be problematic.
>>
>>
> Based on what I've seen, I agree!  Unfortunately sometimes people have no
> idea that their hosting provider is even doing this.  Having never run into
> it before, it took a while for me to sort it out.
>
> I was considering trying to add some jQuery to "encode" the form parameters
> so there isn't any chance of a URL being caught but so far I haven't come
> up with anything that does anything meaningful.  I have managed to flag
> when a 403 is caught and added a message so at least it is a little cleaner.
>


