<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Hi modsecurity list, <DIV><BR class="khtml-block-placeholder"></DIV><DIV>I seem to have a little problem with the excludes<DIV><BR class="khtml-block-placeholder"></DIV><DIV>I have this in my Audit log: </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>==6d394431==============================                                                       </DIV><DIV>Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200] "POST /index.php?option=com_cmsrealty&amp;Itemid=4&amp;openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1" 403 285 "<A href="http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/">http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/</A>" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7" - "-"                                                   ----------------------------------------                                                       POST /index.php?option=com_cmsrealty&amp;Itemid=4&amp;openrealty=616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1                                    Host: <A href="http://www.foo.com">www.foo.com</A>                                                               User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7                                                                                           Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5</DIV><DIV>Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3</DIV><DIV>Accept-Encoding: gzip,deflate</DIV><DIV>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</DIV><DIV>Keep-Alive: 300</DIV><DIV>Connection: keep-alive</DIV><DIV>Referer: <A href="http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/">http://www.foo.com/component/option,com_cmsrealty/Itemid,4/openrealty,616374696f6e3d656469745f6c697374696e677326616d703b656469743d3336392661646d696e3d74727565/</A></DIV><DIV>Content-Type: application/x-www-form-urlencoded</DIV><DIV>Content-Length: 510</DIV><DIV>mod_security-action: 403</DIV><DIV>mod_security-message: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>510</DIV><DIV>action=update_listing&amp;edit=369&amp;title=Altbau-Miete&amp;pclass%5B%5D=4&amp;featured=no&amp;edit_active=yes&amp;mlsexport=no&amp;or_owner=9&amp;notes=&amp;Adresse=Staudgasse&amp;Stadt=Wien&amp;Postleitzahl=1180&amp;Preis=530&amp;betr_kosten=&amp;miete=&amp;full_desc=Nette+Kleine+Zimmer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C+sehr+ger%E4umig%2C+Fliesenbad%2C+Toilette+Etagenheizung.Ruhelage+und+AKH+N%E4he&amp;Zimmer=2&amp;Badezimmer=1&amp;year_built=1970&amp;sq_feet=45&amp;status=Aktiv&amp;home_features%5B%5D=Einbauk%FCche&amp;home_features%5B%5D=Gasetagenheizung&amp;home_features%5B%5D=Lift</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>HTTP/1.1 403 Forbidden</DIV><DIV>Content-Length: 285</DIV><DIV>Keep-Alive: timeout=15, max=89</DIV><DIV>Connection: Keep-Alive</DIV><DIV>Content-Type: text/html; charset=iso-8859-1</DIV><DIV>--6d394431--</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>but in excludes.conf I have added:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV># cms_realty</DIV><DIV>&lt;LocationMatch "/index.php\?option=com_cmsrealty.*"&gt;</DIV><DIV>SecFilterRemove 300015</DIV><DIV>&lt;/LocationMatch&gt;</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I don't understand why this is still blocking. What am I doing wrong? </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Regards, Cristian</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV>--</DIV><DIV>Cristian Livadaru</DIV><DIV><A href="http://livadaru.net">http://livadaru.net</A></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR class="Apple-interchange-newline"></SPAN> </DIV><BR></DIV></DIV></BODY></HTML>