Including URL in body trips Mod_Security "HTTP Request Smuggling Attack" rule #2738
Replies: 1 comment 3 replies
-
|
The presence of a URL is not request smuggling (it's not even in an HTTP context), so it sounds like a badly formulated rule. |
Beta Was this translation helpful? Give feedback.
-
|
One thing is unclear though – at what point is this blocked? The sending of the email, or the submission of a request (including the troublesome URLs) that is then used to build an email? If it's the latter it might be understandable why mod_sec might get involved, but for simply sending email I'm surprised it even gets the chance to get involved. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @Synchro - I contacted the hosting support and they are entering an exception in the rule. Not sure that's "the" answer they need, but at least it keeps me moving. |
Beta Was this translation helpful? Give feedback.
-
|
Ahh... in the log it appears to be in the POST from the form where the message is created by an admin: |
Beta Was this translation helpful? Give feedback.
-
I am using PHPMailer on a private website requiring log in to access info/features. One feature available to the admins on the site is the ability to send email communications (using PHPMailer) to all or segments of the approved users.
When a URL is included (to the same website nonetheless) in the body of the message, it triggers a mod_security rule on the server and the message is blocked.
Can anyone suggest or think of a way to encode the url so it doesn't get flagged as an HTTP Request Smuggling Attack outside of disabling the rule in mod_security?
Beta Was this translation helpful? Give feedback.
All reactions