@PhilD
I am sorry it took awhile. I installed a fresh joomla instance downloaded from official site and I get exactly the same errors like with the live site. So my assumption is that we can rule the hack out. I checked the logs more thoroughly and the "access denied" I posted is accompanied by other two versions. I send a question to the mod_sec mail list but there was no answer, so I really don't know what to do anymore (Review apache settings, php settings? I already ruled out .htdocs and folder permissions).
With this rule on I can't save any article as backend or frontend admin (or editor):
Code: Select all
--47c73d34-H--
Message: Access denied with code 403 (phase 2). Found 13 byte(s) in ARGS:text outside range: 0 255. [file "/etc/apache2/conf.d/mod-security.conf"] [line "31"]
Action: Intercepted (phase 2)
Stopwatch: 1267650139142347 42225 (40668* 41207 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9
--47c73d34-Z--
With this rule on I can't save a specific two articles (I noticed 2, maybe there's more) that is currently unpublished:
Code: Select all
--b572952b-H--
Message: Access denied with code 403 (phase 2). Invalid URL Encoding: Non-hexadecimal digits used at ARGS:text. [file "/etc/apache2/conf.d/mod-security.conf"] [line "27"]
Action: Intercepted (phase 2)
Stopwatch: 1267649993708438 20598 (19009* 19412 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/).
Server: Apache/2.2.9
--b572952b-Z--
This is an "access denied" from site log (the other two were from mod_sec audit log), which is happening quite often:
Code: Select all
[Mon Mar 01 18:29:30 2010] [error] [client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^application/x-www-form-urlencoded$|^multipart/form-data;)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/mod-security.conf"] [line "39"] [hostname "myhost"] [uri "/index.php"] [unique_id "S4v5en8AAAEAAA3zCDwAAAAJ"]
If I turn this three rules off (I know it's a sec issue) everything works normally. Do you have any other ideas how to solve this annoyance. Thx