Scott,
Someone on a domain is running Joomla. On a logout they get 403 errors. I have attached the audits. At first I saw user=Administrator, and I got them to change that, as I thought that may trigger since it's a bad name to use.
This was still using the user Administrator:
--79faf266-A--
[09/Dec/2007:10:30:10 +1100] voRjTn8AAAEAAEObvqgAAAAK 99.252.176.157 2111 203.206.129.143 80
--79faf266-B--
POST /joomla/index.php?option=logout HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.scannerdesk.com/joomla/
Accept-Language: en-ca
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.scannerdesk.com
Content-Length: 113
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: jalUserName=Administrator; jalUrl=http://; mosvisitor=1; locale=en-US; no_frames=deleted; no_frames_root_page=deleted; no_frames_login_page=deleted; no_frames_logout_page=deleted; 46d9160fc83c78792f06b38283db05cd=5491510bebdc0f98f26ff716f30aa663
--79faf266-C--
Submit=Logout&option=logout&op2=logout&lang=english&return=http%3A%2F%2Fwww.scannerdesk.com%2Fjoomla%2F&message=0
--79faf266-F--
HTTP/1.1 403 Forbidden
Content-Length: 406
Connection: close
Content-Type: text/html; charset=iso-8859-1
--79faf266-H--
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "194"] [id "340025"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx (/imp/login\\.php|/services/maintenance\\.php)" against "REQUEST_HEADERS:Referer" required.
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1197156610630478 273114 (266760* 268298 -)
Producer: ModSecurity v2.5.0-dev2 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--79faf266-Z--
Now using another user, you will see there is no admin name, but it triggers a hit.
--27df1f03-A--
[09/Dec/2007:10:35:37 +1100] 0f1iCH8AAAEAAD8zpAsAAAAR 99.252.176.157 2338 203.206.129.143 80
--27df1f03-B--
POST /joomla/index.php?option=logout HTTP/1.1
Host: www.scannerdesk.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.scannerdesk.com/joomla/
Cookie: mosvisitor=1; 46d9160fc83c78792f06b38283db05cd=353ffc445031e785b513b4a8c331feae
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
--27df1f03-C--
Submit=Logout&option=logout&op2=logout&lang=english&return=http%3A%2F%2Fwww.scannerdesk.com%2Fjoomla%2F&message=0
--27df1f03-F--
HTTP/1.1 403 Forbidden
Content-Length: 406
Connection: close
Content-Type: text/html; charset=iso-8859-1
--27df1f03-H--
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "194"] [id "340025"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx (/imp/login\\.php|/services/maintenance\\.php)" against "REQUEST_HEADERS:Referer" required.
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1197156937327112 270004 (263644* 265096 -)
Producer: ModSecurity v2.5.0-dev2 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--27df1f03-Z--
Thanks Scott
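An added triage helper (my own example, not code from this thread or from the ASL rule set) for audit entries like the two above: it splits the serial audit format into sections, reads the rule id out of the H section's Message line, notes that the trailing "Match of ... required." means the final chain element was a negated operator (the Referer exception), and lists which POST parameters carry a URL, since the `return=http://...` parameter is the obvious candidate for a rule described as "code injection via ARGS". The audit text is a constructed excerpt modelled on the second entry; the exact ARGS test in rule 340025 is not visible in the log and is not assumed here.

```python
import re
from urllib.parse import parse_qs

# Constructed excerpt modelled on the mail's second audit entry (sections A, B, C, F, H).
AUDIT = r"""--27df1f03-A--
[09/Dec/2007:10:35:37 +1100] 0f1iCH8AAAEAAD8zpAsAAAAR 99.252.176.157 2338 203.206.129.143 80
--27df1f03-B--
POST /joomla/index.php?option=logout HTTP/1.1
Host: www.scannerdesk.com
Referer: http://www.scannerdesk.com/joomla/
--27df1f03-C--
Submit=Logout&option=logout&op2=logout&lang=english&return=http%3A%2F%2Fwww.scannerdesk.com%2Fjoomla%2F&message=0
--27df1f03-F--
HTTP/1.1 403 Forbidden
--27df1f03-H--
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "194"] [id "340025"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx (/imp/login\\.php|/services/maintenance\\.php)" against "REQUEST_HEADERS:Referer" required.
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')       # [name "value"] pairs on the Message: line
URL_RE = re.compile(r"(?i)^[a-z][a-z0-9+.-]*://")   # parameter value that starts with a URL scheme

def parse_audit(text):
    # Split serial audit-log text into {transaction_id: {section_letter: body}}.
    entries = {}
    marks = list(SECTION_RE.finditer(text))
    for mark, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        body = text[mark.end():end].strip("\n")
        entries.setdefault(mark.group(1), {})[mark.group(2)] = body
    return entries

def parse_message(h_section):
    line = next(l for l in h_section.splitlines() if l.startswith("Message:"))
    fields = dict(FIELD_RE.findall(line))
    # 'Match of "X" against "Y" required.' is how ModSecurity 2.x reports a negated operator:
    # the rule fired because Y did NOT match X (here the Referer exception, not the ARGS test).
    fields["negated_operator"] = line.rstrip().endswith("required.")
    return fields

def url_args(c_section):
    """POST parameters whose value is a URL: what an ARGS-based injection rule keys on."""
    return {k: v for k, vals in parse_qs(c_section.strip()).items() for v in vals if URL_RE.match(v)}

def triage(text):
    out = {}
    for txid, secs in parse_audit(text).items():
        msg = parse_message(secs["H"])
        out[txid] = {"rule_id": msg["id"], "status": secs["F"].split()[1], "negated_operator": msg["negated_operator"],
                     "url_args": url_args(secs.get("C", ""))}
    return out
```

Running `triage(AUDIT)` on the constructed entry reports rule 340025, status 403, a negated final operator and `return` as the only URL-valued parameter, which is the information needed to decide whether to exempt that parameter for the logout path rather than disable the rule.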