Triggered mod-security issue, had to delete

Did they happen to provide any further information that you could share? This is the first time I have heard of this. Mod-Security looks to be firewall software.

rss llama uses WordPress’s Fetchfeed function to grab rss data from other sites. https://codex.www.ads-software.com/Function_Reference/fetch_feed

It also uses mail() to send emails for the submit link, if enabled. https://php.net/manual/en/function.mail.php

It doesn’t do anything else outside of the domain beyond those two functions. I don’t have a setup for testing on Multi-site but, if it does have a problem on multi it would be a first too. The code is there for anyone to look at if they think something malicious is inside.

I am at a loss on what to suggest or do right now if they flag it yet provide no information of what it thinks is wrong, or perhaps they need to update their software to not have false triggers, idk.

Thank you very much for letting me know this is happening! I will try to get with them and update when I learn more.

I will copy what they sent me. I don’t understand it either.

From my host

However as per the logs, the two plugin that seem to cause mod_security issue are ‘miniorange-login-openid’ and ‘rss-llama’.

=======
root@cp [/home/toniengl/public_html/wp-content/plugins]# ll | wc -l
228
=======

That’s all I got. It means nothing to me.

I have and use a lot of plugins. There are likely other elements involved. Not just your plugin, but maybe something in my sites. I posted this in case it comes up again. I wouldn’t sweat it for my site – it’s got a lot of crazy crap going on.

You can mark this as resolved for now.
If something else happens or I get more info, I will post it here. If you have more questions I will try to answer them.

I am completely new to ModSecurity and OWASP. I do wonder, are you using CPanel to manage your hosting? I am and I don’t see anything having to do with ModSecurity. I assume my host doesn’t have it installed.

I wanted to share what I found that makes the most sense. Some talk of editing the ModSecurity on the host, or having the host do it. One of them talks about if there is a call to a file that has the word ‘cookie’ in it then it triggers. Both my plugin and the other you mention have the same jquery.cookie.js filename included. I am going to change this in the next update to not have cookie in the file name but not sure how to test it yet..

https://www.ads-software.com/support/topic/plugin-triggers-mod_security-xss-rule

If you wanted to offer a begger a hand it would be two file edits to test if this is in fact the case. my problem, being the begger, is that I don’t have access to ModSecurity to tell us yay or nay. But, you do have access to my plugin files on your server I assume?

In the main plugin file called rss-llama.php, the following code:

wp_enqueue_script( "rss_llama_cookie", $this->rss_llama_url . "js/jquery.cookie.js", array("jquery"), "1.4.1", false );

would need to change to this: basically just the filename.

wp_enqueue_script( "rss_llama_cookie", $this->rss_llama_url . "js/rss-llama-wafer.js", array("jquery"), "1.4.1", false );

and then the file named jquery.cookie.js located in the /js folder would need to be renamed to rss-llama-wafer.js, so it matches the file call. Then, a deactive/reactive the plugin to see. that would be amazing if that is all it was.

But then, it also sounds like it is something that the WordPress and ModSecurity developters still need to work out with their error definitions, but would be nice to find out exactly what it is that triggers mine if not others. I hate to think I am doing something wrong here.

https://www.ads-software.com/support/topic/mod_security-for-wordpress
https://stackoverflow.com/questions/21483100/mod-security2-rules-for-wordpress

Version 0.6 is now available which includes the filename fix.