Thread:Project:Support desk/Are there forbidden character sequences that can cause 404 errors?/reply (3)

I got to the bottom of this issue on Dreamhost.com. They are running the 'Apache "mod_security" module. The module scans incoming and outgoing documents to detect/block web attacks. It guards against is a trojan horse attack through which the user tries to retrieve information about a file system.

If ...even a static page, then mod_security will block that display for fear somebody has tried to snoop into the system.
 * 1) "drwxr" or
 * 2) "uid" or
 * 3) "gid" appear in a page...

I have been asking if there is a way to create a special exception to this policy for a particular web page, but have not found a way. It is easy to exempt a particular IP client from mod_security, but not so easy to customize the particular phrases for which it scans. If this were convenient or easy to fix, I expect we would see more on how to do it. As it is, I see only frightening comments which indicate that customizing mod_security is even more difficult than customizing mod_rewrite, and even then, I'd have to be root to get around the problem.

And here's the worst part of the whole thing. The mod_security system intentionally gives back a vague/misleading error message in order to prevent the attacker from knowing that mod_security has thwarted them. All in all, this makes it almost impossible to be a "part time" web page writer.

My effort to write a little note about the meaning of "ls -la" on Linux has cost me about 12 hours of exploration.