Thread:Project:Support desk/Are there forbidden character sequences that can cause 404 errors?/reply (3)

I got to the bottom of this issue on Dreamhost.com. They are running the Apache "mod_security" module, which I had not heard of before. It scans incoming and outgoing documents to detect/block web attacks. One of the things it guards against is a trojan horse attack through which the user tries to retrieve information about a file system. Basically, if "drwxr" or "uid" or "gid" appear in a page, even a static page, then mod_security will block that display for fear somebody has tried to snoop into the system.

I have been asking if there is a way to create a special exception to this policy for a particular web page, but have not found a way. It is easy to exempt a particular IP client from mod_security, but not so easy to customize the particular phrases for which it scans. If this were convenient or easy to fix, I expect we would see more on how to do it. As it is, I see only frightening comments which indicate that customizing mod_security is even more difficult than customizing mod_rewrite, and even then, I'd have to be root to get around the problem.

And here's the worst part of the whole thing. The mod_security system gives intentionally gives back a vague/misleading error message in order to prevent the attacker from knowing that mod_security has thwarted them. All in all, this makes it almost impossible to be a "part time" web page writer. My effort to write a little note about the meaning of "ls -la" on Linux has cost me about 12 hours of exploration.