I don’t know how to bring this to attention of the ACF developers, but possibly the way they pass the arguments for the Options page could be changed to a more secure method?
It’s interesting to note that the description of the RuleID is:
Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (admin.php)
So, clearly ModSecurity is viewing the way that the Options Page saves URL values as an injection attempt. So, I don’t really want to disable these rules if it is making us vulnerable to a file injection of some sort
It would be better if ACF could change the way the values are saved. If we use a regular page to save some URL fields, then we don’t run into this problem – only if we use the Options Page. So, clearly it’s possible to save URL values in ACF fields without triggering this injection attempt rule (as is evidenced by a standard page with custom ACF fields being able to save URL values without issue).
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users
Helping others is a great way to earn karma, gain badges and help ACF development!
© 2022 Advanced Custom Fields.