I don’t know how to bring this to attention of the ACF developers, but possibly the way they pass the arguments for the Options page could be changed to a more secure method?
It’s interesting to note that the description of the RuleID is:
Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (admin.php)
So, clearly ModSecurity is viewing the way that the Options Page saves URL values as an injection attempt. So, I don’t really want to disable these rules if it is making us vulnerable to a file injection of some sort
It would be better if ACF could change the way the values are saved. If we use a regular page to save some URL fields, then we don’t run into this problem – only if we use the Options Page. So, clearly it’s possible to save URL values in ACF fields without triggering this injection attempt rule (as is evidenced by a standard page with custom ACF fields being able to save URL values without issue).
Had this exact same problem, and the solution ended up being to modify two rules in our ModSecurity settings.
We’re with liquidweb, and they are the ones who figured this out. Thanks to @raygulick for steering us in the right direction!
I don’t know ModSecurity at all, so I don’t know if the rule ID’s are a standardized thing, or if they are unique to each server setup, but for us, the two rules were:
340464, and 340465
The “Justification” for both of these rules were identical:
Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_52881450ecaab]" required.
Had a similar problem as this, and the solution ended up being to modify two rules in our ModSecurity settings.
We’re with liquidweb, and they are the ones who figured this out.
I don’t know ModSecurity at all, so I don’t know if the rule ID’s are a standardized thing, or if they are unique to each server setup, but for us, the two rules were:
340464, and 340465
The “Justification” for both of these rules were identical:
Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_52881450ecaab]" required.
