jquery.cookie.js

in Download Manager Free

Viewing 7 posts - 1 through 7 (of 7 total)
Dec 2, 2014 at 4:18 am
#23116
Member
aly22
OP

I am desperate to find some help with a possible security issue on my server. I run 2 instances of WordPress, using Download Manager (Free). The download pages are not public pages; they are password-protected.

However, I am frequently finding users' IP addresses being flagged and blocked with a Critical Alert for cross site scripting – that points to: /wp-content/plugins/download-manager/js/jquery.cookie.js

I see references to the jquery.cookie.js file being outdated in this plugin. Is that a possible security issue?

I run mod security on my server, and need to know if it is safe to disable the lfd rule that is causing general users to be blocked from accessing the server (not specifically the download-manager files).

Dec 2, 2014 at 8:34 am
#23122
Keymaster
Shahjada
Staff

Simply delete /wp-content/plugins/download-manager/js/jquery.cookie.js for now. I’ll check and update the file with the next update of the plugin.

Dec 2, 2014 at 9:21 pm
#23178
Member
aly22
OP

Thank you, Shaon! I am trying that now and will watch to see if the lfd alerts quiet down (will let you know).

What is strange though, the alert is being triggered even for those users/visitors who are unlikely to be anywhere near the download manager page(s). That’s what concerns me a bit.

Note: I went to an older, test install of my site that has not yet been updated to the new version of Download Manager. It does not appear to contain the jquery.cookie.js file at all.

Google search suggests that Mod_Security has a long known issue with flagging file names with cookie in them. This may be the issue?

Dec 3, 2014 at 10:36 am
#23194
Keymaster
Shahjada
Staff

Yes, that is it, when the filename has the word “cookie”.

Dec 6, 2014 at 2:53 am
#23332
Member
aly22
OP

Hi Shaon,
I did remove the jquery.cookie.js file but am still getting the same lfd alerts (and user IPs blocked) in reference to that file. I suspect the plugin calls to the jquery.cookie.js file maybe?

This is how the repeated critical notifications appear:

Log entries:

[Fri Dec 05 20:27:31 2014] [error] [client 72.88.27.154] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "MYSITE.COM"] [uri "/wp-content/plugins/download-manager/js/jquery.cookie.js"] [unique_id "VIJpk0tmGDsAADfJFp0AAAAC]

Dec 6, 2014 at 6:01 am
#23335
Keymaster
Shahjada
Staff

Still pointing to the file /wp-content/plugins/download-manager/js/jquery.cookie.js. BTW, if you are seeing it in the browser, then it could be from the browser cache.

Dec 7, 2014 at 2:07 am
#23345
Member
aly22
OP

Thanks, no I do not see the file anywhere, as I deleted it.
The notifications are coming from my server via email alerts (using CSF/LFD firewall).

I would ignore, or even disable this specific mod_security rule, but it seems risky to turn off in the event of legitimate issues or warnings.
But it is frustrating to have people getting locked out regularly, when I know they are not hackers or doing anything but trying to go read a blog post 😉


The topic "jquery.cookie.js" is closed to new replies.
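
The log entry posted in the thread shows rule 950004 matching `.cookie` at REQUEST_FILENAME, that is, in the requested path itself, so the rule fires whenever that URL is requested. The triage script below is an added example, not code from the thread or from the plugin: it separates hits where only a plain static-asset file name matched from hits that deserve review, and lists which client IPs were denied for the former. The function names, verdict labels and the "safe path" heuristic are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [id "950004"], [uri "..."], ...
TARGET = re.compile(r'" at ([A-Z_]+(?::[^\s.]+)?)\.')    # variable the pattern matched in
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')
SAFE_PATH = re.compile(r'[A-Za-z0-9._/-]+')              # no markup, no percent-encoding
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico")

def parse(line):
    """Return the fields of one ModSecurity 2.x error_log entry, or None."""
    target, client = TARGET.search(line), CLIENT.search(line)
    if "ModSecurity:" not in line or not target or not client:
        return None
    rec = dict(FIELD.findall(line))
    rec["target"], rec["client"] = target.group(1), client.group(1)
    return rec

def triage(line):
    """Label a hit 'filename-false-positive' when a plain static-asset name tripped the rule."""
    rec = parse(line)
    if rec is None:
        return None
    path, data = urlsplit(rec.get("uri", "")).path, rec.get("data", "")
    benign = (rec["target"] == "REQUEST_FILENAME" and bool(data) and data in path
              and path.lower().endswith(STATIC_EXT) and SAFE_PATH.fullmatch(path) is not None)
    rec["verdict"] = "filename-false-positive" if benign else "review"
    return rec

def blocked_by_filename(lines):
    """Map (rule id, uri) -> set of client IPs denied only because of the file name."""
    hits = defaultdict(set)
    for rec in filter(None, map(triage, lines)):
        if rec["verdict"] == "filename-false-positive":
            hits[(rec["id"], rec["uri"])].add(rec["client"])
    return dict(hits)

# First entry is the one posted in the thread, trimmed to the fields used here and with
# the rule pattern shortened to "..."; the second is constructed as a contrast case.
SAMPLE_LOG = [
    '[Fri Dec 05 20:27:31 2014] [error] [client 72.88.27.154] ModSecurity: Access denied '
    'with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "950004"] '
    '[data ".cookie"] [uri "/wp-content/plugins/download-manager/js/jquery.cookie.js"]',
    '[Fri Dec 05 20:31:02 2014] [error] [client 203.0.113.7] ModSecurity: Access denied '
    'with code 406 (phase 2). Pattern match "..." at ARGS:q. [id "950004"] '
    '[data "onmouseover"] [uri "/index.php"]',
]
if __name__ == "__main__": print(blocked_by_filename(SAMPLE_LOG))
```

A (rule id, URI) pair that collects many unrelated client IPs under this verdict is a candidate for a narrowly scoped exclusion rather than switching the rule off everywhere.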