WordPress Download Manager

jquery.cookie.js

  • This topic has 6 replies, 2 voices, and was last updated 10 years, 6 months ago by aly22.
Dec 2, 2014 at 4:18 am #23116

aly22
Member

I am desperate to find some help with a possible security issue on my server. I run 2 instances of WordPress, using Download Manager (Free). The download pages are not public pages; they are password-protected.

However, I am frequently finding users' IP addresses being flagged and blocked with a Critical Alert for cross-site scripting – that points to: /wp-content/plugins/download-manager/js/jquery.cookie.js

I see references to the jquery.cookie.js file being outdated in this plugin. Is that a possible security issue?

I run mod security on my server, and need to know if it is safe to disable the lfd rule that is causing general users to be blocked from accessing the server (not specifically the download-manager files).

Dec 2, 2014 at 8:34 am #23122

Shahjada
Keymaster

Simply delete /wp-content/plugins/download-manager/js/jquery.cookie.js for now. I’ll check and update the file with the next update of the plugin.

Dec 2, 2014 at 9:21 pm #23178

aly22
Member

Thank you, Shaon! I am trying that now and will watch to see if the lfd alerts quiet down (will let you know).

What is strange though, the alert is being triggered even for those users/visitors who are unlikely to be anywhere near the download manager page(s). That’s what concerns me a bit.

Note: I went to an older, test install of my site that has not yet been updated to the new version of Download Manager. It does not appear to contain the jquery.cookie.js file at all.

Google search suggests that Mod_Security has a long known issue with flagging file names with cookie in them. This may be the issue?

Dec 3, 2014 at 10:36 am #23194

Shahjada
Keymaster

Yes, that is it, when the filename has the word “cookie”.

Dec 6, 2014 at 2:53 am #23332

aly22
Member

Hi Shaon,
I did remove the jquery.cookie.js file but am still getting the same lfd alerts (and user IPs blocked) in reference to that file. I suspect the plugin calls to the jquery.cookie.js file maybe?

This is how the repeated critical notifications appear:

Log entries:

[Fri Dec 05 20:27:31 2014] [error] [client 72.88.27.154] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "MYSITE.COM"] [uri "/wp-content/plugins/download-manager/js/jquery.cookie.js"] [unique_id "VIJpk0tmGDsAADfJFp0AAAAC]
Dec 6, 2014 at 6:01 am #23335

Shahjada
Keymaster

Still pointing to the file /wp-content/plugins/download-manager/js/jquery.cookie.js. BTW, if you are seeing it in the browser, then it could be from the browser cache.

Dec 7, 2014 at 2:07 am #23345

aly22
Member

Thanks, no I do not see the file anywhere, as I deleted it.
The notifications are coming from my server via email alerts (Using CSF/LFD firewall)

I would ignore, or even disable this specific mod_security rule, but seems risky to turn off in the event of legitimate issues or warnings.
But it is frustrating to have people getting locked out regularly, when I know they are not hackers or doing anything but trying to go read a blog post 😉
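
Added example, not part of the original thread or the plugin's code: a triage script for ModSecurity denials in the error-log layout quoted above. It groups hits by rule id, matched variable and URI, and marks those where the rule matched only the requested file name of a static asset (as with `[data ".cookie"]` at REQUEST_FILENAME). The sample lines, client addresses, `STATIC_EXT` list and the "filename-only" label are assumptions made for the example.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample lines modelled on the log entry in the thread;
# client addresses are documentation-range placeholders.
SAMPLE_LOG = r'''
[Fri Dec 05 20:27:31 2014] [error] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:...)" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [uri "/wp-content/plugins/download-manager/js/jquery.cookie.js"]
[Fri Dec 05 20:31:02 2014] [error] [client 203.0.113.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:...)" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [uri "/wp-content/plugins/download-manager/js/jquery.cookie.js"]
[Fri Dec 05 20:40:15 2014] [error] [client 203.0.113.12] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:...)" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [uri "/index.php"]
'''

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')           # [id "950004"], [uri "..."], ...
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')
TARGET = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\. \[')  # variable the rule matched
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico")

def parse_line(line):
    """Return the alert's fields as a dict, or None if not a ModSecurity denial."""
    if "ModSecurity: Access denied" not in line:
        return None
    event = dict(FIELD.findall(line))
    client, target = CLIENT.search(line), TARGET.search(line)
    event["client"] = client.group(1) if client else None
    event["target"] = target.group(1) if target else None
    return event

def classify(event):
    """'filename-only': the match was on the requested path of a static asset
    and the matched text is part of the file name, not of request input."""
    name = posixpath.basename(event.get("uri", "")).lower()
    data = event.get("data", "").lower()
    if (event["target"] == "REQUEST_FILENAME" and name.endswith(STATIC_EXT)
            and data and data in name):
        return "filename-only"
    return "review"

def summarize(log_text):
    """Group denials by (rule id, target, uri, verdict) -> set of client IPs."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            key = (event.get("id"), event["target"], event.get("uri"), classify(event))
            groups[key].add(event["client"])
    return dict(groups)

if __name__ == "__main__":
    for (rule, target, uri, verdict), clients in summarize(SAMPLE_LOG).items():
        print(f"{verdict:13} id={rule} {target} {uri} clients={len(clients)}")
```

A group marked filename-only is a candidate for an exclusion scoped to that one path (for example ModSecurity's `SecRuleRemoveById` inside an Apache `<LocationMatch>` block) rather than removing the rule for the whole server. Groups marked review matched request input and should be looked at individually.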


The topic ‘jquery.cookie.js’ is closed to new replies.
