Topic: Juicebox and OWASP rules

Hi,

The other day when I viewed my site I got an error message saying that Juicebox could not find the config file. So I checked on the forum to see if other people were having or had problems with this. Saw in one post that support could not access the file directly, which was that person's problem.
So I tried to access the config file directly and got an error message: blocked by Web Application Firewall.
Checked on my hosting: no option for any firewall. Emailed the tech support for my hosting. Various emails bouncing back and forth about what the problem is. Reply: we have passed this on to the technical team. Checked the website: now unable to access it at all. Queried why the site is unavailable.
Turns out that the Juicebox coding is hitting OWASP rule 930130, so my site has been taken down.
Been advised the best solution is that the config.xml file be renamed to something that is not on https://github.com/coreruleset/corerule … files.data
Is this an easy fix?

Re: Juicebox and OWASP rules

Unfortunately, the name of the configuration file ('config.xml') is not user-changeable. It is hardcoded into the 'juicebox.js' JavaScript file which is packed and obfuscated. (Juicebox would need to be modified by the developers and repackaged to change the name of the configuration file. Also, for consistency, all of the Juicebox plugins and Showkase would need to be modified, too, which would be quite a considerable task.)

Is there maybe a way to make an exception for the name 'config.xml' on your web server (perhaps in a '.htaccess' file)?
If your web host is not willing to make an exception for the Juicebox 'config.xml' file, then I'm not sure there's a workaround.

If I can think of anything that would help, I'll be sure to post back to let you know.
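
One way a host could make the exception discussed above, shown as an added example (not from either poster or from Juicebox): a ModSecurity exclusion that skips Core Rule Set rule 930130 only for the gallery's own 'config.xml', beside the site-wide removal it avoids. It assumes the host's WAF is ModSecurity running the Core Rule Set; the path /gallery/config.xml and the rule id 10001 are placeholders.

```apache
# Added example. Assumptions: ModSecurity with the OWASP Core Rule Set,
# gallery served from /gallery/ (placeholder path), id 10001 unused locally.
# Load this before the CRS rule files, for example from
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, so that it runs before 930130.

# Too broad: removes the restricted-file check for every URL on the site,
# including real configuration files the rule is meant to protect.
# SecRuleRemoveById 930130

# Scoped: skip 930130 only when the request is a read of the one file
# Juicebox needs. Every other request still goes through the rule.
SecRule REQUEST_FILENAME "@streq /gallery/config.xml" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
        "t:none,\
        ctl:ruleRemoveById=930130"
```

ModSecurity directives are normally set in the server or virtual-host configuration, so on shared hosting this is a change for the host to apply. A site with several galleries needs one such rule, with its own id, per gallery path.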