Title: BUG: Triggering “Path traversal attack /../” modsecurity rule. Last modified: June 4, 2021 --- # BUG: Triggering “Path traversal attack /../” modsecurity rule. * Resolved [webbirddigital](https://wordpress.org/support/users/webbirddigital/) * (@webbirddigital) * [4 years, 12 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/) * This plugin appears to load some assets using path-traversal for some reason ( I can only assume lazy development) which is triggering Modsecurity rules and resulting in users being blocked by the server firewall. * The following URLs are affected: /wp-content/plugins/woocommerce-google-adwords- conversion-tracking-tag/classes/../js/public/wooptpm.js /wp-content/plugins/woocommerce- google-adwords-conversion-tracking-tag/classes/pixels/../../js/public/google- ads.js * These should be corrected to: /wp-content/plugins/woocommerce-google-adwords- conversion-tracking-tag/js/public/wooptpm.js /wp-content/plugins/woocommerce- google-adwords-conversion-tracking-tag/js/public/google-ads.js Viewing 7 replies - 1 through 7 (of 7 total) * Plugin Author [alekv](https://wordpress.org/support/users/alekv/) * (@alekv) * [4 years, 12 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14519049) * > (I can only assume lazy development) * Not really the way how you motivate any developer to do something for you. * There is a reason for this traversal and has to do with the local testing setup. * > which is triggering Modsecurity rules and resulting in users being blocked > by the server firewall. * You have to ask yourself why the firewall is blocking this and if not the firewall rules are too strict. Because traversals are common, even if not super nice, I agree with that. * Besides, I never have come across this issue. So I’ll have a look into improving this. * Does this affect only back-end users or also front-end users? * Thread Starter [webbirddigital](https://wordpress.org/support/users/webbirddigital/) * (@webbirddigital) * [4 years, 12 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14519060) * > Does this affect only back-end users or also front-end users? * This is affecting front-end users. * Note that we are using the standard modsecurity ruleset which comes preinstalled on WMH/cPanel servers. By default rules are set to alert only, but it is recommended that they are enabled on production servers. * > Not really the way how you motivate any developer to do something for you. > > There is a reason for this traversal and has to do with the local testing setup. * It would motivate me 😉 Sorry if this came across offensively, that wasn’t my intention (it just was meant as a bit of a jab). - This reply was modified 4 years, 12 months ago by [webbirddigital](https://wordpress.org/support/users/webbirddigital/). * Plugin Author [alekv](https://wordpress.org/support/users/alekv/) * (@alekv) * [4 years, 12 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14519251) * > By default rules are set to alert only, but it is recommended that they are > enabled on production servers. * Ok. I suggest to keep it that only on alert for production too until I come up with a solution. But that won’t be today. Earliest next week. * I already tried finding a way. But since I use symlinks in my dev and testing setup the path traversal was so far the only way I’ve come up with to get everything working properly. That means finding another solution without the path traversal will take some time. * I’ll let you know once I have found a workaround. * > It would motivate me 😉 Sorry if this came across offensively, that wasn’t > my intention (it just was meant as a bit of a jab). * No problem. * Plugin Author [alekv](https://wordpress.org/support/users/alekv/) * (@alekv) * [4 years, 11 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14521519) * [@webbirddigital](https://wordpress.org/support/users/webbirddigital/) * Lucky us. I found a way to reference the files properly without changing or breaking my entire testing setup. * If you want to beta test it, drop me an email to [support@woopt.com](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/support@woopt.com?output_format=md) * Plugin Author [alekv](https://wordpress.org/support/users/alekv/) * (@alekv) * [4 years, 11 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14544560) * The path traversal has been removed in the now published version 1.10.6 * Please let me know if the server warning is gone now. * Thread Starter [webbirddigital](https://wordpress.org/support/users/webbirddigital/) * (@webbirddigital) * [4 years, 11 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14556222) * Perfect! Confirmed fixed from our end. * Plugin Author [alekv](https://wordpress.org/support/users/alekv/) * (@alekv) * [4 years, 11 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14556552) * Great. Thanks for the feedback! Viewing 7 replies - 1 through 7 (of 7 total) The topic ‘BUG: Triggering “Path traversal attack /../” modsecurity rule.’ is closed to new replies. * ![](https://ps.w.org/woocommerce-google-adwords-conversion-tracking-tag/assets/ icon-256x256.png?rev=2704744) * [Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing](https://wordpress.org/plugins/woocommerce-google-adwords-conversion-tracking-tag/) * [Frequently Asked Questions](https://wordpress.org/plugins/woocommerce-google-adwords-conversion-tracking-tag/#faq) * [Support Threads](https://wordpress.org/support/plugin/woocommerce-google-adwords-conversion-tracking-tag/) * [Active Topics](https://wordpress.org/support/plugin/woocommerce-google-adwords-conversion-tracking-tag/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/woocommerce-google-adwords-conversion-tracking-tag/unresolved/) * [Reviews](https://wordpress.org/support/plugin/woocommerce-google-adwords-conversion-tracking-tag/reviews/) * 7 replies * 2 participants * Last reply from: [alekv](https://wordpress.org/support/users/alekv/) * Last activity: [4 years, 11 months ago](https://wordpress.org/support/topic/bug-triggering-path-traversal-attack-modsecurity-rule/#post-14556552) * Status: resolved