I have a Python CGI script that does the following:
- With a browser pointing to http://www.mydomain.com/myscript.cgi, an HTML form is loaded containing a welcome message and form fields followed by a Submit1 and a Reset button. When the user clicks on Submit1, a confirmation page is loaded, and when the user clicks on Reset, the form is reloaded with all user entries cleared. So far, so good.
- The confirmation page is a new HTML form that contains a "Please confirm your inputs" message with the form fields as completed by the user, followed by a Submit2 and a Reset button. On this second page, the user can make changes or leave inputs as is. The next step is to click on Submit2 to confirm or on Reset to start over.
This is where the script breaks. If the user clicks on Submit2 or on Reset, Apache loads a "Forbidden / you do not have access to myscript.cgi" page in the browser. Checking the error log, ModSecurity warns of an SQL injection attack. (On my lab PC everything works, but I've logged the IP of my lab PC into the ModSecurity config file.)
What to do? To narrow down the issue, we should focus on the Reset button behavior (why it works on the first page but fails on the second). TIA for your feedback.
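
To see which rule fired and which form field it matched, the denial entries in the Apache error log can be parsed. This is an added example, not part of the original post; it assumes ModSecurity 2.x style error-log lines, and the sample log, rule ids, field names and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the Apache error-log layout used by ModSecurity 2.x.
# Rule ids, patterns, field names and addresses are placeholders.
SAMPLE_LOG = '''\
[Tue Jan 01 10:00:01 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.+select)" at ARGS:comments. [file "/etc/modsecurity/example.conf"] [line "10"] [id "999001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/myscript.cgi"] [unique_id "constructed-1"]
[Tue Jan 01 10:00:09 2013] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico
[Tue Jan 01 10:00:30 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:or.+=)" at ARGS:address. [file "/etc/modsecurity/example.conf"] [line "22"] [id "999002"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/myscript.cgi"] [unique_id "constructed-2"]
'''

# [name "value"] metadata tags appended to every ModSecurity message
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "... at ARGS:fieldname. [file ..." names the variable that matched
TARGET = re.compile(r'\bat ([A-Z_]+(?::\S+?)?)\. \[')
CLIENT = re.compile(r'\[client ([^\]]+)\]')


def parse_denials(log_text):
    """Return one dict per 'Access denied' entry: client, target, id, msg, uri."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # ordinary Apache errors are skipped
        tags = dict(TAG.findall(line))
        target = TARGET.search(line)
        client = CLIENT.search(line)
        hits.append({
            "client": client.group(1) if client else None,
            "target": target.group(1) if target else None,
            "id": tags.get("id"),
            "msg": tags.get("msg"),
            "uri": tags.get("uri"),
        })
    return hits


def summarize(hits):
    """Count denials per (rule id, matched variable) pair."""
    return Counter((h["id"], h["target"]) for h in hits)


if __name__ == "__main__":
    for (rule_id, target), n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"rule {rule_id} matched {target}: {n} request(s)")
```

The matched variable (for example `ARGS:comments`) names the request parameter whose value triggered the rule, which is the field to compare between the first page and the confirmation page.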