• Resolved Vipa

    (@vipa)


    Hi David,

    I tried to follow the instructions of this thread:

    Can the gallery be made responsive?

    When I copied the default style and then tried to edit it I got:
    Forbidden
    You do not have permission to access this document.

    Any ideas what this could be?

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Vipa

    (@vipa)

    I figured it out, it was mod_security.
    I will post the error, maybe there is something you can do to prevent this.

    
    [Thu May 16 16:02:46.292860 2019] [:error] [pid 19488:tid 140113661105920] [client x.x.x.x:37410] [client x.x.x.x] ModSecurity: Warning. Pattern match "image\\\\/svg\\\\+xml|text\\\\/(?:css|html|(?:x-)?(?:(?:ecma|java|vb)script|scriptlet)).|.application\\\\/x-shockwave-flash" at ARGS_POST:mla_template_item[sections][styles]. [file "/etc/apache2/modsecurity.d/rules/comodo/07_XSS_XSS.conf"] [line "75"] [id "212740"] [rev "5"] [msg "COMODO WAF: XSS Attack Detected||www.domain.tld|F|2"] [data "Matched Data: text/css' found within ARGS_POST:mla_template_item[sections][styles]: <styletype='text/css'>"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.domain.tld"] [uri "/wp-admin/options-general.php"] [unique_id "XN1ths1cd@mZbV8dQdGhcwAAAAc"], referer: https://www.domain.tld/wp-admin/options-general.php?mla_admin_action=single_item_edit_display&mla_admin_nonce=824122c6df&page=mla-settings-menu-shortcodes&mla_tab=shortcodes&mla_item_ID=3

    Plugin Author David Lingren

    (@dglingren)

    Thanks for your report; I regret the trouble you’re having with modifying the style templates.

    I am running Apache 2.4.23 (Win64) OpenSSL/1.0.2j PHP/7.0.27, and I do not see a mod_security available in that configuration. Thus, I am unable to reproduce the problem. Can you tell me what web server, version and OS platform you are using so I can investigate further? Thanks!

    Thread Starter Vipa

    (@vipa)

    Hi David,

    thanks for your reply.

    ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.

    If I interpret the log entry correctly, there was a false positive because of this part:
    image\\\\/svg\\\\+xml|text\\\\/(?:css|html|(?:x-)?(?:(?:ecma|java|vb)script|scriptlet)).|.application\\\\/x-shockwave-flash

    I am running:
    Ubuntu: 18.04.2 LTS?
    Plesk Onyx: 17.8.11 Update Nr. 53
    modsecurity: 2.9.2
    Apache: 2.4.29
    PHP: 7.2.18 FPM
    WordPress: 5.2
    Media Assistant: 2.79

    Plugin Author David Lingren

    (@dglingren)

    Thank you for your detective work and for the additional details.

    As you wrote, the ModSecurity rule is matching the <style type='text/css'> tag in the template and falsely interpreting it as an attack. This behavior isn’t unique to MLA – I believe you’d get the same result from adding the tag to post/page content.

    Given the unique nature of the problem I do not have any plans at this time to implement a workaround. You could take this up with the ModSecurity support staff to see if they have any suggestions.

    You can also add your custom styles to your theme’s CSS file and use mla_style=none to suppress MLA’s default styles.

    I am marking this topic resolved because MLA is working as intended and you have another way to accomplish your objective. Please update the topic if you have any problems or further questions regarding the above suggestions. Thanks for your understanding.
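
Added example, not part of the thread or of either poster's code: a Python sketch that parses the ModSecurity error-log line posted above and re-runs the logged pattern against the `<style type='text/css'>` tag, confirming which rule, which request argument and which substring caused the 403. The log line is abridged from the post, the function names are hypothetical, and collapsing the log's backslash runs to a single backslash is an assumption about how the log escaped the rule's regex.

```python
import re

# Abridged from the error-log line in the thread (timestamp, pid, referer dropped).
LOG_LINE = (
    r'[client x.x.x.x] ModSecurity: Warning. Pattern match '
    r'"image\\\\/svg\\\\+xml|text\\\\/(?:css|html|(?:x-)?(?:(?:ecma|java|vb)script|scriptlet)).|.application\\\\/x-shockwave-flash" '
    r'at ARGS_POST:mla_template_item[sections][styles]. '
    r'[file "/etc/apache2/modsecurity.d/rules/comodo/07_XSS_XSS.conf"] [line "75"] [id "212740"] '
    r'[msg "COMODO WAF: XSS Attack Detected||www.domain.tld|F|2"] '
    r'''[data "Matched Data: text/css' found within ARGS_POST:mla_template_item[sections][styles]: <styletype='text/css'>"] '''
    r'[severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [uri "/wp-admin/options-general.php"]'
)

HEAD = re.compile(r'Pattern match "(?P<pattern>[^"]*)" at (?P<target>\S+)\. \[')
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_alert(line):
    """Extract the rule pattern, matched variable and [key "value"] metadata."""
    head = HEAD.search(line)
    if head is None:
        raise ValueError("not a ModSecurity 'Pattern match' alert")
    alert = {"pattern": head["pattern"], "target": head["target"], "tag": []}
    for key, value in FIELD.findall(line):
        if key == "tag":
            alert["tag"].append(value)  # [tag "..."] repeats, keep every value
        else:
            alert[key] = value
    return alert

def rule_regex(logged_pattern):
    # Assumption: the log multiplied the rule's backslashes; collapse each run to one.
    return re.compile(re.sub(r'\\+', lambda m: '\\', logged_pattern))

def reproduce(alert, value):
    """Return the substring of `value` that the logged rule pattern matches, or None."""
    m = rule_regex(alert["pattern"]).search(value)
    return m.group(0) if m else None

def logged_match(alert):
    """Substring ModSecurity itself reported in the [data "..."] field."""
    m = re.match(r"Matched Data: (.*?) found within", alert.get("data", ""))
    return m.group(1) if m else None

if __name__ == "__main__":
    alert = parse_alert(LOG_LINE)
    print(alert["id"], alert["severity"], alert["uri"], alert["target"])
    print("re-run match:", reproduce(alert, "<style type='text/css'>"))
```

The re-run match equals the `Matched Data` value in the log, so the rule fired on the MIME type string in the template's style tag rather than on any script content.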

  • The topic ‘Copy/Edit Shortcode styles – Forbidden’ is closed to new replies.