• Resolved mcomposed

    (@mcomposed)


    Site editor posts are failing for a client in production. Their server error logs say it is because of an old known (but fixed) type juggling vulnerability. The linked Sucuri article states the vulnerability was introduced in 4.7.0 and resolved in 4.7.2. The affected site is running WordPress 6.0.1. And of course, this is not an issue on development or staging servers.

    Is this just a symptom of outdated mod_security rules? Thanks for any extra eyes on this.

    Example Request
    URL: /wp-json/wp/v2/templates/our-fse-theme//front-page?_locale=user
    payload: {"id":"our-fse-theme//front-page","content":"redacted for brevity"}

    Error log snippet

    [Tue Jul 12 12:20:29.438954 2022] [:error] [pid 17412] [client 24.63.218.17, 1] ModSecurity: Warning. Pattern match "\\\\D+" at TX:1. [file "/etc/apache2/mod_security/custom/wpjuggling.conf"] [line "41"] [id "3074"] [msg "ID field contains e"] [uri "/wp-json/wp/v2/templates/our-fse-theme/front-page"] [unique_id "Ys3Jfe0k9YTy1x504TE9ugAAAC0"]
    [Tue Jul 12 12:20:29.439019 2022] [:error] [pid 17412] [client 24.63.218.17, 1] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 0 at TX:wptj_score. [file "/etc/apache2/mod_security/custom/wpjuggling.conf"] [line "48"] [id "3079"] [msg "Wordpress TypeJuggling Exploit - Score0; see https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html"] [uri "/wp-json/wp/v2/templates/our-fse-theme/front-page"] [unique_id "Ys3Jfe0k9YTy1x504TE9ugAAAC0"]
Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    It’s not uncommon for ModSecurity to intercept the more uncommon WP requests. The type juggling bit is likely a false positive. The host needs to whitelist any legitimate requests that are running afoul of ModSecurity.
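
    As an added illustration of the false positive described above (example code written for this page, not the host's real wpjuggling.conf and not from the thread): a Python emulation of what the two logged rules do, as far as the log lines reveal it, plus a constructed route exemption showing what the host's whitelist needs to cover. The route list, the +1 scoring and the function names are assumptions.

```python
import json
import re
from typing import Optional

# Emulation (constructed) of the logged rules: rule 3074 matches \D+ against the
# request's id field and raises TX:wptj_score; rule 3079 denies with 403 when
# that score is greater than 0. Everything beyond that is assumed.
NON_DIGIT = re.compile(r"\D+")

# Hypothetical whitelist: block-template routes legitimately use string ids of
# the form "theme//slug", so the id check must not apply to them.
EXEMPT_ROUTES = ("/wp-json/wp/v2/templates/", "/wp-json/wp/v2/template-parts/")


def extract_id(body: str) -> Optional[str]:
    """Return the JSON body's 'id' field as a string, or None if absent/unparseable."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or "id" not in data:
        return None
    return str(data["id"])


def wpjuggling_score(uri: str, body: str, scoped: bool = False) -> int:
    """Rule 3074 emulation: score 1 when the id contains a non-digit.

    With scoped=True the exemption for template routes is applied first, which
    is the kind of whitelist the host needs to add for the site editor to work.
    """
    path = uri.split("?", 1)[0]  # ignore the query string (e.g. _locale=user)
    if scoped and path.startswith(EXEMPT_ROUTES):
        return 0
    post_id = extract_id(body)
    if post_id is None:
        return 0
    return 1 if NON_DIGIT.search(post_id) else 0


def wpjuggling_decision(uri: str, body: str, scoped: bool = False) -> int:
    """Rule 3079 emulation: 403 when TX:wptj_score > 0, otherwise 200 (pass)."""
    return 403 if wpjuggling_score(uri, body, scoped) > 0 else 200


# Constructed request matching the one reported in the thread.
FSE_URI = "/wp-json/wp/v2/templates/our-fse-theme//front-page?_locale=user"
FSE_BODY = '{"id":"our-fse-theme//front-page","content":"redacted for brevity"}'

if __name__ == "__main__":
    print(wpjuggling_decision(FSE_URI, FSE_BODY))               # 403: unscoped rule blocks the editor
    print(wpjuggling_decision(FSE_URI, FSE_BODY, scoped=True))  # 200: with the route exemption
```

The exemption leaves the non-digit check in place for routes where a numeric id is expected, so the rule still does the job it was written for while the site editor's string ids pass.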

  • The topic ‘Theme editor posts blocked by mod security rules’ is closed to new replies.