swissspaceboy
Forum Replies Created
Hello,
Following the update to 7.11.1, my permalinks got broken again. Most of my pages are pointing to the blog page. I applied the fix that you proposed to switch to plain, save, and change to postname + save. Let’s see how this works during the next plugin update if my links get broken.
Did you get a chance to look at the diag log that I sent you?
Thanks,
Didier.
Thanks.
Yes, we disabled this rule in our WAF. I have no warning message anymore.
We can close this ticket.
Didier.
Hello,
Not better with the latest version 4.5.0. The warning message is still present. ModSec firewall is enabled on this site, with the rule enabled.
Didier.
Hi,
So this is the firewall rule that gets fired for your plugin:
[Tue Nov 14 02:09:43.465445 2023] [error] [client 185.67.193.35] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '@rx [A-Z]'] [id "77318019"] [msg "IM360 WAF: Authenticated Privilege Escalation in All in One SEO < 4.1.5.3 plugin for WordPress (CVE-2021-25036)||T:APACHE||MV:/wp-json/aioseo/v1/||"] [severity "CRITICAL"] [tag "wp_plugin"] [hostname "www.talentbox.solutions"] [uri "/wp-json/aioseo/v1/"], referer:
I am using a much later version of the plugin, so this rule is not valid anymore, right? Can you do something with this? How to proceed further?
At least you know that all users with ModSec enabled and this standard rule will have problems with your plugin.
Didier.
- This reply was modified 11 months, 1 week ago by swissspaceboy.
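As an added example (not from this thread or from either plugin's code), the following Python parses a ModSecurity error-log line of the kind quoted above and checks whether the version threshold in the signature's msg ("< 4.1.5.3") still covers the plugin version actually installed; a hit from a signature written for an older version is a strong false-positive indicator and a candidate for a scoped rule exclusion rather than a global disable. The log line is a constructed copy of the one in the post; the function names are my own.

```python
import re

# Constructed copy of the ModSecurity error-log line quoted in the post above.
SAMPLE_LOG = (
    '[Tue Nov 14 02:09:43.465445 2023] [error] [client 185.67.193.35] '
    'ModSecurity: Access denied with code 403, [Rule: \'MATCHED_VAR\' \'@rx [A-Z]\'] '
    '[id "77318019"] [msg "IM360 WAF: Authenticated Privilege Escalation in All in One SEO '
    '< 4.1.5.3 plugin for WordPress (CVE-2021-25036)||T:APACHE||MV:/wp-json/aioseo/v1/||"] '
    '[severity "CRITICAL"] [tag "wp_plugin"] [hostname "www.talentbox.solutions"] '
    '[uri "/wp-json/aioseo/v1/"], referer:'
)

# Quoted key/value fields; the [Rule: ...] and [error] brackets are skipped on purpose.
FIELD_RE = re.compile(r'\[(id|msg|severity|tag|hostname|uri) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# "< 4.1.5.3" style threshold inside a signature message.
VERSION_RE = re.compile(r'<\s*(\d+(?:\.\d+)*)')


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity error-log line as a dict."""
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    if m:
        fields['client'] = m.group(1)
    return fields


def version_tuple(v):
    return tuple(int(x) for x in v.split('.'))


def rule_targets_installed_version(msg, installed):
    """True if the '< X.Y.Z' threshold in msg covers the installed version,
    False if the installed version is at or above it, None if msg has no threshold."""
    m = VERSION_RE.search(msg)
    if not m:
        return None
    return version_tuple(installed) < version_tuple(m.group(1))


def triage(line, installed_version):
    """Parse the line and flag whether the signature still applies to what is installed."""
    fields = parse_modsec_line(line)
    fields['applies'] = rule_targets_installed_version(fields.get('msg', ''), installed_version)
    return fields
```

With the 4.5.0 build mentioned later in the thread, `triage(SAMPLE_LOG, '4.5.0')['applies']` is `False`; a build such as 4.1.5.2 would give `True`.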
Hi,
We found the problem. It is the mod_security module that gives the 403 Forbidden error. This module is enabled by default by the hoster.
Can you check that please for the plugin to support the ModSecurity firewall?
Thanks,
Didier.
I would gladly whitelist this URL, if I knew where it is coming from. Interesting to see that the other URL is working fine. I will check with my hoster if they have an idea.
Hello,
Thanks for the error message. That’s the one that we all get.
For Imunify360, you were able to continue or we need to whitelist your IP?
Didier.
Hi Peter,
It is really the Wordfence update that is causing an issue. Today you delivered 7.10.7. So I checked my website and the permalinks are OK. I updated the plugin version manually, and some pages again point wrongly to my blog page. My blog page does not show any posts.
I exported the diag report for you. Check it out, please.
The strange thing is that after the report, and WITHOUT flushing the permalinks, the website is behaving correctly. I don’t know if the diag report does something or not. Really strange…
I do not have access to database logs. Also, I don’t like to play around by changing the permalink structure from plain to postname. It will screw up my site if I have a problem during this change. I’ll try it on a staging area first if I can reproduce it there. I didn’t check it yet.
Didier.
Hello.
- as I expected, the link with trailing slash https://www.talentbox.solutions/wp-json/aioseo/v1/ is forbidden, as directory browsing is not allowed. For security reasons, it is recommended to disable that.
- I do not know yet who is giving this 403 error for this directory browsing. I disabled all mod rewrites and I still have the error.
- My hoster also gets the 403 error, and this is not a surprise for them. Cf. #1.
- My hoster can look into your Imunify360 error. What is the error message, please?
Didier.
Thanks. I am checking with my hoster if they can explain these 403 forbidden errors.
I will report back.
Didier.
Hmm... I never got this problem.
What reconfiguration of the WAF? I don’t have other problems when updating the plugin. Can you provide more details?
Didier.
Hello,
Apart from Wordfence, I have no other security things in place to add a rule. I don’t know where this 403 is coming from. It is not Wordfence, as I disabled it.
https://www.talentbox.solutions/wp-json/aioseo/v1/ -> 403
https://www.talentbox.solutions/wp-json/aioseo/v1 -> works fine (without the trailing slash).
Any idea what could impact the usage of this trailing slash in the URL?
Didier.
Hi,
I spent a couple of hours checking this thing.
I don’t think that the wildcard * is a valid parameter. When I try it on other plugins/namespaces of my websites, I also get the 404 error. I tried on another website (not mine!) and I also get 404 errors when using this wildcard. Try
https://maheshwaghmare.com/wp-json/akismet/*
https://maheshwaghmare.com/wp-json/akismet/v1 is working fine.
For AIOSEO, when I use the URL below, I get results back from the registered endpoints.
Can you double-check if this wildcard /aioseo/* is correct?
https://www.talentbox.solutions/wp-json/aioseo/v1
namespace "aioseo/v1"
routes
/aioseo/v1 {…}
/aioseo/v1/options {…}
/aioseo/v1/ping {…}
/aioseo/v1/post {…}
/aioseo/v1/post/(?P[\d]+)/first-attached-image {…}
/aioseo/v1/user/(?P[\d]+)/image {…}
/aioseo/v1/tags {…}
/aioseo/v1/htaccess {…}
/aioseo/v1/post/(?P[\d]+)/disable-primary-term-education {…}
/aioseo/v1/post/(?P[\d]+)/disable-link-format-education {…}
/aioseo/v1/post/(?P[\d]+)/update-internal-link-count {…}
/aioseo/v1/postscreen {…}
/aioseo/v1/termscreen {…}
/aioseo/v1/keyphrases {…}
/aioseo/v1/analyze {…}
/aioseo/v1/analyze-headline {…}
/aioseo/v1/analyze-headline/delete {…}
/aioseo/v1/analyze/delete-site {…}
/aioseo/v1/clear-log {…}
/aioseo/v1/connect {…}
/aioseo/v1/connect-pro {…}
/aioseo/v1/connect-url {…}
/aioseo/v1/backup {…}
/aioseo/v1/backup/restore {…}
/aioseo/v1/email-debug-info {…}
/aioseo/v1/migration/fix-blank-formats {…}
/aioseo/v1/notification/blog-visibility-reminder {…}
/aioseo/v1/notification/description-format-reminder {…}
/aioseo/v1/notification/conflicting-plugins-reminder {…}
/aioseo/v1/notification/install-addons-reminder {…}
/aioseo/v1/notification/install-aioseo-image-seo-reminder {…}
/aioseo/v1/notification/install-aioseo-local-business-reminder {…}
/aioseo/v1/notification/install-aioseo-news-sitemap-reminder {…}
/aioseo/v1/notification/install-aioseo-video-sitemap-reminder {…}
/aioseo/v1/notification/install-mi-reminder {…}
/aioseo/v1/notification/install-om-reminder {…}
/aioseo/v1/notification/v3-migration-custom-field-reminder {…}
/aioseo/v1/notification/v3-migration-schema-number-reminder {…}
/aioseo/v1/notifications/dismiss {…}
/aioseo/v1/objects {…}
/aioseo/v1/plugins/deactivate {…}
/aioseo/v1/plugins/install {…}
/aioseo/v1/plugins/upgrade {…}
/aioseo/v1/reset-settings {…}
/aioseo/v1/settings/export {…}
/aioseo/v1/settings/hide-setup-wizard {…}
/aioseo/v1/settings/hide-upgrade-bar {…}
/aioseo/v1/settings/import {…}
/aioseo/v1/settings/import/(?P[\d]+) {…}
/aioseo/v1/settings/import-plugins {…}
/aioseo/v1/settings/toggle-card {…}
/aioseo/v1/settings/toggle-radio {…}
/aioseo/v1/settings/dismiss-alert {…}
/aioseo/v1/settings/items-per-page {…}
/aioseo/v1/settings/do-task {…}
/aioseo/v1/sitemap/deactivate-conflicting-plugins {…}
/aioseo/v1/sitemap/delete-static-files {…}
/aioseo/v1/sitemap/validate-html-sitemap-slug {…}
/aioseo/v1/tools/delete-robots-txt {…}
/aioseo/v1/tools/import-robots-txt {…}
/aioseo/v1/wizard {…}
/aioseo/v1/integration/semrush/authenticate {…}
/aioseo/v1/integration/semrush/refresh {…}
/aioseo/v1/integration/semrush/keyphrases {…}
/aioseo/v1/integration/wpcode/snippets {…}
_links {…}
ok, I don’t know why Insomnia is considered as a bad bot, but I whitelisted it for you. Please check again. I hope it goes through now.
Didier.