WordPress.org

1. caratage
   Member
   Posted 1 year ago #
   

   Dear all,

   I stumbled upon a strange behaviour in WP 3.3.1 MS. Ok, here's what I did: I tried to add a new user. I am in the admin as registrations from the front-end are disabled. I have successfully added users before, but this time something went wrong:

   Add User - 1st Attempt

   1. I am in the user admin area of the respective blog, my capabilities are SuperAdmin.
   2. I click "Add New", so it takes me to /wp-admin/user-new.php
   3. I want to add a new user, so I use the 2nd form
   4. I supply the username and email, select the role and Add New User
   5. I get an error 403 Forbidden

   Add User - 2nd Attempt

   1. I am in the user admin area of the network, my capabilities are SuperAdmin.
   2. I click "Add New", so it takes me to /wp-admin/network/user-new.php
   3. Just one form to fill here
   4. I supply the username and email, and Add User
   5. I get an error 403 Forbidden

   Hey, what's up? Permissions?

   Ok, let's do CHMOD wp-admin to 777. Repeated the above steps.

   Again Error 403
   
   I start to google a bit, find about and this mod_security thing and add some .htaccess magic.

   <IfModule mod_security.c>
     SecFilterEngine Off
   </IfModule>

   Repeated the above steps.

   Oh, again Error 403
   
   I google a bit more, find about and this mod_env thing and add some.htaccess magic.

   <IfModule mod_env.c>
       SetEnv MODSEC_ENABLE Off
       PassEnv MODSEC_ENABLE
   </IfModule>

   Repeated the above steps.

   Oh no, not again Error 403
   
   Ok. Rewind. Fully Rewind.

   Add User - 3rd Attempt

   1. Overwrite wp-admin with pristine one to restore permissions to default
   2. Remove .htaccess magic
   3. Let's try register another test user (user test, email test@mydomain.com) from the blog. Hey, it worked! Happy
   4. Let's try register another test user (user test, email test@mydomain.com) from network Hey, it worked! Happy
   5. Let's try register the real user (user myrealuser, email myrealuser@yahoo.com) ....

   BOOM: Error 403

   Just thinking: Are there any filters preventing myrealuser or myrealuser@yahoo.com from being registered?

   Yes: I remember that in the network admin (/wp-admin/network/settings.php), you can supply banned names from registering sites. Maybe that is true for usernames as well? But myrealuser is a trivial name and not included in that list...

   Add User - 4th Attempt

   1. Let's try register another test user (user myrealuser, email test@mydomain.com) from the blog or from the network. Hey, it worked! Happy
   2. Let's change myrealuser's email to myrealuser@yahoo.com

   Error 403, still getting Error 403 Forbidden
   

   So my question: Has anyone had a similar problem registering users with a @yahoo.com address? Does a blacklist/spam filter for registering user emails exist?

   Any help or hint greatly appreciated!

2. Ipstenu (Mika Epstein)
   Half-Elf Support Rogue & Mod
   Posted 1 year ago #
   

   Mod Security cannot be turned off via .htaccess in most modern installs of Apache.

   Check your server's error log. You should be able to check if it's mod security and, if so, you need to add something like this to your whitelist for mod_sec :/

   ## WordPress
   <LocationMatch "/index.php">
   SecRuleRemoveById 300015 300016 300017
   </LocationMatch>
   
   <LocationMatch "/wp-admin/post.php">
   SecRuleRemoveById 300015 300016 300017
   </LocationMatch>
   <LocationMatch "/wp-admin/admin-ajax.php">
   SecRuleRemoveById 300015 300016 300017
   SecRuleRemoveById 300013
   </LocationMatch>
   <LocationMatch "/wp-admin/page.php">
   SecRuleRemoveById 300015 300016 300017
   </LocationMatch>

3. caratage
   Member
   Posted 1 year ago #
   

   Would that also be the case if error 403 is only happening in combination with certain email addresses/domains? As I said, I can register most users, just a few cause the error.

   So I put the above in /usr/local/apache/conf/modsec2/whitelist.conf?
   And my LocationMatch for /wp-admin/user-new.php?
   Will I have to change those numbers as described here?

   But yeah, will try your solution out first. Let's see if my hosting provider allows me to do so (cheap virtual server without root or SSH)...

4. Ipstenu (Mika Epstein)
   Half-Elf Support Rogue & Mod
   Posted 1 year ago #
   

   Would that also be the case if error 403 is only happening in combination with certain email addresses/domains? As I said, I can register most users, just a few cause the error.

   Yes. Because mod security is looking for a pattern of words/letters that tell it OMG! Evil! And it's possible yahoo.com is banned somehow. If it was WP's blacklist, you'd get a different error.

   That post you linked to is a great one.

   I recently added this to mine to make it shut up about posts.
   

   SecRule REQUEST_URI "/wp-admin/post.php"
   phase:1,nolog,allow,ctl:ruleEngine=Off

5. caratage
   Member
   Posted 1 year ago #
   

   Ok, will try that out as soon I find some time... Thanks for the ideas. Will post here again with results.

Topic Closed

This topic has been closed to new replies.