Support » Localhost Installs » pasted text results in “access denied”–why?

  • Resolved rmalderson3

    (@rmalderson3)


    I have a brand new installation of WordPress 5.9.2 on my VPS, accessed via ssh from macOS for administration and Safari for testing (logging in to the “admin” page).

    From the Pages>New Page link, I can enter a title and some sample text, and when I hit the Preview button the results show up nicely.

    If instead of typing the text in from my keyboard I paste it in from another window (Emacs, LibreOffice, Preview, doesn’t matter), when I hit the Preview button (or try to save the page, or any other reasonable action), I get a 403-Forbidden-you-don’t-have-access page.

    I thought it was because .htaccess was empty (fresh install), but putting the usual ModSecurity incantation into .htaccess makes no difference.

    All of the on-line help I can find via search engines points to .htaccess (and makes unreasonable assumptions such as “cPanel access).

    Where should I be looking, and what should I be looking for?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Vijay Hardaha

    (@vijayhardaha)

    Rename the htaccess file and see if you can access the home page or not.
    If you can’t then issue is not from htaccess. If you can access the homepage then created new htaccess file and add the fresh htaccess code in it.

    htaccess

    Do you see any errors in your browser’s console (other than the 403 HTTP response)? And are there any errors logged by your webserver?

    If you don’t find anything in your logs, turn on WordPress debugging or use the query monitor plugin:

    Debugging in WordPress

    Thread Starter rmalderson3

    (@rmalderson3)

    I installed the query monitor plugin, but apparently it does not have reasonable defaults for reporting things like access violations, and I am in the process of learning PHP and the like (which is why I wanted to play with WordPress at all) so I do not understand the cryptic instructions regarding turning on various bits of debugging.

    I also tried turning on WordPress debugging, per the Debugging in WordPress page, which *did* trigger an error report from the query monitor (“WP_DEBUG already turned on”), but nothing else that I can interpret.

    I just want to set up a little blog, folks. I’m not looking to become a WP developer; I’ve already had a 50 year career in IT and systems engineering. What is WP trying to tell me when it throws that 403 at me???

    Hey, are you just copying text and passing it into the wordpress editor, or are you also including links, images that are hosted on someone’s website?

    If you’re including links as embed and images to load content from another website then the Hotlink protection issue might cause 403 sometimes. You wanna double check your content.

    If that’s not the case then if you’re using any CDN then disable it then check if it solves the issue or reaches to hosting support to know the cause of such thing.

    Thread Starter rmalderson3

    (@rmalderson3)

    Hey, are you just copying text and passing it into the wordpress editor, or are you also including links, images that are hosted on someone’s website?

    if you’re using any CDN then disable it

    As I said in the original post, I am just trying to paste some plain ASCII (8-bit Unicode subset) text into a post and preview it.

    I had to look up “CDN” to be sure that I could honestly say that I am not using any such thing. This is my first attempt at using WordPress. (Well, I installed it a few months ago, got it completely wound around the axle, deleted it and started again.) Why would I have complicated matters with a CDN of any kind?

    I am just trying to paste some plain ASCII (8-bit Unicode subset) text into a post

    As per this input, It could be the problem of ModSecurity where the server Firewall doesn’t allow such codes.
    I recommend you contact hosting support and explain your use case and ask them to check if the Server is blocking such codes. The server keeps all the logs of these kinds of blocks for a reason.
    Hosting support can help you to solve this.

    Thread Starter rmalderson3

    (@rmalderson3)

    There is no “hosting support”. This is a VPS on which I have installed PHP, MariaDB, and Apache (along with Postfix and Dovecot for e-mail), and layered WordPress on top of those installations.
    I installed ModSecurity following the steps in the relevant documentation.

    What am I looking for in which log?

    Sorry, but I have no experience with managing VPS hosting. You’ll have to look around on the web for that or check the documentation where you originally followed the steps to install it.

    Thread Starter rmalderson3

    (@rmalderson3)

    VPS hosting is irrelevant. I could install WordPress on my Macintosh on my desk.
    Perhaps someone with experience in self-hosted installations should chime in.

    In any case, I have had a look at the logs, and find the following (for example) in the ssl_error log for yesterday:

    [Fri Mar 18 15:40:42.754737 2022] [:error] [pid 536254:tid 140146821244672] [client 172.92.68.182:60441] [client 172.92.68.182] ModSecurity: Warning. Pattern match "(?:\\\\$(?:\\\\((?:\\\\(.*\\\\)|.*)\\\\)|\\\\{.*\\\\})|[<>]\\\\(.*\\\\))" at ARGS:data[wp_autosave][content]. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(corrected version originally answered on quora.com february 11 2016)</em> how was the proto-indo-european language reconstructed? in order to answer this question we have to look at the historical background in which the earliest research in what we now call indo-european historical linguistics took place. first off we have to recognize that people familiar with more than one language saw resemblances between and among them even where none actually existed. for example the ancient romans ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88 [hostname "www.alderson.science"] [uri "/wordpress/wp-admin/admin-ajax.php"] [unique_id "YjUKasT5cUoLjsr5qeN57gAAAM4"], referer: https://www.alderson.science/wordpress/wp-admin/post-new.php?post_type=page

    It looks as though something in the pasted text text is matching an attack vector. ???

    Thread Starter rmalderson3

    (@rmalderson3)

    Continuing the saga: I added a ModSecurity exclusion, first to …/local_rules/modsecurity_localrules.conf and after that failed on restart, to …/activated_rules/whitelist.conf which also failed on restart. I realize that this is not a ModSecurity support page, but since the places I garnered this information were found by searching for “modsecurity rules wordpress” I think I can say that I’m probably not the first person to encounter this.

    The rules I added were

    `<LocationMatch “/wp-admin/page.php”>
    SecRuleRemoveById 932130
    </LocationMatch>

    <LocationMatch “/wp-admin/post.php”>
    SecRuleRemoveById 932130
    </LocationMatch>

    <LocationMatch “/wp-admin/admin-ajax.php”>
    SecRuleRemoveById 932130
    </LocationMatch>`

    The following excerpt shows the failure.

    journalctl -xe
    Mar 21 18:31:32 mail.alderson.science httpd[636168]: AH00526: Syntax error on line 13 of /etc/httpd/modsecurity.d/activated_rules/whitelist.conf:
    Mar 21 18:31:32 mail.alderson.science httpd[636168]: ModSecurity: No action id present within the rule
    Mar 21 18:31:32 mail.alderson.science systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
    Mar 21 18:31:32 mail.alderson.science systemd[1]: httpd.service: Failed with result ‘exit-code’.
    — Subject: Unit failed
    — Defined-By: systemd
    — Support: https://access.redhat.com/support

    — The unit httpd.service has entered the ‘failed’ state with result ‘exit-code’.
    Mar 21 18:31:32 mail.alderson.science systemd[1]: Failed to start The Apache HTTP Server.
    — Subject: Unit httpd.service has failed
    — Defined-By: systemd
    — Support: https://access.redhat.com/support

    — Unit httpd.service has failed.

    — The result is failed.

    Thread Starter rmalderson3

    (@rmalderson3)

    OK, no one wants to take a stab at this. Fine.

    While I can’t get modsecurity to accept the SecRuleRemoveById exceptions, I did get it to go “detection only”, which did indeed allow insertion and publishing of my first post.

    Too bad.

Viewing 12 replies - 1 through 12 (of 12 total)
  • You must be logged in to reply to this topic.