• Great plugin MojoWill! So glad you stepped up and dev’d this version when the original plugin was taken over by ad-spam.

    But I *think maybe* there’s an incompatibility with WP 4.4.1

    I just recently created a new WP site with 4.4 and the latest version of your Plugin and there were no problems, but after it auto-updated to 4.4.1 I’m getting a 403 error when trying to log in to the Dashboard now (with Mojo Under Construction enabled).

    The WP site itself is displaying my Mojo Under Construction splash page on the public side with no problem, but any attempt to access wp-login.php or wp-admin lands at a 403.

    I’ve checked the mod_security logs on the server to see if any rules are being triggered, but none.

    Any chance this version of MUC could be incompatible with WP 4.4.1?

    Many thanks!

    https://wordpress.org/plugins/mojo-under-construction/

Viewing 1 replies (of 1 total)
  • Thread Starter anotherdave

    (@anotherdave)

    UPDATE – I was wrong about there being no mod_security issue.

    In fact, I was looking at the wrong server’s mod_security log when I started this thread.

    However, I did in fact discover an incompatibility between Mojo Under Construction and Comodo’s mod_security rule ID 214560.

    As follows from the server mod sec log:

    (I’ve replaced the actual site domain with example.com for security purposes)

    [Fri Jan 08 21:44:49.445538 2016] [:error] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(?i)(String\\\\.fromCharCode\\\\(.*?){4,}" at RESPONSE_BODY. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/14_Outgoing_FilterGen.conf"] [line "28"] [id "214560"] [rev "1"] [msg "COMODO WAF: Potential Obfuscated Javascript in Output - Excessive fromCharCode"] [data "Matched Data: String.fromCharCode(55356,56806,55356,56826),0,0),d.toDataURL().length>3e3):\\x22diversity\\x22===a?(e.fillText(String.fromCharCode(55356,57221),0,0),c=e.getImageData(16,16,1,1).data.toString(),e.fillText(String.fromCharCode(55356,57221,55356,57343),0,0),c!==e.getImageData(16,16,1,1).data.toString()):(\\x22simple\\x22===a?e.fillText(String.fromCharCode( found within RESPONSE_BODY: <!DOCTYPE html>\\x0a<!--[if IE 8]>\\x0a<html xmlns=\\x22http://www.w3.org/1999/xhtml\\x22 class=\\x22ie8 wp-toolbar\\x22 …"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/index.php"]

    [Fri Jan 08 21:44:49.446001 2016] [:error] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/21_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "1"] [msg "COMODO WAF: Outbound Points Exceeded (points 5)"] [hostname "flavorpull.com"] [uri "/403.shtml"]

    Disabling COMODO mod_security rules makes the issue go away, but also removes the added security provided by COMODO mod_security.

    Any ideas from your side?

    I’m happy to help with testing if you like.
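
An added example, not part of the original thread and not code from the plugin or from Comodo: Python that parses ModSecurity error-log entries like the two quoted above to show which rule actually denied which URI, and replays the pattern of rule 214560 against a response body to confirm a false positive. The sample log lines and test bodies are constructed; the unescaped form of the pattern and the use of Python's `re` in place of ModSecurity's PCRE engine are assumptions.

```python
import re
from collections import defaultdict

# [key "value"] pairs; the timestamp and [:error] carry no quoted value and are skipped.
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\]')
DENY_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)')
# Pattern of rule 214560 as quoted in the log, with the log's backslash escaping
# undone (assumption). Python's re stands in for ModSecurity's PCRE engine.
RULE_214560 = re.compile(r'(String\.fromCharCode\(.*?){4,}', re.I | re.S)

# Constructed sample entries (data field dropped, example.com is a placeholder).
SAMPLE_LOG = [
    '[Fri Jan 08 21:44:49.445538 2016] [:error] ModSecurity: Access denied with code 403 '
    '(phase 4). Pattern match "..." at RESPONSE_BODY. [id "214560"] [rev "1"] '
    '[msg "COMODO WAF: Potential Obfuscated Javascript in Output - Excessive fromCharCode"] '
    '[severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/index.php"]',
    '[Fri Jan 08 21:44:49.446001 2016] [:error] ModSecurity: Warning. Operator GE matched 4 '
    'at TX:outgoing_points. [id "214940"] [rev "1"] '
    '[msg "COMODO WAF: Outbound Points Exceeded (points 5)"] '
    '[hostname "example.com"] [uri "/403.shtml"]',
]

def parse_entry(line):
    """Return the entry's fields, plus 'status' and 'phase' when the request was denied."""
    entry = dict(FIELD_RE.findall(line))
    deny = DENY_RE.search(line)
    entry["denied"] = deny is not None
    if deny:
        entry["status"], entry["phase"] = int(deny.group(1)), int(deny.group(2))
    return entry

def denied_uris_by_rule(lines):
    """Map rule id -> set of URIs it blocked; warnings such as 214940 are not counted."""
    blocked = defaultdict(set)
    for entry in map(parse_entry, lines):
        if entry["denied"] and "id" in entry:
            blocked[entry["id"]].add(entry.get("uri", "?"))
    return dict(blocked)

def trips_rule_214560(response_body):
    """True when the body contains a run of four or more String.fromCharCode( calls."""
    return RULE_214560.search(response_body) is not None

if __name__ == "__main__":
    print(denied_uris_by_rule(SAMPLE_LOG))
```

Run against a real error log, the per-rule map shows whether one rule ID on a handful of admin URIs accounts for the 403s, which is the information needed to scope an exclusion to that rule instead of disabling the whole rule set.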

  • The topic ‘Possible incompatibility with WP 4.4.1?’ is closed to new replies.