NinjaFirewall (WP Edition) - Advanced Security support forum: You don’t have permission to access /wp-admin/admin.php

  • [Resolved] wp_kc (@wp_kc)


    I moved my web sites from a VPS with Ubuntu 12.04/Apache 2.4/PHP 5.6 to a VPS with Debian 9/Apache 2.4/PHP 7.0. Everything is working except when I press the submit button on the Firewall Policy page. I get this…

    Forbidden
    
    You don't have permission to access /wp-admin/admin.php on this server.

    Saving settings on any of the other settings pages for NinjaFirewall works fine. So far I have not been able to find any clues in the server logs, or in the debug file with WP_DEBUG turned on.

    Is there anything special about the Firewall Policies page that might cause that?

    One other possibility is that the new server has mod_security2 installed on it. I don’t think that was on the old server.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Sure enough, I tracked it down to mod_security2. Here is what is in the logs when you try to save settings on the Firewall Policies page.

    
    ModSecurity: Warning. Pattern match "(?i)(?:\\\\W|^)(?:javascript:(?:[\\\\s\\\\S]+[=\\\\\\\\(\\\\[\\\\.<]|[\\\\s\\\\S]*?(?:\\\\bname\\\\b|\\\\[ux]\\\\d))|data:(?:(?:[a-z]\\\\w+\\\\/\\\\w[\\\\w+-]+\\\\w)?[;,]|[\\\\s\\\\S]*?;[\\\\s\\\\S]*?\\\\b(?:base64|charset=)|[\\\\s\\\\S]*?,[\\\\s\\\\S]*?<[\\\\s\\\\S]*?\\\\w[\\\\s\\\\S]*?>))|@\\\\W*?i\\\\W*?m\\\\W*?p\\\\W*? ..." at ARGS:nfw_options[csp_backend_data]. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "300"] [id "941170"] [rev "3"] [msg "NoScript XSS InjectionChecker: Attribute Injection"] [data "Matched Data:  data:; found within ARGS:nfw_options[csp_backend_data]: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.videopress.com *.google.com *.wp.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.google.com *.jquery.com; connect-src 'self'; media-src 'self' *.youtube.com *.w.org; child-src 'self' *.videopress.com *.google.com; object-src 'self'; form-action 'self'; img-src 'self' *.gravatar.com *.wp.com *.w.org *.cldup.com woocommerce.com data:;"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [mat [hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "WWC2lwozdh0AAN02Ft0AAAAG"], referer: https://www.example.com/wp-admin/admin.php?page=nfsubpolicies
    
    ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.example.com"] [uri "/wp-admin/admin.php"] [unique_id "WWC2lwozdh0AAN02Ft0AAAAG"], referer: https://www.example.com/wp-admin/admin.php?page=nfsubpolicies
    

    So apparently the recommended rules for mod_security2 interpret the posted data from the policies page as an XSS attack! Temporarily disabling mod_security2 allowed me to save the firewall policies.

  • Plugin Author nintechnet (@nintechnet)

    It comes from the “Set Content-Security-Policy for the WordPress admin dashboard” data that is wrongly flagged as an XSS threat.
    You can disable that rule (id: 949110) in ModSecurity.
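Added example (not code from the thread, the NinjaFirewall plugin, or ModSecurity): a Python script that triages the two log entries posted above the way a practitioner would before touching the rule set. Read together, the entries show two different rules: 941170 (REQUEST-941-APPLICATION-ATTACK-XSS.conf) is the rule that scored the request, because the CSP string in ARGS:nfw_options[csp_backend_data] contains a literal `data:` source, while 949110 (REQUEST-949-BLOCKING-EVALUATION.conf) only compares the summed anomaly score with the threshold and issues the 403. The script separates the two and generates a runtime exclusion that removes that single argument from 941170 on the admin path only, so the XSS rule keeps inspecting every other parameter and anomaly blocking stays on. The sample log lines are constructed by abbreviating the ones in the thread (the regex in the `Pattern match` clause and the `data` field are shortened); the local rule id 10001 is an assumption.

```python
"""Triage ModSecurity 2.x error-log entries and emit a scoped CRS exclusion.

Added example for the NinjaFirewall thread; not code from the plugin or
from ModSecurity. The two log entries below are constructed by shortening
the ones posted in the thread. Rule id 10001 for the local exclusion is an
assumption; use any id in the range reserved for your own rules.
"""
import re

# Bracketed key/value pairs: [id "941170"], [msg "..."], [file "..."], ...
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator matched: '... at ARGS:nfw_options[csp_backend_data]. ['
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[^ ]+?)?)\. \[')
# Present only on the entry that actually blocked the request.
DENIED_RE = re.compile(r'Access denied with code (\d+)')

SAMPLE_LOG = [
    # Constructed: the CRS 3.0 XSS rule scoring the CSP string (regex abbreviated)
    'ModSecurity: Warning. Pattern match "(?i)(?:\\\\W|^)(?:javascript:|data:)..." '
    'at ARGS:nfw_options[csp_backend_data]. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "300"] [id "941170"] [rev "3"] '
    '[msg "NoScript XSS InjectionChecker: Attribute Injection"] '
    '[data "Matched Data:  data:; found within ARGS:nfw_options[csp_backend_data]: '
    "script-src 'self' 'unsafe-inline'; img-src 'self' *.gravatar.com data:;\"] "
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [hostname "example.com"] '
    '[uri "/wp-admin/admin.php"] [unique_id "WWC2lwozdh0AAN02Ft0AAAAG"]',
    # Constructed: the anomaly-threshold rule that turned the score into a 403
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[severity "CRITICAL"] [tag "application-multi"] [tag "attack-generic"] '
    '[hostname "www.example.com"] [uri "/wp-admin/admin.php"] '
    '[unique_id "WWC2lwozdh0AAN02Ft0AAAAG"]',
]


def parse_modsec_entry(line):
    """Split one 'ModSecurity:' error-log line into the fields triage needs."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)  # [tag ...] repeats; keep them all
        else:
            fields[key] = value
    target = TARGET_RE.search(line)
    denied = DENIED_RE.search(line)
    rule_file = fields.get("file", "")
    return {
        "id": fields.get("id"),
        "file": rule_file,
        "msg": fields.get("msg", ""),
        "uri": fields.get("uri"),
        "hostname": fields.get("hostname"),
        "severity": fields.get("severity"),
        "tags": tags,
        "target": target.group(1) if target else None,
        "denied_code": int(denied.group(1)) if denied else None,
        # CRS 3 lets each detection add to TX:anomaly_score; rule 949110 in the
        # 949 file then compares the total with the threshold and denies. That
        # entry is the verdict, not the detection, so it is never the rule to exclude.
        "is_blocking_evaluation": denied is not None or "BLOCKING-EVALUATION" in rule_file,
    }


def exclusion_rule(entry, local_id):
    """Runtime exclusion: drop one ARGS target from one CRS rule on one URI.

    Narrower than SecRuleRemoveById on the XSS rule (which would stop inspecting
    every parameter site-wide), and unlike removing 949110 it leaves blocking on.
    """
    if entry["is_blocking_evaluation"]:
        raise ValueError(f"rule {entry['id']} only enforces the threshold; exclude the scoring rule")
    if not entry["target"] or not entry["target"].startswith("ARGS:"):
        raise ValueError(f"rule {entry['id']} did not match a request argument")
    if not entry["uri"]:
        raise ValueError("no uri field to scope the exclusion to")
    return (
        f'SecRule REQUEST_URI "@beginsWith {entry["uri"]}" \\\n'
        f'    "id:{local_id},phase:1,pass,nolog,'
        f'ctl:ruleRemoveTargetById={entry["id"]};{entry["target"]}"'
    )


def exclusion_rules(lines, first_id=10001):
    """Parse a batch of log lines; return one exclusion per scoring ARGS detection."""
    hits = [
        e for e in map(parse_modsec_entry, lines)
        if not e["is_blocking_evaluation"] and e["target"] and e["target"].startswith("ARGS:")
    ]
    return [exclusion_rule(e, first_id + i) for i, e in enumerate(hits)]


if __name__ == "__main__":
    for entry in map(parse_modsec_entry, SAMPLE_LOG):
        role = "verdict" if entry["is_blocking_evaluation"] else "detection"
        print(f'{entry["id"]} {role:9} {entry["target"]}  {entry["msg"]}')
    print("\n".join(exclusion_rules(SAMPLE_LOG)))
```

The generated rule uses a `ctl:` action, so by the CRS convention it belongs in the exclusions file loaded before the CRS rules (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf in a CRS 3 layout); the equivalent configure-time form, `SecRuleUpdateTargetById 941170 "!ARGS:nfw_options[csp_backend_data]"`, goes after the rules instead and is not limited to one URI. After adding either, re-submit the Firewall Policies page and confirm that the error log shows no new 941170 entry and that a request carrying a real `javascript:` payload in another parameter is still scored.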

  • Thank you. I usually set-it-and-forget-it on the firewall policies, so I disabled it just long enough to set the policies on the 3 web sites running on the server, then re-enabled it. It doesn’t seem to hurt anything else.

    Perhaps this is a new item to add to the FAQ (or not-so-FAQ) in case others run into the same problem.

    • This reply was modified 2 years, 7 months ago by wp_kc. Reason: bad grammar