commenting on password-protected page fails

  • Resolved S Page

    (@skierpage)


    2 years, 1 month ago

    (The password on the page is “sekret”)

    I want to have some private pages that people are able to comment on. On my Dreamhost-hosted WP installation, after you “Leave a Reply” you’re left at an empty wp-comments-post.php URL. My Apache error log contains
    ModSecurity: Rule 6fb25f23bad8 [id "942360"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "444"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.skierpage.com"] [uri "/wordpress/wp-comments-post.php"]
    This happens whether I’m logged in or supply a username and e-mail. Is leaving a comment on a password-protected page supposed to work? Could it be a problem with my site theme (oldTwenty Ten with CSS mods to fix mobile issues) on 6.0.2? Commenting on a password-protected blog post fails as well.

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)

  • I just tested this in an installation without any plugins and with a default theme: it works.

    If it does not work for you, it may be due to a plugin you use or your theme. Unfortunately, the error message does not say anything about it.

    Thread Starter S Page

    (@skierpage)

    @threadi, thanks for confirming it’s not you, it’s not WP, it’s me ??

    I turned on PHP debugging and got no output. Which makes some sense; if you read the line from the Apache error.log carefully, the Apache ModSecurity module is having trouble running a particular line in a configuration file /dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf, and I think the failure occurs before the web server even gets to running any PHP code. This config file is the OWASP ModSecurity Core Rule Set ver.3.3.2, and around line 444 is rule id 942360 which does indeed have an extremely complicated regular expression in it (that aims to detect “concatenated basic SQL injection and SQLLFI attempts”).

    It seems Dreamhost configures its shared web hosting web server with complicated security rules that the web server can’t handle, which certain WordPress web requests can trigger. I’ll take it up with Dreamhost. Thanks again.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘commenting on password-protected page fails’ is closed to new replies.