String “.htaccess” triggers my WAF, resulting in 403 Forbidden
Hello,
I have a tricky but very serious bug for WordPress.
I get the “403 Forbidden” error when modifying a post that has a schema enabled. After a lot of testing, it is the firewall of my server via ModSecurity (Imunify360) that fires this rule:
IM360 WAF: Remote File Access Attempt
So I am not able to save a post! This happens on one specific post only.
The problem is when a text contains the word “.htaccess”, and this text is written in the schema attribute “Article Body” (might be elsewhere but I didn’t test that). When this attribute contains the htaccess word, you can save once, but after that I cannot modify anymore. I get the 403 error systematically.
Test case:
1. create a post
2. content of the post: .htaccess (with the dot!)
3. Save the post
4. go to schema, disable the auto-fetch to see the value “.htaccess” in the “article body” attribute
5. save the post
6. try to modify the post content by adding some text
7. I get the 403 forbidden error each time
8. when I try to delete the word “.htaccess”, I get the 403 error all the time. I am completely unable to modify my post.
For the moment, I can disable my firewall when I want to modify my post. But this needs a fix in your plugin I think. Are you doing some remote file access guys when saving or modifying a post??
This is the full error when the WAF rule kicks in:
Message: Access denied with code 403 (phase 2). Test 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1|!ARGS:force|!REQUEST_COOKIES:/^ph_/|!ARGS:images[]|!ARGS:/^misc-htaccess_/|!ARGS:aiowps_save_htaccess|!ARGS:submithtaccess|!ARGS:contextpath|!ARGS:response' against '(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|\.\/etc\/|^\/etc\/)' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/012_i360_1_generic.conf"] [line "66"] [id "77211190"] [msg "IM360 WAF: Remote File Access Attempt|
Thanks,
Didier.
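To see why the rule quoted above fires, it helps to replay its logic offline: the rule inspects the value of every request argument except those named in the `!ARGS:` exclusion list, and the regex matches `.htaccess` only when the dot is not preceded by a word character and the name ends at a word boundary. The simulator below is an added example, not part of the original post or of any plugin or Imunify360 code; it copies the regex and the exclusion list verbatim from the quoted log line. The argument name `plugin_schema_field` is a constructed placeholder, since the post does not say which form field the schema plugin submits, and the case-insensitive comparison of literal argument names is an assumption of this simulator.

```python
"""Offline replay of the ModSecurity rule quoted in the post (added
example, not code from the post, the plugin, or Imunify360)."""
import re

# The operator regex from the quoted rule, copied verbatim.
RFA_PATTERN = re.compile(
    r"(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)"
    r"|boot\.ini|global\.asa|httpd\.conf)\b|\.\/etc\/|^\/etc\/)"
)

# The !ARGS:... entries from the rule's variable list.  Entries wrapped in
# slashes are regexes matched against the argument name; the others are
# literal names.  The exclusions remove entries from ARGS (values) only;
# ARGS_NAMES is a separate collection and is still inspected in full.
ARG_EXCLUSIONS = [
    "/body/", "code", "/content/", "/description/",
    r"/install\[values\]\[\w+\]\[fileDenyPattern\]/", "/message/",
    "Post", "desc", "text", "wpTextbox1", "force", "images[]",
    "/^misc-htaccess_/", "aiowps_save_htaccess", "submithtaccess",
    "contextpath", "response",
]


def is_excluded(name: str) -> bool:
    """True if the argument's value is exempted by a !ARGS entry.
    Literal names are compared case-insensitively here (an assumption
    of this simulator, not something the post states)."""
    for entry in ARG_EXCLUSIONS:
        if entry.startswith("/") and entry.endswith("/"):
            if re.search(entry[1:-1], name, re.IGNORECASE):
                return True
        elif entry.lower() == name.lower():
            return True
    return False


def evaluate(args: dict) -> list:
    """Return (argument name, collection) pairs that would fire the rule
    for one request, given its form arguments as a dict."""
    hits = []
    for name, value in args.items():
        # ARGS_NAMES: every argument name is checked, exclusions or not.
        if RFA_PATTERN.search(name):
            hits.append((name, "ARGS_NAMES"))
        # ARGS: the value is checked only for non-excluded names.
        if not is_excluded(name) and RFA_PATTERN.search(value):
            hits.append((name, "ARGS"))
    return hits


if __name__ == "__main__":
    # Constructed requests; "plugin_schema_field" is a placeholder name.
    cases = {
        "post body, exempt via /content/": {"content": "see .htaccess"},
        "non-exempt field, matches":      {"plugin_schema_field": "see .htaccess"},
        "dot glued to a word, no match":  {"plugin_schema_field": "foo.htaccess"},
        "no trailing boundary, no match": {"plugin_schema_field": ".htaccessfile"},
        "path form also matches":         {"plugin_schema_field": "/etc/passwd"},
    }
    for label, request in cases.items():
        print(f"{label}: {evaluate(request)}")
```

The constructed cases show the two facts a defender needs when writing an exclusion: the WordPress `content` field is already exempt, so the same string saves fine in the post body, and a field whose name is not on the list is inspected in full, so a properly scoped `!ARGS:` entry (or a rule-id exclusion for that endpoint) is the fix on the WAF side rather than disabling the firewall.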