[wp-trac] [WordPress Trac] #45190: Blank screen for WP 5.0 beta on a web host with a Mod_Security conflict

WordPress Trac noreply at wordpress.org
Sun Oct 28 19:23:51 UTC 2018


#45190: Blank screen for WP 5.0 beta on a web host with a Mod_Security conflict
--------------------------+---------------------
 Reporter:  designsimply  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  5.0
Component:  Editor        |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  dev-feedback  |     Focuses:
--------------------------+---------------------

Comment (by Clorith):

 There is an existing issue logged for this at
 https://github.com/WordPress/gutenberg/issues/10075

 I'll just fill this out with some other mod_sec rules we've observed, for
 maximum coverage:

 {{{
 ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/json"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "www.domain.com"] [uri "/wp-json/wp/v2/posts/6/autosaves"] [unique_id "W3dK9goASzoAABfURiAAAAA-"]
 }}}

 {{{
 ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "301"] [id "340149"] [rev "152"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potential Cross Site Scripting Attack"] [data "ecmascript"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(?:< ?i?frame ?src ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\\\\.add|\\\\@)import |asfunction\\\\:|background-image\\\\:|e(?:cma|xec)script|\\\\.fromcharcode|get(?:parentfolder|specialfolder)|\\\\.innerhtml|\\\\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s| ..." at REQUEST_URI. [hostname "dev.partzorg.nl"] [uri "/wp-content/plugins/gutenberg/vendor/wp-polyfill-ecmascript.min.2ae96136.js"] [unique_id "W59N9ACZ95d3fNdTxLlY8gAAAAY"], referer: http://dev.partzorg.nl/wp-admin/post.php?post=407&action=edit
 }}}

 {{{
 ModSecurity: Access denied with code 403 (phase 2). Match of "ge 1" against "&REQUEST_COOKIES_NAMES:/^wordpress_([0-9a-fA-f]{32})$/" required. [file "/usr/local/cwaf/rules/28_Apps_WordPress.conf"] [line "127"] [id "225170"] [rev "1"] [msg "COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)||my-domain-name|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WordPress"] [hostname "my-domain-name"] [uri "/wp-json/wp/v2/users"] [unique_id "WqDSpFczAjtKrcDim5CqlAAAAGA"], referer: http://my-domain-name/wp-admin/post-new.php?post_type=page
 }}}

 Those were the three I could recall the topics for. I don't know the specific
 hosts, but I'm seeing at least one default Plesk rule.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45190#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
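The three hits quoted in the comment share a shape: a legitimate editor request (a JSON REST call made from wp-admin, or a Gutenberg script whose filename happens to contain "ecmascript") trips a generic WAF rule. The following triage script is an added example for this ticket, not code from WordPress, Gutenberg, ModSecurity or any of the rule vendors. It parses the `[key "value"]` fields ModSecurity 2.x writes to the Apache error log, sorts the hits into "extend the content-type allow list", "exclude the rule for this location" and "review by hand", and prints the corresponding directives. The classification heuristics, the `<LocationMatch>` prefixes, and the `SecAction` rule id `900999` are assumptions made for the example; the sample log is the three entries above with mail line-wrapping removed and the long regex and tag lists trimmed.

```python
"""Triage ModSecurity 2.x error-log hits caused by WordPress 5.0 editor traffic.

Added example for this ticket; it is not code from WordPress, Gutenberg or
ModSecurity. The classification heuristics, the <LocationMatch> scoping and
the SecAction rule id 900999 are assumptions, not project recommendations.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: the three entries quoted in the comment above,
# with the mail line-wrapping removed and the long regex/tag lists trimmed.
SAMPLE_LOG = r'''
ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/json"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [hostname "www.domain.com"] [uri "/wp-json/wp/v2/posts/6/autosaves"] [unique_id "W3dK9goASzoAABfURiAAAAA-"]
ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "301"] [id "340149"] [rev "152"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potential Cross Site Scripting Attack"] [data "ecmascript"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(?:< ?i?frame ?src ?= ... e(?:cma|xec)script ..." at REQUEST_URI. [hostname "dev.partzorg.nl"] [uri "/wp-content/plugins/gutenberg/vendor/wp-polyfill-ecmascript.min.2ae96136.js"] [unique_id "W59N9ACZ95d3fNdTxLlY8gAAAAY"], referer: http://dev.partzorg.nl/wp-admin/post.php?post=407&action=edit
ModSecurity: Access denied with code 403 (phase 2). Match of "ge 1" against "&REQUEST_COOKIES_NAMES:/^wordpress_([0-9a-fA-f]{32})$/" required. [file "/usr/local/cwaf/rules/28_Apps_WordPress.conf"] [line "127"] [id "225170"] [rev "1"] [msg "COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)||my-domain-name|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WordPress"] [hostname "my-domain-name"] [uri "/wp-json/wp/v2/users"] [unique_id "WqDSpFczAjtKrcDim5CqlAAAAGA"], referer: http://my-domain-name/wp-admin/post-new.php?post_type=page
'''

# ModSecurity writes each rule hit as one line whose metadata is a series of
# [key "value"] fields; the Apache error log appends ", referer: <url>".
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
REFERER_RE = re.compile(r'referer: (\S+)')


def parse_entry(line):
    """Return the bracketed fields of one log line as a dict.
    The repeated 'tag' key is collected into a list under 'tags'."""
    entry = {"tags": [], "raw": line}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        else:
            entry[key] = value
    m = REFERER_RE.search(line)
    if m:
        entry["referer"] = m.group(1)
    return entry


def parse_log(text):
    return [parse_entry(line) for line in text.splitlines() if line.startswith("ModSecurity:")]


def classify(entry):
    """Heuristic (assumption): decide what to do with a hit.
    'allow_json'  the content-type policy rejected a JSON body sent to the REST API;
    'exclude'     a REST call issued from wp-admin, or a static script under the
                  plugin or core JS directories, tripped a generic rule;
    'review'      anything else stays blocked until a human looks at it."""
    uri = entry.get("uri", "")
    ref_path = urlparse(entry.get("referer", "")).path
    if entry.get("data") == "application/json" and uri.startswith("/wp-json/"):
        return "allow_json"
    rest_from_admin = uri.startswith("/wp-json/") and ref_path.startswith("/wp-admin/")
    static_script = uri.endswith(".js") and (
        uri.startswith("/wp-content/plugins/") or uri.startswith("/wp-includes/js/"))
    return "exclude" if (rest_from_admin or static_script) else "review"


def location_scope(uri):
    """Narrowest <LocationMatch> prefix under which to drop the rule."""
    if uri.startswith("/wp-json/"):
        return "^/wp-json/"
    parts = uri.split("/")
    if uri.startswith("/wp-content/plugins/") and len(parts) > 3:
        return "^/" + "/".join(parts[1:4]) + "/"   # one plugin's directory only
    return "^" + uri.rsplit("/", 1)[0] + "/"


def suggest(entries):
    """Group hits by rule id into a remediation plan."""
    plan = {"allow_json": set(), "exclude": defaultdict(lambda: ["", set()]), "review": []}
    for e in entries:
        rule_id = e.get("id", "?")
        kind = classify(e)
        if kind == "allow_json":
            plan["allow_json"].add(rule_id)
        elif kind == "exclude":
            plan["exclude"][rule_id][0] = e.get("msg", "")
            plan["exclude"][rule_id][1].add(location_scope(e.get("uri", "/")))
        else:
            plan["review"].append(rule_id)
    return plan


def render(plan):
    """Emit Apache/ModSecurity directives for the plan."""
    lines = []
    for rule_id in sorted(plan["allow_json"]):
        lines.append(f"# {rule_id}: REST bodies are JSON; extend the allowed list rather than drop the rule")
        lines.append('SecAction "id:\'900999\',phase:1,nolog,pass,t:none,'   # rule id is an assumption
                     "setvar:'tx.allowed_request_content_type="
                     "%{tx.allowed_request_content_type}|application/json'\"")
    for rule_id, (msg, scopes) in sorted(plan["exclude"].items()):
        lines.append(f"# {rule_id}: {msg}")
        for scope in sorted(scopes):
            lines += [f'<LocationMatch "{scope}">', f"    SecRuleRemoveById {rule_id}", "</LocationMatch>"]
    for rule_id in plan["review"]:
        lines.append(f"# {rule_id}: left in place, review by hand")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(suggest(parse_log(SAMPLE_LOG))))
```

Two caveats on the output. The `SecAction` only works if it is loaded after the CRS setup file that first sets `tx.allowed_request_content_type` (otherwise the setup file overwrites it), and it is preferable to a blanket `SecRuleRemoveById 960010` because the content-type check keeps protecting everything that is not the REST API. The `<LocationMatch>` scoping likewise keeps the XSS and Comodo rules active outside the editor's own paths; removing them site-wide is the quick fix hosts tend to apply, and it is the one to avoid.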

