-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SQL commands in post content cause failure to save and trigger ConfigServer Security & Firewall (solved by sending some API requests as a JSON blob instead of form encoded data to try to avoid triggering some modsec rules, see 5971) #5867
Comments
Thank you for the detailed report, @SuperGeniusZeb! As is mentioned in your logs, rule 300015 is a "generic SQL injection protection" rule, which is known to cause problems for WordPress (or any CMS, for that matter). The usual way to get modsec working with WordPress is to whitelist the handful of URLs that could trigger this (or similar) rules. Could you have a look in your modsec config files (probably found somewhere under
There will likely be similar rules for other locations, I'm particularly interested in anything that applies to |
@pento Actually, the requests worked in Gutenberg 2.2, but stopped working in 2.3 and onward. I have reworded that sentence at the start of the issue to be more clear. Tomorrow I will try and see what I can find in the modsec config files and post it here. |
@pento In the modsec rules file ( labelled "Modsec2 rules v0.7-5" in a comment at the top... I don't know what the specific file name is since I don't know how to get a view the directory structure of the server or if I even have access), I found these sections that reference WordPress and/or SQL: Also, I took a quick look through the commits made after the release of Gutenberg 2.2 (the last version that does not have this issue), and I noticed these commits, which I think are the ones most likely to be related to the issue: e3da1a1 25de703 86dbc73 23fed49 c7a7583 5777c0f 699d427 |
Issue Overview
Starting with Gutenberg 2.3 and still in 2.5, I have had an issue where I was unable to save / publish posts containing phrases that correspond to certain SQL commands, including:
(Note that these phrases have to be in lowercase to trigger the error.)
Trying to save a post containing any of these phrases will fail, giving the "Updating failed" notification. I'm using the latest version of WordPress (4.9.4) and I have tested this without any plugins installed and with the Twenty Seventeen theme, I've tested it with posts, pages, and custom post types, and I've tested it on both Firefox Nightly and Chromium. The error happens on all of them. This error does not occur with Gutenberg 2.2, and it does not occur with the Classic Editor.
When I check the JavaScript console on Chromium, I see this error:
This does not happen for everyone, but it happens consistently for me. I know it has something to do with the firewall on my server detecting the SQL phrases in the post content. My website is using HTTPS. My server host is Liquid Web. It has ConfigServer Security & Firewall enabled. Originally, after multiple subsequent tries to save a post containing one of the SQL phrases, my IP would be banned from the server. I had to whitelist it in the
csf.allow
file of the firewall in order to keep testing and narrow down the issue. I checked some of the logs, and here is what I found after trying to save a post containing the phrase "alter table":In
/usr/local/apache/logs/error_log
:In
/usr/local/apache/logs/modsec_audit.log
:Steps to Reproduce
Expected Behavior
The post should save properly and shouldn't give any HTTP status code 500 errors.
Current Behavior
Trying to save a post containing the previously listed SQL commands will fail, and the "Updating failed" notification will appear. An HTTP status code 500 error will occur.
Possible Solution
It definitely has something to do with the server firewall detecting SQL phrases in the post content and thinking that some kind of SQL injection attack is trying to be performed. Also, in one of the previously linked logs, I noticed
Expires: Wed, 11 Jan 1984 05:00:00 GMT
... I would guess that expiration date is unintentional, since 1984 was a considerably long time ago; I am not sure if that has any relevance or not, but I thought I would point it out.Related Issues and/or PRs
#5675
Pinging @pento, as requested.
The text was updated successfully, but these errors were encountered: