XH 1.6.3: Saving page data

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: XH 1.6.3: Saving page data

Post by cmb » Wed Apr 27, 2016 9:00 am

kurtm wrote: After my ISP upgraded me to a new server I'm having similar problems getting the "Invalid CSRF token!XH-ERROR: Invalid CSRF token!" error.
This might be caused by a fatal PHP error, which terminates CMSimple_XH prematurely. I suggest that you enable debug-mode, and look for errors which are displayed in admin mode.
kurtm wrote: Also the "pagemanager" plugin gets a 403 error when trying to save. Similarly the "Settings/Language" configuration file save fails with 403 error.
This could be caused by mod_security or some similar security feature that your ISP has enabled. Pagemanager, for instance, does pass XML to the server, which simply might cause that security check to be triggered. I suggest you ask your ISP to have a look at the respective error logs (if you can't have a look at these yourself), and tweak the security settings accordingly.
kurtm wrote: The version is CMSimple MOD 1.5.3a.
I don't know which version/variant this is, but CMSimple_XH 1.5.3 has known security issues, and unless they're fixed in CMSimple MOD 1.5.3a, you might be better off not to use it.
Christoph M. Becker – Plugins for CMSimple_XH

kurtm
Posts: 50
Joined: Tue Sep 03, 2013 12:29 am
Location: New Zealand

Re: XH 1.6.3: Saving page data

Post by kurtm » Sat Jul 02, 2016 1:10 am

As the problem didn't stop me from maintaining the site I didn't do anything about it until a few days ago. Now I have the answer.
As was mentioned by Chris, the problem was caused by my ISP increasing the security settings. Here is the log entry relating to the problem.
CMSimple_XH Ver 1.6.7 Pagemanager Ver 2.0.5

Code:

[Fri Jun 24 12:12:17 2016] [error] [client 202.154.159.167] ModSecurity:
[file "/usr/local/cwaf/rules/07_XSS_XSS.conf"]
[line "232"]
[id "212810"]
[rev "1"]
[msg "COMODO WAF: XSS Attack Detected|new.danishsociety.org.nz|"]
[data "Matched Data: <![cdata[ found within ARGS:xml: <?xml version=\\x221.0\\x22 encoding=\\x22utf-8\\x22?><root><item id=\\x22pagemanager-0\\x22 title=\\x22home\\x22 data-pdattr=\\x221\\x22 class=\\x22\\x22 rel=\\x22\\x22><content><name><![cdata[home]]></name></content></item><item id=\\x22pagemanager-1\\x22 title=\\x22about\\x22 data-pdattr=\\x221\\x22 class=\\x22\\x22 rel=\\x22\\x22 state=\\x22closed\\x22><content><name><![cdata[about]]></name></content><item id=\\x22pagemanager-2\\x22 title=\\x22contact\\x22 data-pdattr=\\x221\\x22 class..."] Access denied with code 403 (phase 2). Pattern match "<\\\\!\\\\[cdata\\\\[|]]>" at ARGS:xml.
[hostname "new.danishsociety.org.nz"]
[uri "/"]
[unique_id "V2x64X8AAAEAAzQ7gfsAAAAJ"]
Maybe a simple fix in a future version of Pagemanager could resolve this. In the meantime my ISP has changed the setting for the specific sites I use CMSimple_XH on.
Have fun!
Kurt

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: XH 1.6.3: Saving page data

Post by cmb » Sat Jul 02, 2016 10:37 am

kurtm wrote: Maybe a simple fix in a future version of Pagemanager could resolve this.
Well, not really a simple fix, but I'm planning to change the format from XML to JSON anyway for Pagemanager_XH 3, which would solve this issue, but ModSecurity might report other false positives then. I have to admit that ModSecurity has a great practical value, but actually it's trying to solve an unsolvable problem (namely to detect bad input without any knowledge about the usage of this input), which always may result in false positives (and false negatives, too).
Christoph M. Becker – Plugins for CMSimple_XH
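The following is an added example written for this page; it is not code from the thread, from CMSimple_XH or from Pagemanager_XH. It does two things the two posts above talk about: it parses a ModSecurity error-log entry of the kind kurtm pasted into its fields (rule id, target, pattern, response code), and it re-implements the logged signature `<\!\[cdata\[|]]>` to show why a CDATA-wrapped XML save is flagged while the JSON form cmb mentions for Pagemanager_XH 3 is not, and why JSON is still not immune if a value happens to contain the flagged sequence. Assumptions: the log line is constructed (same rule id, message and pattern as in the post, abbreviated payload, documentation-range client address and hostname); case-insensitive matching is inferred from the all-lowercase "Matched Data" in the log; the `PAGES` tree and the `to_xml`/`to_json` serialisers are mine and only mimic the shape of the blocked request, not the plugin's real wire format.

```python
import json
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample (not a real log): the shape of the ModSecurity/Comodo WAF
# entry from the thread, with the same rule id, message text, pattern and
# target, but an abbreviated payload and documentation-range addresses.
SAMPLE_LOG = (
    r'[Fri Jun 24 12:12:17 2016] [error] [client 203.0.113.7] ModSecurity: '
    r'[file "/usr/local/cwaf/rules/07_XSS_XSS.conf"] [line "232"] [id "212810"] [rev "1"] '
    r'[msg "COMODO WAF: XSS Attack Detected|example.invalid|"] '
    r'[data "Matched Data: <![cdata[ found within ARGS:xml: <?xml version=\x221.0\x22 ...(abbreviated)"] '
    r'Access denied with code 403 (phase 2). Pattern match "<\\!\\[cdata\\[|]]>" at ARGS:xml. '
    r'[hostname "example.invalid"] [uri "/"] [unique_id "constructed"]'
)

# ModSecurity writes each attribute as [name "value"]; values never contain a raw
# double quote (they are \xHH-escaped), so a simple quoted-field scan is enough.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
PATTERN_RE = re.compile(r'Pattern match "([^"]*)" at (\S+?)\.\s')
CODE_RE = re.compile(r"Access denied with code (\d+)")


def parse_modsec_error(line):
    """Split one ModSecurity error-log line into a dict of its fields."""
    fields = dict(FIELD_RE.findall(line))
    m = PATTERN_RE.search(line)
    if m:
        fields["pattern"], fields["target"] = m.group(1), m.group(2)
    c = CODE_RE.search(line)
    if c:
        fields["code"] = int(c.group(1))
    return fields


# Re-implementation of the logged signature: "<\!\[cdata\[|]]>" matches either the
# CDATA opener or its terminator. The Matched Data in the log is all lowercase,
# which is consistent with a lowercase transformation, so match case-insensitively
# (an inference from the log, not a quote from the rule file).
CDATA_RULE = re.compile(r"<!\[cdata\[|\]\]>", re.IGNORECASE)


def scan_like_rule_212810(payload):
    """Return the substring the CDATA signature would flag, or None if it passes."""
    m = CDATA_RULE.search(payload)
    return m.group(0) if m else None


# Constructed page tree in the shape seen in the blocked request (field names are mine).
PAGES = [
    {"id": "pagemanager-0", "title": "home", "pdattr": "1", "children": []},
    {"id": "pagemanager-1", "title": "about", "pdattr": "1", "children": [
        {"id": "pagemanager-2", "title": "contact", "pdattr": "1", "children": []},
    ]},
]


def cdata(text):
    # A literal "]]>" inside a CDATA section would terminate it early; the
    # standard fix is to split the section so the sequence never appears whole.
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def to_xml(pages):
    """Serialise the tree with CDATA-wrapped names, like the XML-based save."""
    def item(p):
        attrs = " ".join('%s="%s"' % (k, escape(p[v], {'"': "&quot;"}))
                         for k, v in (("id", "id"), ("title", "title"), ("data-pdattr", "pdattr")))
        return "<item %s><content><name>%s</name></content>%s</item>" % (
            attrs, cdata(p["title"]), "".join(item(c) for c in p["children"]))
    return '<?xml version="1.0" encoding="utf-8"?><root>%s</root>' % "".join(item(p) for p in pages)


def to_json(pages):
    """The same tree as JSON: no CDATA markers, so this particular rule stays quiet."""
    return json.dumps({"root": pages}, separators=(",", ":"))


def round_trip_name(title):
    """Parse the XML form back and return the page name (checks the CDATA split)."""
    doc = ET.fromstring(to_xml([{"id": "t", "title": title, "pdattr": "1", "children": []}]))
    return doc.find("./item/content/name").text


if __name__ == "__main__":
    entry = parse_modsec_error(SAMPLE_LOG)
    print("rule %s blocked %s with %s: %s" % (entry["id"], entry["target"], entry["code"], entry["msg"]))
    print("XML payload flagged on:", scan_like_rule_212810(to_xml(PAGES)))
    print("JSON payload flagged on:", scan_like_rule_212810(to_json(PAGES)))
    print("JSON with a page title of ']]>' flagged on:",
          scan_like_rule_212810(to_json([{"id": "x", "title": "]]>", "pdattr": "1", "children": []}])))
```

The last probe is the point cmb makes: the signature inspects bytes without knowing what they mean, so a JSON body whose page title legitimately contains `]]>` would be blocked just the same. On the hosting side, the post does not say what the ISP changed; in ModSecurity 2.x a narrower alternative to disabling the rule site-wide would be to exclude only the affected parameter, for example `SecRuleUpdateTargetById 212810 "!ARGS:xml"` (an assumption about tuning, not a description of what was done).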
