Monday, March 08, 2021

Error 404 saving Elementor HTML Widget - Solution

Hi,

So, I encountered a situation where trying to save a piece of HTML & JS using an HTML widget in Elementor was returning a 404 error. Not only that, but after retrying several times I got blocked from the site.

To make a long story short, it turned out that the hosting company was running some software called ModSecurity (modsec for short), and my code was interpreted as an SQL injection attack on the site I was trying to edit.

So how do you work around this? How do you debug this if you encounter a similar issue?

1) Ask your hosting service to have a look in their modsec logs and find your IP to see why you are being blocked. They will send you something that looks like this (I did change the red parts and some of the numbers/tokens for security reasons):

[Sun Mar 07 14:11:15.331211 2021] [:error] [pid 119***5:tid 472*****20384] [client 11.22.33.44:5555] [client 11.22.33.44] ModSecurity: Access denied with code 403 (phase 2). Pattern match "LONG BUT INCOMPLETE REGEXP ..." at ARGS:actions. [file "/etc/apache2/conf.d/modsec/modsec/11_asl_adv_rules.conf"] [line "117"] [id "331028"] [rev "13"] [msg "Atomicorp.com WAF Rules:  Unauthorized SQL access to database Detected."] [data "SOME PART OF YOU HTML CODE"] [tag "SQLi"] [hostname "YOURDOMAINNAMEHERE"] [uri "/path-to-wp-admin/admin-ajax.php"] [unique_id "YETc4k********M1I-Ru7wACBwk"], referer: https://YOURDOMAINNAMEHERE/path-to-wp-admin/post.php?post=POSTIDHERE&action=elementor


2) You can see the file and line number of the rule that you have hit, and its id and revision:
     [file "/etc/apache2/conf.d/modsec/modsec/11_asl_adv_rules.conf"] [line "117"] [id "331028"] [rev "13"]

Since it seems that those rules are being commercially sold by Atomicorp.com, I am not publishing the actual pattern of the rule, but I did ask the hosting service and they were kind enough to share the full rule with me. From the rule I extracted the regex that comes after ARGS:wptextbox1 " in the full text of the rule, up until the " \

3) I went to https://regex101.com/ and pasted the regular expression into the appropriate text box, along with the code that I was trying to add to the site as part of the HTML widget (make sure to remove the surrounding " of the regexp pattern).

4) On the right side you will be able to see the match information showing you exactly what parts of your code trigger the security rule. (clicking a match will take you to the appropriate place in the code).

5) Knowing this will hopefully allow you to go and modify your code so as not to trigger this rule.

In my case it was a JavaScript variable whose suffix the rule did not like, together with the fact that there was an opening parenthesis less than 100 characters after it....
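Steps 1 to 4 can also be done offline. The script below is an added example, not code from the original post: it pulls the rule file, line, id and revision out of a ModSecurity log line and reports where a pattern matches in the widget code. The log line, the widget code and the pattern are constructed stand-ins (the pattern is not the Atomicorp rule), and Python's re module is close to, but not identical with, the PCRE engine ModSecurity uses.

```python
import re

# Constructed sample shaped like the log line above; the real pattern is elided.
SAMPLE_LOG = (
    '[Sun Mar 07 14:11:15.331211 2021] [:error] [client 11.22.33.44:5555] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "PATTERN ELIDED" at ARGS:actions. '
    '[file "/etc/apache2/conf.d/modsec/modsec/11_asl_adv_rules.conf"] '
    '[line "117"] [id "331028"] [rev "13"] [tag "SQLi"] '
    '[uri "/path-to-wp-admin/admin-ajax.php"]'
)
# Constructed stand-in pattern and widget code, NOT the Atomicorp rule.
STAND_IN_PATTERN = r'\w*select\b.{0,100}?\('
SAMPLE_WIDGET = (
    "<script>\n"
    "var menuselect = document.getElementById('menu');\n"
    "</script>\n"
)

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs

def parse_modsec_line(line):
    """Extract rule metadata, HTTP status and matched variable from one line."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # keep the first value of repeated keys
    status = re.search(r'Access denied with code (\d+)', line)
    if status:
        fields["status"] = status.group(1)
    variable = re.search(r'" at ([A-Z_]+(?::\w+)?)', line)
    if variable:
        fields["variable"] = variable.group(1)
    return fields

def explain_matches(pattern, payload, flags=re.DOTALL):
    """Return line, column and text of every span the pattern matches.
    flags is an assumption; set it to mirror the rule's own options."""
    hits = []
    for m in re.finditer(pattern, payload, flags):
        line_start = payload.rfind("\n", 0, m.start()) + 1
        hits.append({
            "line": payload.count("\n", 0, m.start()) + 1,
            "col": m.start() - line_start + 1,
            "text": m.group(0),
        })
    return hits

if __name__ == "__main__":
    print(parse_modsec_line(SAMPLE_LOG))
    for hit in explain_matches(STAND_IN_PATTERN, SAMPLE_WIDGET):
        print("line %(line)d col %(col)d: %(text)r" % hit)
```

Replace STAND_IN_PATTERN with the regex your host shares and SAMPLE_WIDGET with your own widget code to see which spans of your code the rule matches.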

Good luck, and leave me a note if it helped or if you have any additional Q's on this.

Eyal




 