Thread: TinyMCE + Wordpress + Mod_Security/WAF

  1. #1
    Join Date
    Sep 2007
    Posts
    38

    TinyMCE + Wordpress + Mod_Security/WAF

    Hello,

    Have a problem with a WordPress install with TinyMCE getting the following error:

    Untitled-3.jpg

    CentOS 6.9, Apache 2.4.34, MySQL 5.6.38, PHP 5.6.37.

    csf v12.06, Comodo WAF 2.23

    Already tried bypassing mod_security, which had no effect. Not seeing the IPs that get the error in the Apache error log.

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,208
    Hello,

    Check .htaccess file for possible security hardening which denies loading files from wp-includes/

  3. #3
    Join Date
    Sep 2007
    Posts
    38
    Just the normal WordPress code it seems.

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,208
    .htaccess in wp-includes/? Settings in Apache's virtual host file?

    Permissions? Files/directory owners?

  5. #5
    Join Date
    Sep 2007
    Posts
    38
    Permissions are 644, the user and group are all set properly to the user account.

    .htaccess in wp-includes is:
    <Files wp-tinymce.php>
    allow from all
    </Files>
    <Files ms-files.php>
    allow from all
    </Files>
    <FilesMatch "\.(?i:php)$">
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    </FilesMatch>
    <Files wp-tinymce.php>
    Allow from all
    </Files>
    <Files ms-files.php>
    Allow from all
    </Files>

    Virtual hosts shouldn't have been modified... should be stock DirectAdmin.

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,208
    Here it is:


    Code:
    <FilesMatch "\.(?i:php)$">
       <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
       </IfModule>
       <IfModule mod_authz_core.c>
            Require all denied
       </IfModule>
    </FilesMatch>
    <Files wp-tinymce.php>
          Allow from all
    </Files>
    You might remove it.

    But it's up to you to keep the installation updated and secured...
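
An alternative to removing the block, added here as an example and not posted by anyone in the thread: on Apache 2.4, `Allow from all` inside `<Files>` does not replace the inherited `Require all denied`, so the wp-tinymce.php exception needs `Require all granted`. It assumes the error is a 403 on wp-tinymce.php caused by that rule, and it keeps the PHP deny for the rest of wp-includes/.

```apache
# wp-includes/.htaccess
# Assumption: the TinyMCE error is a 403 on wp-tinymce.php from the rule below.

# Deny direct requests for any .php file in this directory (case-insensitive).
<FilesMatch "\.(?i:php)$">
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order allow,deny
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
</FilesMatch>

# Exceptions come after the FilesMatch block so they are merged last.
# Each one carries both syntaxes; on 2.4 the Require directive here
# replaces the "Require all denied" inherited from the block above.
<Files wp-tinymce.php>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
<Files ms-files.php>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
```

After the change, a request for wp-includes/js/tinymce/wp-tinymce.php should return 200, while any other .php file under wp-includes/ should still return 403.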
