TinyMCE + Wordpress + Mod_Security/WAF

[quadium]

Hello,

Have a problem with a wordpress install with tinymce getting the following error:



Centos 6.9, Apache 2.4.34, MySQL 5.6.38, Php 5.6.37.

csf v12.06, Comodo WAF 2.23

Already tried bypassing mod_security which had no effect. Not seeing the ip's that get the error in the Apache error log.

 

[zEitEr]

Hello,

Check .htaccess file for possible security hardening which denies loading files from wp-includes/

 

[quadium]

Just the normal Wordpress code it seems.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

 

[zEitEr]

.htaccess in wp-includes/? Settings in apache's virtual host file?

Permissions? Files/directory owners?

 

[quadium]

Permissions are 644, the user and group are all set properly to the user account.

htaccess in wp-includes is:
<Files wp-tinymce.php>
allow from all
</Files>
<Files ms-files.php>
allow from all
</Files>
<FilesMatch "\.(?ihp)$">
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
<Files wp-tinymce.php>
Allow from all
</Files>
<Files ms-files.php>
Allow from all
</Files>

Virtual hosts shouldn't have been modified... should be stock Directadmin.

 

[zEitEr]

Here is it:

<FilesMatch "\.(?i:php)$">
[COLOR=#ff0000]   <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
   </IfModule>[/COLOR]
[COLOR=#ff0000]   <IfModule mod_authz_core.c>
        Require all denied
   </IfModule>[/COLOR]
</FilesMatch>
<Files wp-tinymce.php>
      Allow from all
</Files>

you might remove it.

But it's up to you to keep the installation updated and secured...