owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

WordPress post produces: "Updating failed. The response is not a valid JSON response." for one particular link within post #2764

Closed matteoraggi closed 2 years ago

matteoraggi commented 2 years ago

I can't link to chaturbate from a WordPress hosting that is using ModSecurity, because it blocks it and I can't save the pages with a link going to chaturbate, and WordPress is giving this error to me: "Updating failed. The response is not a valid JSON response." I don't understand why that website is blocked and not other similar websites like bongacams or stripchat.

martinhsv commented 2 years ago

@matteoraggi ,

What makes you think ModSecurity is causing that? Do you have audit log content and debug log content that lead you to believe that?

matteoraggi commented 2 years ago

There are no errors in the log, but if I try to update a WordPress post with a link going to chaturbate then I can't save, whereas with all other links it works. If I disable ModSecurity, then it works, but I don't want to disable ModSecurity because it is useful and also my cPanel forces me to disable it for all the websites and not only one.

martinhsv commented 2 years ago

I see. In that case, can you provide more information? There is a list of things to supply in the issue template, including things like versions being used, configuration, and log output (especially helpful is DebugLog output at level 9).

matteoraggi commented 2 years ago

I tried also to disable all the plugins and to enable and disable https, and I changed PHP from 7.x to 8.1; WordPress is 6.0 and the hosting is a shared hosting with FastComet. What else can I tell you? The link is going to an affiliate link of chaturbate: https://chaturbate.com/in/?tour=LQps&campaign=Xdfseb9Vd&track=default&room=username I tried also to change the WordPress theme, but still the same error.

martinhsv commented 2 years ago

The most basic question: What version of ModSecurity are you using? What web server (e.g. Apache HTTP Server or nginx) and version are you using?

Have a look at the issue template (whichever one at https://github.com/SpiderLabs/ModSecurity/issues/new/choose pertains to you), and add whatever you're able.

Can you provide DebugLog output (at level 9)?

What are the steps to reproduce? Are you adding the link by simply including it in an ordinary post and then saving it? Or are you using some other plugin(s) to do that?

matteoraggi commented 2 years ago

Yes, I just add the link to a text and then when I click on the update button, it does not save and always gives the same error. I disabled all the plugins to be sure that they do not create the issue. I will go and search for the other information and then I will let you know.

matteoraggi commented 2 years ago

The FastComet support gave me this information: ea-apache24-mod_security2-2.9.3-18.el8.cloudlinux.x86_64. And the webserver is LiteSpeed, the exact version being 6.0.12. And now that I disabled ModSecurity it works!

martinhsv commented 2 years ago

@matteoraggi ,

I tried your use case with ModSecurity v2.9.3 and was not able to reproduce your issue. I can, however, produce that error message in certain configurations, without having installed ModSecurity at all, and without using that particular link.

That error message appears to be produced in recent versions of WordPress in a wide set of circumstances, with a variety of workarounds suggested, such as changing your Permalinks structure or switching to the Classic Editor.

While I can understand your suspicion about ModSecurity given your experiment of turning it off, given the many ways WordPress can produce this error, I'm not convinced that ModSecurity is actually causing your problem (although it may be an incidental trigger).

With no audit log messages (I assume you're using RelevantOnly), ModSecurity ordinarily shouldn't be doing anything to interfere with traffic. (Incidentally, when you say "disable modsecurity" I assume you mean SecRuleEngine Off -- if that's the case you could also try DetectionOnly)

Suggestions:

1) Inquire further about this from the WordPress perspective; perhaps experts with that application can give you tips on diagnosing.
2) Move immediately to trying one or more of the suggestions online for dealing with that error message.
3) Accept the anomaly and turn off ModSecurity -- but only when you need to (temporarily, and perhaps only for the URL of concern at that time).
4) While I have said that this doesn't smell like a probable ModSecurity effect, I also cannot entirely rule out the possibility of a ModSecurity bug that is causing this. If you want to proceed with investigating this further, I would need much more information to do anything (and my time, in any case, will be quite limited). Things like:
   a) audit log output of the relevant transactions (SecAuditEngine On) with all Parts
   b) DebugLog output at level 9
   c) complete configuration and installation information (it's not even clear to me from your previous reports whether ModSecurity is installed as a reverse proxy, with the LiteSpeed server separate)
   d) packet captures for an update that works and one that does not

matteoraggi commented 2 years ago

I remember well that also with the Classic Editor I was continuing to have the same issue. ModSecurity was disabled from cPanel; I don't know more about other details. Maybe one day I will try to get this information from FastComet, thanks a lot!

Pikamander2 commented 1 year ago

@martinhsv - We were running into the same error message with Gutenberg in which the HTML comment tags that Gutenberg uses for paragraph block metadata were triggering some kind of ModSecurity error, causing the wp-json request to be an HTML-based 403 error page rather than a normal JSON response.

Our host is Namecheap and we're working with them to try to get it whitelisted on our account (or ideally permanently fixed). Is there any kind of specific file I should point them towards fixing so that other people don't encounter the same issue?

martinhsv commented 1 year ago

Hello @Pikamander2 ,

How do you know there is 'some kind of ModSecurity error'? Do you see messages to that effect in either of ModSecurity's audit log or debug log? Or are you inferring it is a ModSecurity error in the same way that the OP did?

If it is the former, providing the relevant output would be helpful to diagnosing your situation.

If it is the latter, if you want to provide a pcap of the HTTP transaction, I could have a look at it for anything that might be noteworthy. (If you wish to share that, to avoid putting any sensitive information in a public forum, it may be advisable to do so via the email address listed at https://github.com/SpiderLabs/ModSecurity#security-issue .)

vrocks commented 1 year ago

This error has to do with modsecurity and possibly the Imunify360 rules being used by the cpanel hosting provider instead of the OWASP rules.

It blocks any form post data containing: chaturbate.com or livejasmin.com

You can make a PHP form that submits to itself and does nothing other than have one input. Put either domain into that input. Voilà... 403 Forbidden. Disable ModSecurity. Voilà... no error.

Unfortunately, if your hosting provider is using Imunify360 they are not going to turn it off for you.

And when I switch to my OWASP rules and turn modsecurity back on, no more error.

Modify the .htaccess file by adding this to it:

    <IfModule mod_security2.c>
        SecRuleEngine On
        SecRuleRemoveById 77316844
    </IfModule>

If you have many blogs on the same server, modify the .htaccess file in the home directory of your user, or its web directory.
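Before excluding a rule by id, the audit log that martinhsv asks for above (SecAuditEngine On) is what tells you which rule actually intercepted the wp-json request and turned the JSON response into a 403 page. As an added example, not from this thread or the ModSecurity project, here is a small Python parser for the ModSecurity 2.x serial audit-log format, run over a constructed sample entry whose rule id 1000001 and message text are placeholders:

```python
import re
from collections import defaultdict

# Constructed sample in ModSecurity 2.x serial audit-log format; rule id 1000001 is a placeholder.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[01/Jan/2023:12:00:00 +0000] Y7aaaaaaaaaaaaaaaaaaaaaa 203.0.113.10 51234 198.51.100.5 443
--1a2b3c4d-B--
POST /wp-json/wp/v2/posts/42 HTTP/1.1
Host: blog.example
--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "example.test" at ARGS:content. [file "/etc/modsecurity/custom.conf"] [line "7"] [id "1000001"] [msg "Constructed: blocked domain in request body"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--
"""

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")   # --<txid>-<part>--
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')


def parse_audit_log(text):
    """Split a serial audit log into {txid: {part_letter: body}}."""
    txs, txid, part, buf = defaultdict(dict), None, None, []
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            if txid is not None:            # flush the part we were collecting
                txs[txid][part] = "\n".join(buf).strip()
            txid, part, buf = m.group(1), m.group(2), []
        else:
            buf.append(line)
    return dict(txs)


def denied_transactions(txs):
    """List intercepted requests: request line (part B), status line (part F), rule ids/msgs (part H)."""
    report = []
    for txid, parts in txs.items():
        h = parts.get("H", "")
        if "Access denied" not in h:        # only transactions the engine actually blocked
            continue
        report.append({"txid": txid, "rule_ids": RULE_ID.findall(h),
                       "messages": RULE_MSG.findall(h),
                       "request": parts.get("B", "").partition("\n")[0],
                       "status": parts.get("F", "").partition("\n")[0]})
    return report
```

The ids in `rule_ids` are the candidates for a narrow `SecRuleRemoveById` exclusion; compare them against the ruleset's documentation first rather than removing everything that fired.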

martinhsv commented 1 year ago

Thanks for noting that, @vrocks . That may be helpful to others being restricted by their ruleset.