[Resolved] My Update Button is not enabled – I can't update my archive

[Author]

Posts

[paulL-16]

I am trying to: bring up an archive (Credit Union Archive) and remove the title (Astra keeps showing the archive title)

Link to a page where the issue can be seen: Dev1.CreditUnionGuide.com

I expected to see: the Update button enabled and ready to allow me to update the archive

Instead, I got: the disabled Update button. I removed all unnecessary plugins and themes (only Astra and 2021 default theme). This does not fix the problem (by the way, I don't have this problem on my local machine.) It looks like Dreamhost thinks Toolset is violating their security settings.

Here is the error from the log:

[Wed Sep 29 22:13:09.704415 2021] [:error] [pid 6118:tid 3743289460480] [client 73.129.133.194:1039] [client 73.129.133.194] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVVHZd-qlS3XoBTrOXmL8wAAAA8"], referer: hidden link

[Nigel Supporter Languages: English (English ) Spanish (Español ) Timezone: Europe/London (GMT+01:00)]

Could you please contact your host and ask for more details.

In the browser console I see they are returning 418 "I'm a teapot" error codes in response to the REST API requests sent by Toolset, breaking its functionality.

If they are able to explain specifically why they are blocking these requests then we may be in a position to do something about it.

[paulL-16]

I sent the question to Dreamhost and I am waiting for their response.

[paulL-16]

Hello Nigel!

I contacted Dreamhost and they said it was WP specific and not their issue. They seem to recognize the '418 I'm a teapot' error. They also gave me the link to some explanation on StackOverflow:

https://stackoverflow.com/questions/52340027/is-418-im-a-teapot-really-an-http-response-code/52340087

They also directed me to a Toolset document:

https://toolset.com/documentation/programmer-reference/toolset-integration-with-the-rest-api/

I turned on Toolset API option under Custom Content to expose custom fields (in the error log, maybe?) I don't have any way to attach the error log to this form so I copy a few latest error messages at the bottom of this form.

By the way, I don't have this problem on my laptop. Everything works the way it should until I migrate the archive to Dreamhost.

[Thu Sep 30 18:41:03.588852 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Rule 367a8631738 [id "932115"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "294"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

[Thu Sep 30 18:41:03.701527 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Rule 367a95c2400 [id "942190"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "183"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

[Thu Sep 30 18:41:03.706144 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Rule 367a93b4100 [id "942270"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "296"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

[Thu Sep 30 18:41:03.706300 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Rule 367a93b4100 [id "942270"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "296"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

[Thu Sep 30 18:41:03.706428 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Rule 367a93b4100 [id "942270"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "296"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

[Thu Sep 30 18:41:03.706558 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Rule 367a93b4100 [id "942270"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "296"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

[Thu Sep 30 18:41:03.706664 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Rule 367a93b4100 [id "942270"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "296"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

[Thu Sep 30 18:41:03.801779 2021] [:error] [pid 8488:tid 3743432136448] [client 73.129.133.194:12629] [client 73.129.133.194] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "dev1.creditunionguide.com"] [uri "/wp-json/toolset-views/v1/views/14741"] [unique_id "YVZnL7fOJ5ZeKnzHAvzbNQAAAEM"], referer: hidden link

Thanks,
Paul

[Nigel Supporter Languages: English (English ) Spanish (Español ) Timezone: Europe/London (GMT+01:00)]

Sorry you are caught in the middle of this, those extra log details make it clear that this occurs because of the server ModSecurity settings, I'm not sure why they would deflect you and tell you it's a WordPress thing.

Those settings refer to the use of regular expressions and from what I read are aimed at preventing DDoS attacks, effectively they are identifying Toolset editing an archive as a false positive.

The only solution here is for them to alter the server settings to be less restrictive. This doesn't happen with any other host, and I guess they have a lower PCRE limits than other hosts.

[Jamal Supporter Languages: English (English ) French (Français ) Timezone: Africa/Casablanca (GMT+01:00)]

Hello there. This is Jamal from the Toolset Support team. If you don't mind, I'll continue with you on this ticket.

Maybe, if we migrate your website to our online platform(hosted in CloudWays) and the issue is not reproduced, this could convince the Dreamhost team to further investigate the SecurityMod from their side!
Would you allow me to migrate the website?

I am afraid, if the SecurityMod does not allow these recurrent requests to the REST API, you won't be able to use Toolset Blocks.
In that case, you may consider using the legacy editor, which does not rely on the REST API.
You can activate the legacy editor in Toolset->Settings->General(tab)->Editing experience.

[paulL-16]

Hello Jamal!

Sure, if you want to migrate it to your server. I'm not sure if it's going to solve my problem.

Dreamhost already stated that it wasn't their problem, and my take is that they will not make changes just to satisfy one client. However, I was able to disable mod_security and the issue went away.

Unfortunately, I can't turn off mod_security on production site. The issue was caused by Toolset code. Somehow, Dreamhost determines that your code does not pass the OWASP ModSecurity checking and it stops the call right there, where it should be stopped.

Dreamhost is quite popular, and if I can't run Toolset plugin on this hosting, then I imagine other Toolset customers would experience the same problem. It's hard for me to think that I'm the first one reporting this problem. So, I would hope Toolset to make necessary changes to pass the OWASP ModSecurity checking.

If you'd like, I can leave dev1.creditunionguide.com for Toolset to test out the code.

Thanks,
Paul

[Jamal Supporter Languages: English (English ) French (Français ) Timezone: Africa/Casablanca (GMT+01:00)]

Hello Paul,

Migrating won't fix the issue on your server, but it will demonstrate to your hosting provider support that the issue is not actually a WordPress/Toolset problem. It is the strict security restrictions on the server.

For example, on the migrated copy of your site on our server, this issue does not appear. You can check it with your credentials(the same as the live site) hidden link

We can't be responsible for how servers are configured. It is up to you, the server owner, to manage it to serve the app(WordPress/Toolset). Please reach to your hosting provider and ask them to exclude the WordPress JSON API endpoints (/wp-json/)

If you can configure the security rules, I suggest that you check the following articles. They are specific to WordPress. Keep in mind that Toolset will use the WordPress JSON API.
- hidden link
- hidden link
- hidden link

I'll remain at your disposal for any further questions.

[paulL-16]

Jamal,

I do appreciate your help regarding the error. However, I respectfully disagree with you on your assessment regarding the extra security settings on Dreamhost. Please be advise that we have security breaches because someone, somehow, neglected to make the necessary coding or settings to ensure that all his or her code covers all possible angles. All it takes is one little mistake and someone will pay the price.

Toolset should take this opportunity and reevaluate its code to make sure it is in compliance with OWASP rules. Granted OWASP is not always right, but, at least, it is better than having no checking at all. If your code works on one server and does not work on another server, then it certainly is an indication that something is not right. In my opinion, instead of trying to justify how right or correct your code is, Toolset should, at least, try to find out what it can do to make its code function better.

In any event, we have spent enough time chasing this issue around long enough. For two weeks, we thought we made a mistake and that might have broken the page. But now, knowing what really happens, we wish we chose another product instead. Well, it is water under bridge at the moment, so we have decided to move on and write our own code. I am sure it would take us less time to complete the project than waiting for Toolset to make the necessary corrections to its code.

Thank for your time!

Paul

[Jamal Supporter Languages: English (English ) French (Français ) Timezone: Africa/Casablanca (GMT+01:00)]

Hello Paul and thank you for your feedback. Here, at OTGS, be it Toolset, WPML, or our other services, we consider security and safety a priority, We meticulously inspect our code and review it. We did not get any security breach report ever.
But we can't do someone's else job. We did not get any security breach report ever. Because we

I wonder if you are aware of the OSI model hidden link
WordPress and Toolset are at the application level(layer 7), whereas the restrictions on your hosting provider are on the 3rd(at most the 4th or 5th level) level. That is simply out of our control. We, simply, can't do someone's else job.

And you are right, All it takes is one little mistake and someone will pay the price.
I am confident to say, this time we are not making any mistakes. We cannot be responsible for someone else's mistake.

Of course, it is your money and your decision to choose products or service providers. We promise that the money you put into our products is worth it. And we are confident, this security issue(actually, it is a false positive) is not on us.
Finally, you decide. We'll remain at your disposal for any question or request.