Posts: 166
Threads: 7
Joined: Jan 2013
I'm finding mod_security blocking some of my content in components and giving me a 'page not found' error, rather than saving the component. It particularly seems to hate <script></script> tags, regardless of the tag content.
Obviously I can try asking my host for help, or even move elsewhere, but I thought it may be worth asking here first on the offchance someone else has had a similar problem.
Strangely I never get the same problem when saving the exact same code into a page via 'edit page' (script view), so that made me wonder if there was a solution via GS?
Posts: 6,266
Threads: 181
Joined: Sep 2011
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/517
you can disable mod_sec for specific ips, if your host allows it, you can also disable specific rules, if your host error log mentions it.
It has to do with the script reflecting back to the browser, being in an input stream and output stream or something probably.
We probably need a way to encode this all before sending it to bypass these kinds of filters.
Posts: 166
Threads: 7
Joined: Jan 2013
Thanks shaun_a, I sort of guessed that, so thanks for the confirmation. My current host is 'thinking' about if they can help, so it could cause me a lot of trouble if I need to move :-(
Wow it would be great to find a solution for the future if some encoding method could be considered for future versions as I may be getting a similar problem on another GS site with the Catalog Plugin.
Have you any thoughts on why my problem code that throws an error in components, seems to save ok if in page contents?
Posts: 6,266
Threads: 181
Joined: Sep 2011
did you try the htaccess rule i posted in that github issue ?
It works for me
Posts: 166
Threads: 7
Joined: Jan 2013
(2015-02-13, 07:07:50)shawn_a Wrote: did you try the htaccess rule i posted in that github issue ?
It works for me
Yes I tried that, but didn't work and I think it is no longer and option in new versions of mod_sec. I've managed to get my host to include an exception for me, so it is all working. I also got them to do the same for my similar problem with GS-Catalog plugin, so I'm a happy bunny again.
For the future, with servers setting getting ever more secure, if it would be possible to incorporate a way of avoiding the problem.
Thanks again for your help