• Resolved FrankD

    (@frankddo)


    Hi!
    I noticed that I can’t save any changes in this plugin anymore.
    The web application firewall blocks any changes.

    Here is the log file:
    ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "193"] [id "340007"] [rev "48"] [msg "Atomicorp.com WAF Rules: Generic Path Recursion denied"] [data "/../,ARGS:autoptimize_css_defer_inline"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 …" at ARGS:autoptimize_css_defer_inline. [hostname "www.xxx.net"] [uri "/wp-admin/options.php"] [unique_id "aX3x4ao32OiFIxZ4MFfzcQAAAAs"], referer: https://www.xxx.net/wp-admin/options-general.php?page=autoptimize

    Autoptimize worked for years before without problems, so maybe it’s a bug in the firewall?

    best regards, Frank

    • This topic was modified 2 months, 1 week ago by FrankD.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Optimizing Matters

    (@optimizingmatters)

    It’s not Autoptimize or a bug in the WAF as which WAF rule is triggered by which string in the “above the fold CSS” you’re copy/pasting in the settings page.

    the most likely reason why “web application firewalls” block CSS is that the “above the fold CSS” contains urls/paths like e.g. wp-content/themes/css/../images/bgimg.png where the ../ could (falsely) be considered as a directory traversal attack by an over-zealous security component (web application firewall).

    the solution is to translate those paths/urls to the correct one, e.g. using the same example as above: wp-content/themes/images/bgimg.png

    hope this helps,
    frank
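
The path rewrite described in the reply above, as an added example that is not part of the original thread or of Autoptimize's code: a Python helper that collapses `dir/../` segments in `url()` values before the CSS is pasted into the settings page. The function names and the sample CSS are constructed for illustration; URLs that start with `../` cannot be collapsed without knowing the stylesheet's location, so they are returned for manual fixing.

```python
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

# url(...) tokens, with optional single or double quotes around the value.
URL_RE = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)""", re.IGNORECASE)

# Constructed sample of "above the fold" CSS (not taken from the thread).
SAMPLE = """
.hero{background:url(wp-content/themes/css/../images/bgimg.png)}
.logo{background:url("https://www.example.net/wp-content/themes/x/css/../img/logo.svg?v=2")}
.icon{background:url('../fonts/icons.woff2')}
"""

def has_dotdot(path):
    """True if any path segment is exactly '..'."""
    return ".." in path.split("/")

def collapse(url):
    """Collapse 'dir/../' in the path part only; scheme, host, query stay as-is."""
    if url.lower().startswith("data:"):
        return url  # inline data, not a path
    parts = urlsplit(url)
    if not has_dotdot(parts.path):
        return url
    return urlunsplit(parts._replace(path=posixpath.normpath(parts.path)))

def normalize_css(css):
    """Return (rewritten_css, urls_that_still_contain_a_dotdot_segment)."""
    unresolved = []

    def repl(match):
        quote, fixed = match.group(1), collapse(match.group(2))
        if has_dotdot(urlsplit(fixed).path):
            unresolved.append(fixed)  # leading '../': needs the real base path
        return "url(%s%s%s)" % (quote, fixed, quote)

    return URL_RE.sub(repl, css), unresolved

if __name__ == "__main__":
    new_css, todo = normalize_css(SAMPLE)
    print(new_css)
    print("resolve by hand:", todo)
```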

    Thread Starter FrankD

    (@frankddo)

    Everything is fixed now and working as expected; I had to uninstall the plugin and reinstall it.
    I used the same settings as before (without any “special” copy/paste coding, just the simple setup).
    I really don’t know where the error came from.

    thanks, Frank

    Plugin Author Optimizing Matters

    (@optimizingmatters)

    strange, as in the WAF warning you posted I see

    [msg "Atomicorp.com WAF Rules: Generic Path Recursion denied"] [data "/../,ARGS:autoptimize_css_defer_inline"]

    so that implies you were using the “Eliminate render-blocking CSS?” option with “above the fold CSS” set which indeed is saved in the autoptimize_css_defer_inline option? and indeed Generic Path Recursion denied confirms the problem was with “path recursion” so /../ in the above the fold CSS?

    but it works, so all is well 🙂

    enjoy the rest of your weekend!
    frank
