Clash with ModSecurity AtomiCorp causes White screen on all Gutenberg page and post editors #10075
Comments
|
I should mention that previous versions of Gutenberg worked on this site. |
|
Thank you for including JavaScript console details! This is the important bit:
This means it's possible there is a security rule blocking that script in particular. Do you know of any security plugins or server-side security settings which could be blocking that script? May I ask where your website is hosted? |
designsimply
added
the
[Type] Help Request
|
Hi, when testing I deactivated WP Wordfence plugin to eliminate that as a cause. The server is a VPS running the latest version of Plesk on CentOS6, with a variety of standard security systems. For example: ModSecurity with the Atomic basic rule set ( https://www.modsecurity.org/ ) also the Plesk Firewall , Cloudflare security shield. All quite normal stuff and everything was working perfectly well with the previous version of Gutenberg I had on this site, which may have been a 3.6.x No changes have been made to the server in that time. |
|
Investigating further, there's certainly a 403 on this file. And checking permissions it's set (along with its siblings) as 0644 rw-r--r--. The folder is 0755 I tried the file as 0755 and even 0775 and it didn't improve matters. |
|
OK, I found the issue, Many users will have this problem, at least any of those using the Atomiccorp ruleset which is VERY standard
https://www.atomicorp.com/plesk/ https://wiki.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules |
|
This same problem -- white screen with no sidebar -- is also occurring for me, for both pages and posts. Gutenberg 3.8.0 is installed. Any idea how a person who is not computer-literate can fix this? |
|
Hah! Gutenberg has made me a liar. It is just really slow to begin to work. Thought I had given it plenty of time, and I had logged off then back on. However, giving it still more time and logging off (then back on) a second time was the magic that made it work. |
|
It will be difficult for you to fix if you do not have access to modify the ModSecurity ruleset exceptions for Apache. @designsimply has mistakenly tagged this thread as a request for help. This is not correct. The problem is briefly stated as This is a new problem with Gutenberg and needs addressing by the Gutenberg team to prevent the rule being triggered (It's detected as an iFrame XSS attack). Many WP site owners do not have access to modify the ModSecurity ruleset, nor the expertise. Consequently, many WP site owners will begin to experience this issue due to the popularity of Plesk resellers running the ModSecurity Atomicorp ruleset. |
|
Appreciate the reply, and I understand that this could be an ongoing
problem. Thank you for the information!
…On Thu, Sep 20, 2018, 5:27 PM Steve-Pheriche ***@***.***> wrote:
It will be difficult for you to fix if you do not have access to modify
the ModSecurity ruleset exceptions for Apache.
@designsimply <https://github.com/designsimply> has mistakenly tagged
this thread as a request for help. This is not correct.
This is a report of a Gutenberg implementation which causes a clash with
common server security settings and will trigger Gutenberg to fail in those
cases.
The problem is briefly stated as
*Gutenberg Polyfill js triggers ModSecurity basic ruleset 403 and
Gutenberg failure*
This is an error with Gutenberg and needs addressing by the Gutenberg team
to prevent the rule being triggered (It's detected as an iFrame XSS
attack). Many WP site owners do not have access to modify the ModSecurity
ruleset, nor the expertise. Consequently, many WP site owners will begin to
experience this issue due to the popularity of Plesk resellers running the
ModSecurity Atomicorp ruleset.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#10075 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ApcQiE2FvUmhIMxDYtHYDo27CW_4Q-OAks5udAhLgaJpZM4WyfJH>
.
|
|
Can vouch that ModSecurity caused the white screen issue due to 404 of the Only option available via my cPanel is to completely disabled ModSecurity entirely for the WP domain, as I haven't found any rule configuration options. Obviously non-ideal, but it restored the Gutenberg edit screen. Will probably revert to the classic editor for now instead. |
|
Got it. Thanks! I can probably figure out how to do that, if the problem
persists. I also installed the classic editor as a fallback, and I was
trying Gutenberg on a "practice page." As a non-techie person, I figured I
would need extra time to learn the new system. Thanks again! - Amy
…On Sun, Sep 23, 2018, 9:10 PM Sean W ***@***.***> wrote:
Can vouch that ModSecurity caused the white screen issue due to 404 of the
wp-polyfill-ecmascript.min.2ae96136.js file with my Site5 hosted site.
Only option available via my cPanel is to completely disabled ModSecurity
entirely for the WP domain, as I haven't found any rule configuration
options. Obviously non-ideal, but it restored the Gutenberg edit screen.
Will probably revert to the classic editor for now instead.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#10075 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ApcQiPlXPPqqMUSpXWxXSVjQ16gsuTRrks5ueDEGgaJpZM4WyfJH>
.
|
|
From the mod_security log (Web Application Firewall in Plesk):
|
|
I also have this issue, ModSecurity in Plesk like the others. Does anyone know a fix or work around? I only got this error when moving from local dev to my staging server on Plesk. @designsimply this isn't really a help request but a legitimate implementation error that may affect a large number of users, including those with no ability or knowledge to fix it. |
|
The brutal workaround for those with access to either Plesk or WHM is to deactivate the XSS rule globally for the domain. In Plesk this is done by Obviously, this is not ideal as it deactivates the ModSecurity XSS rule for the domain. It's my (possibly incorrect) understanding it's possible to approach AtomicCorp with a false positive and that they will whitelist the file. I may be mistaken on this. |
steveangstrom
changed the title
|
Yes, adding the ID to that area worked here for me, but Steve beat me to posting it here. I don't like this either, but it is better than alternatives like setting the Web application firewall mode to either "Detect Only" or "Off". |
|
If you have access to Plesk Settings for Apache/Nginx for the domain, you can make an exception for just gutenberg instead of setting it off for the whole domain, by using the next code: |
|
Just wanted to note that I'm getting white screen errors by default with Gutenberg on Plesk installs now too. This caused even more confusion by repeatedly adding my IP to the ban list before I realised what was happening. Domain Error Log: Console Error: Definitely agree that this has potential for a widespread issue as it is the recommended setup inside Plesk. For now the ID exception has helped. If you are in control of the installation you can set the workaround on a server wide basis... How to Disable Conflicting Rule Server-Wide
|
|
I've reported it to AtomiCorp: https://support.atomicorp.com/hc/en-us/requests/17815 |
|
Exact same problem for me - white editor screen. I have hosting by Site5. When I turn off ModSecurity for the server, problem goes away. I hope the Gutenberg team can rewrite the code to avoid the scenario of Polyfill JS being detected by ModSecurity. There will be lots of users encountering this problem once Gutenberg is dropped in WP core. |
|
Same problem here with the nightly build. Would it be easier to just rename the polyfill file? These AtomicCorp rule IDs also seem to impact loading Gutenberg specific scripts:
|
|
I think we need to rename the file. I'm not sure it's reasonable to expect every host to be aware of this and customize their ModSec rules for it prior to rollout. |
Thanks for this info! Where can I add this for nginx? Does it just go into the "Additional nginx directives" field? The above looks like an Apache directive. |
|
In Plesk I just inserted the security rule number 33340149 to be ignored, but left the firewall on for all other rules. Gutenberg now works fine. |
|
@peterluit In #11216 we addressed the |
Describe the bug
When editing a post with Gutenberg 3.8.0 I only see a white screen with no sidebar
(after investigation) THE CAUSE: is a clash with Apache ModSecurity (AtomicCorp) which sees the iFrame JS insertion as a cross site scripting attempt.
To Reproduce
Steps to reproduce the behavior: (edited to reflect new info)
Expected behavior
I expect to see Gutenberg
Desktop
ALSO
Plugins:
Gutenberg Version 3.8.0
Error Log Monitor Version 1.6.2 | By Janis Elsts |
Wordfence Security Version 7.1.12
WP Super Cache Version 1.6.4
WPForms Lite Version 1.4.9
Console
The text was updated successfully, but these errors were encountered: