AH01623: client method denied by server configuration: 'PUT' #5632

Closed
phamhung77 opened this issue Mar 15, 2018 · 10 comments
Labels
REST API Interaction Related to REST API [Status] Needs More Info Follow-up required in order to be actionable.

Comments

@phamhung77

I posted on WP forum a week ago, but no one answers.

[Thu Mar 15 11:17:40.299034 2018] [allowmethods:error] [pid 23959:tid 140642478888704] [client my-ip-address:2809] AH01623: client method denied by server configuration: 'PUT' to /home/username/domains/my-domain/public_html/wp-json, referer: http://my-domain/wp-admin/post-new.php?post_type=page
With version 2.4.0, I still get the same error when creating a new page and then saving.

@jeffpaul
Member

@phamhung77 can you confirm that this is a clean WordPress install with no additional plugins/themes?

@phamhung77
Author

I do have some other plugins. However, when I switched to classic editor, I can create pages just fine. So, it should be something wrong in Gutenberg.

@jeffpaul
Member

@phamhung77 it could still be a conflict with Gutenberg and something that's installed on your instance. Can you confirm your WordPress version and any installed themes/plugins? In parallel, would you be able to test on a clean WordPress + Gutenberg install to see if you still get the same error? Any additional details you can provide will help in our triage of the issue... thanks!

@phamhung77
Author

Fine, as you wished :) A fresh WordPress installation with no plugin, only Gutenberg, and Twenty Seventeen theme. The same problem

[Wed Mar 21 21:58:57.421203 2018] [:error] [pid 17978:tid 140642185242368] [client my-ip-address:10207] [client my-ip-address] ModSecurity: Access denied with code 403 (phase 2). Match of "ge 1" against "&REQUEST_COOKIES_NAMES:/^wordpress_([0-9a-fA-f]{32})$/" required. [file "/usr/local/cwaf/rules/28_Apps_WordPress.conf"] [line "127"] [id "225170"] [rev "1"] [msg "COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)||my-domain-name|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WordPress"] [hostname "my-domain-name"] [uri "/wp-json/wp/v2/users"] [unique_id "WrLHkWp09nxDxXSctVoFTgAAAGc"], referer: http://my-domain-name/wp-admin/post-new.php?post_type=page
[Wed Mar 21 21:59:02.779658 2018] [allowmethods:error] [pid 17978:tid 140642428630784] [client my-ip-address:10074] AH01623: client method denied by server configuration: 'PUT' to /home/hosting-username/domains/my-domain-name/public_html/wp-json, referer: http://my-domain-name/wp-admin/post-new.php?post_type=page

@pento
Member

pento commented Mar 22, 2018

Thanks for the bug report, @phamhung77!

I think I have a fix for this, could I get you to test #5741?

If you don't have a development environment setup, you can also test with Gutenberg 2.4, by copy/pasting this function and hook into your install.

@phamhung77
Author

Thanks for the patch. It seems to fix the PUT error message, but it still includes the security warning like above.

@pento
Member

pento commented Mar 23, 2018

Thanks for the feedback, @phamhung77. You should disable that security rule, as it's trying to protect against an issue that was fixed in WordPress 4.7.2.

@phamhung77
Author

No, I don't think that I would like to disable the rule, because it's only appearing when using Gutenberg. That means the problem is somewhere in the Gutenberg code, not WordPress itself.

@pento
Member

pento commented Mar 25, 2018

@phamhung77: That's up to you, but there's no way for Gutenberg or WordPress to work around this: any application that tries to send a valid REST request that violates this rule will fail. This isn't a Gutenberg bug; Gutenberg just exposed the overly broad rule by virtue of being the first Core WordPress feature that makes significant use of the REST API.

Cloudflare have had to make similar changes to their security rules; any WAF that uses a rule like this one will need to change.
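
The check recorded in the ModSecurity log line earlier in the thread, modelled in Python as an added example (not part of any comment here, and not Comodo's or WordPress's code). It assumes the rule applies to the logged URI prefix and that a default WordPress install scopes the `wordpress_<hash>` cookie to the admin and plugin paths, so logged-in REST calls carry only `wordpress_logged_in_<hash>`; all cookie values are constructed.

```python
import re

# Cookie-name pattern exactly as quoted in the ModSecurity log line.
RULE_COOKIE_RE = re.compile(r"^wordpress_([0-9a-fA-f]{32})$")
# uri field from the same log line; treating it as a prefix is an assumption.
RULE_URI = "/wp-json/wp/v2/users"

def cookie_names(cookie_header):
    """Return the cookie names found in a Cookie request header."""
    names = []
    for part in cookie_header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names

def rule_225170_denies(uri, cookie_header):
    """Model of the logged condition: deny unless the number of cookie
    names matching the pattern is >= 1 ("Match of 'ge 1' ... required")."""
    if not uri.startswith(RULE_URI):
        return False  # rule not evaluated for other URIs (assumption)
    count = sum(1 for n in cookie_names(cookie_header) if RULE_COOKIE_RE.match(n))
    return not count >= 1

# Constructed sample values, not taken from the thread.
HASH = "0123456789abcdef0123456789abcdef"
ANONYMOUS = ""
# What a logged-in browser sends to /wp-json under the stated assumption.
EDITOR_COOKIES = f"wordpress_logged_in_{HASH}=editor%7C1; wp-settings-1=editor%3Dtinymce"
# What the rule expects to see: the admin-path auth cookie.
ADMIN_COOKIES = f"wordpress_{HASH}=admin%7C1; wordpress_logged_in_{HASH}=admin%7C1"

def evaluate_samples():
    """Return the rule decision for each constructed request."""
    return {
        "anonymous": rule_225170_denies(RULE_URI, ANONYMOUS),
        "editor_rest_call": rule_225170_denies(RULE_URI + "?context=edit", EDITOR_COOKIES),
        "admin_path_cookie": rule_225170_denies(RULE_URI, ADMIN_COOKIES),
        "other_endpoint": rule_225170_denies("/wp-json/wp/v2/pages/7", EDITOR_COOKIES),
    }

if __name__ == "__main__":
    for label, denied in evaluate_samples().items():
        print(f"{label:18} -> {'403 denied' if denied else 'passed'}")
```

The `editor_rest_call` case is the false positive: an authenticated request is denied because the cookie name the rule looks for is not the one sent to `/wp-json`.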

@pento
Member

pento commented May 3, 2018

I'm in contact with Comodo directly to update their WAF rules, there's nothing else we can do from here.

@pento pento closed this as completed May 3, 2018