Unable to save resource after changing template

I was having a Non-Saving loop of death problem myself, except it was with resources that contained Javascript. I found a mechanism in cPanel that lets me toggle ModSecurity and now it works.

Edit, ModSecurity off, Save, ModSecurity on, put my feet up.

Thanks.

Markz - zaphodx - did you find a solution? I have reported the same problem in the past, and still haven't found a satisfactory solution.

I have MODX sites on three servers. Two are fine; the third a nightmare. All because of a clash with ModSec. Yes, Sabrecho is right, you can disable ModSec, edit in MODX, save the edit, then re-enable ModSec, but that is no solution for the client. What is the client to do?

Not sure what is breaching the ModSec rules. Seems to occur only on resources that have TVs set to rich text, I guess when TinyMCE is installed. Have tried to test without TinyMCE, but haven't managed because of some MODX weirdness (core/cache insists on loading TinyMCE even after TinyMCE has been completely uninstalled and removed and the core/cache has been deleted).

So its back to the hosting company to meekly ask them to look for the ModSec rules that are clashing, and whitelisting them.

The problem is that I have done that with this site in the past, but the problem keeps coming back, perhaps because the whitelist gets deleted or because new rules get installed that duplicate the problem.

It is a recurring nightmare.

What I would like to know is:

1. How dangerous is it to just permanently disable ModSec for a MODX site that is kept up to date?

2. Is there hosting somewhere that can guarantee that this sort of nonsense will not occur?

3. Is there an alternative to TinyMCE that doesn't fall foul of ModSec and can be installed (the one linked to previously in this thread won't install on the site I am working on now - it downloads, but does not install)?

Hello interesting others are having trouble, and funny I didn't find this thread earlier. I am also having very similar problems, and I am working with my hoster to disable specific rules, to avoid completely disabling modsec as we are calling it

My site ^probably triggered modsec when I loaded up a number of MIGX fields on ^one page with a lot of description text. I actually have two pages with quite a bit of text, one of them has really way too much text lol. If we figure this out maybe later developers can avoid this problem by using multiple resources or something. I should probably re-design the site but...have been going through this process...

The problem is a bunch of keywords repeated triggers modsec because it *looks* like maybe injected code. As I understand

Its been a slog. Only one rule gets triggered each time, nothing else fires so its been a slow painful process, but we seem to be getting there.

I found that each of snippets, chunks templates and resources have possible triggers of modsec. If the ultimate cause is too much text in one place, it still shows up in other places, for instance I intentionally made a super short template when I couldn't save templates, and it didn't make any difference, still had an error.

The behavior can range from completely useless site, so maybe you login but can't see stuff or edit anything. Later we drilled down and primarily the effect was that, on save, it stops really quickly with no success message and also of course no save.

Recently its been different, where just one or two resources will not save, and the saving dialog just rolls and rolls and never ends.

HTH

I've never had, or heard of, a problem with mod_security on any of the hosts recommended here (even on their shared hosting sites): https://bobsguides.com/modx-friendly-hosts.html, although that doesn't mean others haven't.

Some hosts use very picky mod_security rules, especially on their shared hosting, even going so far as to block content containing specific words and/or script tags. They also update the mod_security rules often and the new rule sets sometimes override exceptions they've set for you.

As platforms go, MODX is quite secure and sanitizes the $_REQUEST, $_GET, and $_POST arrays on every request. It also uses a site token to authenticate requests to potentially vulnerable code like processors.

I'm not aware of any MODX site that was hacked in a way that would have been caught by mod_security. I would be comfortable with mod_security turned off for the Manager directory, which might solve your problem. It's the securest part of MODX and no extras ever put code there.

The only real danger, imo, with having mod_security off, even for the whole site, is installing an extra that has a security vulnerability, which is quite rare and is usually caught before it's had a chance to be exploited. The only exception I can think of is the old reflect issue, which occurred many years ago.

nuan88, don't use MIGX, and on the site that became unusable for me the only extra was TinyMCE.

As Bob Ray says so rightly, the problem is the ModSec chaps keep moving the goalposts every few months, it seems. With my sites, I started off with two or three rules on the whitelist. This is the whitelist now:

77134609
77136489
77138364
77139398
77140173
77218500
77134609
212000
212620
212870
212890
218500
77133854
77134134
77134556
77135735
77135976
77136158
77136715
77137337
77137651
77137972
77138295
77138488
77138563
77139386
77211700
77134609
77136489
77138364
77139398
77140173
77218500
77134609

Bob's suggestion of disabling ModSec only for the manager directory seems interesting. No way to do that in my shared hosting CPanels, but I have asked the hosting company if that is an option.

Also extremely helpful, Bob, is your saying you would be comfortable turning ModSec off. I was having suicidal thoughts yesterday thinking I must find a way to keep ModSec on. But if I can actually switch the damn thing off, life might become livable again.

Agree that this is modsec being irritating and pointlessly annoying

Quote from: cottagestuff at May 20, 2018, 07:00 AM

Bob's suggestion of disabling ModSec only for the manager directory seems interesting. No way to do that in my shared hosting CPanels, but I have asked the hosting company if that is an option.

My hoster says this is impossible...they basically said you can't do that

BobRay, I deleted the info before but you have now heard of a modsec problem on one of the shared accounts of one of those approved hosters. Its quite possible that modsec recently jacked up the rules again.

cottagestuff thanks for your info, I myself can't find my list but its definitely getting longer and longer.

And I still believe the issue is a lot of text, I don't care about MIGX or TinyMCE, its all text as far as modsec is concerned. The extra could theoretically affect how modsec perceives the text but I sort of doubt it, because that sort of defies the whole point. If the extra could affect modsec's perception of the text then a virus or injection would learn to do so to avoid detection.

I could be way off here. You found the distinction was between resources using TinyMCE and those not, but that says to me, resources with text, and without. But afaik this is a text-based search looking for keywords, and the hoster chooses the keyword list I believe! So they ramp up some long list which probably protects no one but brings us trouble. And each of those rules are very simple, I guess, just this keyword or that, or number of times, or whatever. Even if their damn text-scanner times out it brings an error, their overly-sensitive scanner, then it times out, so you have to crank up the allotted time. To go through the text that I put there. So pointless.

I could be totally wrong here, I don't know, but the problem did seem to start right about the time I started loading up one page in particular with text.

Given where we are, I might just disable it. Its been an entire month of bs, entirely sick of it and not at all happy with my hoster. [ed. note: nuan88 last edited this post 6 years, 9 months ago.]

Quote from: BobRay at May 19, 2018, 09:38 PM

I'm not aware of any MODX site that was hacked in a way that would have been caught by mod_security. I would be comfortable with mod_security turned off for the Manager directory, which might solve your problem. It's the securest part of MODX and no extras ever put code there.

Please tell me how to tell this approved hoster how to do this. They have at times been incredibly dense and claim it can't be done

Quote from hoster:

It is not possible to disable it for a specific folder, just for an entire domain name.

UPDATE: Hoster says the problem is due to the new Comodo WAF Rules, and asks for patience as we maintain the highest level of security. They are going to have to make a specific whitelist for sites that have problems, I would expect. They don't advise disabling it.

I think the moral of the story is don't build up large amounts of text on single resources. If that text was distributed it might not trigger. I don't know whether I will modify my site but that may be the lesson. [ed. note: nuan88 last edited this post 6 years, 9 months ago.]

Who is your host?

If, out of curiosity, you want to see what's setting mod_security off, you can try doing a binary search of the content in an object that won't save.

Cut half the text to the clipboard. If the object saves, the problem is in the half you cut. If not put it back and cut the other half.

Hopefully, you then know which have the problem is in. Cut the first half of that problem half, then the second half. Keep narrowing your search until you've found the offending line of text. Some of the rules are just ridiculous. One use reported that mod_security refused to save a resource containing the word 'casino' -- I kid you not.

I have seen reports of hosts who disabled mod_security for the Manager directory, but I haven't seen this personally.

Well I don't want to name them, they have been working on it and its a small community. I don't feel its productive.

Actually it appears they finally solved it today, but I haven't been able to verify completely yet. I sent a very stern message yesterday lol. Sometimes you gotta get everyone on the right page. There was progress but it was always followed by remaining problems.

However I am still worried as it could easily break later, and I haven't even gotten all the text content in there yet.

So, I am breaking the content up into multiple resources. I thought to maintain the idea of the user seeing one page with everything there, but I am just going to go with the more traditional approach. Hope it helps.