Subscribe: RSS
  • I was having a Non-Saving loop of death problem myself, except it was with resources that contained Javascript. I found a mechanism in cPanel that lets me toggle ModSecurity and now it works.

    Edit, ModSecurity off, Save, ModSecurity on, put my feet up. smiley

    Thanks.
      "The problem with troubleshooting is sometimes trouble shoots back." - Unk.
    • cottagestuff Reply #12, 1 month ago
      Markz - zaphodx - did you find a solution? I have reported the same problem in the past, and still haven't found a satisfactory solution.

      I have MODX sites on three servers. Two are fine; the third a nightmare. All because of a clash with ModSec. Yes, Sabrecho is right, you can disable ModSec, edit in MODX, save the edit, then re-enable ModSec, but that is no solution for the client. What is the client to do?

      Not sure what is breaching the ModSec rules. Seems to occur only on resources that have TVs set to rich text, I guess when TinyMCE is installed. Have tried to test without TinyMCE, but haven't managed because of some MODX weirdness (core/cache insists on loading TinyMCE even after TinyMCE has been completely uninstalled and removed and the core/cache has been deleted).

      So its back to the hosting company to meekly ask them to look for the ModSec rules that are clashing, and whitelisting them.

      The problem is that I have done that with this site in the past, but the problem keeps coming back, perhaps because the whitelist gets deleted or because new rules get installed that duplicate the problem.

      It is a recurring nightmare.

      What I would like to know is:

      1. How dangerous is it to just permanently disable ModSec for a MODX site that is kept up to date?

      2. Is there hosting somewhere that can guarantee that this sort of nonsense will not occur?

      3. Is there an alternative to TinyMCE that doesn't fall foul of ModSec and can be installed (the one linked to previously in this thread won't install on the site I am working on now - it downloads, but does not install)?
      • Hello interesting others are having trouble, and funny I didn't find this thread earlier. I am also having very similar problems, and I am working with my hoster to disable specific rules, to avoid completely disabling modsec as we are calling it wink

        My site ^probably triggered modsec when I loaded up a number of MIGX fields on ^one page with a lot of description text. I actually have two pages with quite a bit of text, one of them has really way too much text lol. If we figure this out maybe later developers can avoid this problem by using multiple resources or something. I should probably re-design the site but...have been going through this process...

        The problem is a bunch of keywords repeated triggers modsec because it *looks* like maybe injected code. As I understand

        Its been a slog. Only one rule gets triggered each time, nothing else fires so its been a slow painful process, but we seem to be getting there.

        I found that each of snippets, chunks templates and resources have possible triggers of modsec. If the ultimate cause is too much text in one place, it still shows up in other places, for instance I intentionally made a super short template when I couldn't save templates, and it didn't make any difference, still had an error.

        The behavior can range from completely useless site, so maybe you login but can't see stuff or edit anything. Later we drilled down and primarily the effect was that, on save, it stops really quickly with no success message and also of course no save.

        Recently its been different, where just one or two resources will not save, and the saving dialog just rolls and rolls and never ends.

        HTH
        • I've never had, or heard of, a problem with mod_security on any of the hosts recommended here (even on their shared hosting sites): https://bobsguides.com/modx-friendly-hosts.html, although that doesn't mean others haven't.

          Some hosts use very picky mod_security rules, especially on their shared hosting, even going so far as to block content containing specific words and/or script tags. They also update the mod_security rules often and the new rule sets sometimes override exceptions they've set for you.

          As platforms go, MODX is quite secure and sanitizes the $_REQUEST, $_GET, and $_POST arrays on every request. It also uses a site token to authenticate requests to potentially vulnerable code like processors.

          I'm not aware of any MODX site that was hacked in a way that would have been caught by mod_security. I would be comfortable with mod_security turned off for the Manager directory, which might solve your problem. It's the securest part of MODX and no extras ever put code there.

          The only real danger, imo, with having mod_security off, even for the whole site, is installing an extra that has a security vulnerability, which is quite rare and is usually caught before it's had a chance to be exploited. The only exception I can think of is the old reflect issue, which occurred many years ago.
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/MODx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
          • cottagestuff Reply #15, 1 month ago
            nuan88, don't use MIGX, and on the site that became unusable for me the only extra was TinyMCE.

            As Bob Ray says so rightly, the problem is the ModSec chaps keep moving the goalposts every few months, it seems. With my sites, I started off with two or three rules on the whitelist. This is the whitelist now:

            77134609
            77136489
            77138364
            77139398
            77140173
            77218500
            77134609
            212000
            212620
            212870
            212890
            218500
            77133854
            77134134
            77134556
            77135735
            77135976
            77136158
            77136715
            77137337
            77137651
            77137972
            77138295
            77138488
            77138563
            77139386
            77211700
            77134609
            77136489
            77138364
            77139398
            77140173
            77218500
            77134609

            Bob's suggestion of disabling ModSec only for the manager directory seems interesting. No way to do that in my shared hosting CPanels, but I have asked the hosting company if that is an option.

            Also extremely helpful, Bob, is your saying you would be comfortable turning ModSec off. I was having suicidal thoughts yesterday thinking I must find a way to keep ModSec on. But if I can actually switch the damn thing off, life might become livable again.
            • Agree that this is modsec being irritating and pointlessly annoying

              Quote from: cottagestuff at May 20, 2018, 07:00 AM

              Bob's suggestion of disabling ModSec only for the manager directory seems interesting. No way to do that in my shared hosting CPanels, but I have asked the hosting company if that is an option.


              My hoster says this is impossible...they basically said you can't do that

              BobRay, I deleted the info before but you have now heard of a modsec problem on one of the shared accounts of one of those approved hosters. Its quite possible that modsec recently jacked up the rules again.

              cottagestuff thanks for your info, I myself can't find my list but its definitely getting longer and longer.

              And I still believe the issue is a lot of text, I don't care about MIGX or TinyMCE, its all text as far as modsec is concerned. The extra could theoretically affect how modsec perceives the text but I sort of doubt it, because that sort of defies the whole point. If the extra could affect modsec's perception of the text then a virus or injection would learn to do so to avoid detection.

              I could be way off here. You found the distinction was between resources using TinyMCE and those not, but that says to me, resources with text, and without. But afaik this is a text-based search looking for keywords, and the hoster chooses the keyword list I believe! So they ramp up some long list which probably protects no one but brings us trouble. And each of those rules are very simple, I guess, just this keyword or that, or number of times, or whatever. Even if their damn text-scanner times out it brings an error, their overly-sensitive scanner, then it times out, so you have to crank up the allotted time. To go through the text that I put there. So pointless.

              I could be totally wrong here, I don't know, but the problem did seem to start right about the time I started loading up one page in particular with text.

              Given where we are, I might just disable it. Its been an entire month of bs, entirely sick of it and not at all happy with my hoster. [ed. note: nuan88 last edited this post 1 month ago.]
              • Quote from: BobRay at May 19, 2018, 09:38 PM


                I'm not aware of any MODX site that was hacked in a way that would have been caught by mod_security. I would be comfortable with mod_security turned off for the Manager directory, which might solve your problem. It's the securest part of MODX and no extras ever put code there.

                Please tell me how to tell this approved hoster how to do this. They have at times been incredibly dense and claim it can't be done

                Quote from hoster:
                It is not possible to disable it for a specific folder, just for an entire domain name.

                UPDATE: Hoster says the problem is due to the new Comodo WAF Rules, and asks for patience as we maintain the highest level of security. They are going to have to make a specific whitelist for sites that have problems, I would expect. They don't advise disabling it.

                I think the moral of the story is don't build up large amounts of text on single resources. If that text was distributed it might not trigger. I don't know whether I will modify my site but that may be the lesson. [ed. note: nuan88 last edited this post 1 month ago.]
                • Who is your host?

                  If, out of curiosity, you want to see what's setting mod_security off, you can try doing a binary search of the content in an object that won't save.

                  Cut half the text to the clipboard. If the object saves, the problem is in the half you cut. If not put it back and cut the other half.

                  Hopefully, you then know which have the problem is in. Cut the first half of that problem half, then the second half. Keep narrowing your search until you've found the offending line of text. Some of the rules are just ridiculous. One use reported that mod_security refused to save a resource containing the word 'casino' -- I kid you not.

                  I have seen reports of hosts who disabled mod_security for the Manager directory, but I haven't seen this personally.
                    Get my Book: MODX:The Official Guide
                    MODX info for everyone: http://bobsguides.com/MODx.html
                    My MODX Extras
                    Bob's Guides is now hosted at A2 MODX Hosting
                  • Well I don't want to name them, they have been working on it and its a small community. I don't feel its productive.

                    Actually it appears they finally solved it today, but I haven't been able to verify completely yet. I sent a very stern message yesterday lol. Sometimes you gotta get everyone on the right page. There was progress but it was always followed by remaining problems.

                    However I am still worried as it could easily break later, and I haven't even gotten all the text content in there yet.

                    So, I am breaking the content up into multiple resources. I thought to maintain the idea of the user seeing one page with everything there, but I am just going to go with the more traditional approach. Hope it helps.