Anyone Else Have ModSecurity Issue?

GetSirius · June 11, 2022, 10:14pm

This is related to a previous question. I have an issue with a site that is currently being built, just upgraded from 8.something to 9.1.1. Also have the same issue with a 5.something version. I just installed v9.1.1 using Softaculous with sample content as a test, same issue.

When I do an edit that contains an inline CSS style, written by concrete, a 403 error happens when I save the block. This appears to be caused by ModSecurity. I can turn ModSecurity off and it will work. That does not sound like a proper cure for this issue.

What my web host told me to do: “…Even though it sounds like a false positive the vendor should consider patching it up with security updates.”

Really?

Does anyone else have this issue?
I would think that if it is only ModSecurity causing the issue, lots of folks would have the same issue.

Comments?
In the past I have really liked this host company, Total Choice Hosting, been with them for over a decade. Do I need to abandon them and find another host in order to use concrete?

fixt.org · June 12, 2022, 4:15pm

Turning off is probably not the best solution. Since you’ve confirmed it’s related to ModSecurity, you should be able to whitelist the rule ID causing the problem. This is how it’s done with CWP:

Your server may have a similar GUI option. If not, I’m sure it can be done via a shell command line, but I don’t have the expertise to advise on that method.

EvanCooper · June 23, 2022, 5:47pm

This is the correct answer - typically you can allowlist the rule that’s causing issues without turning off mod_security wholesale.