Support Forum
Getting this error when I try to edit a Post Title as an Admin with all permissions, when I try to open the forum toolset. See screenshots. Thank you!!
April 17, 2017 7:41 am | spaErrError | 1 | security
Nonce Security Alert
spForumToolsMenu: failed nonce check
action | spForumTopicTools |
targetaction | topictools |
topic | 217 |
forum | 54 |
page | 1 |
_wpnonce | e4e7e1b116 |
It is not an error although I see we have labeled it an error in the log which I will open a ticket on to get changed. Because it is not an error as such.
WordPress utilises a system of what they call a nonce (described in the WP documentation here: https://codex.wordpress.org/Wo.....ess_Nonces). This can time out as the documentation states - which then stops the action being carried out. The popup you see here is simply an explanatory aid to explain why the action cannot be completed.
Re-loading the page creates a new nonce which then remains available until that too times out. These nonces are used throughout WP and all plugins are encouraged to also use them for the best site security.
If you are seeing the popup every time you reload the page and repeat the action then in all likelihood you have a scripting conflict of some kind that is preventing the nonce check and the AJAX from functioning.
The way to check for this is to open the browser's web console - have it set for errors - load the page and then click the button. This will show any errors encountered in the console. If you are unsure how to use the console it is very easy and this quick guide should help.
YELLOW SWORDFISH
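The time-out behaviour described in the reply above, as an added example that is not part of the original thread or the plugin's code: a simplified Python model of WordPress's tick-based nonce, where a token is accepted in the tick it was issued and the one after, then rejected. The secret, action name, user id and session token are constructed values.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 86400  # seconds; WordPress's default nonce lifetime (one day)


def nonce_tick(now, life=NONCE_LIFE):
    """Counter that advances every life/2 seconds (12 hours by default)."""
    return math.ceil(now / (life / 2))


def make_nonce(secret, action, user_id, token, tick):
    """Ten hex characters cut from an HMAC over tick, action, user and session."""
    msg = f"{tick}|{action}|{user_id}|{token}".encode()
    return hmac.new(secret, msg, hashlib.md5).hexdigest()[-12:-2]


def verify_nonce(nonce, secret, action, user_id, token, now):
    """1 = issued in the current tick, 2 = previous tick, 0 = rejected."""
    tick = nonce_tick(now)
    for age, candidate in ((1, tick), (2, tick - 1)):
        expected = make_nonce(secret, action, user_id, token, candidate)
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def demo():
    # All values below are constructed for the example.
    secret, action, uid, token = b"constructed-site-salt", "forum-tools", 1, "session-abc"
    hour = 3600
    issued = 43200 * 1000 + 1  # page rendered just after a tick boundary
    nonce = make_nonce(secret, action, uid, token, nonce_tick(issued))
    check = lambda act, when: verify_nonce(nonce, secret, act, uid, token, when)
    return {
        "after_1h": check(action, issued + 1 * hour),
        "after_13h": check(action, issued + 13 * hour),
        "after_25h": check(action, issued + 25 * hour),
        "other_action": check("delete-post", issued + 1 * hour),
    }


if __name__ == "__main__":
    print(demo())
```

A nonce issued just before a tick boundary is only good for a little over 12 hours, which is why a page left open overnight can fail the check while a fresh reload succeeds.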
ok well I have tried this and all I get is this which isn't making sense to me. Can you help point me in the right direction? Thanks!
Access to Font at 'https://figtreelive.com/wp-content/plugins/wc-shortcodes/public/assets/fonts/fontawesome-webfont.woff?v=4.6.3' from origin 'http://figtreelive.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://figtreelive.com' is therefore not allowed access.
bootstrap.min.js:11 Uncaught TypeError: Cannot read property 'documentElement' of null
at i.show (bootstrap.min.js:11)
at i.enter (bootstrap.min.js:11)
at HTMLDocument.d (jquery.js:2)
at HTMLDocument.handle (jquery.js:3)
at HTMLDocument.dispatch (jquery.js:3)
at HTMLDocument.r.handle (jquery.js:3)
jquery.js:2 Uncaught Error: cannot call methods on button prior to initialization; attempted to call method 'enable'
at Function.error (http://figtreelive.com/wp-incl.....2.4:2:1814)
at HTMLAnchorElement.<anonymous> (http://figtreelive.com/wp-incl......4:11:2115)
at Function.each (http://figtreelive.com/wp-incl.....2.4:2:2881)
at jQuery.fn.init.each (http://figtreelive.com/wp-incl.....12.4:2:846)
at jQuery.fn.init.a.fn.(anonymous function) [as button] (http://figtreelive.com/wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4:11:1857)
at l.Uploader.<anonymous> (http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…load/jquery.ui.plupload.min.js?ver=299bc00d57a51c279171c25ed0e92150:1:6356)
at l.Uploader.dispatchEvent (http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:29:16049)
at l.Uploader.trigger (http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:13:18487)
at http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:29:13788
at http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…/jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:29:7101
figtreelive.com/:1 Access to Font at 'https://figtreelive.com/wp-content/plugins/wc-shortcodes/public/assets/fonts/fontawesome-webfont.ttf?v=4.6.3' from origin 'http://figtreelive.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://figtreelive.com' is therefore not allowed access.
I should imagine there are more problems than just the forum toolset. A few errors buried in there - some, by the looks of things, to do with the use of Bootstrap - not supported by WordPress.
I think we will need to see so we can look at the sources. How about at least - for starters - a link to the forum page if guests are allowed to view it.
By the way - if this has worked before - and you do not say it has or not - then the only question is what has changed to break it?
YELLOW SWORDFISH
here is our link - https://figtreelive.com/forum/
this happened when we moved the site to a new server.
I can provide you with Admin login details if you need. just let me know how to send those to you.
thanks for your help
It is a bit hard to see what is going on with so much JavaScript being loaded (your site might be the record in terms of what I have seen!). But there is clearly a problem with the bootstrap.js file which is being loaded by your WP theme. It is causing multiple script errors every page load and on every ajax call being made from a page. Thus the errors accumulate.
I am not sure how you go about fixing this. If it were me I would put the site into maintenance mode for 10 minutes and swap the WP theme for one of the WP default themes to see if that resolves the problem. Swap it back of course but it would inform us where the problem lies.
There must have been more than simply moving the site to a new server. The problems I am seeing here are more fundamental I believe.
YELLOW SWORDFISH
ok so I tried deactivating theme and trying a default and that did not fix it. I looked at the error log and see this
[:error] [pid 32736:tid ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "243"] [id "340102"] [rev "3"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: cross site scripting attempt"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx (/(?:scripts|staff)/index\\\\.php\\\\?(?:action|_m)=)" against "REQUEST_URI" required. [hostname "figtreelive.com"] [uri "/forum/click-here-to-learn-how-to-use-figtretalkelive-com/click-here-to-learn-how-to-use-healthtalklive-com-features/<script type=\\"text/javascript\\">jQuery(document).ready(function() {spjDialogHtml('', '<div style=\\"margin: 5px; border: 2px solid red; padding: 10px;\\"><p><img src=\\"https://figtreelive.com/wp-content/plugins/simple-press/admin/resources/images/sp_Message.png\\" alt=\\"\\" style=\\"float:left; margin: -4px 10px 0 0;\\" /><b>Access denied - security check failed<br />Unable to complete the request</b></p><p><b>Please reload the page and retry the operation</b></p></div>', 'Security Alert', 0, 0, 'center', '');});</script>"] [unique_id "WRP0vFFXgY-4BFLZtLdolgAAAIA"], referer: http://figtreelive.com/forum/click-here-to-learn-how-to-use-figtretalkelive-com/click-here-to-learn-how-to-use-healthtalklive-com-features/
Any ideas?
Thanks
appears mod security might be making a false positive there and blocking it... it's basically not very good...
personally, i would disable it... but that's your call.. if you want to keep it, you can ask your host to whitelist the url so it doesn't block the action...
Visit Cruise Talk Central and Mr Papa's World
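One way to triage a ModSecurity denial like the one quoted above before choosing between disabling the module and asking the host for an exception (an added example, not part of the original thread): it extracts the rule id, status, phase and target path, and reports whether the requested URI itself carried markup. The sample line is constructed and shortened, with a placeholder hostname and rule file, and it assumes quotes inside values are escaped with a single backslash.

```python
import re

# Constructed sample, shortened from the shape of the log line quoted in the thread.
SAMPLE = (
    '[:error] [pid 32736:tid 1] ModSecurity: '
    '[file "/etc/httpd/conf/modsecurity.d/rules/constructed.conf"] [line "243"] '
    '[id "340102"] [rev "3"] [msg "cross site scripting attempt"] '
    '[severity "CRITICAL"] Access denied with code 403 (phase 2). '
    '[hostname "forum.example"] '
    '[uri "/forum/some-topic/<script type=\\"text/javascript\\">dialog();</script>"] '
    '[unique_id "CONSTRUCTED"], referer: http://forum.example/forum/some-topic/'
)

# [key "value"] pairs; a value may contain backslash-escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION = re.compile(r"Access denied with code (\d{3}) \(phase (\d)\)")
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]")


def parse_denial(line):
    """Return the fields needed to triage one ModSecurity denial, or None."""
    fields = {key: value.replace('\\"', '"') for key, value in FIELD.findall(line)}
    action = ACTION.search(line)
    if action is None or "id" not in fields:
        return None
    uri = fields.get("uri", "")
    markup = MARKUP.search(uri)
    return {
        "rule_id": fields["id"],
        "message": fields.get("msg", ""),
        "status": int(action.group(1)),
        "phase": int(action.group(2)),
        # Path up to the first tag: the page the request was aimed at.
        "path": uri[: markup.start()] if markup else uri,
        # True when the requested URI itself carried HTML or script markup.
        "markup_in_uri": markup is not None,
    }


if __name__ == "__main__":
    print(parse_denial(SAMPLE))
```

The rule id and path are what a host needs to scope an exception to one rule on one location, and `markup_in_uri` shows whether the blocked request really did contain a script element in its path.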
ok I have had the host disable the ModSecurity. But the site is still not letting us delete posts. It comes up with the same error as before.
Can I provide you with our site login for you to help us debug? We have tried everything and can't get it fixed.
if we can't fix this we are going to have to move away from Simple Press and to another solution.
How can I send our site login to you?
Thanks for all your help
If you are coming up with same error, I highly question whether mod security is disabled. The error message clearly says mod security is blocking it.
That said, we would be happy to take a look. Please send temp credentials via private message here to yellow swordfish and mr papa. The temp account should be a wp admin and have sp admin capabilities. In the private message please link back to this topic so we know what it's about.
We also may need ftp access in order to add some debug code but let's not worry about that right now.
Visit Cruise Talk Central and Mr Papa's World