Forum Toolset Security Error
Johnie Yawn
Member
Free Members
Apr 17, 2017 - 10:49 am

Getting this error when I try to edit a Post Title as an Admin with all permissions, when I try to open the forum toolset. See screenshots. Thank you!!

[Screenshots: Screen-Shot-2017-04-17-at-10.48.12-AM.png, Screen-Shot-2017-04-17-at-10.48.00-AM.png]

 

April 17, 2017 7:41 am | spaErrError | 1 | security


Nonce Security Alert
spForumToolsMenu: failed nonce check

action spForumTopicTools
targetaction topictools
topic 217
forum 54
page 1
_wpnonce e4e7e1b116
Yellow Swordfish
Glinton, England
SP Master
Apr 17, 2017 - 12:49 pm

It is not an error although I see we have labeled it an error in the log which I will open a ticket on to get changed. Because it is not an error as such.

WordPress utilises a system of what they call a nonce (described in the WP documentation here: https://codex.wordpress.org/Wo.....ess_Nonces). This can time out as the documentation states - which then stops the action being carried out. The popup you see here is simply an explanatory aid to explain why the action cannot be completed.

Re-loading the page creates a new nonce which then remains available until that too times out. These nonces are used throughout WP and all plugins are encouraged to also use them for the best site security.

If you are seeing the popup every time you reload the page and repeat the action then in all likelihood you have a scripting conflict of some kind that is preventing the nonce check and the AJAX from functioning.

The way to check for this is to open the browser's web console - have it set for errors - load the page and then click the button. This will show any errors encountered in the console. If you are unsure how to use the console it is very easy and this quick guide should help.

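A simplified model of the time-windowed nonce behaviour described in the reply above, added here as an illustration; it is not WordPress or Simple:Press code. The key, the action strings, the user id, the one-day lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import math

SECRET = b"constructed-demo-key"  # assumption: stands in for the site's secret salt
LIFETIME = 24 * 60 * 60           # assumption: nonce lifetime of one day, in seconds


def tick(now, lifetime=LIFETIME):
    """Counter that advances once every half lifetime."""
    return math.ceil(now / (lifetime / 2))


def make_nonce(action, user_id, now, at_tick=None):
    """Short token bound to the action, the user and a tick (default: current)."""
    t = tick(now) if at_tick is None else at_tick
    msg = f"{t}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, user_id, now):
    """Return 1 (issued this tick), 2 (previous tick) or 0 (rejected)."""
    current = tick(now)
    for result, t in ((1, current), (2, current - 1)):
        expected = make_nonce(action, user_id, now, at_tick=t)
        if hmac.compare_digest(expected, nonce):
            return result
    return 0


def demo():
    """Constructed timeline: page loaded once, action retried later."""
    loaded = 1_000_000  # constructed epoch second at which the page was rendered
    half = LIFETIME // 2
    nonce = make_nonce("topic-tools", 7, loaded)
    return {
        "same_hour": verify_nonce(nonce, "topic-tools", 7, loaded + 3600),
        "next_tick": verify_nonce(nonce, "topic-tools", 7, loaded + half),
        "stale_tab": verify_nonce(nonce, "topic-tools", 7, loaded + 2 * half),
        "other_action": verify_nonce(nonce, "delete-post", 7, loaded + 3600),
        "after_reload": verify_nonce(
            make_nonce("topic-tools", 7, loaded + 2 * half),
            "topic-tools", 7, loaded + 2 * half + 5),
    }
```

The `stale_tab` case is the timeout, and `after_reload` is the fresh nonce a page reload produces. A failure that persists straight after a reload therefore points away from expiry and towards the request never carrying a valid nonce.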
Johnie Yawn
Member
Free Members
Apr 23, 2017 - 12:52 am

ok well I have tried this and all I get is this which isn't making sense to me. Can you help point me in the right direction? Thanks! 

 

Access to Font at 'https://figtreelive.com/wp-content/plugins/wc-shortcodes/public/assets/fonts/fontawesome-webfont.woff?v=4.6.3' from origin 'http://figtreelive.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://figtreelive.com' is therefore not allowed access.
bootstrap.min.js:11 Uncaught TypeError: Cannot read property 'documentElement' of null
at i.show (bootstrap.min.js:11)
at i.enter (bootstrap.min.js:11)
at HTMLDocument.d (jquery.js:2)
at HTMLDocument.handle (jquery.js:3)
at HTMLDocument.dispatch (jquery.js:3)
at HTMLDocument.r.handle (jquery.js:3)
jquery.js:2 Uncaught Error: cannot call methods on button prior to initialization; attempted to call method 'enable'
at Function.error (http://figtreelive.com/wp-incl.....2.4:2:1814)
at HTMLAnchorElement.<anonymous> (http://figtreelive.com/wp-incl......4:11:2115)
at Function.each (http://figtreelive.com/wp-incl.....2.4:2:2881)
at jQuery.fn.init.each (http://figtreelive.com/wp-incl.....12.4:2:846)
at jQuery.fn.init.a.fn.(anonymous function) [as button] (http://figtreelive.com/wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4:11:1857)
at l.Uploader.<anonymous> (http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…load/jquery.ui.plupload.min.js?ver=299bc00d57a51c279171c25ed0e92150:1:6356)
at l.Uploader.dispatchEvent (http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:29:16049)
at l.Uploader.trigger (http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:13:18487)
at http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:29:13788
at http://figtreelive.com/wp-content/sp-resources/forum-plugins/plupload/resou…/jscript/plupload.full.min.js?ver=299bc00d57a51c279171c25ed0e92150:29:7101
figtreelive.com/:1 Access to Font at 'https://figtreelive.com/wp-content/plugins/wc-shortcodes/public/assets/fonts/fontawesome-webfont.ttf?v=4.6.3' from origin 'http://figtreelive.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://figtreelive.com' is therefore not allowed access.

Yellow Swordfish
Glinton, England
SP Master
Apr 23, 2017 - 11:48 am

I should imagine there are more problems than just the forum toolset. A few errors buried in there - some, by the looks of things, to do with the use of Bootstrap - not supported by WordPress.

I think we will need to see so we can look at the sources. How about at least - for starters - a link to the forum page if guests are allowed to view it.

By the way - if this has worked before - and you do not say it has or not -  then the only question is what has changed to break it?

Johnie Yawn
Member
Free Members
May 1, 2017 - 10:46 am

here is our link - https://figtreelive.com/forum/

this happened when we moved the site to a new server. 

I can provide you with Admin login details if you need. just let me know how to send those to you. 

thanks for your help 

Yellow Swordfish
Glinton, England
SP Master
May 1, 2017 - 4:23 pm

It is a bit hard to see what is going on with so much javascript being loaded (your site might be the record in terms of what I have seen!). But there is clearly a problem with the bootstrap.js file which is being loaded by your WP theme. It is causing multiple script errors every page load and on every ajax call being made from a page. Thus the errors accumulate.

I am not sure how you go about fixing this. If it were me I would put the site into maintenance mode for 10 minutes and swap the WP theme for one of the WP default themes to see if that resolves the problem. Swap it back of course but it would inform us where the problem lies.

There must have been more than simply moving the site to a new server. The problems I am seeing here are more fundamental I believe.

Johnie Yawn
Member
Free Members
May 11, 2017 - 1:30 am

ok so I tried deactivating theme and trying a default and that did not fix it. I looked at the error log and see this 

 

 [:error] [pid 32736:tid  ModSecurity:  [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "243"] [id "340102"] [rev "3"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: cross site scripting attempt"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx (/(?:scripts|staff)/index\\\\.php\\\\?(?:action|_m)=)" against "REQUEST_URI" required. [hostname "figtreelive.com"] [uri "/forum/click-here-to-learn-how-to-use-figtretalkelive-com/click-here-to-learn-how-to-use-healthtalklive-com-features/<script type=\\"text/javascript\\">jQuery(document).ready(function() {spjDialogHtml('', '<div style=\\"margin: 5px; border: 2px solid red; padding: 10px;\\"><p><img src=\\"https://figtreelive.com/wp-content/plugins/simple-press/admin/resources/images/sp_Message.png\\" alt=\\"\\" style=\\"float:left; margin: -4px 10px 0 0;\\" /><b>Access denied - security check failed<br />Unable to complete the request</b></p><p><b>Please reload the page and retry the operation</b></p></div>', 'Security Alert', 0, 0, 'center', '');});</script>"] [unique_id "WRP0vFFXgY-4BFLZtLdolgAAAIA"], referer: http://figtreelive.com/forum/click-here-to-learn-how-to-use-figtretalkelive-com/click-here-to-learn-how-to-use-healthtalklive-com-features/

 

Any ideas? 

Thanks

Mr Papa
Simi Valley, CA
SP Master
Free Members
May 11, 2017 - 9:30 am

appears mod security might be making a false positive there and blocking it...  it's basically not very good...

personally, i would disable it... but that's your call.. if you want to keep it, you can ask your host to whitelist the url so it doesn't block the action...
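As an added illustration for the exchange above (not code from Simple:Press, the host or the rule vendor): a small parser that pulls the rule id and path out of ModSecurity denial lines, so a whitelist request can name one rule and one path instead of the whole WAF. The sample lines are constructed on the pattern of the quoted entry; the host, client addresses, paths, rule id 900001 and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entry quoted above (shortened;
# host, client address, paths and rule id 900001 are made up).
SAMPLE_LOG = r'''
[Thu May 11 01:20:00 2017] [:error] [pid 1:tid 2] [client 203.0.113.5] ModSecurity: [file "/etc/example.conf"] [line "243"] [id "340102"] [msg "cross site scripting attempt"] Access denied with code 403 (phase 2). [hostname "forum.example"] [uri "/forum/topic-a/<script type=\"text/javascript\">x()</script>"]
[Thu May 11 01:25:00 2017] [:error] [pid 1:tid 2] [client 203.0.113.5] ModSecurity: [file "/etc/example.conf"] [line "243"] [id "340102"] [msg "cross site scripting attempt"] Access denied with code 403 (phase 2). [hostname "forum.example"] [uri "/forum/topic-b/"]
[Thu May 11 01:30:00 2017] [:error] [pid 1:tid 2] [client 198.51.100.9] ModSecurity: [file "/etc/example.conf"] [line "10"] [id "900001"] [msg "constructed rule"] Access denied with code 403 (phase 2). [hostname "forum.example"] [uri "/wp-admin/x.php"]
[Thu May 11 01:31:00 2017] [:error] [pid 1:tid 2] PHP Notice: unrelated line
'''

# [key "value"] pairs; a value may contain backslash-escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the bracketed fields of one ModSecurity line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in FIELD.findall(line)}
    return fields if "id" in fields else None


def denied_by_rule(log_text):
    """Count denied requests per (rule id, first path segment)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or "Access denied" not in line:
            continue
        segments = [s for s in fields.get("uri", "").split("/") if s]
        prefix = f"/{segments[0]}/" if segments else "/"
        counts[(fields["id"], prefix)] += 1
    return counts
```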

Johnie Yawn
Member
Free Members
May 17, 2017 - 7:33 pm

ok I have had the host disable the ModSecurity. But the site is still not letting us delete posts. It comes up with the same error as before. 

Can I provide you with our site login for you to help us debug? We have tried everything and can't get it fixed. 

if we can't fix this we are going to have to move away from Simple Press and to another solution. 

How can I send our site login to you?

Thanks for all your help 

Mr Papa
Simi Valley, CA
SP Master
Free Members
May 17, 2017 - 10:34 pm

If you are coming up with same error, I highly question whether mod security is disabled.  The error message clearly says mod security is blocking it.

That said, we would be happy to take a look.  Please send temp credentials via private message here to yellow swordfish and mr papa.  The temp account should be a wp admin and have sp admin capabilities.  In the private message please link back to this topic so we know what it's about. 

We also may need ftp access in order to add some debug code but let's not worry about that right now. 
