Luis,
Thank you for the message. I am running this on a Linux server and enabled mod_rewrite, which was an option I selected during the setup. I also uploaded the .htaccess file, although I did not modify it as the rewrite rules look like they are enabled by default.
I can submit other pages in the admin (create new pages, update look and feel, update my password, etc). It is just the System settings submission that is giving me the error. Looking at the HTTP headers the error I see is: HTTP/1.1 404 Not Found
I did some more digging (with the awesome support people at Vivio Technologies) and think we may have found something. I am running Comodo WAF and when I disable that for the domain, I was able to submit the system settings page. When I re-enable it I cannot. It turns out it was failing on these two rules:
213020: COMODO WAF: IE XSS Filters - Attack Detected.
211650: COMODO WAF: Detects MSSQL code execution and information gathering attempts
Here is the error message that get sent to me (I changed the domain name for sharing purposes):
[Sun Feb 14 21:58:11 2016] [error] [client 50.178.111.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\”’\\xc3\\x82\\xc2\\xb4\\xc3\\xa2\\xc2\\x80\\xc2\\x99\\xc3\\xa2\\xc2\\x80\\xc2\\x98]\\\\s*?!\\\\s*?[\\"'
\xc3\x82\xc2\xb4\xc3\xa2\xc2\x80\xc2\x99\xc3\xa2\xc2\x80\xc2\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|data …" at ARGS:cb_editors_ckeditor_toolbar. [file “/var/cpanel/cwaf/rules/23_SQL_SQLi.conf”] [line “30”] [id “211650”] [msg “COMODO WAF: Detects MSSQL code execution and information gathering attempts”] [data “Matched Data: \x22Select\x22 found within ARGS:cb_editors_ckeditor_toolbar: [\x0d\x0a{ \x22name\x22: \x22document\x22, \x22items\x22 : [ \x22Source\x22,\x22-\x22,\x22Maximize\x22,\x22ShowBlocks\x22 ] },\x0d\x0a{ \x22name\x22: \x22clipboard\x22, \x22items\x22 : [ \x22Cut\x22,\x22Copy\x22,\x22Paste\x22,\x22PasteText\x22,\x22PasteFromWord\x22,\x22-\x22,\x22Undo\x22,\x22Redo\x22 ] },\x0d\x0a{ \x22name\x22: \x22editing\x22, \x22items\x22 : [ \x22Find\x22,\x22Replace\x22,\x22SpellChecker\x22] },\x0d\ [hostname “www.domain.com”] [uri “/cbadmin/settings/save”] [unique_id “VsFM09BN0FIAAE9G8JYAAAAB”]
[Sun Feb 14 21:58:37 2016] [error] [client 50.178.111.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\”’\\xc3\\x82\\xc2\\xb4\\xc3\\xa2\\xc2\\x80\\xc2\\x99\\xc3\\xa2\\xc2\\x80\\xc2\\x98]\\\\s*?!\\\\s*?[\\"'
\xc3\x82\xc2\xb4\xc3\xa2\xc2\x80\xc2\x99\xc3\xa2\xc2\x80\xc2\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|data …” at ARGS:cb_editors_ckeditor_toolbar. [file “/var/cpanel/cwaf/rules/23_SQL_SQLi.conf”] [line “30”] [id “211650”] [msg “COMODO WAF: Detects MSSQL code execution and information gathering attempts”] [data “Matched Data: \x22Select\x22 found within ARGS:cb_editors_ckeditor_toolbar: [\x0d\x0a{ \x22name\x22: \x22document\x22, \x22items\x22 : [ \x22Source\x22,\x22-\x22,\x22Maximize\x22,\x22ShowBlocks\x22 ] },\x0d\x0a{ \x22name\x22: \x22clipboard\x22, \x22items\x22 : [ \x22Cut\x22,\x22Copy\x22,\x22Paste\x22,\x22PasteText\x22,\x22PasteFromWord\x22,\x22-\x22,\x22Undo\x22,\x22Redo\x22 ] },\x0d\x0a{ \x22name\x22: \x22editing\x22, \x22items\x22 : [ \x22Find\x22,\x22Replace\x22,\x22SpellChecker\x22] },\x0d\ [hostname “www.domain.com”] [uri “/cbadmin/settings/save”] [unique_id “VsFM7dBN0FIAAE7MyT8AAAAA”]
[Sun Feb 14 22:05:29 2016] [error] [client 50.178.111.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\”’\\xc3\\x82\\xc2\\xb4\\xc3\\xa2\\xc2\\x80\\xc2\\x99\\xc3\\xa2\\xc2\\x80\\xc2\\x98]\\\\s*?!\\\\s*?[\\"'
\xc3\x82\xc2\xb4\xc3\xa2\xc2\x80\xc2\x99\xc3\xa2\xc2\x80\xc2\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|data …” at ARGS:cb_editors_ckeditor_toolbar. [file “/var/cpanel/cwaf/rules/23_SQL_SQLi.conf”] [line “27”] [id “211650”] [rev “2”] [msg “COMODO WAF: Detects MSSQL code execution and information gathering attempts”] [data “Matched Data: \x22Select\x22 found within ARGS:cb_editors_ckeditor_toolbar: [\x0d\x0a{ \x22name\x22: \x22document\x22, \x22items\x22 : [ \x22Source\x22,\x22-\x22,\x22Maximize\x22,\x22ShowBlocks\x22 ] },\x0d\x0a{ \x22name\x22: \x22clipboard\x22, \x22items\x22 : [ \x22Cut\x22,\x22Copy\x22,\x22Paste\x22,\x22PasteText\x22,\x22PasteFromWord\x22,\x22-\x22,\x22Undo\x22,\x22Redo\x22 ] },\x0d\x0a{ \x22name\x22: \x22editing\x22, \x22items\x22 : [ \x22Find\x22,\x22Replace\x22,\x22SpellChecker\x2 [hostname “www.domain.com”] [uri “/cbadmin/settings/save”] [unique_id “VsFOiNBN0FIAAGz5wWwAAAAE”]
[Sun Feb 14 22:08:09 2016] [error] [client 50.178.111.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\”’\\xc3\\x82\\xc2\\xb4\\xc3\\xa2\\xc2\\x80\\xc2\\x99\\xc3\\xa2\\xc2\\x80\\xc2\\x98]\\\\s*?!\\\\s*?[\\"'
\xc3\x82\xc2\xb4\xc3\xa2\xc2\x80\xc2\x99\xc3\xa2\xc2\x80\xc2\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|data …” at ARGS:cb_editors_ckeditor_toolbar. [file “/var/cpanel/cwaf/rules/23_SQL_SQLi.conf”] [line “27”] [id “211650”] [rev “2”] [msg “COMODO WAF: Detects MSSQL code execution and information gathering attempts”] [data “Matched Data: \x22Select\x22 found within ARGS:cb_editors_ckeditor_toolbar: [\x0d\x0a{ \x22name\x22: \x22document\x22, \x22items\x22 : [ \x22Source\x22,\x22-\x22,\x22Maximize\x22,\x22ShowBlocks\x22 ] },\x0d\x0a{ \x22name\x22: \x22clipboard\x22, \x22items\x22 : [ \x22Cut\x22,\x22Copy\x22,\x22Paste\x22,\x22PasteText\x22,\x22PasteFromWord\x22,\x22-\x22,\x22Undo\x22,\x22Redo\x22 ] },\x0d\x0a{ \x22name\x22: \x22editing\x22, \x22items\x22 : [ \x22Find\x22,\x22Replace\x22,\x22SpellChecker\x2 [hostname “www.domain.com”] [uri “/cbadmin/settings/save”] [unique_id “VsFPKNBN0FIAAG6OaogAAAAC”]
[Sun Feb 14 22:08:45 2016] [error] [client 50.178.111.223] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?i:(?:\\sexec\\s+xp_cmdshell)|(?:[\”’\\xc3\\x82\\xc2\\xb4\\xc3\\xa2\\xc2\\x80\\xc2\\x99\\xc3\\xa2\\xc2\\x80\\xc2\\x98]\\\\s*?!\\\\s*?[\\"'
\xc3\x82\xc2\xb4\xc3\xa2\xc2\x80\xc2\x99\xc3\xa2\xc2\x80\xc2\x98\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|data …” at ARGS:cb_editors_ckeditor_toolbar. [file “/var/cpanel/cwaf/rules/23_SQL_SQLi.conf”] [line “27”] [id “211650”] [rev “2”] [msg “COMODO WAF: Detects MSSQL code execution and information gathering attempts”] [data "Matched Data: \x22Select\x22 found within ARGS:cb_editors_ckeditor_toolbar: [\x0d\x0a{ \x22name\x22: \x22document\x22, \x22items\x22 : [ \x22Source\x22,\x22-\x22,\x22Maximize\x22,\x22ShowBlocks\x22 ] },\x0d\x0a{ \x22name\x22: \x22clipboard\x22, \x22items\x22 : [ \x22Cut\x22,\x22Copy\x22,\x22Paste\x22,\x22PasteText\x22,\x22PasteFromWord\x22,\x22-\x22,\x22Undo\x22,\x22Redo\x22 ] },\x0d\x0a{ \x22name\x22: \x22editing\x22, \x22items\x22 : [ \x22Find\x22,\x22Replace\x22,\x22SpellChecker\x2 [hostname “www.domain.com”] [uri “/cbadmin/settings/save”] [unique_id “VsFPTNBN0FIAAG8fCjAAAAAH”]
For now I have those two rules disabled and things are working. I will try and see what might be causing this. I can’t imagine I would be the only one running this configuration but I couldn’t find any references to the error in the Google Group. If you want to email me privately to discuss further, that would be fine as I don’t want to share too much specifics here. Thank you for your help.
-Daniel
Daniel Garcia
daniel@garciadev.com