Anyone Use ConcreteCMS? I have an issue, you may have an issue also.

[sirius]

Wondering if there is anyone else at TCH using concreteCMS?

I have used concrete for years, though I am far from an expert. Suddenly an issue has come up where ModSecurity is blocking some page edits. I can not edit a block using an inline CSS style. When I try to save, a "403 Forbidden" error is returned. TCH and my testing show that ModSecurity is the issue. I have been advised to ask TCH to modify ModSecurity rules to allow but TCH says they can not do such a thing due to security issues. I can turn ModSecurity off and the edits will work, but that does not seem like the proper thing to do.

This issue exists with a fresh install of the newest version, 9.1.1 installed today via softaculous, an install that used 8.5.6, the same 8.5.6 upgraded to 9.1.1, and a 5.6.4.0 version, every install I have at TCH (all on the same shared server). I don't have access to another host company at the moment so can not test off of TCH servers. 

Does anyone else have this issue?

It appears to me that this issue makes concreteCMS useless on a TCH server.

Thank you for any replies.

[TCH-Dick]

Hi,

Unfortunately, if Concrete CMS is triggering ModSecurity then you will find that it does so on any host choosing to run most core rules. We have seen in the past where this CMS has issued updates to fix triggering ModSecurity but I am not sure if that is something you can rely on happening quickly. 

It is always a good idea to leave ModSecurity enabled in your account, but we do provide an option to disable it as sometimes there is no other reasonable option. In your case, I have asked our techs to disable two rules for your cPanel user only. We do not normally offer this type of exclusion often as it requires manual maintenance of rules for every user requiring them, but all clients are free to ask.

Someone will update ticket shortly about the specific rules that are being disabled. Please note that we can not guarantee these rules will remain disabled due to updates and should be considered temporary.  I also recommend reaching out to Concrete CMS and request they work to implement changes.

 

[sirius]

Thank you for the reply. I do not think it is so that I " will find that it does so on any host choosing to run most core rules" as I have made an exact copy of this install of Concrete and moved it to a shared hosting account at TCH, it worked fine. 

Also, it is not just Concrete having this issue, as I said in my help ticket, CMS Made Simple (fresh install) has the issue as does osCommerce. An install of osCommerce on shared hosting works fine, but on my Reseller account the osCommerce that has been there for quite a time suddenly can not be edited.