Cannot display extended diagnostics
I've suddenly found that I can no longer display the extended diagnostics panels for any of my hosted Perch or Runway sites. I can't recall the last time I checked one of them, so can't tell from when this happened. The problem is happening on all Perch sites (3.1.1 or 2.8.34) and Runway sites (3.1.1 or 3.0.11), so my suspicions are that something's changed at the hosting that is causing this.
For Perch sites, a URL containing /core/settings/diagnostics/ works fine but /core/settings/diagnostics/?extended produces a 403 Forbidden error and 'You don't have permission to access /perch/core/settings/diagnostics/index.php on this server.'. For Perch Runway sites, a 404 error is displayed.
Can you tell me what /?extended is doing that might be causing the problem so I can narrow down the cause and fault?
Has your host installed any security filtering that might be blocking the page?
I'm not aware of any changes, and have a lot of control over the hosting (it's a VPS). What would the 'extended' page be doing over/above the 'basic' diagnostics page? I can then give my host a few clues as to where the issue might be. Incidentally, the Perch installs are in a variety of PHP versions (5.6 to 7.1) and the issue is there on every one I've randomly tried.
I think the fact that it is all sites on your VPS and no-one else is reporting this says it's probably something to do with that environment. I'd suggest asking them or poking round the error logs to see what you can find.
The problem has been solved, and I've documented it below as I'm sure other people may hit the same problem if they use CPanel hosting, which uses the OWASP rule set for mod sec (ModSecurity).
The Perch or Runway extended diagnostics page triggers rule 951220 which relates to SQL data leakage. The severity of the rule break further triggered rule 980140. The issue is logged in the main apache error log (usually something like /var/log/apache2/error_log) for the relevant account on the server. We then whitelisted both rules for a test account and the extended diagnostics page now displays correctly.
We're now either going to whitelist those rules individually for each Perch site we host, or do a global whitelist of them. We're taking advice on that right now. I guess that the rule set was recently updated and has caused this, as we've always had mod sec running but not seen this problem until very recently.
Hope this info helps others. I'd be interested to know if there's any change that could be made to the way the extended diagnostics page requests the info it needs, such that it doesn't trigger the rules? Or maybe the rule has been badly written by OWASP? If either Drew or Rachel need the detailed apache2/error_log entry, let me know and I'll email it over.
Graham
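Added example, not part of the original posts: a short Python script that pulls the rule IDs triggered for the diagnostics URL out of an Apache error log and renders an exclusion limited to that path, as a narrower alternative to a global whitelist. The log lines are constructed, the function names are hypothetical, and it assumes ModSecurity 2.x on Apache, where `SecRuleRemoveById` can be placed inside a `<LocationMatch>` block.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x Apache error-log layout; hosts,
# client addresses, messages and the 920350 entry are invented for illustration.
SAMPLE_LOG = "\n".join([
    '[Tue Jan 09 10:15:01 2018] [:error] [client 203.0.113.7] ModSecurity: Warning. '
    '[id "951220"] [msg "SQL data leakage (constructed)"] [severity "CRITICAL"] '
    '[hostname "site-a.example"] [uri "/perch/core/settings/diagnostics/index.php"]',
    '[Tue Jan 09 10:15:01 2018] [:error] [client 203.0.113.7] ModSecurity: Warning. '
    '[id "980140"] [msg "Outbound score exceeded (constructed)"] '
    '[hostname "site-a.example"] [uri "/perch/core/settings/diagnostics/index.php"]',
    '[Tue Jan 09 10:16:40 2018] [:error] [client 203.0.113.9] ModSecurity: Warning. '
    '[id "951220"] [msg "SQL data leakage (constructed)"] [severity "CRITICAL"] '
    '[hostname "site-b.example"] [uri "/perch/core/settings/diagnostics/index.php"]',
    '[Tue Jan 09 10:20:12 2018] [:error] [client 198.51.100.4] ModSecurity: Warning. '
    '[id "920350"] [msg "Unrelated request rule (constructed)"] '
    '[hostname "site-a.example"] [uri "/contact"]',
    '[Tue Jan 09 10:21:00 2018] [:error] [client 198.51.100.4] PHP Notice: unrelated',
])

# ModSecurity appends metadata as [key "value"] pairs; values may hold escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def rules_for_path(log_text, path_fragment):
    """Map rule id -> set of hostnames for ModSecurity hits whose URI contains path_fragment."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # skip PHP notices and other Apache errors
        fields = dict(FIELD.findall(line))
        if "id" in fields and path_fragment in fields.get("uri", ""):
            hits[fields["id"]].add(fields.get("hostname", "unknown"))
    return dict(hits)

def scoped_exclusion(path_fragment, rule_ids):
    """Render an Apache block removing the rules only under the matching path.
    Assumes path_fragment contains no regex metacharacters."""
    ids = " ".join(sorted(rule_ids))
    return (f'<LocationMatch "{path_fragment}">\n'
            f'    SecRuleRemoveById {ids}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    found = rules_for_path(SAMPLE_LOG, "/core/settings/diagnostics/")
    for rule_id, hosts in sorted(found.items()):
        print(rule_id, sorted(hosts))
    print(scoped_exclusion("/core/settings/diagnostics/", found))
```

Scoping the removal to the diagnostics path leaves both rules active for the rest of each site.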
The point of that report is to expose that technical information, so there are no plans to change it at the moment.
No problem. I guess that OWASP just updated the rules and these got implemented on a recent CPanel update. Anyway, hopefully useful if someone else hits the same problem soon.