Effects (my environment):
Running php 8.2 for webtrees 2.1.22
Running php 8.3 for webtrees 2.2
Standard Install (out of the box) mod security (no custom rules)
Both Firefox and Chrome
Cpanel/WHM 126.0.16
AlmaLinux V8.10.0
Apache 2.4
Both the user side and the admin console sign out buttons get blocked by Mod Security (no custom rules). I was able to fix the admin console side sign out by modifying the code in resources/views/layouts/administration.phtml as follows.
After line 66
```php
<!-- original code -->
<!--
<a class="nav-link" href="#" data-wt-post-url="<?= e(route(Logout::class)) ?>" data-wt-reload-url="<?= e(route(HomePage::class)) ?>"><?= I18N::translate('Sign out') ?></a>
-->
<!-- mod by dave -->
<form name="signout_form" id="signout_form" method="POST" action="<?= e(route(Logout::class)) ?>">
    <input class="nav-link" type="submit" name="logout_submit" id="logout_submit" value="<?= I18N::translate('sign out'); ?>">
</form>
<?php
redirect(e(route(HomePage::class)));
?>
```
To explain my code: the form executes the sign out, and since the form does not include the redirect as in the original code, I added the redirect after.
As far as the user side sign out button goes, I was not able to correct the issue because the user side button is dynamically created. However, here is the entry in the mod security log which triggers when the user sign out button is clicked.
```
Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.7"] [tag "event-correlation"]
```
It also produces a 403 forbidden in the web console view
```
POST https://example.com/index.php?route=%2Flogout 403 (Forbidden)
e.httpPost @ webtrees.min.js?v=2.1.22:1
(anonymous) @ webtrees.min.js?v=2.1.22:1
```
and
```
webtrees.min.js?v=2.1.22:1 Fetch failed loading: POST "https://example.com/index.php?route=%2Flogout".
e.httpPost @ webtrees.min.js?v=2.1.22:1
(anonymous) @ webtrees.min.js?v=2.1.22:1
```
Have not been able to make the user sign out button work properly, so I created this issue.
Dave :)
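The log entry quoted in the post comes from CRS rule 980130, which reports the accumulated anomaly score rather than inspecting the request. As an added example (not part of the original post or of webtrees), this parser breaks that entry down to show what to look for next in the log. The `REPORTING_IDS` set and the assumption about category counters noted in the comments belong to this example.

```python
import re

# The ModSecurity entry quoted in the post above, copied verbatim.
SAMPLE = (
    'Operator GE matched 5 at TX:inbound_anomaly_score. '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] '
    '[line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - '
    'SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: '
    '5, 0, 0, 0"] [ver "OWASP_CRS/3.3.7"] [tag "event-correlation"]'
)

# CRS 3.x rules that only act on the accumulated score: 949110 blocks, 980130 reports.
REPORTING_IDS = {"949110", "980130"}

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_entry(line):
    """Split one ModSecurity log entry into its bracketed fields and score breakdown."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    msg = fields.get("msg", [""])[0]
    total = re.search(r"Total Inbound Score: (\d+)", msg)
    levels = re.search(r"paranoia level scores: ([\d, ]+)", msg)
    return {
        "id": fields.get("id", [None])[0],
        "tags": fields.get("tag", []),
        "total": int(total.group(1)) if total else None,
        "categories": {k: int(v) for k, v in re.findall(r"\b([A-Z]+)=(\d+)", msg)},
        "paranoia": [int(s) for s in levels.group(1).split(",")] if levels else [],
    }

def triage(entry):
    """Return notes telling the operator where to look next."""
    notes = []
    if entry["id"] in REPORTING_IDS:
        notes.append("summary rule: the detection rule is a separate entry for the same request")
    if entry["total"] is not None:
        # Assumption: attack-category rules raise their category counter with the score.
        rest = entry["total"] - sum(entry["categories"].values())
        if rest > 0:
            notes.append(f"{rest} point(s) from rules outside the listed attack categories")
    hit = [str(i + 1) for i, s in enumerate(entry["paranoia"]) if s]
    if hit:
        notes.append("scored at paranoia level " + ", ".join(hit))
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_entry(SAMPLE))))
```

For the entry above, all 5 points fall outside the eight listed categories and were scored at paranoia level 1, so the rule to identify is whichever one logged a match on the `/logout` POST just before this summary line.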