solved Lucid Skin Error gets my server blocked on Chrome and Safari

Hello. So, after the exchange about FollowMe not being a great skin for blogs, I went with a blogging skin, Lucid. Installed it, have been working with it... I am using the dark style of the skin and wanted to find out where the color for the font on the blog post information is - because it's dark gray on a black background. This has happened to me twice tonight... I scrolled on the Skin Style page - from the admin_log.css and tried to go to "base.css"

I get a 403 error and am then banned from going to my own site for a few hours, using Chrome (I can still get there using Safari). Here is the error I receive, when I try to circumvent the web address and just go straight to the IP addrress:

74.208.166.135 normally uses encryption to protect your information. When Google Chrome tried to connect to 74.208.166.135 this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be 74.208.166.135, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit 74.208.166.135 right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later."

I reinstalled an SSL certificate earlier and turned off the "force to https" and turned it back on, which either fixed it or coincided with the period of time that Chrome blocked/banned me. But, considering this has happened twice when I did the same thing using the Jamroom software, there has to be something odd happening when I try to navigate to other parts of the Lucid style information...

And when I tried using Safari to navigate to any other *.css file in the list, I got the 403 error and I'm now unable to get to my website via Safari. I can, however, still access my server console - which, I can't do in Chrome.

So, I'm unable to do anything on my website for the rest of the night, I guess.

Thanks.
updated by @jrblack1175: 04/25/20 08:38:52AM

Never seen that before. Got a URL to to take a look at? Send it to support at jamroom dot net if you dont want to put it publicly.

I don’t know how to give you a url to my admin console w/o credentials?

I sent the requested info to the email... Any luck? Did you reproduce the error?

What happens when the selection in the "CSS File" option is selected is the:
jrCore_create_media_directory()

function is called that tries to create a new media directory which should be created at:
/public_html/data/media/0/0

and if that cant be created you should see it in the error log at:
/public_html/data/logs/error_log

My current best guess is the apache2 user does not have write permissions for that location and that's whats causing the error.

--edit--
It looks like the block can be navigated around by using the CONTAINER TABS plugin in firefox:
https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

just open as a different user and the block is no longer in place.
updated by @michael: 04/23/20 09:02:07PM

Um, I don't need to navigate around the block by installing a third browser. I need to be able to update the style in the template without getting blocked from my server - in 2 different browsers, btw. On multiple occasions.

And if that's not a possibility - to update the COLOR OF THE TEXT on a skin, then there's some serious issues with that skin... How about I try to see if I can replicate the same error in another skin? Or maybe you can tell me which skin works with this software - since Follow Me wasn't a good choice because "it's not really for blogs" and Lucid isn't a good choice because it has a fatal error when trying to change the color of text.

Same problem with Elastic2. I try to go to a different .css file in the drop-down list and get blocked. I'm done.

I navigated to the media directory. It exists, and all kinds of files are in there, including my custom header file. So, it makes 0 sense that there's no write capabilities to that file. Clearly, when I used another part of the UI to upload those new files, it was able to write to that folder and put the images in there. So, it's not my server. It's a bug.

its not a skin issue. its a server issue. The issue is the server is not allowing its own process (the one that is running the site) to write to the file system.

Then what its doing is blocking the user at the browser level.

Its not a bug, it reads "Server Error - 403 Forbidden". Unless its a bug in the area of the path creation which could be possible because its in a sub-directory. I can check that out.

Are you able to access your servers error logs? Could you see if there is any information about what its complaining about?

I can access my server error logs:

GET /jamroom/core/skin_admin/style/skin=jrElastic2/file=admin_menu.css/section=advanced HTTP/1.0

GET /error_docs/styles.css HTTP/1.0

GET /jamroom/profile/get_pulse_counts/__ajax=1 HTTP/1.0

[client 212.102.50.92] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:tyle|rc)|href)\\\\b[\\\\s\\\\S]*?=" at REQUEST_COOKIES:jr_location_url. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "814"] [id "941150"] [rev "2"] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: style/skin= found within REQUEST_COOKIES:jr_location_url: https://blissfulignorance.com/jamroom/core/skin_admin/style/skin=jrElastic2/file=admin_menu.css/section=advanced"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [tag "paranoia-level/2"] [hostname "blissfulignorance.com"] [uri "/jamroom/core/skin_admin/style/skin=jrElastic2/file=admin_menu.css/section=advanced"] [unique_id "XqKB@2FlBtC7TcJy@diYUQAAAA8"], referer: https://blissfulignorance.com/jamroom/core/skin_admin/style/skin=jrElastic2

[client 212.102.50.92] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "blissfulignorance.com"] [uri "/jamroom/core/skin_admin/style/skin=jrElastic2/file=admin_menu.css/section=advanced"] [unique_id "XqKB@2FlBtC7TcJy@diYUQAAAA8"], referer: https://blissfulignorance.com/jamroom/core/skin_admin/style/skin=jrElastic2

I read that as "Plesk" (a web hosting control script) has installed some extra security measures to protect itself on your server and that one of its rules:
Which to me means that any piece of software that has a url that contains
is going to trigger that issue.

Just to follow up here that this is NOT a Jamroom issue - this is mod_security catching a legitimate Jamroom URL and thinking it is a problem. This is an Apache mod_security problem - not a Jamroom problem.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Seems like the skin is throwing some invalid OWASP errors. And to be fair, I have installed other software with css styles, and don’t have the same problem.

But, thanks for all your help.
updated by @jrblack1175: 04/25/20 09:21:35AM

The errors aren't coming from the skin, they're coming from another piece of software that is running on your server: Plesk

Wikipedia: Plesk
https://en.wikipedia.org/wiki/Plesk

Plesk is software installed into the server to add a graphical interface to navigate server operations.

You're version of it has added extra security rules to the server. Its those extra rules that are the cause of the issue.

The new rules it has added state: "No site on this server is allowed to have a url that contains this set of letters in its url 'style/skin=' ".

Unfortunately for Jamroom we do have a url that contains those letters, so we trigger the issue.

It is correct that we could re-write how jamroom works to make sure we don't use that series of letters.