
Tag: wordpress

Bug Report [Fixed]: WordPress Plugin “miniOrange Broken Link Checker” syntax errors

In an effort to prove to myself that I am actually trying to do work this month, I’m making a note of all the bugs in 3rd party software I find.

Today's is a bug reported to the developers of the miniOrange Broken Link Checker | Finder WordPress plugin on 11th June 2022, through the WordPress plugin forum, about database syntax errors caused by version 2.1 of that plugin.

Google Domains closing – current .com domain name prices

I’ve spent a while migrating all of our non-.uk domain names to Google Domains – only for Google to announce that as of September 7th 2023 they are stopping all new domain registrations and moving the public domain registrations over to Squarespace (Google Domains lasted 9 years before being killed by Google).

We were paying £10/year for .com (and .net and .dev) domain name purchases/renewals with Google – but what are the “current market prices”?

(I was starting to migrate domains over to WordPress (mainly for the free year of renewal), but finding out that they don’t support DNSSEC and that there isn’t an ETA for its implementation means I might have to look elsewhere.)

Domain provider | .com price (one year) | Notes | Thanks to
--- | --- | --- | ---
Cloudflare | £7.47 | Price converted from $9.15 USD. Does support DNSSEC. Domains must use Cloudflare’s authoritative DNS provider. |
WordPress | £10.00 | Currently offering free transfer + 1 year renewal for domains currently with Google Domains. Does not support DNSSEC. |
ResellerClub | £10.44 | Price converted from $12.79. Available to resellers only. |
Amazon Route 53 | £10.63 | Price converted from $13.00. |
ClouDNS | £10.93 | Price converted from $13.39 USD. Does support DNSSEC. |
Dynadot | £10.99 | |
OpenSRS | £11.23 | Price converted from $13.75 USD. Available to resellers only. |
Namecheap | £11.40 | New customer pricing of £4.87. | Neil Turner via Mastodon
DNSimple | £11.86 | Price converted from $14.50 USD. Requires a free subscription. Does support DNSSEC. |
Shopify | £12.28 | Price converted from $15.00 USD. Might be limited to using Shopify’s platform. |
20i | £12.49 | Does support DNSSEC. Reseller pricing £10.49 (reseller package costs £47.99/month). |
OpenProvider | £12.76 | Price converted from $15.58 USD. Members pricing £8.00 (membership costs $49.99/year). |
OVHCloud | £12.95 | First year registration: £10.19. Does support DNSSEC. |
Hetzner | £13.55 | Price converted from €15.60 EUR. |
Hover | £14.73 | Price converted from $17.99 USD. First year registration £13.10. |
EasyDNS | £15.51 | Price converted from $19.00 USD. |
Squarespace | £16.00 | New provider for Google Domains customers. First year registration £9.60. |
Hostgator | £16.37 | Price converted from $19.99 USD. First year registration £10.61. |
Joker | £16.62 | |
HeartInternet | £16.78 | Advertised prices exclude VAT. First year registration £11.98. |
Mythic Beasts | £17.40 | Advertised prices exclude VAT. Does support DNSSEC. | Jonathan Matthews via Mastodon
Bluehost | £18.00 | Price converted from $21.99. First year registration £10.91. |
Ionos | £18.00 | First year registration £1.20. | Howard Cheng via Mastodon
Domain.com | £18.00 | Price converted from $21.99. |
Network Solutions | £20.48 | Price converted from $25. I bought my first domain from them in 1998 – NS has been sold 4 times since! |
Easily | £20.89 | Advertised prices exclude VAT. |
123-Reg | £20.38 | Advertised prices exclude VAT. First year registration £5.99. |
GoDaddy | £21.56 | Advertised prices exclude VAT. First year registration £10.78. |
Glauca | £22.65 | |
Namesco | £23.98 | Advertised prices exclude VAT. First year registration £11.98. |
Gandi | £23.99 | First year registration £16.54. | Philip John via Mastodon

Disclaimer:

Prices are shown in £ (GBP/Pound Sterling) and are based on publicly available “single year renewal” prices at the date I added them to the table (with any different registration pricing noted).

Where possible, all prices include UK VAT/Tax and have been converted from any other currencies to GBP using Xe.com where the site itself did not provide currency conversion.

I can’t be held responsible for any errors, omissions, out of date information etc etc – I did my best! 😀

Edited 25th September 2023:

  • Added “Thanks” to people who reminded me of certain registries
  • Added Ionos, Mythic Beasts, DNSimple, Amazon Route 53, Easily, Hetzner, Network Solutions, Shopify, Domain.com, OVHCloud, Glauca, Joker, Hostgator, OpenProvider, Dynadot and Hover.
  • Added note of DNSSEC support and reseller pricing to 20i
  • Corrected ordering placement of Heartinternet
  • Clarified Disclaimer.

ActivityPub for WordPress – How to fix ModSecurity to make it work

Like many people at the moment (due to Elon Musk’s purchase of Twitter), I’m moving from my nearly 14-year-old Twitter account @rbairwell to Mastodon, where I’m currently at @rbairwell@mastodon.org.uk. I was also pointed towards @pfefferle@mastodon.social's WordPress plugin ActivityPub For WordPress, which allows me to put my blog directly “on the Fediverse” and allows you to follow it at @richyb@blog.rac.me.uk.

Symptoms / stuck on “Withdraw follow request”

However, after installing the plugin and then trying to follow my blog, I just got a “Withdraw follow request” prompt in Mastodon – and, even after giving it a few minutes to account for server lag, my follow didn’t show up in WordPress->Users->Followers (Fediverse). If you want, you can just skip to the solution for root users.

Investigation / Mod Security Logs

My initial thought was that mod_security (the web application firewall in front of the site) might be intercepting and blocking the request for security purposes. Turns out I was correct first time! Looking at my cPanel WHM's Security Center->ModSecurity Tools->Hits List, I found that the requests were being blocked by rule 920420 of the OWASP Core Rule Set, which produced the following hit:

Field | Data
--- | ---
Rule id | 920420: Request content type is not allowed by policy
Severity | Critical
Status | 403
Request | POST /wp-json/activitypub/1.0/users/3/inbox
Action Description | Warning.
Justification | Match of “within %{tx.allowed_request_content_type}” against “TX:content_type” required.

Details of the mod_security hit

Searching the mod security audit log for the request URL using grep /wp-json/activitypub/ /var/log/apache2/modsec_audit.log gave me the “incident id/file location”:

blog.rac.me.uk xxx.xxx.xxx.xxx - - [xx/xxx/xxxx:xx:xx:xx +0000] "POST /wp-json/activitypub/1.0/users/3/inbox HTTP/1.1" 403 4077 "-" "-" Y2z65HnPJZ2EEJpVH6GcggAAAA8 "-" /xxxxx/20221110/20221110-1321/20221110-132140-Y2z65HnPJZ2EEJpVH6GcggAAAA8 0 5109 md5:39bb07d5be0cc904943570b3a39fddbc

Looking at the referenced audit file /var/log/apache2/modsec_audit/xxxxx/20221110/20221110-1321/20221110-132140-Y2z65HnPJZ2EEJpVH6GcggAAAA8 showed me:

...
--daee5752-B--
POST /wp-json/activitypub/1.0/users/3/inbox HTTP/1.1
Host: blog.rac.me.uk
...
Content-Type: application/activity+json
...
--daee5752-H--
...
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/activity+json|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "blog.rac.me.uk"] [uri "/wp-json/activitypub/1.0/users/3/inbox"] [unique_id "Y2z65HnPJZ2EEJpVH6GcggAAAA8"]

This showed that ActivityPub makes its requests with a Content-Type of application/activity+json, which isn’t in the default content-type policy of the OWASP Core Rule Set (OWASP_CRS/3.3.2), so the request is scored as a critical protocol violation and rejected.
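To triage hits like the one above without reading each audit file by hand, here is a small parser for the bracketed [key "value"] fields that ModSecurity writes. This is an added example, not code from the plugin or from the original post; the sample line is constructed to match the shape of the Apache-Error line above, with the client IP, hostname and unique_id replaced by placeholders.

```python
import re

# Constructed sample in the shape of the Apache-Error line from the audit log.
# 192.0.2.10, blog.example and PLACEHOLDERID are placeholders, not real values.
SAMPLE_LINE = (
    'Apache-Error: [file "apache2_util.c"] [line 271] [level 3] '
    '[client 192.0.2.10] ModSecurity: Warning. Match of "within '
    '%{tx.allowed_request_content_type}" against "TX:content_type" required. '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/'
    'REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] '
    '[msg "Request content type is not allowed by policy"] '
    '[data "|application/activity+json|"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/3.3.2"] [tag "attack-protocol"] [tag "paranoia-level/1"] '
    '[hostname "blog.example"] [uri "/wp-json/activitypub/1.0/users/3/inbox"] '
    '[unique_id "PLACEHOLDERID"]'
)

# Fields are [key "quoted value"]; a few Apache-side ones ([line 271],
# [client ...]) are unquoted, so both forms are accepted.
FIELD_RE = re.compile(r'\[(\w+) (?:"([^"]*)"|([^\]]*))\]')

def parse_modsec_line(line):
    """Return a dict of ModSecurity fields.

    Keys that occur more than once (tag, and file/line, which appear both for
    the Apache source and for the rule file) are returned as lists.
    """
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(quoted if quoted else bare)
    return {k: (v[0] if len(v) == 1 else v) for k, v in fields.items()}

def content_type_rejection(fields):
    """If this hit is CRS rule 920420, return (uri, rejected media type), else None.

    The media type is stored in [data] wrapped in pipes, so strip them.
    """
    if fields.get("id") != "920420":
        return None
    return fields["uri"], fields["data"].strip("|")

if __name__ == "__main__":
    parsed = parse_modsec_line(SAMPLE_LINE)
    print(content_type_rejection(parsed))
```

Running this over every ModSecurity line in the Apache error log gives a quick list of which URIs are being rejected for which media types, which is the information needed to decide whether a policy exception is justified.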

So how to fix this?

If you do not have root access to your server, you might only have the option to turn off mod_security entirely for your domain, which will restore access but also removes the WAF’s protection from every request to that site.

If you do have root access, you’ll be able to view rule 920420 in either your control panel (WHM users->Security Center->ModSecurity Tools->Rules List) or on your server at the path listed in the log ( /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf ). However, you’ll find that it lists:

# In case Content-Type header can be parsed, check the mime-type against
# the policy defined in the 'allowed_request_content_type' variable.
# To change your policy, edit crs-setup.conf and activate rule 900220.
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
    "id:920420,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Request content type is not allowed by policy',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.3.2',\
    severity:'CRITICAL',\
    setvar:'tx.content_type=|%{tx.0}|',\
    chain"
    SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
        "t:lowercase,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

But not the list of content types that are actually allowed. Whilst these are defined in rule 901162 (found by searching for “tx.allowed_request_content_type”), you shouldn’t modify the vendor-supplied rules.

The comment above says the right place is rule 900220 within crs-setup.conf. But it’s not advisable to change that file (at /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/crs-setup.conf on my cPanel server) on cPanel servers either, as it might get updated/changed by cPanel itself.

Adding the new mod security rule to allow application/activity+json

Therefore, I’ve just created a new rule within mod_security (again WHM->Security Center->ModSecurity Tools->Rules List->Add Rule ) that repeats the default policy with the additional content type appended. This only takes effect because custom rules are loaded before the CRS rules: rule 901162 fills in the default list only when tx.allowed_request_content_type has not already been set.

SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/activity+json|'"

Note that the list of content types is separated by spaces, but each entry is enclosed in pipe symbols – the pipe ( | ) isn’t the separator! The pipes matter because @within is a plain substring test: the rule wraps the request’s media type in pipes before checking, so only an exact entry such as |application/json| matches, rather than any fragment that happens to appear somewhere in the list.
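To check the policy change before touching the live server, the following replays the two-rule chain of 920420 in Python against the default list and the extended list above. This is an added example, not code from the original post or from the CRS project; the two policy strings are copied from this page, the header values are constructed, and naive_allowed is a hypothetical helper showing what would happen if the pipes were dropped.

```python
import re

# Default CRS 3.3.2 content-type policy (what rule 901162 sets when 900220 is
# left inactive) and the extended policy from the SecAction on this page.
DEFAULT_ALLOWED = (
    "|application/x-www-form-urlencoded| |multipart/form-data| "
    "|multipart/related| |text/xml| |application/xml| |application/soap+xml| "
    "|application/x-amf| |application/json| |application/octet-stream| "
    "|application/csp-report| |application/xss-auditor-report| |text/plain|"
)
EXTENDED_ALLOWED = DEFAULT_ALLOWED + " |application/activity+json|"

# Same expression as rule 920420: capture the media type up to ';' or whitespace.
MIME_RE = re.compile(r"^[^;\s]+")

def content_type_allowed(content_type_header, allowed_list=DEFAULT_ALLOWED):
    """Replay the 920420 chain for one Content-Type header value.

    Returns True when the request would pass and False when the chained rule
    would add tx.critical_anomaly_score (the 403 seen on the ActivityPub inbox).
    """
    match = MIME_RE.match(content_type_header)
    if match is None:
        return True  # 920420 only fires when the header parses; other rules cover that case
    # setvar:'tx.content_type=|%{tx.0}|', then t:lowercase on the chained rule
    tx_content_type = f"|{match.group(0)}|".lower()
    # @within: is the variable (needle) a substring of the policy list (haystack)?
    return tx_content_type in allowed_list

def naive_allowed(content_type_header, allowed_list=DEFAULT_ALLOWED):
    """Hypothetical: the same check with the pipes removed from both sides.

    A bare substring test accepts fragments such as 'json' or 'text/', which is
    exactly what the pipe wrapping in the real rule prevents.
    """
    match = MIME_RE.match(content_type_header)
    if match is None:
        return True
    return match.group(0).lower() in allowed_list.replace("|", "")

if __name__ == "__main__":
    for header in ("application/activity+json", "application/json; charset=utf-8", "json"):
        print(header, content_type_allowed(header), content_type_allowed(header, EXTENDED_ALLOWED))
```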

I deployed the rule, restarted Apache and tried to follow myself again, and it all started working (about 2 minutes after I posted this, it showed up in my timeline).

Hope it helps somebody else!

Bug Report: [Closed] cPanel WP Toolkit Does Not Work With Plugins With Slashes In Their Name

In an effort to prove to myself that I am actually trying to do work this month, I’m making a note of all the bugs in 3rd party software I find.

Today's is a bug reported to cPanel Inc on 4th June 2022 under their tracking request ID 94452913, affecting their WordPress Toolkit cPanel module, which has a problem with slashes in plugin names.