403 forbidden when editing list emails

nadworks

Active Member
Something strange has kicked in, which I'm sure has previously worked fine:
I'm suddenly unable to save edited list emails (not campaigns, but the responses such as "subscribe confirm email", "unsubscribe confirm email"...). The pages are fine, but when I save any amends to the existing email templates, I'm getting...

Forbidden
You don't have permission to access /customer/index.php/lists/listID/page/subscribe-confirm-email on this server.

I get this for all lists on all customer accounts, regardless of "impersonating" or directly logging in.
Mod_security has been disabled. I have also disabled the WP Wordfence plugin on the main domain.

Slightly lost. Am I missing something glaringly obvious?
Tested a few things. The email only saves if I remove the `<style>` block and any `<div>`.
Needless to say that no responsive email can be built without those elements, and my email code is 100% valid and neat.
It accepts `<table>` and its children only.

Also, these email templates have been in use for a very very long time. All I did was change the wording in the text and then re-save. So I would have been able to successfully save them previously.

Is this a new thing? Has this to do with my permissions? My server? Anything that changed on the latest MailWizz release? A bug?
Forbidden
You don't have permission to access /customer/index.php/lists/listID/page/subscribe-confirm-email on this server.
This is for sure mod_security.
Not sure how exactly you have disabled it, but apparently it is still active.

Does it happen the same when you create a html template in templates area in backend?
 
Sadly it's not mod_security as I mentioned above. It's disabled and I just had that double-checked.

Please also see my 2nd post about the type of HTML code that is accepted vs. makes it fail. How come the use of `<div>` and `<style>` stops the email template from being saved, triggering a permission error, while the removal of these lets it through? Plus the fact that the existing templates had all these elements and have now become uneditable.

So as I said before:
  • mod_security is disabled
  • Wordfence disabled
Can anyone replicate this?
 
Does it happen the same when you create a html template in templates area in backend?
Everything at the backend works perfectly fine. I can edit and create Email Templates for the Gallery and also edit and create under the Settings > Email Templates section without any problems.
 
I've just impersonated another client account and attempted to make a simple text edit on the subscribe confirm email and got this after saving:

Not Implemented
POST to /customer/index.php/lists/listID/page/subscribe-confirm-email not supported.
 
Ok, we've fixed it... not sure what it was exactly, but we restarted Apache and all is working fine again.
Apologies for the panic. Glad it's sorted. Worth noting if anyone else ever runs into this problem.
 
I have run into the same problem after upgrading from an old version of MailWizz. It doesn't let me access email templates. Disabling mod_security is not recommended as it is an essential tool in repelling web attacks. I'll try to add some exception rules to it and see if it solves the problem.
 
This was the error when you entered email templates:
ModSecurity: Access denied with code 403 (phase 2). Pattern match "<meta.{0,}?charset\\\\/{0,}=" at ARGS_POST:CustomerEmailTemplate[content]. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/07_XSS_XSS.conf"] [line "125"] [id "212970"] [rev "6"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.|****|F|2"] [data "Matched Data: <metacharset= found within ARGS_POST:CustomerEmailTemplate[content]: <html><head><metacharset=\\x22utf-8\\x22><title></title><metaname=\\x22viewport\\x22content=\\x22width=device-width,initial-scale=1\\x22><style>@importurl(\\x22https://fonts.googleapis.com/css?family=opensans:300,400,600,800\\x22);</style><style>.wrapper{width:100%}"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "*****"] [uri "/backend/email-templates/gallery/create"] [unique_id "Y@ZVdU7gnjOCKC7T6HWudwAAAV4"], referer:

Excluding the rule with id '212970' solved the issue. I have an email template builder extension that may be the cause :)
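The log line above shows exactly what rule 212970 keys on: after ModSecurity's transformations the template body reads `<metacharset=`, which the pattern `<meta.{0,}?charset\/{0,}=` matches. The following is an added example (not MailWizz, Comodo or ModSecurity code) that reproduces that match in Python and contrasts removing the rule outright with excluding only the one POST parameter. The regex is copied from the log; the transformation chain (whitespace stripped, then lowercased) is an assumption based on the matched data in the log, and the sample templates are constructed for the example.

```python
"""Reproduce why ModSecurity rule 212970 fires on a MailWizz email template.

Added example, not project code. The regex is copied from the thread's log
line (Apache's error log escapes the backslash once more than the rule
file does). The transformation chain is an ASSUMPTION: the logged matched
data "<metacharset=" has every space removed, so removeWhitespace is
assumed, and lowercase is assumed for good measure.
"""
from __future__ import annotations

import re
from typing import Optional

RULE_ID = 212970
RULE_PATTERN = re.compile(r"<meta.{0,}?charset\/{0,}=")

# Constructed sample templates (not real customer data).
TEMPLATE_WITH_META = """<html><head>
<meta charset="utf-8">
<title></title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>.wrapper{width:100%}</style>
</head><body><div class="wrapper">Hi [FNAME]</div></body></html>"""

TEMPLATE_TABLE_ONLY = "<table><tr><td>Hi [FNAME], please confirm.</td></tr></table>"

# Still trips the rule: ".{0,}?" allows anything between "<meta" and
# "charset", so the http-equiv form is caught as well.
TEMPLATE_HTTP_EQUIV = (
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
)


def transform(value: str) -> str:
    """Assumed transformation chain: removeWhitespace, then lowercase."""
    return re.sub(r"\s+", "", value).lower()


def rule_matches(value: str) -> Optional[str]:
    """Return the matched data as ModSecurity would log it, or None."""
    m = RULE_PATTERN.search(transform(value))
    return m.group(0) if m else None


def waf_decision(
    args: dict[str, str], excluded_targets: frozenset[str] = frozenset()
) -> list[str]:
    """Evaluate rule 212970 over the POST arguments of one request.

    ``excluded_targets`` models a per-target exclusion
    (SecRuleUpdateTargetById 212970 "!ARGS:<name>"): the rule is skipped for
    those parameters only and still runs on every other one, unlike
    SecRuleRemoveById, which drops the rule for the whole request.
    Returns the parameter names that would produce the 403.
    """
    blocked = []
    for name, value in args.items():
        if name in excluded_targets:
            continue
        if rule_matches(value):
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    # Expected output: <metacharset=
    print(rule_matches(TEMPLATE_WITH_META))
    print(
        waf_decision(
            {"CustomerEmailTemplate[content]": TEMPLATE_WITH_META},
            frozenset({"CustomerEmailTemplate[content]"}),
        )
    )
```

This also explains the earlier observation that table-only markup saved fine: a template without a `<meta ... charset=...>` tag never reaches the pattern, whatever `<div>` or `<style>` it contains. When adding the exception, prefer a target exclusion such as `SecRuleUpdateTargetById 212970 "!ARGS:CustomerEmailTemplate[content]"` over `SecRuleRemoveById 212970`, so the rule keeps protecting every other parameter; the rule exists because a charset-switching meta tag injected into a page was a known XSS vector in older Internet Explorer, which is what its "IE XSS Filters" message refers to. Either directive needs an Apache reload to take effect, and the rule IDs differ between the Comodo and OWASP CRS rule sets, so check the `[id "..."]` field in your own audit log rather than copying this one.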
 