Unable to save new Subscribe page

I have a phpList installation alongside a Wordpress installation. Both work OK, except…
When I attempt to save a Subscribe page (under the Config menu), when I click on the “Save changes” button at the end of the form, I am redirected to the page-not-found page of my Wordpress installation.
I have checked the .htaccess file at the root (i.e. in the folder containing both “lists” and “wp_raw” folders) and I think it is OK. I have not had this redirect problem with any other phplist admin feature.
Any ideas?
Thanks,
David R.
P.S. My website is under a subdomain. Not sure if that is important.

@david.rand this could be caused by some anti-malware software not liking the content of the data being submitted.
Do you have the wordpress wordfence plugin? That has a firewall component which might be the cause.
Another possibility is the apache mod security module.

No, I do not have Wordfence.
I do not think I have any control over the apache mod security module. I think my web host manages that.

@duncanc You were right! I found that I am able to disable ModSecurity on the subdomain I am using. And now I am able to save the Subscribe page!

That partially solves the problem. ModSecurity should be left on, but at least now I know that I can deactivate it temporarily to save a new Subscribe page.

I will contact my hosting provider to ask for more details about ModSecurity.

Thanks!

1 Like

I have this problem with the Wordfence plugin. It’s returning a 403 when I try to create or update the subscribe page.
The fix is to go to the WF tools and look at the live traffic. You can see reports like:
http://domain.com/lists/admin/?page=spageedit&tk=7f6247868521344ae7c91647368c166f and was blocked by firewall for XSS: Cross Site Scripting in POST body: footer=%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%3C!--%20ENDOF%20%23mainContent--%3E%0D%0A%3C%2Fdiv%…
If you expand the report, there is an option to “WHITELIST PARAM FROM FIREWALL”.
You may need to do this a couple of times, but should produce a couple of rules in your WF firewall like:


Ideally, PHPList could fix the script so it doesn’t look like an XSS attack vector :wink: