Rogier Lankhorst
Forum Replies Created
-
Hi @kasalingo,
Thanks for reporting the issue. We have indeed found an issue in the conditions, caused by an update to the filtering options. We have a fix ready, it will be included in the next update.
@keeleon This is due to a security configuration by your server, we don’t have any control over that within Burst.
I don’t know much about Mod Security, so I’ve checked with AI what possible solutions there are for such an issue. Let me know if this is helpful!
————-
This is a well-known ModSecurity/JSON parsing conflict. The error “Cannot add scalar value without an associated key” means ModSecurity’s request body processor is trying to parse the JSON payload sent by Burst Statistics to
/wp-json/burst/v1/track/, but the JSON structure contains array-style or scalar values at the root level that confuse the parser.The cleanest fix is a targeted rule that overrides the body processor for that specific URI, keeping all other rules intact.
Option 1: Switch the body processor to URLENCODED for that endpoint (recommended)
Add this to your custom ModSecurity rules file (e.g.
/etc/modsecurity/custom-rules.confor inside a.conffile in yourmodsecurity.d/directory):apache
SecRule REQUEST_URI "@beginsWith /wp-json/burst/v1/track" \ "id:9009001,\ phase:1,\ pass,\ nolog,\ ctl:requestBodyProcessor=URLENCODED"This tells ModSecurity to treat the body as plain URL-encoded data instead of trying to parse it as JSON, so no parsing error occurs and the request goes through. All other rules keep running.
Option 2: Disable request body inspection for that URI only
If option 1 doesn’t fully resolve it:
apache
SecRule REQUEST_URI "@beginsWith /wp-json/burst/v1/track" \ "id:9009001,\ phase:1,\ pass,\ nolog,\ ctl:requestBodyAccess=Off"This turns off body inspection entirely for that endpoint. Slightly broader, but still highly targeted since it only applies to that one URI.
Resolved by mail support.
As this is regarding the premium plugin, we’re not allowed to discuss it on this forum, as per the forum rules.
A patch for the issue will be released shortly. For now, users can use the general filters instead of clicking the “desktop” filter on the devices block.
If you deactivate WordFence, does it resolve the issue?
Can you share a link to this site so I can take a look? If there’s an issue with tracking I should be able to see what the problem is from the front-end.
You’re right, after some digging I found that our articles are not up to date, I have updated the articles:
Good to hear you like Burst Statistics! We don’t have a default lifetime license offer on our website, but we can always discuss. As we’re not allowed to discuss premium plugins on this forum, please contact us directly at support(at)burst-statistics.com.
Glad to hear it’s resolved!
Yes, because the combined script is generated dynamically, it is stored in the uploads/burst/js directory. You could consider excluding that specific directory from your rules, that should fix the issue most likely.
- This reply was modified 1 month, 1 week ago by Rogier Lankhorst.
Awesome! Glad it’s been resolved!
Can you share the .htaccess contents of this website? And possibly the URL of the website? It looks like there is a specific rule on the uploads directory that blocks loading the .js file, but this rule is not applied to the plugins directory.
Can you copy the console errors in the browser, by right clicking on the screen, then click “inspect element”, “console”, then copy the errors you see there (instructions for Chrome).
This should tell us more.
This is probably due to caching, either in your browser or on your server. Can you try in an anonymous browser window?
@lekkerbezig I’ve done some tests, but with default WordPress user roles there’s nothing in itself that prevents tracking. Possibly the templates for logged-in pages do not have the correct WordPress hooks required for the scripts to hook into. But hard to say without knowing the setup in more detail.
What is your setup? If I can recreate your configuration I can probably tell you more.
I think that blocking the tracking when AdGuard is active is exactly what they intend to do. But it should not block the back-end scripts and our website of course. We’ll see if they respond!
@slavomir12 thanks for the information! Interesting. I suspect this is because AdGuard just blocks anything that has ‘burst’ included in the javascript source. Because anything on our site loads over a domain with ‘burst’ in it, all resources are blocked.
Same goes for the back-end scripts. These load over the burst-statistics plugin directory, which apparently gets flagged.
I don’t think there’s anything we can do to fix such brute force blocking.
Hi @slavomir12,
Thanks for your report. I have tested Burst Statistics on a multisite environment just now, but the dashboard loaded without issues. So I wasn’t able to reproduce the problem.
If you can open the console in your browser (right click on screen, “inspect element”, “console”), then copy the errors you see there, and paste them here, I can check if there’s something that points us to the cause of the issue.