MyBB Community Forums

Full Version: Is ModSecurity still a problem?
I know there are several threads about ModSecurity, but many are old and the issue is not clear.

I have seen that there is some code in the htaccess file that disables ModSecurity, so I'm wondering if the problem arises only when you turn on "pretty URLs" (that's when htaccess is needed) or if it's a problem in general anyway.

I have been using MyBB on a development server, I haven't really used it a lot or tested everything, but I've never come across any issues with ModSecurity (which is installed and it works). Will turning on "pretty URLs" cause any problems? Is it really still an issue today? I was thinking of turning it on, enabling the htaccess file, and removing the part that disables ModSecurity (so keeping ModSecurity on). I just don't think that disabling ModSecurity is a good idea. I don't think I've seen another popular web application that needs to disable ModSecurity in order to work. I think that if MyBB really cares about security, they should try to avoid the possible incompatibilities with ModSecurity and avoid disabling it.

So what's the situation now?
(2018-10-05, 08:33 PM)reed Wrote: I know there are several threads about ModSecurity, but many are old and the issue is not clear.

I have seen that there is some code in the htaccess file that disables ModSecurity, so I'm wondering if the problem arises only when you turn on "pretty URLs" (that's when htaccess is needed) or if it's a problem in general anyway.

I have been using MyBB on a development server, I haven't really used it a lot or tested everything, but I've never come across any issues with ModSecurity (which is installed and it works). Will turning on "pretty URLs" cause any problems? Is it really still an issue today? I was thinking of turning it on, enabling the htaccess file, and removing the part that disables ModSecurity (so keeping ModSecurity on). I just don't think that disabling ModSecurity is a good idea. I don't think I've seen another popular web application that needs to disable ModSecurity in order to work. I think that if MyBB really cares about security, they should try to avoid the possible incompatibilities with ModSecurity and avoid disabling it.

So what's the situation now?

It's not so much the fault of MyBB software itself, it's the hosting companies that have enabled ModSecurity for whatever reason.

So, it's up to us Admins to contact the hosting company to turn off ModSecurity or allow us to turn it off by another method.

Placing the blame on MyBB software is incorrect.
I have a button in cPanel and can turn it on or off for each domain.
But why should it be turned off? That's the point, it should NOT be turned off. It's useful to prevent some attacks and it's good to have it on. If it causes trouble on some occasions, the user can contact the hosting provider, or can try to fine tune the rules, or can disable a specific rule, or finally decide to turn off ModSecurity completely. If the problems arise very frequently for a lot of people, then there must be something wrong with either ModSecurity or MyBB that developers should try to fix. I've never seen any popular CMSs disable ModSecurity by default, and they all work ok. Why? If it's just to avoid some occasional problems with some (maybe badly developed?) plugins, then the code in the htaccess should be removed. Otherwise, as I said, there's something wrong either with ModSecurity or MyBB, because no other popular web application needs to disable ModSecurity by default.
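For readers who want to see what "disable a specific rule" looks like next to the blanket switch-off this post argues against, here is an added illustrative .htaccess fragment for ModSecurity 2.x (example config, not MyBB's shipped htaccess.txt). The rule ID 123456 is a placeholder; the script names in the FilesMatch are assumed here as the MyBB scripts that accept post bodies.

```apache
# (1) The blanket approach: turn the whole engine off for the site.
#     Note: ModSecurity 2.x honours SecRuleEngine in .htaccess only when the
#     host built it with htaccess config support; on many shared hosts this
#     line is silently ignored, which is why "ask your host" comes up so often.
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>

# (2) The narrower alternative: keep the engine on and exclude only the rule
#     that produced the false positive, and only on the scripts that take
#     post submissions. Take the real rule ID from the [id "..."] field of the
#     ModSecurity entry in the Apache error log for the blocked request.
<IfModule mod_security2.c>
    <FilesMatch "^(newthread|newreply|editpost)\.php$">
        SecRuleRemoveById 123456
    </FilesMatch>
</IfModule>
```

Use one or the other, not both; with (2) every other rule keeps protecting the rest of the forum.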
(2018-10-06, 07:55 PM)reed Wrote: But why should it be turned off? That's the point, it should NOT be turned off. It's useful to prevent some attacks and it's good to have it on. If it causes trouble on some occasions, the user can contact the hosting provider, or can try to fine tune the rules, or can disable a specific rule, or finally decide to turn off ModSecurity completely. If the problems arise very frequently for a lot of people, then there must be something wrong with either ModSecurity or MyBB that developers should try to fix. I've never seen any popular CMSs disable ModSecurity by default, and they all work ok. Why? If it's just to avoid some occasional problems with some (maybe badly developed?) plugins, then the code in the htaccess should be removed. Otherwise, as I said, there's something wrong either with ModSecurity or MyBB, because no other popular web application needs to disable ModSecurity by default.

Sorry I can't answer that. All I know is that when it was put in place by my host, it stopped me making changes to my MyBB custom pages. I have turned it off as I create a new custom page each month, and I didn't see the point in having it turned on.

I'm not getting involved in which is "badly developed" as for me it's fine the way it is.
mod_security doesn't have a clue about what's running on your site or what is secure in which context or not.

It's just a dumb filter, and entirely customizable, but no one does that; and on some shared hosts you can't customize it in the first place, even if you wanted to.

So you have such a dumb filter in place, you're a tech-oriented forum and you want to talk about SQL queries... well, bad luck, buddy.

https://github.com/SpiderLabs/ModSecurit...stom_Rules Wrote: It is inevitable; you will run into some False Positive hits when using web application firewalls. This is not something that is unique to ModSecurity. All web application firewalls will generate false positives from time to time.

A false positive in the context of a forum means: you spend a lot of time writing a post, then you click submit, and *poof* it's gone. The server says "thank you, but this looked somewhat dangerous, so I did the safe thing and binned it for you."

And to forum software that is kind of unacceptable.

If you want to "fix" that, we'd have to work around mod_security by encoding/encrypting the messages we send to the server in a way mod_security doesn't understand and thus can't filter. That would mean breaking the forum for users who have JavaScript disabled, and is just a lousy way of doing things altogether, as it breaks mod_security for people who actually know how to use it properly and would enable it regardless of what MyBB's default htaccess does.

There isn't a single piece of software you can just plug in and bam, it's secure. That's not how security works.