MyBB Community Forums

Full Version: mod_security again
Uploaded a revised one.
Negative answer from Cirtexhosting again :(

Quote:Hello,

I've checked the mod_security log and it denied your forum request. The reason for the block appears to be a vulnerability rule, so you may need to patch or upgrade your script.

=====
# Rule 310019: Xaraya "module" Local File Inclusion Vulnerability
SecRule REQUEST_URI "/index\.php" chain
SecRule ARGS:module "(\.\./\.\.|/)"
====


--------------------------------------------------------
Regards,
CirtexHosting

(2008-11-13, 06:31 PM)DennisTT Wrote: Please try this: upload to admin/index.php.

This should change the module separator from / to @, which hopefully works with mod_security. This is untested so some things may break (esp. with form submissions, I haven't been able to test everything).

Thanks Dennis, I'll try it as soon as possible.

Burn
The new admin/index.php works great so far. I will populate the board with my phpbb data during the weekend and give it a test drive. Thanks Dennis!

Burn
I tried to change the password of my Administrator account:

.../mybb/admin/index.php?module=user/users

Password changed but failed to load page.

DennisTT:
Quote:This is untested so some things may break (esp. with form submissions, I haven't been able to test everything).
Correct


Avatar gallery doesn't load:

Quote:Forbidden

You don't have permission to access /mybb/admin/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I'll get back to you when thoroughly tested.

Burn
My Suggestion: Change hosts.

It looks like they're trying to protect from file inclusion vulnerabilities with mod_security but they're being too aggressive about it and sacrificing a service you are paying them to provide.

It's like an email spam blocker program that doesn't even allow you to read your legitimate emails.

Ryan
Tested the forum over the weekend and as DennisTT said it fails with form submissions. Changes are made when submitting the form, but destination page fails to load.

Since I can't expect DennisTT to "hack" admin/index.php just for me so I can stay with my host, I'm now looking for a new host.

I'm still trying to convince them to tune their mod_security to let MyBB through though. Since moving host means moving 10 live sites and all their email forwarders, accounts, and databases etc etc... this is not something I'm looking forward to.

Burn
Working on this because my hosting has the mod_security2.
To fix the destination page, add this code to admin/inc/functions.php:
// based on DennisTT Code
// change the ACP module separator in a URL from / to @
// (module=user/users becomes module=user@users, which mod_security lets through)
function admin_cp_module_sep_change($contents)
{
	$ACP_MODULE_SEP = "@";
	// only the module=<name>/<name> part is touched, the rest of the URL is kept as is
	$contents = preg_replace('#module=([a-z_]+)/([a-z_]+)#i', 'module=$1'.$ACP_MODULE_SEP.'$2', $contents);
	return $contents;
}
And in the admin_redirect function add a call to this function:
function admin_redirect($url)
{
	// new function call: rewrite the separator before the redirect is sent,
	// so the destination page after a form submit does not trip the rule
	$url = admin_cp_module_sep_change($url);
	if(!headers_sent())
	{
		$url = str_replace("&amp;", "&", $url);
		header("Location: $url");
	}
	else
	{
		echo "<meta http-equiv=\"refresh\" content=\"0; url={$url}\">";
	}
	exit;
}

This code is for test so if there is problems talk about here :)

Byron H.
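The following is an added example, not code from this thread and not part of MyBB. It shows why the host's rule 310019 (quoted earlier in the thread) denies the admin CP and why the "@" separator workaround from DennisTT and silenceway gets past it. The regex is taken from the quoted rule; the narrower traversal-only pattern is a suggestion of this example, not something the host offered; the sample request URLs are constructed, not taken from a real log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Pattern copied from the host's rule 310019 as quoted in the thread:
#   SecRule ARGS:module "(\.\./\.\.|/)"
# The second alternative fires on ANY slash, which is what hits module=user/users.
HOST_PATTERN = re.compile(r"(\.\./\.\.|/)")

# Narrower pattern (an assumption of this example, not something the host offered):
# only a ".." path component counts as traversal, so "user/users" is left alone.
TRAVERSAL_PATTERN = re.compile(r"(^|/)\.\.(/|$)")

# Separator that DennisTT's admin/index.php and silenceway's redirect patch switch to.
ACP_MODULE_SEP = "@"


def module_arg(url):
    """Return the URL-decoded 'module' argument the way ModSecurity sees ARGS:module, or None."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("module")
    return values[0] if values else None


def rule_fires(url, pattern):
    """Emulate the chained rule: the request URI must contain /index.php AND
    ARGS:module must match the pattern. Both conditions come from the quoted rule."""
    if "/index.php" not in urlsplit(url).path:
        return False
    value = module_arg(url)
    return value is not None and pattern.search(value) is not None


def host_blocks(url):
    """True if the host's rule, as quoted, would deny this request."""
    return rule_fires(url, HOST_PATTERN)


def traversal_blocks(url):
    """True if the narrower traversal-only pattern would deny this request."""
    return rule_fires(url, TRAVERSAL_PATTERN)


def rewrite_module_sep(url):
    """Port of the preg_replace posted by silenceway: module=a/b -> module=a@b."""
    return re.sub(r"module=([a-z_]+)/([a-z_]+)",
                  r"module=\1" + ACP_MODULE_SEP + r"\2", url, flags=re.IGNORECASE)


def evaluate(url):
    """Return (host verdict, traversal-only verdict, host verdict after the @ rewrite)."""
    rewritten = rewrite_module_sep(url)
    return host_blocks(url), traversal_blocks(url), host_blocks(rewritten)


# Constructed sample requests (not taken from a real log).
SAMPLE_REQUESTS = [
    "/mybb/admin/index.php?module=user/users",                    # legitimate ACP page
    "/mybb/admin/index.php?module=user/users&action=edit",        # legitimate, more args
    "/mybb/admin/index.php?module=..%2F..%2F..%2Fetc%2Fpasswd",   # real traversal attempt
    "/mybb/index.php?action=login",                               # front end, no module arg
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        host, narrow, after = evaluate(url)
        print(f"{url}\n  host rule: {'DENY' if host else 'allow'}"
              f"  traversal-only: {'DENY' if narrow else 'allow'}"
              f"  host rule after @ rewrite: {'DENY' if after else 'allow'}")
```

Running it shows the legitimate module=user/users request denied by the host's pattern but allowed by the traversal-only one, the rewritten module=user@users form allowed by both, and the ../../ payload still denied by both, with or without the rewrite. A host that wanted to keep the rule could therefore narrow its pattern for this site rather than disable it; ModSecurity's SecRuleRemoveById directive would also switch rule 310019 off for a given location, but that is a broader change than tightening the regex.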
I am using the index.php that DennisTT provided and the additional code provided by silenceway and so far everything is working. I am hosted on a hostgator shared server.

I quit using myBB back in 08 when this first became an issue as I am sure many people did. Not because I couldn't force it to work by being whitelisted but because I should not have to have my provider disable a security feature so my software will work. I think it is important for myBB to understand that they need to be reasonable and make the software work with mod_security or it will turn away more than it gains. No other forum software that I have tried has had a problem with mod_security so it's not unreasonable to ask that myBB work with it.

I acknowledge and appreciate the hard work done on this program and the dedication of those involved for no pay.

Just Saying.
Tony
IIRC that file caused other errors, something with forms not submitting properly or something.

I think the mod_security issue will be addressed in a future release, but from what I've heard, it's only a problem when configured incorrectly; I have it working fine on one of my hosts.
I have nothing negative to report thus far and it does let you do just about everything so for those of us who have this issue, it is better than nothing. I am hoping the issue is addressed in some future version or perhaps even a mod for a work-around but for now I can at least use the software again =)
I haven't used MyBB in a year or so because of these issues and it's really sad to see it still exists. It's a complete turn-off. I should not have to have my host disable a security program on my server to get this forum to work. END OF DISCUSSION.

Will be using SMF instead which is very sad considering how much I loved the functionality of MyBB when it actually worked for me.
(2009-10-28, 04:37 PM)jaroo Wrote: I haven't used MyBB in a year or so because of these issues and it's really sad to see it still exists. It's a complete turn-off. I should not have to have my host disable a security program on my server to get this forum to work. END OF DISCUSSION.

Will be using SMF instead which is very sad considering how much I loved the functionality of MyBB when it actually worked for me.

I agree. mod_security is a very important module that fixes lots of Apache security problems and is quickly becoming the de facto module to use. MyBB should quickly find a fix to ensure it's compatible. The advice to turn off a security feature just so MyBB can work is backward thinking. mod_security is not a fringe module.

I was exploited heavily on my site about a month ago and my server was penetrated by a php shell. If I had been able to run mod_security it would not have happened. Security has to be important for this project or people may decide not to use it.

I'd like a more official response on what MyBB is doing about this problem. The "get a new host" responses are imho insulting to those that want secure hosting.