MyBB Community Forums

Full Version: mod_security again
(2009-10-28, 04:43 PM)labrocca Wrote:
(2009-10-28, 04:37 PM)jaroo Wrote: I haven't used MyBB in a year or so because of these issues and it's really sad to see it still exists. It's a complete turn-off. I should not have to have my host disable a security program on my server to get this forum to work. END OF DISCUSSION.

Will be using SMF instead which is very sad considering how much I loved the functionality of MyBB when it actually worked for me.

I agree. mod_security is a very important module that fixes lots of Apache security problems and is quickly becoming the de facto module to use. MyBB should quickly find a fix to ensure it's compatible. The advice to turn off a security feature just so MyBB can work is backward thinking. mod_security is not a fringe module.

I was exploited heavily on my site about a month ago and my server was penetrated by a php shell. If I had been able to run mod_security it would not have happened. Security has to be important for this project or people may decide not to use it.

I'd like a more official response on what MyBB is doing about this problem. The "get a new host" responses are imho insulting to those that want secure hosting.

Exactly! I am not going to get a new host to run certain software if the problem could be solved by the software creator. That is insane! It would be much easier and make a hell of a lot more sense for the creators of MyBB to just fix the issue on their end (because it can be done). This problem has been going on for FAR too long.

To tell anyone to get a new host if they won't disable a security feature is the most ridiculous thing I've heard and is by no way "support".
There is a lot of work entailed to change all URLs to a different format. And what about all the plugins that are hooked into the ACP? They'll need changed too.

Ryan provided the only viable option for MyBB 1.4 at the moment.
(2009-10-28, 04:55 PM)jaroo Wrote:
(2009-10-28, 04:43 PM)labrocca Wrote:
(2009-10-28, 04:37 PM)jaroo Wrote: I haven't used MyBB in a year or so because of these issues and it's really sad to see it still exists. It's a complete turn-off. I should not have to have my host disable a security program on my server to get this forum to work. END OF DISCUSSION.

Will be using SMF instead which is very sad considering how much I loved the functionality of MyBB when it actually worked for me.

I agree. mod_security is a very important module that fixes lots of Apache security problems and is quickly becoming the de facto module to use. MyBB should quickly find a fix to ensure it's compatible. The advice to turn off a security feature just so MyBB can work is backward thinking. mod_security is not a fringe module.

I was exploited heavily on my site about a month ago and my server was penetrated by a php shell. If I had been able to run mod_security it would not have happened. Security has to be important for this project or people may decide not to use it.

I'd like a more official response on what MyBB is doing about this problem. The "get a new host" responses are imho insulting to those that want secure hosting.

Exactly! I am not going to get a new host to run certain software if the problem could be solved by the software creator. That is insane! It would be much easier and make a hell of a lot more sense for the creators of MyBB to just fix the issue on their end (because it can be done). This problem has been going on for FAR too long.

To tell anyone to get a new host if they won't disable a security feature is the most ridiculous thing I've heard and is by no way "support".

I don't think you realise how idiotic most shared hosts are :p they expect WordPress and Joomla, and don't take into account other stuff
(2009-10-28, 05:01 PM)Tomm M Wrote: There is a lot of work entailed to change all URLs to a different format. And what about all the plugins that are hooked into the ACP? They'll need changed too.

Ryan provided the only viable option for MyBB 1.4 at the moment.

As I said, I haven't used MyBB in over a year. Fixing this issue has taken this long? Please. Ridiculous.
Quote:There is a lot of work entailed to change all URLs to a different format. And what about all the plugins that are hooked into the ACP? They'll need changed too.

Yes I am aware. I took an afternoon trying to come up with a solution. Because the solution is difficult imho that means even more so it should be addressed asap. It won't get easier as time passes and more plugins break.

If I have to rewrite all my plugin admincp urls then so be it. I'd like to see MyBB mod_security compatible. However I have not seen an official statement on that being the case from MyBB.
(2009-10-28, 05:12 PM)jaroo Wrote:
(2009-10-28, 05:01 PM)Tomm M Wrote: There is a lot of work entailed to change all URLs to a different format. And what about all the plugins that are hooked into the ACP? They'll need changed too.

Ryan provided the only viable option for MyBB 1.4 at the moment.

As I said, I haven't used MyBB in over a year. Fixing this issue has taken this long? Please. Ridiculous.

We're not going to completely rewrite the ACP again midway through 1.4. I also have mod_security on one of my hosts and the ACP works fine.
Disclaimer: I've not read the whole thread... so... keep that in mind:

Have you tried whitelisting your own domain/disabling mod_sec for your account using .htaccess?

From: http://www.liewcf.com/archives/2008/05/h...cess-file/
Quote:Disable mod_security in .htaccess file

1. If you do not have one yet, create an .htaccess file in the folder of your web application
2. To disable mod_security COMPLETELY, add the following line to the .htaccess file:
SecFilterEngine Off
OR, to disable HTTP POST scanning only, use the following instead:
SecFilterScanPOST Off
3. Save the file and test your web application to check whether disabling mod_security has solved your problem.

I recommend you try SecFilterScanPOST Off first, instead of disabling mod_security completely.

You can also turn it off just for specific urls if I remember correctly.

Of course, mod_sec2 doesn't allow htaccess overrides anymore, so if that's what you have you're not able to do this. As I said, I didn't read the whole thread. Time limited right now.
(2009-10-28, 08:25 PM)MattRogowski Wrote: We're not going to completely rewrite the ACP again midway through 1.4. I also have mod_security on one of my hosts and the ACP works fine.

I have to agree with Matt - I know that we have mod_security installed here at work, and I haven't modified the ACP urls in the MyBB system I use. I have no idea how it works, but I'm assuming shared hosts are a little overzealous with the security rules.

(2009-10-28, 05:12 PM)jaroo Wrote: As I said, I haven't used MyBB in over a year. Fixing this issue has taken this long? Please. Ridiculous.

In that year that you haven't used MyBB, we haven't changed versions. Obviously the decision was taken to keep plugins rather than breaking them mid-way into a major branch. 1.6 is a feature upgrade, a "service pack" I guess, rather than a new piece of software and so won't be mod_security compatible. 2.0 is an entirely new piece of software, so I'm sure plans will have changed.
I've never had a problem with mod_security and MyBB, but if you have custom rules you can disable them for the folder you are having a problem with by adding the following rule to mod_security:

<LocationMatch '/mybb/admin'>
SecRuleRemoveById ######,######
</LocationMatch>
(Replace /mybb/admin with problem folder and ###### with offending rule, both can be found in the mod_security logs.)
I had to do this with phpMyAdmin because of issues with certain table names that appeared in the URL which made it look like an injection attack.

Of course you can probably do the same in .htaccess if you do not have root access to the server but if you're using shared hosting then chances are if the host has any clue about security .htaccess will not work either.
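The workflow the post above describes (read the offending rule id and folder out of the mod_security log, then remove only those rules for that folder) as an added Python helper that is not part of this thread; the log lines, hostnames and rule ids 900001/900002 are constructed, and the stanza it emits is the scoped SecRuleRemoveById form rather than the SecFilterEngine Off / SecFilterScanPOST Off switches quoted earlier.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Constructed entries in the mod_security 2.x error-log format; not taken from a real server.
SAMPLE_LOG = """\
[Wed Oct 28 16:43:01 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:module. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "900001"] [msg "Constructed rule A"] [hostname "forum.example"] [uri "/mybb/admin/index.php"] [unique_id "a1"]
[Wed Oct 28 16:43:05 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "--" at ARGS:action. [file "/etc/modsecurity/rules.conf"] [line "40"] [id "900002"] [msg "Constructed rule B"] [hostname "forum.example"] [uri "/mybb/admin/index.php"] [unique_id "a2"]
[Wed Oct 28 16:44:10 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:module. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "900001"] [msg "Constructed rule A"] [hostname "forum.example"] [uri "/mybb/admin/index.php"] [unique_id "a3"]
[Wed Oct 28 16:50:00 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:tbl. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "900001"] [msg "Constructed rule A"] [hostname "forum.example"] [uri "/phpmyadmin/sql.php"] [unique_id "a4"]
"""

# Only "Access denied" entries matter; the [id "..."] tag precedes [uri "..."] in this format.
DENIED = re.compile(r'ModSecurity: Access denied.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]+)"\]')


def rule_hits_by_folder(log_text):
    """Map each blocked folder (dirname of the request URI) to the set of rule ids that fired there."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            hits[dirname(m.group("uri"))].add(int(m.group("id")))
    return dict(hits)


def exclusion_stanza(folder, rule_ids):
    """Render a LocationMatch block that drops only the listed rules for one folder.

    LocationMatch takes a regex, so the folder is anchored at the start of the path
    and the trailing slash stops "/mybb/admin" from also matching "/mybb/admin-old".
    """
    ids = ",".join(str(i) for i in sorted(rule_ids))
    return f'<LocationMatch "^{folder}/">\n    SecRuleRemoveById {ids}\n</LocationMatch>\n'


def build_exclusions(log_text, folder):
    """Return the stanza for one folder once manual review has decided its hits are false positives.

    Rules that fired only under other folders stay active everywhere; an unknown folder yields "".
    """
    hits = rule_hits_by_folder(log_text)
    if folder not in hits:
        return ""
    return exclusion_stanza(folder, hits[folder])


if __name__ == "__main__":
    print(build_exclusions(SAMPLE_LOG, "/mybb/admin"))
```

Review each candidate rule before pasting the stanza into the server (or .htaccess, where the host still allows overrides); the point is to keep every rule enabled except the ones the log proves are misfiring on the ACP URLs.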
The point is.. I SHOULD NOT HAVE TO DISABLE A SECURITY FEATURE ANYWHERE to get MyBB to work. I have spoken to my host about the configuration of Mod Security on their server and they have assured me it has been setup just fine.

Why would I expect them to change a setting to get one piece of software to work when EVERY OTHER piece of software works just fine with it enabled.

If you KNOW your software conflicts with such a popular security feature, why not be intelligent about it and fix it to work with it enabled instead of telling people they have bad hosts if their host won't disable the security feature. ASININE!!

This has been a complete joke and waste of time. Obviously if you haven't "changed versions" in a year's time (which by the way I said it was OVER a year. Not sure exactly on the time) what is the point of continuing on with 1.4. Start working on the next release which will have this fix. Common sense, really! Really pathetic that it hasn't been done already.

Oh and by the way, in the time since I haven't used MyBB, I've switched hosts twice and both times, I tried the software again. Same problem. Who woulda thought?