C5 and modsecurity
Permalink 1 user found helpful
Hi
We are installing a new site for a client under C5, using their existing server. The hosting guy is using modsecurity, a software firewall, to prevent sql injection.http://www.modsecurity.org
Therefore it's impossible to add any http:// to anything within C5, because modsecurity considers it as a hacking possibility.
They say we need to put C5 into a folder then they will make a policy allowing everything from this folder, however the new C5 will be located at root, for obvious SEM reasons, we don't want a redirection.
Does anyone has a feedback about a similar problem ?
We told the guy C5 was pretty much safe, he replied "there is no warranty that in a few month or years we will not discover a security hole in a CMS, and when it is discovered it will be too late and sites or servers will be hacked. How many times did we have to clean up servers because of such holes in CMS during the last 9 years, I can't even count, but in the last 2 years none, since we have used mod security.
The best solution is to have a folder for admin protected with login and pass, and this repertory will be authorized for mod security.
I see in the logs of mod security many attempts of php injection, even on sites that do not have php, only html, and logs keep on coming because robots are coming from sites to sites and test if they can do php injection.
I will not change this security policy, I prefer to lose one client who does not want to accept it, than lose the other 50 because they have been hacked.
Every good coder places his admin programs in a separate folder, all CMS do it, wether it is joomla, prestashop; magento or thelia..."
What do you think ? Any input about C5 security regarding sql injection ?
We are installing a new site for a client under C5, using their existing server. The hosting guy is using modsecurity, a software firewall, to prevent sql injection.http://www.modsecurity.org
Therefore it's impossible to add any http:// to anything within C5, because modsecurity considers it as a hacking possibility.
They say we need to put C5 into a folder then they will make a policy allowing everything from this folder, however the new C5 will be located at root, for obvious SEM reasons, we don't want a redirection.
Does anyone has a feedback about a similar problem ?
We told the guy C5 was pretty much safe, he replied "there is no warranty that in a few month or years we will not discover a security hole in a CMS, and when it is discovered it will be too late and sites or servers will be hacked. How many times did we have to clean up servers because of such holes in CMS during the last 9 years, I can't even count, but in the last 2 years none, since we have used mod security.
The best solution is to have a folder for admin protected with login and pass, and this repertory will be authorized for mod security.
I see in the logs of mod security many attempts of php injection, even on sites that do not have php, only html, and logs keep on coming because robots are coming from sites to sites and test if they can do php injection.
I will not change this security policy, I prefer to lose one client who does not want to accept it, than lose the other 50 because they have been hacked.
Every good coder places his admin programs in a separate folder, all CMS do it, wether it is joomla, prestashop; magento or thelia..."
What do you think ? Any input about C5 security regarding sql injection ?
Thanks Remo, that's perfectly clear. I think the guy will not hear it that way though...
probably not and installing suexec isn't something which is done in 5 minutes..
At the end, I doubt something will change anytime soon. It might be possible to modify concrete5 to work with mod_security, but I don't have time to do that.. It's boring work and takes a while and since I don't have that problem - let me be selfish (:
I might fix it if I have a big customer with the same problem... At the end it's sometimes about money /-:
At the end, I doubt something will change anytime soon. It might be possible to modify concrete5 to work with mod_security, but I don't have time to do that.. It's boring work and takes a while and since I don't have that problem - let me be selfish (:
I might fix it if I have a big customer with the same problem... At the end it's sometimes about money /-:
Sure thing. I guess we'll convince the client to change hosting... besides we haven't had any xss or similar exploit on C5 websites in one year, even those not upgraded :P
Just found this, my host is using mod_security and I had to put the 'mod_security off' code into every htaccess file
I don't really understand what it's all about, is there a way I can secure my sites after I have turned mod_security off?
Or do I understand this right that there is no need to since c5 uses bind variables, whatever these are?
Thanks a lot
I don't really understand what it's all about, is there a way I can secure my sites after I have turned mod_security off?
Or do I understand this right that there is no need to since c5 uses bind variables, whatever these are?
Thanks a lot
Having an admin zone in a separate folder might be a solution, but not for c5 and saying it has been badly designed is rubish. So is "all CMS do it". CodeIgniter, Concrete5 and lots of other framework use a single php script to redirect all calls, this has a lot of advantages.
As far as I've seen (there is a post about it in this forum) the only problem is the "%" character which isn't always encoded when c5 saves data.
If I were offering hostings (I did in the past) I'd simply use suexec, this way a hacked hosting customer doesn't affect other customers on the same server. This way you can have a single customer without mod_security and would never lose other customers due to hacking problems...
mod_security is nice but it's well known to cause tons of problems with all kinds of software and all hosters I've worked with disable it if it does...