View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0015379||phpList 3 application||Security||public||01-12-09 16:28||21-06-18 13:05|
|Target Version||next major|
|Summary||0015379: make phpList work well with Apache mod_security enabled|
|Description||When activating mod_security for Apache on the server running phplist, mod_security gets upset with a lot of things using the vanilla configuration for mod_security. Especially updating the "Footer of public pages" and running fckeditor is blocked. Is there a supported configuration of mod_security for phplist?|
|Tags||No tags attached.|
I've experimented a little with mod_security, and I think it's going to be impossible to try to work around the rules it has.
For example, if you save the config "unsubscribeurl" mod_security blocks it, because it encounters a URL and marks it as a "remote url inclusion" problem.
I think it may be possible to use mod_security for the frontend, but even then, if you have for example an attribute that says "your website" and you allow your users to enter the URL of their site, then it would block that.
But coding the phpList backend with mod_security will be virtually impossible. I think it is best to white list the backend URL and add IP restrictions to it, if you want to be secure.
mod-security can be switched off at a domain, script, or folder level using htaccess - SMF forums has that as part of their installation help files. I have it working like that on one of my hosting accounts - not had a single issue since implementing it.
I think Michiel is getting too eager to say "too difficult, won't fix" - I've seen hundreds of similar responses from him while trawling through Mantis tonight. Maybe you need to do a WordPress type event and schedule a "Bug Blitz" week roping in the user community to clear as many Mantis tickets as possible?
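The two suggestions above (exempting the backend URL while restricting it by IP, and relaxing mod_security per folder) can be combined in the virtual host configuration. This is an added example, not configuration from the thread or from the phpList project. It assumes ModSecurity 2.x, Apache 2.2 access-control syntax, the default phpList admin path `/lists/admin/`, and a constructed administrator network `192.0.2.0/24`.

```apache
# Added example: scope the ModSecurity exception to the phpList backend only.
# Assumptions: ModSecurity 2.x (module name security2_module), phpList
# installed under /lists/, admin network 192.0.2.0/24 (documentation range).

# The public pages (/lists/ subscribe and unsubscribe forms) keep the
# normal rule set, which is set globally elsewhere with: SecRuleEngine On

<Location "/lists/admin/">
    # Only the administrator network may reach the backend at all.
    # Apache 2.2 syntax; on Apache 2.4 use "Require ip 192.0.2.0/24" instead.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    <IfModule security2_module>
        # Stop blocking backend requests (config pages that contain URLs,
        # the HTML editor) but keep logging rule matches to the audit log,
        # so the specific rules that fire can be identified later.
        SecRuleEngine DetectionOnly
    </IfModule>
</Location>
```

With `DetectionOnly` the backend is no longer blocked, yet the audit log still records which rules matched, which gives a basis for narrowing the exception to individual rules instead of switching the engine off for the whole folder.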
I've set up mod-security on my local machine Ubuntu 12.10
Server version: Apache/2.2.22 (Ubuntu)
Server built: Mar 8 2013 15:53:07
Running the dev-trunk, and browsing around for a few minutes interestingly enough has not thrown any errors yet. So, I will keep it on, and see if I get any issues, which I can then resolve when they come along.