The MU forums have moved to WordPress.org

mod_security (13 posts)

  1. gnukerman
    Inactive
    Posted 17 years ago #

    Could you provide us the changes you have made that are now preventing WPMU from working properly in relation to mod_security?

    No editing, spamword updates, blacklist updates, theme editing....or any other editing can now be performed.

    ??

  2. donncha
    Key Master
    Posted 17 years ago #

    When did it last work with mod_security working? Does anything show up in the logfiles?

  3. gnukerman
    Inactive
    Posted 17 years ago #

    It works fine with the 2005-03-15 WPMU, but none of the latest ones. Any function that edits and/or adds data results in a 404, but no errors in the logs.

    My mod rules are updated as often as new ones are released, but I continually check making sure they aren't disallowing certain functions in WPMU.

    Very puzzling.

  4. gnukerman
    Inactive
    Posted 17 years ago #

    donncha. Wonder if you could email me with mod_security rules to check that will enable WPMU to work correctly without compromising server security.

    Seems there are several rules ms has in place that prevent WPMU working properly with its current coding on an FC1 server.

  5. gnukerman
    Inactive
    Posted 17 years ago #

    k

  6. donncha
    Key Master
    Posted 17 years ago #

    Unfortunately I've never used mod_security and I don't have the time to learn a new package right now. Can you experiment on a dev server and post some details here?

  7. gnukerman
    Inactive
    Posted 17 years ago #

    I can do that, and will keep you up-to-date, but not in the forums.

    Curious, though... With the whole project in mind, how can it be developed without server security in mind?

    Currently, the mod_security rules that need to be modified leave server(s)/client(s)/domain(s) open to possible hacks/access attempts and security problems.

    Some time ago, this issue came up (on the old forums) and we modified the security rules only to end up with successful hacks on several WPMU sites.

    We have no plans to modify our security apps and/or rules to further test WPMU on any production server, thus we will no longer provide WPMU to anyone until this issue is resolved.

  8. donncha
    Key Master
    Posted 17 years ago #

    Security is very important - that's why Smarty is operating in safe mode and why I took several options out of the backend.
    If you come across exploitable security holes (I'm sure they're there if you look hard enough!) then email me at the usual address, donncha @ linux.ie and I'll fix them!

  9. gnukerman
    Inactive
    Posted 17 years ago #

    No problem :at all: letting you know what exists.

    SMARTY doesn't cover it all, though.

    Our concern is having to "modify" security rules to allow WPMU to function properly on a normal install without modification of the current and/or updated rules.

    Our last two updates of rules rendered WPMU inaccessible or left us open to possible risks (with two actual accesses through WPMU sites).

    Yes, I'm anal when it comes to our server. Yes, I'm unwilling to change the mod:rules to allow WPMU to function properly.

    BUT, I'm a WPMU supporter and wish to promote, serve and protect WPMU to the end.

    There are particular calls that violate current and probably future mod rules that we hope can be addressed and worked into future WPMU releases.

    In addition we hope all OS can be worked in. We know, recognize and reward you and all of the development team and hope this is going to become the standard.

    Just hear us for a positive result and not as a criticism.

    We're here for you and the project.

  10. gnukerman
    Inactive
    Posted 17 years ago #

    Sorry, but we are discontinuing any further hosting of WPMU until server security for all OS becomes part of the development of this project.

    We offer our apologies, but cannot take time to modify and/or monitor security flaws in the project while protecting our interests.

  11. donncha
    Key Master
    Posted 17 years ago #

    Can you email me those rules and descriptions of problems at donncha @ linux.ie please? I don't have any experience with mod_security so your help will be invaluable!

  12. gnukerman
    Inactive
    Posted 17 years ago #

    Sorry for the absence lately. Been much too busy to visit and comment and/or respond.

    We are also sorry to say that the latest of the WPMU snaps are now even less Plesk/Fedora friendly than the versions we have previously questioned problems with.

    Don't misunderstand me please, but are you guys trying to re-invent the wheel?

    Between the problems with mod_security and Plesk it would seem we will never have the option of using WPMU again.

    waa :(

  13. donncha
    Key Master
    Posted 17 years ago #

    If you help and report the problems I can help fix them. I've never used Plesk. Can you give me a Plesk-enabled account somewhere where I can test WPMU?
