@peterhashair opened this Pull Request on September 26th 2021 Contributor

Description:

Fixes #3371

Add mod security check on the installation

  • curl a standard SQL-injection URL that is normally blocked by ModSecurity and returns 403, to detect whether ModSecurity is enabled; but it could also be blocked by another WAF.

Review

@peterhashair commented on September 26th 2021 Contributor

Please be aware this ModSecurity check only works with Apache, and only if hosting providers allow that action.

@peterhashair commented on September 29th 2021 Contributor

@sgiehl that doesn't always work. I tested on Plesk and cPanel, and it doesn't work there, but on a standard install it works. Maybe we should use curl to test specific ModSecurity URL rules that will cause Matomo tracking problems or potentially cause problems instead.

@sgiehl commented on September 30th 2021 Member

I actually don't know the problems that may occur when using mod_security, so I'm not sure what the best approach would be.

@peterhashair commented on October 5th 2021 Contributor

@tsteur any suggestion on that one? ModSecurity is deprecated by 2024. From my research, the common rule ModSecurity has is a SQL injection URL, but that could be blocked by a WAF as well. Not sure of the best approach to that one. 🤔

@tsteur commented on October 5th 2021 Member

@peterhashair I suggest we close the PR, and I could close the issue for now as a wontfix. We scheduled the issue thinking it was easy to do, but it turns out it's really complicated and we don't have a reliable way to check for it easily, so I would say it's not needed for now.

This Pull Request was closed on October 5th 2021