Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add mod security check on installation #18064

Closed
wants to merge 12 commits into from
Closed

add mod security check on installation #18064

wants to merge 12 commits into from

Conversation

peterhashair
Copy link
Contributor

@peterhashair peterhashair commented Sep 26, 2021
edited

Description:

Fixes #3371

Add mod security check on the installation

  • curl a standard SQL injection in URL that normally blocks by ModSecurity and return 403 to detected if ModSecurity is enabled, but it could block by other WAF.

Review

add mod security check
a189cee 
add mod security check
@peterhashair
Copy link
Contributor Author

peterhashair commented Sep 26, 2021
edited

Please be aware this mod security check only works with apache, and only hosting providers allow that action.

@peterhashair peterhashair linked an issue Sep 26, 2021 that may be closed by this pull request
New system check to warn that Piwik is not compatible with mod_security #3371
Closed
@peterhashair peterhashair added this to the 4.5.0 milestone Sep 27, 2021
@peterhashair peterhashair added Needs Review PRs that need a code review not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. labels Sep 27, 2021
@peterhashair peterhashair marked this pull request as ready for review September 27, 2021 00:42
@peterhashair peterhashair modified the milestones: 4.5.0, 4.6.0 Sep 27, 2021
Peter Zhang added 7 commits September 27, 2021 22:52
update lang and modsecruity check
08f9997 
update lanaguage and modsecruity
update translation and mod check to apache check
fa1d76b 
update translation and mod check to apache check
Merge branch '4.x-dev' into m-3371-mod-security-check
e0d0fdc
update screen shoot
91b782e 
update screen shoot
Merge branch '4.x-dev' into m-3371-mod-security-check
5a59d30
expected image looks wrong
f46a9af 
expected image looks wrong
Merge branch '4.x-dev' into m-3371-mod-security-check
68a596f 
# Conflicts:
#	plugins/Diagnostics/tests/UI/expected-screenshots/Diagnostics_page.png
sgiehl
sgiehl reviewed Sep 29, 2021
View reviewed changes
plugins/Diagnostics/Diagnostic/ModSecurityCheck.php Outdated
"<a href='https://matomo.org/faq/troubleshooting/faq_100/' target='_blank'>FAQ</a>");

// mod security is detected
if (function_exists('apache_get_modules') && in_array('mod_security', apache_get_modules())) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is anyone able to confirm that mod_security will appear in the apache modules when it's installed?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It won't when using php-fpm as then PHP has no direct "connection" to Apache. I can't say for another mode as I never used apache.

@peterhashair
Copy link
Contributor Author

@sgiehl that not always worked, I tested on Plesk and Cpanel, that doesn't work, but on standard install, it works. Maybe we should use curl to test specify ModSecurity URL rules that will cause Matomo tracking problems or penitently cause problems instead.

@sgiehl
Copy link
Member

sgiehl commented Sep 30, 2021

I actually don't know the problems that may occur when using mod_security so not sure what the best approach would be

Peter Zhang added 4 commits October 4, 2021 06:57
Merge branch '4.x-dev' into m-3371-mod-security-check
d05f48b
check mod security using curl
51bbf16 
use sql inject check mod security. mod security on should return 403
reset curl url
ce0b5a0 
reset curl url
Merge branch '4.x-dev' into m-3371-mod-security-check
804e562 
# Conflicts:
#	plugins/Diagnostics/config/config.php
#	plugins/Diagnostics/tests/UI/expected-screenshots/Diagnostics_page.png
#	plugins/Installation/tests/UI/expected-screenshots/Installation_system_check.png
@peterhashair
Copy link
Contributor Author

@tsteur any suggestion on that one, ModSecurity is deprecated by 2024. By research the common rule ModSecurity has is a SQL inject URL, but that could be blocked by WAF as well. Not sure the best approach to that one. 🤔

@tsteur
Copy link
Member

tsteur commented Oct 5, 2021

@peterhashair I suggest we close the PR and I could close the issue for now as a wontfix. We scheduled the issue thinking it was easy to do but turns out it's real complicated and we don't have a reliable way to check for it easily so I would say it's not needed for now.

@tsteur tsteur deleted the m-3371-mod-security-check branch October 5, 2021 04:47
@tsteur tsteur mentioned this pull request Oct 5, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sgiehl sgiehl sgiehl requested changes

@Findus23 Findus23 Findus23 left review comments

Assignees
No one assigned
Labels
Needs Review PRs that need a code review not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.
Projects
None yet
Milestone
4.6.0
Development

Successfully merging this pull request may close these issues.

New system check to warn that Piwik is not compatible with mod_security
4 participants
@peterhashair @sgiehl @tsteur @Findus23