xymox wrote: ↑
Sat Jul 28, 2018 11:37 pm
Maybe I am confuzed. The ModSeurity Core Ruleset project
that comes preinstalled with cpanel will always block the ACP because of the ../../adm/ reference ? This will always require a exclusion for the ACP to work on any CRS with the default rules that come with cpanel ?
Not in my case and I even double checked request header when logging into the ACP. Why this is occurring on your end I don't know.
Thats what I got from the description Paul ( Infrastructure Team Leader ) said ?
Paul's comments are only in relation to how phpBB works and your case.The discrepancy between your installation producing false positives and mine which doesn't illustrates the issues with trying to troubleshoot things likes this.
mod_security is widely used and if this was common issue you are having it would appear here more frequently, I'm going to suggest this is isolated issue somehow related to your setup. To reiterate this is not affecting me and it has to go through both Cloudflare's implementation of the OWASP ruleset and the default WHM/Cpanel install on my server.
mod_security w/OWASP is great tool but it is not something you simply install out of the box and expect to work everywhere. If you do a search you will find it flags a lot of things as false positives because it's impossible for them to account for how every web application works or what it does. The same thing applies to phpBB, it cannot account for every piece of security software, server configuration so on and so forth. This is not OWASP's fault and it's not phpBB's fault.
We can only offer guidance on how to fix your issue where these things are concerned. If you are going to run a VPS and manage it yourself it's your responsibility to tweak products like mod_security to fit your needs.