[Bb-trac] [bbPress] #1048: bbpress not compatible with mod_security
bbPress
bb-trac at lists.bbpress.org
Sun Feb 15 14:22:39 GMT 2009
#1048: bbpress not compatible with mod_security
----------------------------------+-----------------------------------------
Reporter: Arnoud ten Hoedt | Owner:
Type: enhancement | Status: new
Priority: low | Milestone:
Component: Installation/Upgrade | Version: 0.9.0.3
Severity: major | Keywords: mod_security
----------------------------------+-----------------------------------------
Hello,

Currently parts of the bbpress installation as well as some of the
dashboard management panels get blocked by mod_security.

Mod_security throws an error 500 internal server error, blocking all
scripts which have both GET request variables as well as URLs in the POST
data. (For example install.php?step=2 for WordPress integration, as well
as install.php?step=3 where you need to submit the forum URL).

For installation I overcame this by adding install_1.php, install_2.php,
install_3.php and install_4.php which set the _GET[step] and include the
main install.php. Then I did an ob_start/ob_get_clean/preg_replace to
translate all ?step=\d+ calls to the appropriate new script files.

In the bbpress dashboard I found a similar problem on the profile.php
page.

It would be easiest if ids and step & tab information would be removed
from the GET variables, and be added as hidden inputs. This would make a
big change for anybody using a more than zero security policy.

Kind regards
Arnoud

P.S. Actual version is 0.9.0.4, but this one is not available in Trac it
seems.
--
Ticket URL: <http://trac.bbpress.org/ticket/1048>
bbPress <http://bbpress.org/>
Innovative forum development
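
The per-step wrapper described in the ticket could look like the following. This is an added example, not the reporter's script and not bbPress code; it assumes install.php sits in the same directory, reads the step from `$_GET['step']`, and emits links and form actions of the form `install.php?step=N`. The helper name `rewrite_step_links` is hypothetical.

```php
<?php
// install_2.php: added illustration, not bbPress code and not the reporter's script.
// Assumptions: install.php lives in this directory, reads the step from
// $_GET['step'], and emits links/form actions of the form install.php?step=N.

$step = 2; // one wrapper file per step: install_1.php ... install_4.php

// Supply the value install.php expects without it appearing in the query string.
$_GET['step']     = (string) $step;
$_REQUEST['step'] = (string) $step;

/**
 * Rewrite "install.php?step=N" to "install_N.php" so the next request
 * also carries no GET variables. Extra parameters become the new query string.
 * (Hypothetical helper name.)
 */
function rewrite_step_links($html)
{
    // install.php?step=3&amp;foo=bar  ->  install_3.php?foo=bar
    $html = preg_replace('/install\.php\?step=(\d+)(?:&amp;|&)/', 'install_$1.php?', $html);
    // install.php?step=3  ->  install_3.php
    return preg_replace('/install\.php\?step=(\d+)/', 'install_$1.php', $html);
}

// Registering the rewrite as the output-buffer callback means it still runs
// when install.php ends the request with exit() or die().
ob_start('rewrite_step_links');
require dirname(__FILE__) . '/install.php';
ob_end_flush();
```

Redirects that install.php sends as `Location` headers are not part of the buffered output, so this wrapper does not rewrite them.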