Plugin Author
AITpro
(@aitpro)
Also see this WIP forum topic > https://forum.ait-pro.com/forums/topic/xampp-mod-security-setup-owasp-modsecurity-core-rule-set-setup/.
It appears that the best method to bypass Mod Security entirely is going to be openssl_encrypt encryption > https://www.php.net/manual/en/function.openssl-encrypt.php. This is still in the testing and development stage, but looks very promising so far.
Plugin Author
AITpro
(@aitpro)
Status Update:
Mod Security CRS Ruleset Proofing: Pure js Encryption|Decryption method created
Several Forms/Features in BPS and BPS Pro are being broken by the Mod Security CRS Ruleset installed on web hosts. In order to speed up the process of getting new BPS and BPS Pro versions released as quickly as possible, we are fixing the most critical broken forms/features first and will be releasing several BPS and BPS Pro version releases in stages until all BPS and BPS Pro Forms/Features are no longer being broken by the Mod Security CRS Ruleset installed on web hosts.
Completed:
Custom Code:
Root Custom Code: Mod Security CRS Proofed – Encryption|Decryption method completed
Wp-admin Custom Code: Mod Security CRS Proofed – Encryption|Decryption method completed
UAEG Custom Code (BPS Pro): Mod Security CRS Proofed – Encryption|Decryption method completed
Custom Code Export: Mod Security CRS Proofed – Encryption|Decryption method completed
Plugin Author
AITpro
(@aitpro)
Status Update: These BPS and BPS Pro Forms are now ModSecurity Proof.
Custom Code Page:
Root Custom Code Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Wp-admin Custom Code Form: ModSecurity CRS Proofed – Encryption|Decryption completed
UAEG Custom Code Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Custom Code Export Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Details: ModSecurity incorrectly sees legitimate htaccess code as malicious. BPS now uses encryption and decryption to evade/bypass ModSecurity entirely.
Security Modes Page:
Root Folder BulletProof Mode (RBM) Activate Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Root Folder BulletProof Mode (RBM) Deactivate Form: ModSecurity CRS Proofed – Encryption|Decryption completed
wp-admin Folder BulletProof Mode (WBM) Activate Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Plugin Firewall BulletProof Mode (PFW) Activate Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Uploads Anti-Exploit Guard BulletProof Mode (UAEG) Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Details: These Forms now decrypt encrypted htaccess code in the WP Database before processing file writing.
htaccess File Editor Page:
secure.htaccess Form: ModSecurity CRS Proofed – Encryption|Decryption completed
default.htaccess Form: ModSecurity CRS Proofed – Encryption|Decryption completed
wpadmin-secure.htaccess Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current Plugins htaccess File Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current Uploads htaccess File Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current Root htaccess File Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current wp-admin htaccess File Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Details: ModSecurity incorrectly sees legitimate htaccess code as malicious. BPS now uses encryption and decryption to evade/bypass ModSecurity entirely.
My Notes Page:
My Notes Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Details: ModSecurity incorrectly sees legitimate htaccess code as malicious. BPS now uses encryption and decryption to evade/bypass ModSecurity entirely.
Plugin Author
AITpro
(@aitpro)
BPS 3.6 has been released, which solves the most critical problems caused by OWASP ModSecurity CRS. A full list of completed and pending BPS issues can be found here > https://forum.ait-pro.com/forums/topic/xampp-mod-security-setup-owasp-modsecurity-core-rule-set-setup/#post-37778