Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: haptcom on July 08, 2014, 01:22:10 AM

Title: Issue with GoDaddy Mod Sec
Post by: haptcom on July 08, 2014, 01:22:10 AM
Hi,

New to the forums, but noticed many are having the same issue!

I called GoDaddy and was given the famous runaround that they can disable it due to it being on a shared Linux server.

BUT, I was able to find out what was causing it!!!!!

SMF is sending a shell exec and mod sec is blocking it!

Hope this info is helpful,

Kind Regards
Justin

Pennsylvania, US
Title: Re: Issue with GoDaddy Mod Sec
Post by: Sir Osis of Liver on July 08, 2014, 01:35:24 AM
Thanks for the info. I've passed it on to the devs.
Title: Re: Issue with GoDaddy Mod Sec
Post by: Kindred on July 08, 2014, 12:36:55 PM
Well, that makes things both better and worse.

Better because we now know what they are doing...
Worse because our use of shell_exec is completely compliant and permissible within the structure of a PHP script. So, what it actually means is that GoDaddy has poorly configured their mod_security (which we suspected to begin with).
Title: Re: Issue with GoDaddy Mod Sec
Post by: ARG01 on July 08, 2014, 02:30:29 PM
Quote from: Kindred on July 08, 2014, 12:36:55 PM

...So, what it actually means is that GoDaddy has poorly configured their mod_security (which we suspected to begin with)

This was my initial thought.
Title: Re: Issue with GoDaddy Mod Sec
Post by: Arantor on July 08, 2014, 03:01:22 PM
You guys know that mod_security is nothing whatsoever to do with shell_exec, right?

mod_security is a set of rules that are applied to an incoming request. Anything that mod_security gets het up about is because of the request - and absolutely nothing to do with what happens once it gets to PHP (because mod_security has done its job by then), so once it hits PHP, shell_exec or nslookup or whatever else is going to be done to get hostname lookups, it's nothing to do with mod_security.

The odds are they're tweaking other configuration when 'disabling mod_security'.
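
Where a host exposes the ModSecurity audit log, the point made in the post above can be checked directly. The following is an added example, not part of the thread and not SMF or GoDaddy code: it parses a constructed ModSecurity 2.x-style audit entry and reports which request variable and processing phase produced the denial. The rule id, pattern, file path, URL and the `cat_name` parameter are made-up placeholders.

```python
import re

# Constructed ModSecurity 2.x-style audit log entry (not taken from the thread).
# Rule id, pattern, paths and the cat_name parameter are placeholders.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[08/Jul/2014:01:20:00 +0000] CONSTRUCTED-ID 203.0.113.10 51234 192.0.2.20 80
--a1b2c3d4-B--
POST /forum/index.php HTTP/1.1
--a1b2c3d4-C--
cat_name=EXAMPLE
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "EXAMPLE_PATTERN" at ARGS:cat_name. [file "/path/to/placeholder.conf"] [line "1"] [id "999999"] [msg "Placeholder rule"]
--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
MESSAGE = re.compile(
    r'^Message: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)\. '
    r'.*? at (?P<variable>[A-Z_]+(?::[^\s.]+)?)\..*?\[id "(?P<id>\d+)"\]')

def summarise(sections):
    """Pull the request line (part B) and the deny messages (part H)."""
    denies = []
    for line in sections.get("H", []):
        m = MESSAGE.match(line)
        if m:
            phase = int(m["phase"])
            # Phases 1-2 inspect the request, before the content handler (PHP) runs.
            denies.append({"rule_id": m["id"], "status": int(m["code"]), "phase": phase,
                           "matched_on": m["variable"], "before_php": phase in (1, 2)})
    return {"request": next(iter(sections.get("B", [])), ""), "denies": denies}

def parse_audit_log(text):
    """Return one summary dict per audit-log transaction (parts A..Z)."""
    sections, current, results = {}, None, []
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if current:
                sections[current].append(line)
        elif m.group(2) == "Z":          # part Z closes the transaction
            results.append(summarise(sections))
            sections, current = {}, None
        else:
            current = m.group(2)
            sections[current] = []
    return results
```

A `matched_on` value such as `ARGS:...` with phase 1 or 2 means the request itself tripped the rule, so nothing PHP calls later (shell_exec included) was involved in the block.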
Title: Re: Issue with GoDaddy Mod Sec
Post by: haptcom on July 08, 2014, 03:56:47 PM
I was told that the server blocks all shell exec commands and that's why the add new category does not work.

Is there a way to get rid of shell exec completely?

(that is what they can gather from the logs.)
Title: Re: Issue with GoDaddy Mod Sec
Post by: Arantor on July 08, 2014, 03:58:40 PM
Nope.

shell_exec is run in a totally separate part of SMF and potentially runs on every page request to get the host name.

The add category is a mod_security issue, and shell_exec being removed will change nothing (as we have shown, time and time again)
Title: Re: Issue with GoDaddy Mod Sec
Post by: Kindred on July 08, 2014, 04:17:19 PM
ah - thanks Arantor...   I didn't actually know that.
(That's why I rely on experts to tell me things, when I don't know - so next time I do!)

Anyway...    guess we're back to the drawing board in terms of figuring out WTF GoDaddy has (mis)configured.  I really wish that they would just talk to us...
Title: Re: Issue with GoDaddy Mod Sec
Post by: Sir Osis of Liver on July 08, 2014, 04:31:55 PM
Has this problem been reported with any other host?
Title: Re: Issue with GoDaddy Mod Sec
Post by: Illori on July 08, 2014, 04:39:54 PM
Quote from: Krash on July 08, 2014, 04:31:55 PM
Has this problem been reported with any other host?


Many hosts that have mod_security misconfigured have this issue. Some do have issues with shell_exec but those generally seem to be fewer.
Title: Re: Issue with GoDaddy Mod Sec
Post by: Arantor on July 08, 2014, 04:40:45 PM
Quote from: Krash on July 08, 2014, 04:31:55 PM
Has this problem been reported with any other host?


This particular issue specifically with mod_security seems to be localised to GoDaddy. Of course, mod_security issues are common to various hosts.
Title: Re: Issue with GoDaddy Mod Sec
Post by: HDB on July 08, 2014, 09:40:37 PM
I am trying to learn something from this as I use GoDaddy as my hosting provider on a shared Linux server. 

So far from this discussion I get it that "mod_security" is preventing "add new category" from working. When would this be an issue? Do I need to worry? Do you guys have some links that I can read on the side to get a better understanding?

Thanks in advance.
Title: Re: Issue with GoDaddy Mod Sec
Post by: Kindred on July 08, 2014, 09:59:09 PM
Well, it would be an issue when you try to add a new category.....
Title: Re: Issue with GoDaddy Mod Sec
Post by: HDB on July 08, 2014, 11:05:08 PM
Quote from: Kindred on July 08, 2014, 09:59:09 PM
Well, it would be an issue when you try to add a new category.....
Are you referring to a new board index category. Like a sub forum or child board?
Title: Re: Issue with GoDaddy Mod Sec
Post by: Kindred on July 09, 2014, 07:18:11 AM
No.... when you try to add a new category. Exactly what I said. Not board, not child board. Category.