mod_security OFF | Forum

OW-Ghost
OW-Ghost Apr 4 '16
Hi

Why is mod_security set to OFF on Oxwall websites? My host is always warning me, and gives me a BIG warning not to set this to OFF, and that it is on my responsibility to set it to OFF.

I noticed recently that sensitive information from my website did not work with mod_security ON, and that rings a warning bell. Let me know what other people think about having this OFF. My host's crew tell me it is not safe to have it OFF, so why does Oxwall force people to have this off if it is not safe?

ross Team
ross Apr 4 '16
This is our server requirement, because some parts of the website don't work because of this module. You can keep it on, but in this case the support team of your hosting provider should configure it properly to work with our software.
OW-Ghost
OW-Ghost Apr 16 '16
I build my business on a platform that is not secure

http:///...-why-is-it-important

My host told me they cannot make it work with mod_security ON; it is the developer's work to make this work with ON, not their work.

It is no good that this setting is OFF, he told me.

When are you guys going to fix this so we can have a safe business?

ross Team
ross Apr 17 '16
This is our server requirement, you will need to find another hosting provider then. 
OW-Ghost
OW-Ghost Apr 18 '16
Nobody here takes this security problem seriously yet?... Waiting for people to back me up on this?... Or does everyone trust Oxwall that they will not have any access to your website? Maybe I am paranoid?... I give up this discussion, dead forum.



The Forum post is edited by OW-Ghost Apr 18 '16
dave Leader
dave Apr 18 '16
Oxwall is not the only software that requires mod_security off. Mod_security is not a "one size fits all" kind of deal; it can and does at times prevent valid form submissions as well as other valid processes from functioning properly.

Sometimes with mod_security on I have had to go in and edit it so that a script will work, but many times it is just easier to turn it off than to mess with it. Mod_security was written in an attempt to help with invalid submissions, but again it gets in the way of valid submissions many times if left at default values, and so it's better to just turn it off.

Writing rules for mod_security is not an easy task; it is not something that the normal user can or will learn to do, and so many times, rather than also have to support teaching people how to write rules, it's easier for the script to require it be turned off on the server. Many times it is for other reasons, of which there can be many, but not having mod_security does not mean that you are any more open to malicious attacks than anyone else. Mod_security on or off does not stop them if they really want what you have.

OW-Ghost
OW-Ghost Apr 18 '16
Dave, you talk only bad about mod_security, and when I read your post here it is almost like mod_security is not important software at all?

Why do many big host providers recommend having it ON, and why is it ON by default on many hosts I have used?

Is it just for fun that they say it is not good to have it OFF and that they do not recommend having it OFF?

I know it is hard work to change code in software, but I do not buy that reason as enough to have this security software off, because if Oxwall wanted to have good security then they would change the code, but that is not number 1 on their list.

I feel it is many hours spent on the code, and like always nobody wants to do that to help users get better security; that is not important.

I am 100% sure that valid submissions can work with mod_security if the code and script are written to fit this software.

"Writing rules for mod_security is not an easy task"

- What is easy? To post on this forum?

Everything can be fixed; it is just a matter of how interested you are in getting your software more secure for the users.

"not having mod_security does not mean that you are any more open to malicious attacks than anyone else. Mod_security on or off does not stop them if they really want what you have. "

- If you think like that, you never need anything for protecting you from hackers, or your own software from developers' access to it. You can open your business with wide-open doors 24 hours and not worry about anything. I feel that last comment was not a smart comment, and sorry about that, but if you think like that, why have any security at all? Just destroy all your passwords, you do not need them, and everything that has to do with security, firewalls, and the list can be long... you do not need them if you listen to Dave here... so why do we use them?

My opinion is that when it comes to security nothing should be ignored and everything should be taken seriously.


The Forum post is edited by OW-Ghost Apr 18 '16
dave Leader
dave Apr 18 '16
Marcus, my comment was made because you seem to believe (and I'm speculating here again) that mod_security alone will save you; it won't. I am not talking bad about mod_security, I just said it is not a one-size-fits-all deal. Large companies and large hosting companies may have it with different default settings than some others do; again, every host and every company is different.

One of the things that mod_security does is help to prevent SQL injection, but this can be done just as effectively with properly written code, such as escaping before saving to the database. Mod_security is a good tool, however it is high maintenance in many cases and you can get just as good a security without it, if you code your script properly.

Over the years, this panic over SQL injection and basic hacking has caused people to think of mod_security as a save-all, "omg I have to have it" to be safe. This is not true, and the feature is way overrated for its actual application.

That is not to say that if you are a systems admin and a mod_security guru that you can have a tighter site, sure anything is possible, but the hours and days spent writing rule after rule after rule and making sure they work properly is simply not worth most people's time unless you're running a site such as a bank or intelligence or some other high security company in which are sold on the mod_security idea.

Most software companies code for the majority; if the majority is high tech and high security then they code appropriately. However, if the majority is just the basic user on a basic shared or dedicated server then you really don't need all that, it's overkill for what you are doing.

You should be confident that the script is written in such a way that adding mod_security offers very little if any extra benefit for the type of business you are doing. If that was the case then Oxwall sites around the world would have hacking issues out the wazoo. But they don't, and that is because mod_security is optional; it is not a primary solution, it is just a tool you can use if you need to or require it. But for Oxwall and many other software titles out there, it is not necessary.



The Forum post is edited by dave Apr 18 '16
OW-Ghost
OW-Ghost Apr 18 '16
""Mod_security is a good tool however it is high maintenance in many cases and you can get just as good a security without it, if your code your script properly.""


- Is this my work to do? Is this not Oxwall's work to do?

""is simply not worth most peoples time unless your running a site such as a bank or intelligence or some other high security company in which are sold on the mod_security idea.""

- Is security not worth it on a dating site with 100 000 members that use their credit cards daily and make their personal information available? Is that not worth this security protection? Plus all the money and all the time you are spending on building up your business? Only banks need to have it? lol, I do not think so at all.

"" for Oxwall and many other software titles out there, it is not necessary. ""

- Agree fully, they do not want to have this security on their software; if they wanted it, they would have it.

You need to see it from the developers' side here. It is hard work for them to use this, and they would get limited access to data on websites, and all plugins would be checked for invalid submissions that could put your site in the hands of another developer without you knowing it. What you have to do now is fully trust Oxwall 100%, because there is no software that sees invalid submissions right now on your website. You need to fix that security yourself; they do not want it because it is too much work or they do not want to stop having access to sites. You can judge for yourself which one of these options, or both.

I would like to know how many invalid submissions I have on my website. The problem is that only they who make the software know this, and they who make the plugins, if you do not have security_mode ON and have a software that supports it.

One more thing: it must be easy to make a plugin that makes invalid submissions and gets control of an Oxwall website totally. Very good security, with nothing to check this.

The Forum post is edited by OW-Ghost Apr 18 '16
dave Leader
dave Apr 18 '16
That is why you use SSL for more web security when people process data. Plus, if you are actually taking and saving people's credit card information on your own, then that is your fault and your obligation.

Almost everyone nowadays uses some kind of third-party processor to process card payments to relieve them of the huge responsibility of PCI compliance. So if you are not simply using Paypal or some other third-party processor, of which there are many, then you are leaving yourself open to a huge vulnerability and you don't need to do that. It is not worth it to ever keep anyone's CC info yourself. I don't even see any reason that you would ever need to keep any kind of street address or location on the user either, or any other identifiable data. Again, if you are, then yes, you probably need to be using a different kind of software for that data, such as a CRM software on a dedicated secured server.

I understand your concern, but mod_security has been required off since as far back as I can remember with Oxwall, and you are not going to change that fact. It is a requirement of the software, and bottom line is if you are not happy or cannot accept that, Marcus sir, then you're welcome to try a different software that meets your needs and allows mod_security. That is just the way it is sir, and you or I are not going to change that.


Dave 

The Forum post is edited by dave Apr 18 '16
OW-Ghost
OW-Ghost Apr 19 '16

What about third-party developers that can make plugins with invalid submissions?

You just jumped over that totally and wanted no answer on that at all. That means you are only scared some security leak can come out here about that matter: how easy it is to implement code now that has invalid submissions in a plugin here at Oxwall, and your website can be in the hands of another developer without you knowing it. This is why there is mod_security and this is why you do not want to have it.

"you are not going to change that"

With your strange attitude to changing things for the better at Oxwall, nothing will be changed... We need more people that want to change things for the better, not people like you that do not want to change things for 10 years. What software would you have if you did not want to change things for the better in 10 years? loool, I do not want to think about it... We must be in the lead with everything, and that includes security too.

Security and SEO are most important for us and the people that use this software, but not for you guys who sell it. I know that; that's why you are defending it, because you will still sell software with low security and SEO that is no good, and you do not care because it is not on your shoulders to fix that after someone buys the software. And when I say buy the software, I mean all the plugins you really need to have a good Oxwall website.



The Forum post is edited by OW-Ghost Apr 19 '16
ross Team
ross Apr 19 '16
Marcus, this is our server requirement to make the software work properly. 

Since this is open source software, you're free to change this on your own on your website.

Besides, there's no need to disable it completely, you can contact your provider and request to configure it properly. 

The Forum post is edited by ross Apr 19 '16
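
One way to act on the advice to keep mod_security on and have it configured for the site, as an added example that is not part of the original thread or Oxwall's own code: with the engine in `SecRuleEngine DetectionOnly`, this script groups logged rule hits by rule ID and URI and renders a path-scoped `SecRuleRemoveById` stub for hits confirmed as false positives. The log lines, rule IDs and paths are constructed placeholders, and the log layout assumes ModSecurity 2.x writing to the Apache error log.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log style.
# Rule IDs (999001, 999002), paths and addresses are placeholders.
SAMPLE_LOG = """\
[Mon Apr 18 10:12:01 2016] [:error] [pid 1234] [client 203.0.113.5] ModSecurity: Warning. Pattern match at ARGS:text. [file "/etc/modsecurity/example.conf"] [line "77"] [id "999001"] [msg "Constructed rule A"] [hostname "example.org"] [uri "/example/newsfeed/post"] [unique_id "c1"]
[Mon Apr 18 10:12:09 2016] [:error] [pid 1234] [client 203.0.113.9] ModSecurity: Warning. Pattern match at ARGS:text. [file "/etc/modsecurity/example.conf"] [line "77"] [id "999001"] [msg "Constructed rule A"] [hostname "example.org"] [uri "/example/newsfeed/post"] [unique_id "c2"]
[Mon Apr 18 10:13:40 2016] [:error] [pid 1240] [client 203.0.113.5] ModSecurity: Warning. Pattern match at ARGS:about. [file "/etc/modsecurity/example.conf"] [line "91"] [id "999002"] [msg "Constructed rule B"] [hostname "example.org"] [uri "/example/profile/edit"] [unique_id "c3"]
[Mon Apr 18 10:14:02 2016] [:error] [pid 1240] [client 203.0.113.7] ModSecurity: Warning. Pattern match at ARGS:text. [file "/etc/modsecurity/example.conf"] [line "77"] [id "999001"] [msg "Constructed rule A"] [hostname "example.org"] [uri "/example/newsfeed/post"] [unique_id "c4"]
[Mon Apr 18 10:15:00 2016] [core:notice] [pid 1200] AH00094: Command line: '/usr/sbin/apache2'
"""

# Matches the [key "value"] pairs ModSecurity appends to each message.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_hits(log_text):
    """Return one dict of [key "value"] fields per ModSecurity log line."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # unrelated Apache message
        fields = dict(FIELD.findall(line))
        if "id" in fields and "uri" in fields:
            hits.append(fields)
    return hits


def summarize(hits):
    """Return (rule_id, uri, count) tuples, most frequent first."""
    counts = Counter((h["id"], h["uri"]) for h in hits)
    rows = [(rule_id, uri, n) for (rule_id, uri), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def exclusion_stub(rule_id, uri):
    """Render a path-scoped exclusion for one reviewed false positive."""
    return (
        f'<LocationMatch "^{re.escape(uri)}$">\n'
        f"    SecRuleRemoveById {rule_id}\n"
        f"</LocationMatch>"
    )


if __name__ == "__main__":
    for rule_id, uri, n in summarize(parse_hits(SAMPLE_LOG)):
        print(f"{n:3d} hits  rule {rule_id}  {uri}")
        print(exclusion_stub(rule_id, uri))
```

A hit in the summary is not automatically a false positive; each rule and path pair should be reviewed before an exclusion is added and the engine is switched back to `On`.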
OW-Ghost
OW-Ghost Apr 19 '16
I take your answer to mean that it is totally free for developers to implement invalid submissions in third-party plugins at the Oxwall store. The site owners have no control over this with mod_security off and software that does not support mod_security. And you put all the responsibility on others rather than try to fix them.

Just imagine how easy it must be to make a third-party plugin that has invalid submissions to take control of your Oxwall website.




dave Leader
dave Apr 19 '16
Marcus,  


+1 what ross stated, you can keep it on but just configure it so that it works with your installation.

Also I know that you are upset and I am sorry for that. However, personal attacks and verbal abuse get us nowhere. Your accusations are unfounded and baseless. I will personally stack my code up against any programmer's for security, quality and professionalism.

The fact that I have plugins myself does not mean that I defend anything, as I make very very little off of anything I sell; on a good month I "might" sell 1 plugin and usually a $6 one. I offer the plugins because they are needed and I ask very little financial reward for that other than to just help pay for my time. Everyone here knows, and I have proven it in the past, that if I feel something is wrong and unacceptable I speak up and speak my mind, but this is not one of those cases with regard to mod_security, as it is just fine to run without it.

What I stated was not biased in any way toward either side of this challenge. I only stated facts, and those facts still remain: you can either accept that mod_security off is required by the software, or you can keep it on and configure it to work properly, or you can use a different software that meets your needs. Those facts do not change just because you happen to be upset and wish to lash out.

Again I am sorry you are upset and also sorry for my tone, but you should not lash out and accuse people of such things just because you are upset. The only attitude that needs to be changed is yours sir. You were aware of the mod_security requirement when you installed the software; if you were not, then you did not read the requirements and that is not anyone's fault but yours sir. You can throw a hissy fit all you want but those are the facts sir.

If you want to continue to talk facts then we can do that and keep it professional, and I will be happy to continue our conversation. However, if you continue your baseless and unprofessional accusations then we can always lock this post and call the conversation over. That choice is up to you sir. I look forward to discussing this in a professional manner with you and I hope you will comply. However, I am not sure what else can be said here as we have addressed the issue with you fully.


Dave

 

The Forum post is edited by dave Apr 19 '16
OW-Ghost
OW-Ghost Apr 19 '16
""Those facts do not change just because you happen to be upset and wish to lash out.  ""


I am waiting for others to back me up here who are not developers and can see there is a problem: third-party developers can make plugins with invalid submissions, which means they can access your website totally if they want.

Right now there is nothing that can check if there are invalid submissions in the software or the plugins with mod_security off.

No host provider wants to dig inside software that they did not build to make it work, and I can totally understand that.

They have not made the software, so why should they start changing the original software that other websites use, just to pass security gaps to fit Oxwall software? It would not be fair, and probably if they did that the safety would be gone.

I am sorry you are treating these invalid submissions, which can be in the software or in the plugins that third-party developers make, with total ignorance, and do not want to have full protection against that if it happens, like you do not care at all and want to continue having software like that.

I know you are upset because you make the code here and think everyone should trust you, and that we should trust all other third-party developers too, that they do not make invalid submissions in their plugins. But in reality you need to ask yourself how many people can you trust on the internet that you never see or know or even speak with. There is a security gap here that I noticed, and I do not try to darken it and defend it, because it is, like I said, easy for third-party developers to implement code that makes invalid submissions, because there is nothing that can check it now that the tool is set to OFF.

Accusations, where do you see them? I am just telling what can happen, and that is what all security is about: what can happen and what we want to be protected from. I am sorry you feel that is an accusation; that shows you are very well aware of the problem and take it as if I am accusing you for bringing this up here at Oxwall.

I do not want to darken invalid submissions that can happen with no tools to protect yourself from them.

But if you want to continue darkening this security hole, which I feel it is, then do it; I can continue for a long time to defend this subject. I feel I do nothing wrong in bringing this up here. You are just trying now to say I am accusing you. To be aware of what can happen is not accusing anyone; it is for protecting yourself from things that can happen, and bringing it up to the surface and not darkening it.

I saw another post where someone brought this up, but it was ignored totally... nobody answered him... strange behavior, but I have seen many strange things here in my soon 2 years, so I am not surprised he was ignored.

Sorry for my bad English. I hope people can read this and understand the concerns about how easy it is for a developer to implement code that CAN have invalid submissions. When I say CAN, I am not accusing anyone. Only the developer knows what is a valid and not valid submission in their software. You are totally in the hands of those who make the plugins. You need to trust them 100%, all the developers. I feel that is not 2016, that is 1995.

I will take a break from this subject and let other people post here about it, because I feel that as a lone customer my voice would not be heard very much against this team of developers here.

I can continue posting here forever, but it is useless; alone you are nothing. It is the same with the SEO I read about here: alone nothing happens, but if there are many complaints things maybe change, if you are lucky, after 5 years or something like that. At least this post maybe will come up again then :)

Thanks for letting me speak my opinion out here about a security hole that concerns me very much and that the team tries to darken as not important.


Marcus


The Forum post is edited by OW-Ghost Apr 19 '16
dave Leader
dave Apr 19 '16
Marcus, 


Security is important to us all. I am not aware of any developer, good or bad, either in my personal dealings (and I have known some horrible ones) or with Oxwall, that would ever put code into a plugin that would or could access your site without permission. First, their career would be over once the word spread of that; second, Oxwall would never tolerate that action and would immediately shut down their account; thirdly, I don't believe there is anything you have or most sites have that is worth that kind of betrayal, certainly not on this level. They are not going to expose themselves just to get an unauthorized peek into your members list; that kind of thinking falls under being paranoid.

Also you would not need mod_security to catch them doing so "if" anyone did that. But there is a true and fast rule about the web that is taught in "web 101" class, and the rule is simple and applies to everyone. It goes like this: "If you don't want something that you have all over the web, then don't put it on the web".

I will not say that you are worried over nothing, simply because in the real world anything is possible, but I will say that you are way "over worried" about this. You seem to think that you have this golden pond of information that every spy wants; it is simply not true for sites like this. Criminals are going to go after big fish only, and they will go after what they can get immediate cash for and not have to spend time finding a buyer. If you feel that someone has or will hack into your server then there are plenty of things you can do without mod_security in order to catch them; your host can help you with that.

Number one rule of any social site is this: "never ever share personal information which can identify you or your location". And this has been the staple for social sites around the world for as long as I can remember. So if you are not telling your members this, then it is you who are not doing what you need to do to keep members safe; this has nothing to do with mod_security or any other feature or plugin.

Again you are considering mod_security as the mother of all Apache plugins and it is not, and far from it; it is just a simple tool that you can use or not use at your discretion.


I hope this helps.  

Dave


ps.. I am a volunteer on the Oxwall forums here. I hold no loyalty except what is earned, and I get no royalty for that or anything as a volunteer. I am only loyal to Oxwall because I have used other software and I know what Oxwall offers and what it can do, not what it can't. There are issues with every software on the market, you can't find one without an issue, and no company is perfect. But until I know for a fact and have proof, as you lead to, that Oxwall no longer cares and is giving us junk, then I will defend them. Because I do not base my decisions here on anything but fact.

The Forum post is edited by dave Apr 19 '16