
Q2A fails posting question/answers/comments with Apache2 ModSecurity rule 930110 active  #957

@asterbini


Hi, I have installed Q2A on Ubuntu 22.04 with PHP 8.1, Apache2 and ModSecurity.

When I post a question/answer/comment the rule number 930110 in file /usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf detects the presence of the string "../" in the qa_root argument and blocks the submission because it is similar to a path traversal attack.

I have deactivated this rule in my virtual site and things work, but I would prefer to have the site protected.

From a cursory analysis, it seems that the qa_root parameter is computed by qa-include/qa-index.php at line 163, where a relative path is built by repeating the string "../" in some cases.
Would Q2A work fine if this code is rewritten avoiding the generation of relative paths? Are they necessary somewhere?

Thanks
A
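The trade-off described in the post (turning rule 930110 off for the whole virtual host versus keeping the site protected) can be narrowed with a ModSecurity target exclusion. The fragment below is an added example, not part of the original post or of Q2A; the placement inside the virtual host, the `SecRuleRemoveById` line standing in for the poster's current setup, and rule ID 1000 are assumptions.

```apache
# Added example. Assumed to sit in the Q2A virtual host, with the CRS
# rule files already loaded at server level.
<IfModule security2_module>
    # Broad (assumed form of the workaround in the post): removes rule
    # 930110 entirely, so "../" is no longer checked in anything the
    # rule inspects for this site.
    # SecRuleRemoveById 930110

    # Narrower, option 1: keep 930110 active and drop only the qa_root
    # argument from its targets. This directive must be read after the
    # CRS rule that defines 930110.
    SecRuleUpdateTargetById 930110 "!ARGS:qa_root"

    # Narrower, option 2 (use instead of option 1): the same exclusion
    # applied per request and limited to POST. It runs in phase 1, before
    # request-body arguments are inspected. 1000 is a placeholder for an
    # unused local rule ID.
    # SecRule REQUEST_METHOD "@streq POST" \
    #     "id:1000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=930110;ARGS:qa_root"
</IfModule>
```

With either option, every other argument is still checked for "../", but qa_root itself is no longer covered by 930110. Whether that is acceptable depends on how Q2A uses the value server-side, which is the question the post leaves open.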
