How Safe Are you From SQL Injection Without Mod Security on Xenforo 2?

Brad Padgett

I need an expert answer on this. Mod Security has been blocking legitimate traffic and even blocking Google for around 6 months. I have to either find a way to tune the OWASP rule set or get rid of it completely.

I installed it because I thought it would protect me from SQL Injections. Currently I'm using Virtualmin/Webmin which doesn't have it pre-installed.

Also what are the benefits of having mod security without a ruleset entirely? Would that be an option?

A lot of people are getting error pages and Google has seen an error on the site for 6 months. All my hard work is going down the drain.

Should I completely uninstall it? Could my site be SQL injected if I do? I use the Cloudflare Free Plan. Would that protect it instead?
 
I'll give you my list of disabled OWASP rules, it may help. This list has allowed me to run the latest versions of both WordPress and XenForo without any noticeable issue with site operations or with Google Search/Ranking. The last issue I found was nearly a year ago.

OWASP Mod Security Rules Disabled (Core Rule Set v3.0)

941160, 949110, 980130 – WordPress would not allow page edits (2019-01-02)
340162, 340163 – Unable to upload or save resources (2019-01-02)
332039 – Blocking Google IPs from getting robots.txt file (2019-01-02)
300014, 300015, 300016 - triggered when adding new resources to download
300006 - triggered when URL has ".../"; returns a 500 server error which logs in Google Search Console; turn off rule and URL gives 404 error as it should (2019-08-11)

Unknown – rules I had disabled prior to documenting reason it was required
300079
340149
340159
340157
340162
340163
340362
933100
933150

I'd be interested to see if you've come across any others.
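Added example (not part of the original post, and not ModSecurity or CRS project code): one way to build a list like the one above from your own logs is to tally which rule IDs fire on which URIs and from how many distinct clients, then scope each exclusion to the affected path. The log lines are constructed in the ModSecurity 2.x Apache error-log layout with the timestamp prefix trimmed; the function names and the `min_clients` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (ModSecurity 2.x / Apache error-log layout).
SAMPLE_LOG = '''\
[client 192.0.2.10:5000] ModSecurity: Access denied with code 403 (phase 1). [id "332039"] [msg "constructed"] [uri "/robots.txt"] [unique_id "a1"]
[client 192.0.2.11:5001] ModSecurity: Access denied with code 403 (phase 1). [id "332039"] [msg "constructed"] [uri "/robots.txt"] [unique_id "a2"]
[client 198.51.100.7:6000] ModSecurity: Warning. Pattern match at ARGS:message. [id "941160"] [msg "constructed"] [uri "/index.php"] [unique_id "b1"]
[client 198.51.100.7:6000] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "constructed"] [uri "/index.php"] [unique_id "b1"]
[client 203.0.113.5:7000] ModSecurity: Warning. Pattern match at ARGS:message. [id "941160"] [msg "constructed"] [uri "/index.php"] [unique_id "c1"]
[client 203.0.113.5:7000] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "constructed"] [uri "/index.php"] [unique_id "c1"]
[client 203.0.113.9:7100] ModSecurity: Warning. Pattern match at ARGS:q. [id "933100"] [msg "constructed"] [uri "/search"] [unique_id "d1"]
'''

LINE = re.compile(r'\[client (?P<ip>\d+(?:\.\d+){3})(?::\d+)?\].*?'
                  r'\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]')
# CRS 3 blocking-evaluation rule: it fires because other rules scored.
BLOCKING_EVAL = {"949110"}

def tally(log_text):
    """Map (rule id, uri) -> set of distinct client IPs that triggered it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and "ModSecurity:" in line and m["id"] not in BLOCKING_EVAL:
            hits[(m["id"], m["uri"])].add(m["ip"])
    return hits

def candidates(hits, min_clients=2):
    """Rule/URI pairs hit by several distinct clients: review these first.
    The threshold is a heuristic, not proof of a false positive."""
    return sorted(k for k, ips in hits.items() if len(ips) >= min_clients)

def scoped_exclusion(rule_id, uri):
    """Apache config that removes one rule for one exact path only."""
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f'    SecRuleRemoveById {rule_id}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    for rule_id, uri in candidates(tally(SAMPLE_LOG)):
        print(scoped_exclusion(rule_id, uri))
```

In CRS 3 anomaly-scoring mode, 949110 is the rule that issues the block once the request's score crosses the threshold, so a hit on it points at the scoring rules logged for the same request rather than being a false positive of its own. Running with `SecRuleEngine DetectionOnly` while collecting these logs lets the tally build up without blocking visitors or crawlers.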
 
Cloudflare won't help on the free plan. The $20/mo Pro plan does include a WAF: https://www.cloudflare.com/plans/ - I run my site behind the Cloudflare WAF and haven't had an issue with false positives, but you can turn on/off specific rules depending.

SQL injection specifically seems very unlikely with XenForo. Obviously add-ons could open up other issues. And there are other exploits beyond SQL injections, and there have been small security updates over time patching up those smaller ones.

Since you have Mod Security already installed, it seems just removing the false positive rules would be better than just turning it all off.

arn
 
XenForo 2 is pretty robust against SQL injections due to most queries being generated through the Entity & Finder system which ensures that values are properly escaped; this is a significant advancement over XenForo 1.5.

Though you have to keep in mind that this only holds true if all Add-ons follow the resource standard rules (especially # 6).
If they don't do that and execute arbitrary queries ... nobody knows what could happen.
 
We have completely deactivated Mod_security after 3 months of use. Our users reported problems all the time and even a long list of problematic rules causing errors did not improve but only caused new problems.
 
Yeah, I also use Cloudflare with paid plans. Their WAF is handy and can be customised for your web apps, and it just got faster too: https://blog.cloudflare.com/making-the-waf-40-faster/


Besides the OWASP ruleset, Cloudflare also has its own curated ruleset from real-world experience from 27+ million sites behind Cloudflare.


Also, on the higher paid Cloudflare Enterprise plan, you can get Cloudflare to write you custom WAF rules for your specific use cases.

 
I really appreciate everyone's response, from the first answer which could help me tune it all the way to @Slavik's response which has surprised me quite a bit. I'm a bit nitpicky and would have a hard time believing it wouldn't somehow prevent something from happening. I'm so tempted to just delete it but I want the best for my site and I was thinking of trying to tune it first.

I will see what the tuning does for me and if that doesn't do the trick then I will just delete it. I was not aware XenForo 2 couldn't be SQL injected even if it didn't have Mod Security. I suppose @Slavik by that you mean it would have to be an add-on that would make the difference. The first answer appeared very educated. Will give it a try soon and if I still have problems then just delete it. Thank you all.
 
hard time believing it wouldn't somehow prevent something from happening

If you are in an environment with others that can upload otherwise unknown code (shared hosting) then it can be a stop-gap measure. But many people rely on it as an excuse to use poor and insecure coding practices. Likewise the WAF rules are only as good as the person implementing them.

Obviously the XenForo devs code to exceptional standards as can be seen by the very limited number of security issues encountered over all of XF1 and XF2. Security concerns are handed to senior devs within minutes of them being picked up and usually looked at immediately.

So the personal balance is down to you to strike, but on a personal VPS or otherwise self-contained hosting solution, with just XenForo, I wouldn't bother with one.
 
Yes, I am on a VPS with 8 GB of RAM. I will go ahead and delete it. I can tell from your experienced reply that it's unlikely it will happen to me. I was hoping the Cloudflare free plan would provide at least something to fall back on as far as security would go to prevent an injection, though I'm not entirely sure if it would.

While @TickTackk said it's not impossible, from the way the responses are sounding I am starting to think it would be very unlikely unless someone went towards extreme measures and put a lot of work into it. That is actually why I've decided to delete it. I'm actually just going to disable it and see if it fixes my issue with Google.

I'll be clear about the main reason I asked the question at hand. It's because Google has had up to 5 bots on viewing an "unknown page" with an error in members online but this has been ongoing for almost 7 months non stop. I used to think it was because I took my site down for 1 year and then put it back up but all the links are the same and I don't see any reason why this would happen for 7 months straight. I thought @bzcomputers helped fix it but it's still happening.

@Slavik you'd be a champ if you had any idea why this was happening. It's not CSF firewall as I've already checked. Bots come online without the error but the majority of search engines have been showing errors. Bing included. I'm positive it's not any broken links. I checked webmaster tools and it's showing no errors at all. Strangely I thought Google webmaster tools would provide insight however that is not the case. Everything looks fine from that end.
 
I don't know if this helps, but I run WordPress for the front end with WordFence installed. XF is in a subdirectory and I get blocked notices of SQL injection attempts regularly on the XF installation through WordFence.
I doubt they would have been successful, but thought it was interesting.
 