q2a / question2answer

Question2Answer is a free and open source platform for Q&A sites, running on PHP/MySQL.
http://www.question2answer.org/
GNU General Public License v3.0

Q2A fails posting question/answers/comments with Apache2 ModSecurity rule 930110 active #957

Open asterbini opened 1 year ago

asterbini commented 1 year ago

Hi, I have installed Q2A on Ubuntu 22.04 with PHP 8.1, Apache2 and ModSecurity.

When I post a question/answer/comment, rule number 930110 in the file /usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf detects the presence of the string "../" in the qa_root argument and blocks the submission because it looks like a path traversal attack.

I have deactivated this rule in my virtual site and things work, but I would prefer to have the site protected.

From a cursory analysis, it seems that the qa_root parameter is computed by qa-include/qa-index.php at line 163, where a relative path is built by repeating the string "../" in some cases. Would Q2A work fine if this code is rewritten avoiding the generation of relative paths? Are they necessary somewhere?

Thanks A

svivian commented 1 year ago

I think it's complicated due to the fact that Q2A can be in a subfolder, so we'd need to detect and add that to the path, e.g. /qa/path instead of ../path.

In theory we may not need to send the qa_root at all in AJAX requests and be able to figure it out automatically, but again it's a bit complicated.
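As an added example (not Q2A's own code, and not taken from qa-index.php), the PHP below shows the approach svivian describes: derive the installation's subfolder from the executing script's path and emit a root-relative prefix such as `/qa/` rather than a `../`-repeating prefix. The function names `install_url_prefix` and `request_depth` are hypothetical, and the request path is a constructed sample; the "legacy" computation only mimics the repeat-`../` idea described above, not the actual code at line 163.

```php
<?php
declare(strict_types=1);

// Added example, not Q2A code: build a root-relative URL prefix for the
// installation instead of a "../"-based one, so the value sent back to the
// server as qa_root never contains a ".." segment.

/**
 * Return the URL path prefix of the installation, always starting and ending
 * with "/" and never containing "." or ".." segments.
 *
 * @param string $scriptName A value like $_SERVER['SCRIPT_NAME'], e.g. "/qa/index.php".
 */
function install_url_prefix(string $scriptName): string
{
    $dir = str_replace('\\', '/', dirname($scriptName));   // "/qa", "/" or "."
    // Filter out empty, "." and ".." segments rather than letting them reach the client.
    $parts = array_values(array_filter(
        explode('/', $dir),
        fn(string $p): bool => $p !== '' && $p !== '.' && $p !== '..'
    ));
    return '/' . implode('/', $parts) . (count($parts) > 0 ? '/' : '');
}

/**
 * Number of directory levels a request path sits below the installation prefix.
 * This is the quantity a relative ("../" repeated) scheme would have to encode.
 */
function request_depth(string $prefix, string $requestPath): int
{
    if (strncmp($requestPath, $prefix, strlen($prefix)) !== 0) {
        return 0;                                           // request is not under the install
    }
    $rest = substr($requestPath, strlen($prefix));          // e.g. "questions/123/example-title"
    $segments = array_filter(explode('/', $rest), fn(string $s): bool => $s !== '');
    return max(count($segments) - 1, 0);                    // directories above the leaf
}

// Constructed sample request: a question page two levels below a "/qa/" install.
$scriptName  = '/qa/index.php';
$requestPath = '/qa/questions/123/example-title';

$prefix = install_url_prefix($scriptName);                  // "/qa/"
$legacy = str_repeat('../', request_depth($prefix, $requestPath));   // "../../"

printf("relative prefix:      %-8s contains '../': %s\n", $legacy, str_contains($legacy, '../') ? 'yes' : 'no');
printf("root-relative prefix: %-8s contains '../': %s\n", $prefix, str_contains($prefix, '../') ? 'yes' : 'no');
```

Both prefixes resolve to the same location from the sample page (`/qa/questions/123/../../` is `/qa/`), but only the root-relative form is free of the `..` segment that a traversal signature keys on. On the WAF side, a narrower alternative to disabling rule 930110 for the whole virtual host is to remove just the `ARGS:qa_root` target from that rule with ModSecurity's `SecRuleUpdateTargetById 930110 "!ARGS:qa_root"` (placed after the CRS rules are loaded), which keeps the check active for every other parameter.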