I'm sure they will fix it.
It's just that it would have been so much better if cPanel had said something like:
Something like the above would have saved system admins hours of work (because most would not have installed it) fixing the rule set and explaining/apologising to countless clients why their CMS/WHMCS aren't working.
I absolutely agree with this. I love cPanel software, and I think cPanel support is great. I knew [in the back of my mind, really I did] that there was no way the 11.48 deployment of all the new ModSec stuff was going to go off well. You guys know a lot, but I really didn't have much faith that cPanel internally was going to vet all of these rules and make the necessary exceptions by default for common applications. I don't know of any ruleset other than Atomicorp rules [when configured per their recommendations on a cPanel server] that generate very few false positives, actually work, and give you confidence that it is working because you can test them and see the 403 errors.
I hate to criticize, but absent a paragraph such as the one Kernow suggested above, QA dropped the ball. The rules either work and block way too much legitimate hosting content, or they don't work, or they might work but give you no confidence that they are when you see notations in the error_log that rule processing failed, or UPCP updates break the functionality.
I have no doubt cPanel will get it right, but the general public should have been informed from the onset that there were likely to be issues and that if they used ModSecurity with cPanel's own configuration [and especially with the OWASP vendor], they should expect to have issues initially that may require support. This is specifically why I thought to ask before I updated my servers.
Incidentally, I didn't update any of my servers to 11.48 for this reason. I don't even have faith that the 11.48 will leave my current Atomicorp configuration 100% untouched. And a proper working modsecurity setup / ruleset is extremely important to me. I don't want to update to 11.48 and have to spend even 5 minutes on a server getting things to work should something go wrong as part of the update process. I might be willing to, but only if I'm told ahead of time that it might be a problem.
PS: There also does need to be a one-click option that is guaranteed 100% to restore the modsecurity configuration back to cPanel's default [that it would come with if you just installed 11.48 from scratch, sans any OWASP]. Having that available will at least allow somebody to get Apache back up and running if it fails on a restart because of bad rules or misconfiguration, or disable rules instantly if an admin suddenly gets an onslaught of complaints that it's blocking a ton of legitimate activity. Of course, anybody running another configuration [like Atomicorp rules] should have their configurations backed up anyway.