I installed SuiteCRM under HTTPS, using Softaculous in my WHM. So far, I am able to access the login page. However, every time I try to log in, mod_security blocks access. Please see the warning message from mod_security below. Any advice on solving this issue is welcome.
211540: COMODO WAF: Blind SQL Injection Attack
Request: POST /index.php
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match “(?i:\b(?:t(?:able_name\b|extpos[^a-zA-Z0-9_]{1,}\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o …” at ARGS_NAMES:user_password.
I made a test install through Softaculous without changing the user and password (user: admin, password: pass). No special characters in the password. Even so, mod_security blocks my login and warns about a Blind SQL Injection Attack. It seems SuiteCRM passwords are passed and stored in the SQL database in the clear, without any sort of hashing to protect them from prying eyes. Please, is there anybody at SuiteCRM who could check this important security issue?
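The log line above says the match is at ARGS_NAMES:user_password, i.e. rule 211540 is firing on the parameter name sent by the login form, not on the password value itself. The usual fix on a cPanel/WHM host is a narrow exclusion that removes only that one target from that one rule for the login endpoint, rather than disabling the rule. The following is an added ModSecurity 2.x configuration example, not from the original post or from SuiteCRM; the rule id 1000001, the /index.php prefix match and the user-config file path are assumptions to adapt to your host.

```apache
# Added example: scoped ModSecurity 2.x exclusion for the false positive above.
# Place in the custom-rules file WHM exposes (assumed: /etc/apache2/conf.d/modsec2.user.conf).
#
# The ctl:ruleRemoveTargetById action runs in phase 1, before the vendor rule
# (phase 2) is evaluated, so it works regardless of where the Comodo rule set
# is loaded relative to this file. Only the ARGS_NAMES:user_password target is
# dropped from rule 211540; the rule still inspects every other argument and
# argument name, and every other request.
SecRule REQUEST_URI "@beginsWith /index.php" \
    "id:1000001,phase:1,pass,nolog,\
     ctl:ruleRemoveTargetById=211540;ARGS_NAMES:user_password"

# Alternative, only valid if this directive is read AFTER the Comodo rule set
# has been included (otherwise Apache fails to start with "unknown rule id"):
#
# SecRuleUpdateTargetById 211540 "!ARGS_NAMES:user_password"

# Avoid the blunt form below: it switches the whole Blind SQLi check off for
# every request and every argument.
#
# SecRuleRemoveById 211540
```

After editing, run `apachectl configtest` and restart Apache, then retry the login while watching the audit log to confirm 211540 no longer appears for the login POST.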