I agree with Christian. I will not use it in my actual environment, but it is an interesting feature. Of course, restricting directives like SecRuleEngine is a must.

Regards,
Aitor.


2013/2/25 Ryan Barnett <RBarnett@trustwave.com>

On 2/25/13 3:21 PM, "Christian Folini" <christian.folini@time-machine.ch>
wrote:

>Hello,
>
>I do not think I would use this feature, but I see
>the need in real world setups.
>
>The idea to add the feature again, but restrict it
>(-> compile time flags, disallow certain directives etc.)
>seems a good move.

Agreed.  Thanks for the feedback Christian.

-Ryan

>
>Regs,
>
>Christian Folini
>
>On Fri, Feb 22, 2013 at 05:06:57PM +0000, Ryan Barnett wrote:
>> We are seeking feedback from the community on the idea of re-enabling
>>Apache .htaccess support for ModSecurity.
>>https://www.modsecurity.org/tracker/browse/MODSEC-58.  This
>>functionality existed in the v1 branch of ModSecurity -
>>http://modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N1027D.
>>It was removed due to valid security concerns, namely that attackers could
>>easily bypass the ModSecurity protections if they could just upload a
>>.htaccess file with SecFilterEngine Off in it...
>>
>> While the security concerns are valid, we also realize that there are
>>many, many Hosting Providers who are using old ModSecurity v1 strictly
>>because they need this capability to allow their customers to use
>>.htaccess files for adding exceptions.  Without this feature, end users
>>are flooding the Help Desk/Support forums with requests to add
>>exceptions for ModSecurity rules for their sites.
>>
>> So, we are considering adding support for this feature back into
>>ModSecurity v2.7.x.  It will NOT be enabled by default and would require
>>the user to use a new --enable-htaccess-config configure flag and
>>re-compiling.  Users would have to understand the tradeoffs with regards
>>to security and allowing distributed configurations in a multi-user
>>environment.
>>
>> Feedback:
>>
>>   1.  Is this a feature that you need?  Please let us know if adding
>>this capability is useful to you.  You can log into Jira and click on
>>the "VOTE" button for the open ticket above.
>>   2.  We are considering NOT allowing control of the SecRuleEngine or
>>SecAuditEngine directives as those would be controlled by the main
>>administrator.  Are there any other features that you feel should be
>>restricted for use with .htaccess file support?
>>
>> Based on community feedback, we will make a determination for adding
>>this back in.
>>
>> Thanks.
>>
>> --
>> Ryan Barnett
>> Trustwave SpiderLabs
>> ModSecurity Project Leader
>> OWASP ModSecurity CRS Project Leader
>>
>> ________________________________
>>
>> This transmission may contain information that is privileged,
>>confidential, and/or exempt from disclosure under applicable law. If you
>>are not the intended recipient, you are hereby notified that any
>>disclosure, copying, distribution, or use of the information contained
>>herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>received this transmission in error, please immediately contact the
>>sender and destroy the material in its entirety, whether in electronic
>>or hard copy format.
>
>>
>>-------------------------------------------------------------------------
>>-----
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today:
>> http://p.sf.net/sfu/appdyn_d2d_feb
>
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>
>



--
Aitor Pérez
Junior Web Developer at Global Incubator
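Ryan's proposal keeps SecRuleEngine and SecAuditEngine out of tenant .htaccess files and asks which other directives should be restricted. The script below is an added example, not code from this thread or from ModSecurity: an out-of-band audit a hosting provider could run over tenant docroots (on v1 hosts as well, where the bypass is SecFilterEngine Off) to flag .htaccess files that try to take control the administrator keeps. The allowlist (only the SecRuleRemoveBy* and SecRuleUpdateTargetById exception directives) and the RANGE_LIMIT threshold are an assumed policy, and the sample .htaccess is constructed. It also covers two things a plain directive ban does not: Apache directive names are case-insensitive and may be continued with a trailing backslash, and SecRuleRemoveById with a wide ID range (e.g. 1-999999) is as effective a bypass as SecRuleEngine Off, which is one answer to the "what else should be restricted" question.

```python
"""Audit tenant-writable .htaccess files for ModSecurity directives that a
multi-tenant host should reserve for the server administrator.

Added example, not ModSecurity code.  The allowlist and the range threshold
below are an assumed hosting policy, not a list taken from ModSecurity.
"""
import os
import re

# Assumed tenant policy: tenants may only narrow the rule set for their own
# site.  Names are lower-cased because Apache directive names are
# case-insensitive, so "secruleengine off" must be caught as well.
TENANT_ALLOWED = {
    "secruleremovebyid",
    "secruleremovebymsg",
    "secruleremovebytag",
    "secruleupdatetargetbyid",
}
# Engine switches stay with the administrator (SecFilterEngine is the v1 name).
TENANT_DENIED = {"secruleengine", "secauditengine", "secfilterengine"}

# SecRuleRemoveById accepts ranges such as 1-999999; removing more rule IDs
# than this in one directive is treated as disabling the engine (threshold is
# an arbitrary choice for this example).
RANGE_LIMIT = 50


def logical_lines(text):
    """Yield (first_physical_lineno, line) with Apache's trailing-backslash
    line continuation folded, so a directive split over two lines is seen whole."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # continuation on the last line of the file
        yield start, " ".join(buf)


def ids_removed(args):
    """Count rule IDs named by a SecRuleRemoveById argument list, expanding ranges."""
    total = 0
    for tok in args.replace('"', "").split():
        m = re.fullmatch(r"(\d+)-(\d+)", tok)
        if m:
            total += max(0, int(m.group(2)) - int(m.group(1)) + 1)
        elif tok.isdigit():
            total += 1
    return total


def audit_htaccess(text):
    """Return findings as (lineno, message) for every Sec* directive a tenant
    should not be allowed to set."""
    findings = []
    for n, line in logical_lines(text):
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("<"):
            continue  # blank, comment, or container tag such as <IfModule>
        parts = s.split(None, 1)
        name, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if not name.startswith("sec"):
            continue  # not a ModSecurity directive
        if name in TENANT_DENIED:
            findings.append((n, f"{parts[0]} is reserved for the server administrator"))
        elif name == "secruleremovebyid" and ids_removed(args) > RANGE_LIMIT:
            findings.append((n, f"{parts[0]} removes {ids_removed(args)} rule IDs, "
                                "which effectively disables ModSecurity"))
        elif name not in TENANT_ALLOWED:
            findings.append((n, f"{parts[0]} is not on the tenant allowlist"))
    return findings


def audit_tree(root):
    """Audit every .htaccess under root; returns {path: findings} for files with findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess(fh.read())
            if found:
                report[path] = found
    return report


# Constructed sample of a tenant .htaccess (not taken from the thread).
SAMPLE_HTACCESS = """\
# tenant exceptions
<IfModule mod_security2.c>
    SecRuleRemoveById 981173
    SecRuleRemoveByTag "WEB_ATTACK/SQL_INJECTION"
    secruleengine \\
        Off
    SecRuleRemoveById "1-999999"
    SecAuditEngine Off
</IfModule>
"""

if __name__ == "__main__":
    for lineno, msg in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {msg}")
```

Run it as a cron job over the tenant docroots (audit_tree) and treat any finding as a ticket for the host's support team rather than silently deleting the file; the two narrow exceptions in the sample pass, while the lower-cased, line-continued engine switch, the blanket ID range and the audit-engine switch are all reported.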