Re: [mod-security-users] SecAudit Log Problem with Security on windows...
From: Ivan R. <iva...@gm...> - 2006-05-07 20:50:44
On 5/7/06, Jcink Coolcat <jc...@gm...> wrote:
>
> Hi,
>
> I want to keep htaccess on but I have discovered a problem if I do so... and
> leave mod security up.
>
> SecAuditEngine On
> SecAuditLog "C:\Apache\www\lol.php"
>
> People can do this in htaccess. Goes right above the root folder. Is there
> anything I can do to shut down their ability to do this? Because I think
> this is a BIG BIG security risk. Someone could inject PHP into their
> headers, trigger a security rule, get logged and well... there you go.
>
> I am on Windows. Permissions are not an option, so I am asking if there is
> some way to shut this down without disabling mod security.

From the manual:

"Although ModSecurity can be used in .htaccess files (AllowOverride Options is required to do this), it should not be enabled for use by parties you do not trust. If you are very paranoid you can disable this feature by compiling ModSecurity with -DDISABLE_HTACCESS_CONFIG (as a parameter to the apxs utility)."

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
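An added example, not part of the original thread and not ModSecurity's own code: an audit script that walks user directories and reports every `.htaccess` file that sets ModSecurity directives, flagging a `SecAuditLog` that targets a script-handled file or a path inside the document root. The function names, the extension list and the document root `C:\Apache\www` (taken from the path in the quoted question) are assumptions.

```python
import os
import re
from pathlib import PureWindowsPath

# Assumption: extensions this server hands to an interpreter; adjust to your handlers.
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl"}
# Any ModSecurity directive (they all start with "Sec"), value quoted or bare.
DIRECTIVE = re.compile(r'^\s*(Sec\w+)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def audit_htaccess_text(text, docroot):
    """Return (line_no, directive, value, reason) for each Sec* directive found."""
    root = PureWindowsPath(docroot)  # Windows rules: case-insensitive, \ or /
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and non-ModSecurity directives are ignored
        name = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        reason = "ModSecurity directive set from .htaccess"
        if name.lower() == "secauditlog":
            target = PureWindowsPath(value)
            if target.suffix.lower() in SCRIPT_EXTS:
                reason = "audit log written to a script-handled file"
            elif root in target.parents:
                reason = "audit log written inside the document root"
        findings.append((no, name, value, reason))
    return findings

def scan_tree(scan_dir, docroot):
    """Walk scan_dir and audit every .htaccess; returns {path: findings}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(scan_dir):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess_text(fh.read(), docroot)
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    # Constructed sample reproducing the .htaccess from the message above.
    sample = 'SecAuditEngine On\nSecAuditLog "C:\\Apache\\www\\lol.php"\n'
    for finding in audit_htaccess_text(sample, r"C:\Apache\www"):
        print(finding)
```

Any finding at all means the compile-time option quoted from the manual is not in effect for that directory, since the directives are being accepted from `.htaccess`.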