Hi Ryan:


Because it is a shared hosting environment, and hackers could upload .htaccess files into compromised accounts disabling mod_security, we have .htaccess manipulation of mod_security turned off.


Is there a way within the Apache configuration file to enable the same thing?


Thank you.


Peter M. Abraham
Support and Customer Care Department
Dynamic Net, Inc.
Helping companies do business on the Net
13 Cowpath
Denver, PA 17517
Toll Free Voice: 1-888-887-6727
International: 1-717-484-1062
FAX: 1-717-484-1162
Web:  http://www.dynamicnet.net/services/hsphere.htm
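
One way to scope the exception from the main server configuration instead of .htaccess, as an added example that is not part of the original thread. The IP address and document root are placeholders, and it assumes ModSecurity 1.9 accepts SecFilterEngine inside a location container as its documentation describes:

```apache
# Added example: placeholder address and paths; hostname as used in the thread.
NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName www.yourhostname.com
    DocumentRoot /home/example/public_html

    # The virtual host inherits the server-wide ModSecurity settings,
    # so every other URL on this site is still filtered.

    # The anchored pattern matches only /admin.php at the document root.
    # It does not match /blog/admin.php or /admin.php/extra, and other
    # virtual hosts on the same server are unaffected.
    <LocationMatch "^/admin\.php$">
        SecFilterEngine Off
    </LocationMatch>
</VirtualHost>
```

Because the block lives in the server configuration, customers cannot change it from their own accounts, and the exception stays limited to one file on one hostname.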

From: Ryan Barnett [mailto:rcbarnett@gmail.com]
Sent: Monday, September 28, 2009 12:32 PM
To: mod-security-users@lists.sourceforge.net; support.team@dynamicnet.net
Subject: Re: [mod-security-users] mod_security limiting to a specific admin.php file


See the 1.9 documentation for controlling ModSecurity dynamically - http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N101B0. I am not sure if you can use the Apache SetEnvIf directive to match *both* the hostname and filename in one line so that you can set MODSEC_ENABLE to Off.


If you have mod_rewrite, you might try to use some RewriteCond rules and then set the ENV variable there. Something like this (untested) -


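# Match only this hostname (dots escaped so they match literally) and only /admin.php,
# then switch ModSecurity off for that request through the environment variable.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.yourhostname\.com$
RewriteCond %{REQUEST_FILENAME} ^/admin\.php$
RewriteRule .* - [E=MODSEC_ENABLE=Off]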

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security

On Monday 28 September 2009 07:15:03 am Peter M. Abraham wrote:
> Greetings:
> In a shared hosting environment where there could be many admin.php files,
> is there a way to limit specific settings in mod_security 1.9 (we are still
> on Apache 1) to a specific admin.php that happens to be in the HTML root
> document directory of a domain name?
> ________________________________________________
> Peter M. Abraham