Hi Ryan:

Because it is a shared hosting environment, and hackers could upload .htaccess files into compromised accounts disabling mod_security, we have .htaccess manipulation of mod_security turned off.

Is there a way within the Apache configuration file to enable the same thing?

Thank you.

________________________________________________
Peter M. Abraham
Support and Customer Care Department
Dynamic Net, Inc.
Helping companies do business on the Net
13 Cowpath
Denver, PA 17517
Toll Free Voice: 1-888-887-6727
International: 1-717-484-1062
FAX: 1-717-484-1162
Web:  http://www.dynamicnet.net/services/hsphere.htm


From: Ryan Barnett [mailto:rcbarnett@gmail.com]
Sent: Monday, September 28, 2009 12:32 PM
To: mod-security-users@lists.sourceforge.net; support.team@dynamicnet.net
Subject: Re: [mod-security-users] mod_security limiting to a specific admin.php file

See the 1.9 documentation for controlling ModSecurity dynamically - http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N101B0. I am not sure if you can use the Apache SetEnvIf directive to match *both* the hostname and filename in one line so that you can set MODSEC_ENABLE to Off.

If you have mod_rewrite, you might try to use some RewriteCond rules and then set the ENV variable there. Something like this (untested) -

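RewriteEngine On
# Match only this hostname (dots escaped so they match a literal ".")
RewriteCond %{HTTP_HOST} ^www\.yourhostname\.com$
# Match only admin.php at the top of the site
RewriteCond %{REQUEST_FILENAME} ^/admin\.php$
# Leave the URL unchanged and set MODSEC_ENABLE to Off for this request
RewriteRule .* - [E=MODSEC_ENABLE=Off]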

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com
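
Added example, not part of the original thread: a small Python check of which requests the two RewriteCond patterns in the reply above would exempt from ModSecurity, with the hostname dots written both unescaped and escaped. The sample requests are constructed, and the script assumes the rules run in server or virtual-host context, where REQUEST_FILENAME still holds the URL path.

```python
import re

# Host patterns: dots written unescaped (match any character) and escaped (literal ".").
HOST_UNESCAPED = r"^www.yourhostname.com$"
HOST_ESCAPED = r"^www\.yourhostname\.com$"
FILE_PATTERN = r"^/admin\.php$"

# Constructed sample requests (not from the thread): (Host header, request path).
# Assumption: REQUEST_FILENAME is modeled as the URL path (server/vhost context).
SAMPLES = [
    ("www.yourhostname.com", "/admin.php"),
    ("www.yourhostname.com", "/blog/admin.php"),
    ("www.yourhostname.com", "/admin.php.bak"),
    ("www.yourhostname.com:8080", "/admin.php"),  # Host header carrying a port
    ("www.otherhostname.com", "/admin.php"),
    ("wwwXyourhostname.com", "/admin.php"),
]


def modsec_enable(host_pattern, host, path):
    """Return "Off" when both conditions match, else None.

    Consecutive RewriteCond lines are ANDed, so the rule that sets
    MODSEC_ENABLE=Off fires only if the host and the file both match.
    """
    if re.search(host_pattern, host) and re.search(FILE_PATTERN, path):
        return "Off"
    return None


def exempted(host_pattern):
    """List the sample requests for which ModSecurity would be switched off."""
    return [(h, p) for h, p in SAMPLES
            if modsec_enable(host_pattern, h, p) == "Off"]


if __name__ == "__main__":
    for label, pattern in (("unescaped", HOST_UNESCAPED),
                           ("escaped", HOST_ESCAPED)):
        print(label)
        for host, path in exempted(pattern):
            print("  MODSEC_ENABLE=Off for", host, path)
```

A Host header that carries a port matches neither pattern, so such a request stays filtered rather than exempted.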

On Monday 28 September 2009 07:15:03 am Peter M. Abraham wrote:
> Greetings:
>
> In a shared hosting environment where there could be many admin.php files,
> is there a way to limit specific settings in mod_security 1.9 (we are still
> on Apache 1) to a specific admin.php that happens to be in the HTML root
> document directory of a domain name?
>
> ________________________________________________
> Peter M. Abraham