If I get you right, then you managed to read a file within
your PHP code, while your browser was denied.
This is the expected behaviour and you have to configure
your application accordingly.
ModSecurity will only protect HTTP access to your
webserver. It cannot protect you
from an application that reads files it should not read.
So this is an application problem
and not a ModSecurity one.
I'm trying to make some files denied for any
user, except if he has UID 0. I tried this rule:
SCRIPT_FILENAME|REQUEST_BODY "^/home/user/important\.php$" chain
Then I can't log to this file from the browser, and
that's fine, but I can get it from PHP code, so that means the REQUEST_BODY
Any suggestions?