Hi SoFy,
 
If I get you right, then you managed to read a file within your PHP code, while your browser was denied
direct access.
 
This is the expected behaviour and you have to configure your application accordingly.
ModSecurity will only protect HTTP access to your webserver. It cannot protect you
from an application that reads files it should not read. So this is an application problem
and not a ModSecurity one.
 
regs,
 
Christian


From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of SoFy DeNiro
Sent: Tuesday, 27 May 2008 15:15
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] REQUEST_BODY question.

Hello,

I'm trying to make some files denied for any user, except if he has 0 UID. I tried this rule:

SecRule SCRIPT_FILENAME|REQUEST_BODY "^/home/user/important\.php$" chain
SecRule SCRIPT_UID "!^0$"

Then I can't log to this file from the browser, and that's fine, but I can get it from PHP code, so that means the REQUEST_BODY didn't work.

Any suggestions?
Thanks.
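
The reply above places the fix in the application, because a file read performed inside PHP never reaches ModSecurity as an HTTP request. As an added example (not part of the original thread), one way to enforce that in PHP; `safe_read()`, the directory layout and the file names are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: application-side guard for file reads that ModSecurity
// cannot see. safe_read() and all paths below are hypothetical.

function safe_read(string $requested, string $baseDir, array $denied): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // realpath() resolves "..", symlinks and relative parts; false if missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false) {
        throw new RuntimeException('file not found');
    }
    // Confine reads to $base; the trailing separator stops "/base-other" matching.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('outside permitted directory');
    }
    // Refuse explicitly protected files, compared by resolved path.
    if (in_array($path, array_map('realpath', $denied), true)) {
        throw new RuntimeException('file is protected');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('read failed');
    }
    return $data;
}

// Constructed sample tree in the temp directory.
$root = sys_get_temp_dir() . '/modsec_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/public.txt", "hello\n");
file_put_contents("$root/pages/important.php", "<?php /* secret */\n");
file_put_contents("$root/outside.txt", "x\n");

foreach (['public.txt', 'important.php', '../outside.txt'] as $name) {
    try {
        safe_read($name, "$root/pages", ["$root/pages/important.php"]);
        echo "$name: allowed\n";
    } catch (RuntimeException $e) {
        echo "$name: refused ({$e->getMessage()})\n";
    }
}
```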