Thread: Re: [mod-security-users] mod-security-users Digest, Vol 40, Issue 12
From: Peter M. A. <sup...@dy...> - 2009-09-26 16:05:15
Greetings:

In a shared hosting environment where there could be many admin.php files, is there a way to limit specific settings in mod_security 1.9 (we are still on Apache 1) to a specific admin.php that happens to be in the HTML root document directory of a domain name?

________________________________________________
Peter M. Abraham
From: Peter M. A. <sup...@dy...> - 2009-09-28 11:15:19
Greetings:

In a shared hosting environment where there could be many admin.php files, is there a way to limit specific settings in mod_security 1.9 (we are still on Apache 1) to a specific admin.php that happens to be in the HTML root document directory of a domain name?

________________________________________________
Peter M. Abraham
From: Ryan B. <rya...@br...> - 2009-09-28 16:56:02
On Monday 28 September 2009 07:15:03 am Peter M. Abraham wrote:
> Greetings:
>
> In a shared hosting environment where there could be many admin.php files,
> is there a way to limit specific settings in mod_security 1.9 (we are still
> on Apache 1) to a specific admin.php that happens to be in the HTML root
> document directory of a domain name?
>

See the 1.9 documentation for controlling ModSecurity dynamically -
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N101B0.

I am not sure if you can use the Apache SetEnvIf directive to match both the hostname and filename in one line so that you can set MODSEC_ENABLE to Off. If you have mod_rewrite, you might try to use some RewriteCond rules and then set the ENV variable there. Something like this (untested) -

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.yourhostname\.com$
RewriteCond %{REQUEST_FILENAME} ^/admin\.php$
RewriteRule .* - [E=MODSEC_ENABLE:Off]

-Ryan
From: Peter M. A. <sup...@dy...> - 2009-09-28 17:20:12
Hi Ryan:

Because it is a shared hosting environment, and hackers could upload .htaccess files into compromised accounts disabling mod_security, we have .htaccess manipulation of mod_security turned off.

Is there a way within the Apache configuration file to enable the same thing?

Thank you.

________________________________________________
Peter M. Abraham
Support and Customer Care Department
Dynamic Net, Inc.
Helping companies do business on the Net
13 Cowpath
Denver, PA 17517
Toll Free Voice: 1-888-887-6727
International: 1-717-484-1062
FAX: 1-717-484-1162
Web: http://www.dynamicnet.net/services/hsphere.htm <http://www.dynamicnet.net/>

_____

From: Ryan Barnett [mailto:rcb...@gm...]
Sent: Monday, September 28, 2009 12:32 PM
To: mod...@li...; sup...@dy...
Subject: Re: [mod-security-users] mod_security limiting to a specific admin.php file

See the 1.9 documentation for controlling ModSecurity dynamically -
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N101B0.

I am not sure if you can use the Apache SetEnvIf directive to match *both* the hostname and filename in one line so that you can set MODSEC_ENABLE to Off. If you have mod_rewrite, you might try to use some RewriteCond rules and then set the ENV variable there. Something like this (untested) -

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.yourhostname\.com$
RewriteCond %{REQUEST_FILENAME} ^/admin\.php$
RewriteRule .* - [E=MODSEC_ENABLE:Off]

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com

On Monday 28 September 2009 07:15:03 am Peter M. Abraham wrote:
> Greetings:
>
> In a shared hosting environment where there could be many admin.php files,
> is there a way to limit specific settings in mod_security 1.9 (we are still
> on Apache 1) to a specific admin.php that happens to be in the HTML root
> document directory of a domain name?
>
> ________________________________________________
> Peter M. Abraham
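
An added example, not part of either poster's message: mod_rewrite directives are also valid in the server configuration, so the rules Ryan suggests can sit in the domain's <VirtualHost> block in httpd.conf rather than in .htaccess. The IP address, hostname and DocumentRoot below are placeholders, and the example assumes mod_rewrite is loaded and that mod_security 1.9 honours MODSEC_ENABLE as the linked documentation describes.

```apache
# Constructed example: address, hostname and paths are placeholders.
<VirtualHost 192.0.2.10>
    ServerName www.yourhostname.com
    DocumentRoot /home/example/public_html

    # Rewrite settings are not inherited from the main server,
    # so the engine is switched on inside this virtual host.
    RewriteEngine On

    # Match the Host header exactly; dots are escaped so they do not
    # act as regex wildcards, and [NC] ignores case.
    RewriteCond %{HTTP_HOST} ^www\.yourhostname\.com$ [NC]

    # In server/virtual-host context the request has not yet been mapped
    # to a file, so the URL path is tested. Anchoring at ^/admin\.php$
    # matches only the copy in the document root, not /dir/admin.php.
    RewriteCond %{REQUEST_URI} ^/admin\.php$

    # "-" leaves the URL unchanged; the rule only sets the variable.
    # The E flag takes the form E=NAME:VALUE.
    RewriteRule .* - [E=MODSEC_ENABLE:Off]
</VirtualHost>
```

Every other admin.php on the server, including copies in subdirectories of this domain, stays under the normal mod_security rules because neither condition matches them.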