Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to disable mod_security and mod_security2 in .htaccess

Tags:

ajax

php

apache

.htaccess

mod-security

I've created a Wordpress plugin which became popular but I'm getting lots of complaints that it's not working. After logging in to many user's WP websites(after asking for admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests or .htaccess which is causing 500 error on some configurations.

So first of all why is this piece of code causing some servers to return 500 error

<IfModule mod_security2.c>
  SecRuleRemoveById 300015
  SecRuleRemoveById 300016
  SecRuleRemoveById 300017
  SecRuleRemoveById 950907
  SecRuleRemoveById 950005
  SecRuleRemoveById 950006
  SecRuleRemoveById 960008
  SecRuleRemoveById 960011
  SecRuleRemoveById 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61

on other servers removing rules by id this way is causing 500 error:

<IfModule mod_security.c>
  SecRuleRemoveById 300015
  ...
  SecRuleRemoveById phpids-61
</IfModule>

so for now the only working thing which is not causing any server to crash is

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

but it's not enough for servers with mod_security2 !

How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations?

Edit: Not only in Apache. Anywhere where .htaccess is used.

like image 703
Pawel Avatar asked Sep 30 '13 11:09

Pawel

People also ask

Should I disable Mod_security?

We will not recommend to disable Mod-Security on your account. Mod_security module helps to protect your website from various attacks. If mod-security is disabled on your account, your website will be at risk from vulnerabilities.

How do you check Mod_security is enabled or not?

It's relatively easy to see if you are running mod_security on a WHM server. If ModSecurity is installed, you'll see Mod Security listed under your plugins.

What is Mod_security used for?

ModSecurity is an open-source web-based firewall application (or WAF) supported by different web servers: Apache, Nginx and IIS. The module is configured to protect web applications from various attacks. ModSecurity supports flexible rule engine to perform both simple and complex operations.

1 Answers

Ryan C. Barnett, ModSecurity Community Manager claimed:

Support for .htaccess files was discontinued in 2.x as it raised too many security issues.

source: http://article.gmane.org/gmane.comp.apache.mod-security.user/3065

The only possible configuration that enable on htaccess are the following (since 2.7.3) but you need to ./configure --enable-htaccess-config:

  • SecAction

  • SecRule

  • SecRuleRemoveByMsg

  • SecRuleRemoveByTag

  • SecRuleRemoveById

  • SecRuleUpdateActionById

  • SecRuleUpdateTargetById
  • SecRuleUpdateTargetByTag
  • SecRuleUpdateTargetByMsg

https://github.com/SpiderLabs/ModSecurity/blob/876d4f5f9558595c00f40af25ea6216386f15cd7/CHANGES#L69

like image 80
Kakawait Avatar answered Sep 28 '22 03:09

Kakawait
Sign in to Comment

Related questions

Is it possible to pull data from HTML5's local storage and save to server database?
nginx -> php5-fpm: Error in php not logged (anywhere!)
safely using the eval function in php: modifying user input to avoid security issues
If jQuery AJAX data is sent/received, is it possible to only receive SOME of the data?
Memcached - Why data is not stored?
PHP mail() function sucess, but didn't receive any email
How to generate xml in codeigniter
Joomla 3.0 MVC file upload in custom component backend
PHP - Store information with NO database
UnexpectedValueException in session_start() php failing SPLObjectStorage serialization
Angularjs $http.post, passing array to PHP
Laravel - call_user_func_array() expects parameter 1 to be a valid callback
Routes in Codeigniter - 404 Page Not Found
Why is override_function coming back as an undefined function
Remove a symlink with PHP on Windows
mysql query need to be optimized
Somehow 1 does not equal 1 (PHP)
Yii count model with relation
meaning of the letter "~" in regex [duplicate]
Browser Cache issues in Laravel 4 Application

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!