
List:       mod-security-users
Subject:    Re: [mod-security-users] mod_security limiting to a specific
From:       "Peter M. Abraham" <support.team () dynamicnet ! net>
Date:       2009-09-28 17:19:58
Message-ID: 3A9B9262BDF94EAAB4282A59E558945E () dynamicnet ! local

Hi Ryan:

 

Because it is a shared hosting environment, and hackers could upload
.htaccess files into compromised accounts disabling mod_security, we have
.htaccess manipulation of mod_security turned off.

 

Is there a way within the Apache configuration file to enable the same
thing?

 

Thank you.

 

________________________________________________
Peter M. Abraham
Support and Customer Care Department
Dynamic Net, Inc.
Helping companies do business on the Net
13 Cowpath
Denver, PA 17517
Toll Free Voice: 1-888-887-6727
International: 1-717-484-1062
FAX: 1-717-484-1162
Web:  http://www.dynamicnet.net/services/hsphere.htm
<http://www.dynamicnet.net/> 

  _____  

From: Ryan Barnett [mailto:rcbarnett@gmail.com] 
Sent: Monday, September 28, 2009 12:32 PM
To: mod-security-users@lists.sourceforge.net; support.team@dynamicnet.net
Subject: Re: [mod-security-users] mod_security limiting to a specific
admin.php file

 

See the 1.9 documentation for controlling ModSecurity dynamically -
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N101B0.
I am not sure if you can use the Apache SetEnvIf directive to match *both* the
hostname and filename in one line so that you can set MODSEC_ENABLE to Off.



 

If you have mod_rewrite, you might try to use some RewriteCond rules and
then set the ENV variable there. Something like this (untested) -



 

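RewriteEngine On
# Dots escaped so the pattern matches only this exact hostname
RewriteCond %{HTTP_HOST} ^www\.yourhostname\.com$
RewriteCond %{REQUEST_FILENAME} ^/admin\.php$
# mod_rewrite's E flag takes VAR:VAL
RewriteRule .* - [E=MODSEC_ENABLE:Off]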

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com

On Monday 28 September 2009 07:15:03 am Peter M. Abraham wrote:
> Greetings:
>
> In a shared hosting environment where there could be many admin.php files,
> is there a way to limit specific settings in mod_security 1.9 (we are still
> on Apache 1) to a specific admin.php that happens to be in the HTML root
> document directory of a domain name?
>
> ________________________________________________
> Peter M. Abraham



 

