LiteSpeed Support Forums


IrPr 02-07-2010 02:50 AM

[Resolved] Turn off ModSecurity directives in htaccess
 
Hi there,

It seems that ModSecurity could be disabled in htaccess using this directive:
Code:

SecFilterEngine Off

Well, it means an attacker can easily bypass modsec rules using an htaccess file.
Tested myself and it's possible to disable and bypass modsec rules by htaccess, and to me, it's a very big security hole.

I found here that its possible to disable htaccess support for ModSecurity during compile:

Quote:

If you do not trust your users (e.g. running in a web hosting environment) then you should never allow them access to ModSecurity. The .htaccess facility is useful for limited administration control decentralisation, keeping ModSecurity configuration with the application code. But it is not meant to be used in situations when the users may want to subvert the configuration. If you are running a hostile environment you should turn off the .htaccess facility completely by custom-compiling ModSecurity with the -DDISABLE_HTACCESS_CONFIG switch.
Now I'm asking for a feature to disable/enable ModSec rules support inside htaccess files to be implemented in the LSWS admin console.

Regards.

mistwang 02-07-2010 08:51 PM

add to our to do list.

IrPr 09-08-2010 07:20 PM

Quote:

Originally Posted by mistwang (Post 18519)
add to our to do list.

Any update ?

NiteWave 10-02-2010 10:34 AM

Now in 4.0.17, the mod_security directive in .htaccess can be disabled; configuration is at server level, in the admin console. Please download and test ... not formally released yet but may be soon.

IrPr 10-02-2010 11:58 AM

Quote:

Originally Posted by NiteWave (Post 21578)
Now in 4.0.17, the mod_security directive in .htaccess can be disabled; configuration is at server level, in the admin console. Please download and test ... not formally released yet but may be soon.

Special thanks
tested and it's working properly

Regards

IrPr 11-25-2010 12:37 PM

Hi there

I'm using apache/cPanel httpd.conf
How to disable mod_security directives support in .htaccess ?

NiteWave 11-25-2010 09:06 PM

tested on our cPanel box, the setting:

admin console->Server->Request Filter->Disable .htaccess Override:Yes

applies to virtual hosts defined in apache httpd.conf.

IrPr 11-26-2010 03:23 AM

Quote:

Originally Posted by NiteWave (Post 22281)
tested on our cPanel box, the setting:

admin console->Server->Request Filter->Disable .htaccess Override:Yes

applies to virtual hosts defined in apache httpd.conf.

Great, works like a charm!

Thanks in advance
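
Added example (not part of the thread and not LiteSpeed's code): an audit script a hosting admin could run over account document roots to find .htaccess files that carry ModSecurity directives, such as the `SecFilterEngine Off` from the first post. It goes slightly beyond the thread by also matching `SecRuleEngine`, the ModSecurity 2.x counterpart; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# SecFilterEngine is the ModSecurity 1.x directive quoted in the thread;
# SecRuleEngine is its ModSecurity 2.x counterpart (added here, not from the thread).
ENGINE_OFF = re.compile(r"^\s*Sec(?:Filter|Rule)Engine\s+Off\b", re.IGNORECASE)
ANY_SEC = re.compile(r"^\s*Sec[A-Za-z]+\s", re.IGNORECASE)

def scan_htaccess(path):
    """Return (line_no, severity, text) for each active ModSecurity directive."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if line.lstrip().startswith("#"):
                continue  # commented-out directives have no effect
            if ENGINE_OFF.match(line):
                findings.append((no, "engine-off", line.strip()))
            elif ANY_SEC.match(line):
                findings.append((no, "override", line.strip()))
    return findings

def audit_tree(root):
    """Map each .htaccess under root to its findings; clean files are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        path = os.path.join(dirpath, ".htaccess")
        if ".htaccess" in files and (hits := scan_htaccess(path)):
            report[path] = hits
    return report

def build_sample_tree():
    """Constructed sample docroots (not real data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="htaudit_")
    samples = {
        "user1": "RewriteEngine On\nSecFilterEngine Off\n",
        "user2": "# SecFilterEngine Off\nOptions -Indexes\n",
        "user3": "SecRuleEngine DetectionOnly\n",
    }
    for account, body in samples.items():
        os.makedirs(os.path.join(root, account))
        with open(os.path.join(root, account, ".htaccess"), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, hits in sorted(audit_tree(build_sample_tree()).items()):
        for no, severity, text in hits:
            print(f"{path}:{no}: [{severity}] {text}")
```

Findings remain worth reviewing after the server-level override setting is enabled, since they show which accounts tried to change the filter configuration.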


All times are GMT -7.