02-07-2010, 02:50 AM
|
|
Senior Member
|
|
Join Date: Jul 2008
Posts: 147
|
|
[Resolved] Turn off ModSecurity directives in htaccess
Hi there,
It seems that ModSecurity it could be disabled in htaccess using this directive:
Code:
SecFilterEngine Off
Well, It means an attacker can easily bypass modsec rules using htaccess file
Tested myself and it's possible to disable and bypass modsec rules by htaccess, and to me, its a very big security hole
I found here that its possible to disable htaccess support for ModSecurity during compile:
Quote:
|
If you do not trust your users (e.g. running in a web hosting environment) then you should never allow them access to ModSecurity. The .htaccess facility is useful for limited administration control decentralisation, keeping ModSecurity configuration with the application code. But it is not meant to be used in situations when the users may want to subvert the configuration. If you are running a hostile environment you should turn off the .htaccess facility completely by custom-compiling ModSecurity with the -DDISABLE_HTACCESS_CONFIG switch.
|
Now im asking for a feature to disable/enable ModSec rules support inside htaccess files to be implemented in LSWS admin console
Regards.
Last edited by NiteWave; 10-02-2010 at 10:20 PM..
|
Threaded Mode