Need help... mod_security - security issue... php....

 
Jcink



Joined: 06 Mar 2006
Posts: 23

Posted: Mon 08 May '06 0:40

Hello,

I am sorry but I am an extreme newbie at compiling and the like. I recently ran into a problem where I need to compile mod security with DDISABLE_HTACCESS_CONFIG or may find an alternate solution, but I have looked in the mod_Security documentation up and down and cannot find an answer.

I'll explain my dilemma, try to keep it short.

I host people on my PC, and in mod_security. You know the sec audit log? Well in htaccess they can do:

SecAuditEngine On
SecAuditLog "C:\Apache2\www\badfile.php"

This is not good. You can inject PHP into the cookies or the GET data and then access the file right in my root directory! Plus people can go around and place sec logs all over the place. Not good........

I do not want to disable htaccess. I like users to be able to add handlers, and deny IPs, use mod rewrite and the like. Plus I tried to encourage some people to use their own sec filters, unfortunately this will be no more but what can be done besides shutting it down from htaccess... I suppose the audit log thing itself can be "removed" from the code but I have no idea how to go about doing this myself. I have been all over the documentation with no solution.

Quote:
Note
If you do not trust your users (e.g. running in a web hosting environment) then you should never allow them access to ModSecurity. The .htaccess facility is useful for limited administration control decentralisation, keeping ModSecurity configuration with the application code. But it is not meant to be used in situations when the users may want to subvert the configuration. If you are running a hostile environment you should turn off the .htaccess facility completely by custom-compiling ModSecurity with the -DDISABLE_HTACCESS_CONFIG switch.


If anyone could please assist me with a tutorial, or even compile mod security with this I would be very grateful. Or maybe just a solution to the secaudit problem...... I don't know what I can offer in return but I could link your site on my homepage or something when I do the update...

Note: My Apache version is the 2.2.x from here.
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2685
Location: Hilversum, NL, EU

Posted: Mon 08 May '06 12:44

I understand your issue.

I made a special build for you at removed
Please test it and tell me how it goes.

Steffen
Jcink



Joined: 06 Mar 2006
Posts: 23

Posted: Tue 09 May '06 1:54

It worked. This solved my problem. I have added your link onto my main site as a thanks, I am extremely grateful for the fast response and solution to this.

Thank you so much for your help.
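
An added example, not part of the thread and not ModSecurity's own code: a Python audit a host can run over the web root to find ModSecurity directives that users have placed in .htaccess files, marking a SecAuditLog aimed at a script file or into the web root (the case from the first post) as high. The function names, the extension list and the sample tree are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Every ModSecurity directive starts with "Sec"; Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r'^\s*(Sec\w+)\s+(.*?)\s*$', re.IGNORECASE)
SCRIPT_EXT = ('.php', '.phtml', '.cgi', '.pl')  # assumption: extensions run as scripts

def _norm(path):  # compare Windows and POSIX style paths, case-insensitively
    return path.replace('\\', '/').rstrip('/').lower()

def classify(name, arg, docroot):
    """Return 'high' for an audit log aimed at a script file or into the web root."""
    if name.lower() != 'secauditlog':
        return 'review'
    target = _norm(arg.strip('"\''))
    if target.endswith(SCRIPT_EXT) or target.startswith(_norm(docroot) + '/'):
        return 'high'
    return 'review'

def scan_htaccess(docroot):
    """Return sorted (relative path, line number, directive, severity) findings."""
    findings = []
    paths = [os.path.join(d, '.htaccess') for d, _sub, f in os.walk(docroot) if '.htaccess' in f]
    for path in paths:
        rel = os.path.relpath(path, docroot).replace(os.sep, '/')
        with open(path, encoding='utf-8', errors='replace') as fh:
            for lineno, line in enumerate(fh, 1):
                m = DIRECTIVE.match(line)
                if m:  # commented-out lines start with '#' and never match
                    findings.append((rel, lineno, m[1], classify(*m.groups(), docroot)))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree: two user directories with .htaccess files."""
    root = tempfile.mkdtemp()
    samples = {
        'alice': 'Deny from 192.0.2.10\nRewriteEngine On\n',
        'bob': '# SecAuditLog off.log\nSecAuditEngine On\n'
               'SecAuditLog "C:\\Apache2\\www\\badfile.php"\n',
    }
    for user, body in samples.items():
        os.makedirs(os.path.join(root, user))
        with open(os.path.join(root, user, '.htaccess'), 'w') as fh:
            fh.write(body)
    return scan_htaccess(root)

if __name__ == '__main__':
    print(*demo(), sep='\n')
```

Call `scan_htaccess()` with the real document root to audit a live tree; 'review' entries are other ModSecurity directives a user has set and are listed so the administrator can decide whether they belong there.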