Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Need help... mod_security - security issue... php.... |
|
Author |
|
Jcink
Joined: 06 Mar 2006 Posts: 23
|
Posted: Mon 08 May '06 0:40 Post subject: Need help... mod_security - security issue... php.... |
|
|
Hello,
I am sorry but I am an extreme newbie at compiling and the like. I recently ran into a problem where I need to compile mod security with DDISABLE_HTACCESS_CONFIG or may find an alternate solution, but I have looked in the mod_Security documentation up and down and cannot find an answer.
I'll explain my dilema, try to keep it short.
I host people on my pc, and in mod_security. You know the sec aduit log? Well in htaccess they can do:
SecAuditEngine On
SecAuditLog "C:\Apache2\www\badfile.php"
This is not good. You can inject PHP into the cookies or the GET data and then access the file right in my root directory! Plus people can go around and place sec logs all over the place. Not good........
I do not want to disable htaccess. I like users to be able to add handlers, and deny IPs, use mod rewrite and the like. Plus I tried to encourage some people to use their own sec filters, unfortunately this will be no more but what can be done besides shutting it down from htaccess... I suppose the audit log thing itself can be "removed" from the code but I have no idea how to go about doing this myself. I have been all over the documentation with no solution.
Quote: | Note
If you do not trust your users (e.g. running in a web hosting environment) then you should never allow them access to ModSecurity. The .htaccess facility is useful for limited administration control decentralisation, keeping ModSecurity configuration with the application code. But it is not meant to be used in situations when the users may want to subvert the configuration. If you are running a hostile environment you should turn off the .htaccess facility completely by custom-compiling ModSecurity with the -DDISABLE_HTACCESS_CONFIG switch. |
If anyone could please assit me with a tutorial, or even compile mod security with this I would be very grateful. Or maybe just a solution to the secaduit problem...... I dont know what I can offer in return but I could link your site on my homepage or something when I do the update...
Note: My apache version is the 2.2.x from here. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3090 Location: Hilversum, NL, EU
|
Posted: Mon 08 May '06 12:44 Post subject: |
|
|
I understand your issue.
I made a special build for you at removed
Please test it and tell me how it goes.
Steffen |
|
Back to top |
|
Jcink
Joined: 06 Mar 2006 Posts: 23
|
Posted: Tue 09 May '06 1:54 Post subject: |
|
|
It worked. This solved my problem. I have added your link onto my main site as a thanks, I am extremely grateful for the fast response and solution to this.
Thank you so much for your help. |
|
Back to top |
|
|
|
|
|
|