mod-security2

How to disable a specific mod_security rule in a specific directory?


I want to disable this rule:

[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:customize_changeset_uuid: a507417f-75f3-434e-ac8c-90b21b3b164d"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

For the directory

/var/www/romanpastu/wp-admin

Where should the exception go? In my .htaccess? or the vhost file?

Because nothing seems to be working.

I'm using apache2.

I've tried adding the following in my virtualhost file. However, it's still not working:

<LocationMatch "/wp-admin/update.php">
    <IfModule security2_module>
        SecRuleRemoveById 981173
    </IfModule>
</LocationMatch>
<LocationMatch "/wp-admin/customize.php">
    <IfModule security2_module>
        SecRuleRemoveById 981173
    </IfModule>
</LocationMatch>

Solution

  • It should be added after the rule is defined in your config. So if you are defining your vhost (including removing the above rule) and then load your ModSecurity rules later on in your config, then that will not work - it needs to be the other way around.

    Also, unless ModSecurity was compiled with the --enable-htaccess-config setting (which is not by default), then you cannot alter ModSecurity rules in htaccess files.

    Additionally, putting rules within LocationMatch can cause issues. And also wp-admin is exactly the sort of page you want to use ModSecurity to protect, so carefully consider if you really want to turn off these rules. Please see also my answer to this question for some more information: Apache LocationMatch wildcard for ModSecurity on wordpress site.

    So I would suggest using the following instead to only turn this rule off for this argument that's causing you issues:

     SecRuleUpdateTargetById 981173 !ARGS:'customize_changeset_uuid'
    

    Note you may need to add similar exceptions if any other arguments cause problems.
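As an added illustration of the ordering point above (example config, not the answerer's or the question's own), here is a vhost that loads the CRS first and only then narrows rule 981173 with SecRuleUpdateTargetById. It assumes the CRS is not already included at server level, and the ServerName and the CRS path glob are assumptions; the directory and argument name come from the question.

```apache
<VirtualHost *:80>
    ServerName example.com                 # assumed value
    DocumentRoot /var/www/romanpastu

    <IfModule security2_module>
        SecRuleEngine On

        # 1. Load the rule set FIRST, so rule 981173 exists by the time
        #    the exception below is processed (assumed CRS location).
        IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

        # 2. Then narrow the rule: every other argument is still inspected;
        #    only the WordPress customizer UUID is excluded from 981173.
        SecRuleUpdateTargetById 981173 !ARGS:'customize_changeset_uuid'

        # Broken ordering, shown for contrast: the exception appears before
        # the rule is defined, so there is nothing to update yet and the
        # alert keeps firing. This is the situation the answer describes.
        # SecRuleUpdateTargetById 981173 !ARGS:'customize_changeset_uuid'
        # IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
    </IfModule>
</VirtualHost>
```

Run `apache2ctl configtest` after the change; a typo in the directive or a rule id that is not yet defined at that point surfaces there rather than at request time.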