
Re: mod_security functionality bypass through .htaccess issue.: msg#00107

apache.mod-security.user

Subject: Re: mod_security functionality bypass through .htaccess issue.

On 11/17/06, Ahmed Medhat <theprisonerofzenda@xxxxxxxxx> wrote:
> Hello,
>
> I accidentally found that it could be available to de-activate mod_security in
> a certain directory by using a .htaccess like that...
>
> ## START ##
> <IfModule mod_security.c>
> SecFilterEngine Off
> SecFilterScanPOST Off
> </IfModule>
> ## END ##
>
> I believe it's something related to the "AllowOverride" directive from
> Apache but I'm not exactly sure, the available arguments for this directive
> are "AuthConfig, FileInfo, Indexes, Limit, Options", I've tried hard to
> find a way not to disable the usage of .htaccess files and keep its
> functionality but also to prevent it from being able to modify through it
> the functionality of mod_security.
>
> I'm sure you could help in this issue as it's a big pain for any server
> running apache in a shared vhosting environment.

Removing the "Options" part from the AllowOverride configuration
should do what you need to have done.

--
Ivan Ristic
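
An audit check for the fix suggested in the reply above, added here as an example that is not part of the original thread: it walks an Apache configuration and reports every `<Directory>` block whose `AllowOverride` still grants the `Options` class. It goes slightly beyond the reply by also flagging `All` and the `Options=...` form, which grant the same class; the sample configuration and function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
<Directory "/var/www/vhosts/site-a">
    AllowOverride AuthConfig FileInfo Indexes Limit Options
</Directory>
<Directory "/var/www/vhosts/site-b">
    AllowOverride AuthConfig FileInfo Indexes Limit
</Directory>
<Directory "/var/www/vhosts/site-c">
    # AllowOverride Options
    AllowOverride All
</Directory>
"""

OPEN = re.compile(r"<Directory(?:Match)?\s+(.+)>", re.I)
CLOSE = re.compile(r"</Directory(?:Match)?>", re.I)


def options_override_allowed(tokens):
    """True if the AllowOverride arguments grant the Options class."""
    return any(t.lower() in ("all", "options") or t.lower().startswith("options=")
               for t in tokens)


def audit_allowoverride(conf_text):
    """Return (line_no, directory, arguments) for each AllowOverride to fix."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or commented-out directive
        m = OPEN.match(raw.strip())
        if m:
            stack.append(m.group(1).strip().strip('"'))
        elif CLOSE.match(raw.strip()):
            if stack:
                stack.pop()
        elif tokens[0].lower() == "allowoverride" and options_override_allowed(tokens[1:]):
            where = stack[-1] if stack else "<outside Directory>"
            findings.append((no, where, tokens[1:]))
    return findings


if __name__ == "__main__":
    for no, directory, args in audit_allowoverride(SAMPLE_CONF):
        print(f"line {no}: {directory}: AllowOverride {' '.join(args)}")
```
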
