ModSecurity + OWASP breaks phpMyAdmin - OWASP v3.4 may fix this

dkzr (Verified User, joined Oct 17, 2013, 84 messages, The Netherlands)
When you enable ModSecurity with the OWASP ruleset, phpMyAdmin (<server>/phpMyAdmin/) is broken by the OWASP rules. In version 3.4 of the OWASP rules a new file and variable are introduced: https://github.com/coreruleset/core...UEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf

I have not tested this; v3.4 is not released yet.

Setting `crs_exclusions_phpmyadmin=1` in rule id 900130 should unbreak phpMyAdmin, but how do I set this variable only for the main phpMyAdmin?
 
I've just added the following custom rule. It's a bit crude, but works for me :)

Replace <server name> with your servername.

Code:
## OWASP v3.3 phpMyAdmin fix
## Chain starter: match only the vhost that serves phpMyAdmin.
## Runs in phase 1 (request headers), so it fires before the CRS request rules.
SecRule SERVER_NAME "@streq <server name>" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    ## Chained rule: only when the request path is under /phpMyAdmin/
    ## does the whole chain match, and the rule engine is switched off
    ## for this transaction.
    SecRule REQUEST_URI "@beginsWith /phpMyAdmin/" \
        "t:none,\
        ctl:ruleEngine=Off"
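The question above was how to set `crs_exclusions_phpmyadmin` for the phpMyAdmin vhost only, instead of switching the rule engine off for it. The rule below is an added example, not dkzr's rule or part of the Core Rule Set: it uses the same SERVER_NAME/REQUEST_URI chain but sets the CRS exclusion variable, so every other CRS check still runs and still logs for those requests. It assumes the file is loaded after crs-setup.conf and before the CRS rule files (in the layout described in this thread, a *.conf.main file under /usr/local/directadmin/custombuild/custom/modsecurity/conf/), that the v3.4 file REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf is present, and that rule id 1002 is free; <server name> is a placeholder for your phpMyAdmin vhost.

```apache
## Added example: scope the CRS phpMyAdmin exclusion to one vhost and one path
## instead of disabling the rule engine. Assumptions: this file is included
## after crs-setup.conf and before the REQUEST-9xx rule files, CRS v3.4's
## REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf is installed, and id 1002
## is not used elsewhere. <server name> is a placeholder.
SecRule SERVER_NAME "@streq <server name>" \
    "id:1002,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    ## Only requests under /phpMyAdmin/ on that vhost get the exclusion flag.
    ## tx.* variables live for the whole transaction, so the phase 1 and
    ## phase 2 checks in 903.9008 both see it.
    SecRule REQUEST_URI "@beginsWith /phpMyAdmin/" \
        "t:none,\
        setvar:tx.crs_exclusions_phpmyadmin=1"
```

Because the engine stays on, any CRS rule that still fires on phpMyAdmin traffic shows up in the audit log with its rule id, so it can be tuned individually rather than hidden by a blanket ruleEngine=Off.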
 
@dkzr, where do we place this? Is there a custom.conf file?
Hi Peter,

You can create /usr/local/directadmin/custombuild/custom/modsecurity/conf/ and put custom configs there. I've created a 00-local.conf.main file and put my extra OWASP config options there.

When you rebuild the mod security config you should find that file copied to /etc/modsecurity.d/

As defined in /etc/httpd/conf/extra/httpd-modsecurity.conf, the *.conf.main files are included first and then *.conf.
 
@dkzr I have done what you suggested and created the 00-local.conf.main file in /usr/local/directadmin/custombuild/custom/modsecurity/conf/, but when I try to ./build mod_security it only gives me all the options available for custombuild. I am kind of lost here and not exactly sure how to do it. Can you clarify it for me, maybe even in Dutch??
 