Modsecurity Issues

2 posts by 2 authors in: Forums > CMS Builder
Last Post: June 10, 2013   (RSS)

By Dave - June 10, 2013

Hi Perch, 

I'd reply with this:

The administrative menu of our CMS lets us enter both raw PHP and MySQL code.  This is probably what's generating the false positives.

There's an .htaccess in the cms folder that already tries to disable mod_security but it looks like .htaccess files are being ignored on our server.  Here's the content of the .htaccess:

# disable mod_security (some of the admin menus allow you to define SQL which mod_security detects and then denied access to)
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Can you give me instructions on disabling mod_security on a per-directory or per-host basis, or enable .htaccess files?  Or I can provide you with a list of hostnames and directories, but I'd rather not have to email support each time we setup a new host.  

Let me know what's easiest, thanks.

And include the url of one your /cmsAdmin/ folders so they can take a look.

Hope that helps! Let me know what they say, thanks!

Dave Edis - Senior Developer
interactivetools.com