关闭共享托管环境中页面的mod_security

Question

My page showing error forbidden access error, when I post some html and javascript mixed data by other page post method .

but when I open that page directly its appears correctly without any error.

I know this is server security related issue when I am posting data.

As I searched I found the solution of Turn off mod_security in . htaccess file .

But I want to do this just for this page not for my complete website.

My hosing environment is shared.but I can edit my . htaccess file.

Answer 1

Take a look at some mod_security and .htaccess tricks . There's a lot of different ways you can enable or disable mod_sceurity. The easiest may be to set the MODSEC_ENABLE environment variable to On or Off . You can use SetEnvIf to match against a number of things including the Request_URI :

SetEnvIf Request_URI your_page\.php$ MODSEC_ENABLE=Off

Or a number of pages:

SetEnvIf Request_URI ^/directory/file.*\.php$ MODSEC_ENABLE=Off

Or if you need to do something more complicated, like matching against a query string, using mod_rewrite :

RewriteEngine On
RewriteCond %{QUERY_STRING} example_param=example_value [NC]
RewriteRule ^path/your_file\.php$ - [E=MODSEC_ENABLE:Off]

Answer 2

Do you have the OWASP Core Rule set enabled? Check your Apache error log to see which rule is matching. You may find that it's blocking some of your legitimate users on other pages as well. Talk to your hosting provider about what rule set they are using and what they are doing about false positives.

---

To solve your immediate problem, you can prevent a URI from being blocked by adding a new SecRule (and you can do this in your .htaccess file.

SecRule REQUEST_URI "/your/uri" "phase:1,pass"

To limit this to POST requests, you could use REQUEST_LINE :

SecRule REQUEST_LINE "POST /your/uri" "phase:1,pass"

Depending on what rule is matching and blocking the request currently, you may have to change those to phase:2 or even add a second, identical rule with phase:2 .