Tuesday, September 15, 2009

ModSecurity and PHPMyAdmin

SkyHi @ Tuesday, September 15, 2009
Too many ModSecurity rules trip up PHPMyAdmin so I decided to find another way to protect it. I personally use the .htaccess password protection and then disable ModSecurity totally for this directory. It is also advisable to use a totally unique directory name so that it can’t be guessed.

Again, this goes in modsecurity_crs_15_customrules.conf:

<LocationMatch "^/mydbadmin234/">
SecRuleEngine Off
</LocationMatch>

I have just seen a post on the ModSecurity mailing list where Yersinia Spiros has made a comment regarding this rule. He disagrees with switching off ModSecurity. I will try to clarify that I only recommend this for use in a single-user environment. I use it on my personal install that accesses a development database. The directory name is cryptic. The directory is not linked to from any site at all. There is a .htaccess password required to enter this directory, and after that you still need to log in to the server. This I feel is strong enough for a single-user install of phpMyAdmin.

However, if you are looking for a ruleset for ModSecurity on a shared environment such as a Plesk install, then Yersinia is absolutely correct and you shouldn't use this method.

Here is a limited ruleset that will allow you to use the manual SQL tab. I will run some other tests later to find out if anything else in phpMyAdmin is broken by ModSecurity.

<LocationMatch "/phpMyAdmin/sql.php">
SecRuleRemoveById 959004
SecRuleRemoveById 959005
SecRuleRemoveById 959906
</LocationMatch>

The downside to this rule is that it switches off SQL injection attack protection for that one path, but I suppose as this particular part of phpMyAdmin is there just to execute SQL commands….
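As an added example (not from the original post and not part of ModSecurity), here is a small Python check that reads a custom-rules fragment and reports the scope of every SecRuleEngine / SecRuleRemoveById directive. It catches the two mistakes that turn a per-directory exemption into a server-wide one: a missing closing tag and a directive pasted at global scope. The function name and the sample configs are hypothetical/constructed.

```python
"""Scope check for a ModSecurity custom-rules fragment (hypothetical helper,
not part of ModSecurity or of the post above). It reports each SecRuleEngine /
SecRuleRemoveById directive with the container it sits in, so that an
exemption meant for one phpMyAdmin path does not end up global, and flags an
unclosed <LocationMatch>/<Directory>, which httpd refuses to load."""
import re

OPEN_TAG = re.compile(r'^<(\w+)\s+(.*?)\s*>$')
CLOSE_TAG = re.compile(r'^</(\w+)>$')

def audit_modsec_scope(config_text):
    """Return (findings, problems): findings are (directive, argument, scope)
    tuples, scope being e.g. 'LocationMatch "^/mydbadmin234/"' or 'GLOBAL'."""
    stack, findings, problems = [], [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # Normalise the curly quotes that copy/paste from a web page produces
        line = raw.strip().replace('\u201c', '"').replace('\u201d', '"')
        if not line or line.startswith('#'):
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append((m.group(1), m.group(2)))
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if stack and stack[-1][0] == m.group(1):
                stack.pop()
            else:
                problems.append(f'line {lineno}: unexpected </{m.group(1)}>')
            continue
        directive, _, arg = line.replace('\t', ' ').partition(' ')
        if directive in ('SecRuleEngine', 'SecRuleRemoveById'):
            scope = ' '.join(stack[-1]) if stack else 'GLOBAL'
            findings.append((directive, arg.strip(), scope))
            if not stack:
                problems.append(f'line {lineno}: {directive} {arg.strip()} is global')
    for name, arg in stack:
        problems.append(f'unclosed <{name} {arg}>: httpd will reject this config')
    return findings, problems

# Constructed samples: the post's rule as intended, the same rule with the
# closing tag missing, and SecRuleEngine Off dropped outside any container.
SCOPED = '<LocationMatch \u201c^/mydbadmin234/\u201d>\nSecRuleEngine Off\n</LocationMatch>\n'
UNCLOSED = '<LocationMatch "^/mydbadmin234/">\nSecRuleEngine Off\n'
GLOBAL_OFF = 'SecRuleEngine Off\n'

if __name__ == '__main__':
    for cfg in (SCOPED, UNCLOSED, GLOBAL_OFF):
        print(audit_modsec_scope(cfg))
```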
SecRuleEngine Off must work. Have you tried to put SecRuleEngine inside Directory:

<Directory /var/www/site/PHPMyAdmin>
SecRuleEngine Off
</Directory>

instead of LocationMatch?

Reference: http://www.gray.me.uk/linux-administration-and-management/modsecurity-and-phpmyadmin