ModSecurity and PHPMyAdmin

Too many ModSecurity rules trip up PHPMyAdmin so I decided to find another way to protect it. I personally use the .htaccess password protection and then disable ModSecurity totally for this directory. It is also advisable to use a totally unique directory name so that it can’t be guessed.

Again this goes in modsecurity_crs_15_customrules.conf

<LocationMatch “^/mydbadmin234/”>
SecRuleEngine Off
</LocationMatch>

I have just seen a post on the ModSecurity Mailing List where Yersinia Spiros has made a comment regarding this rule. He disagrees with switching off ModSecurity. I will try to clarify that I only recommend this for use in a single user environment. I use it on my personal install that accesses a developement database. The directory name is cryptic. The directory is not linked to from any site at all. There is a .htaccess password required to enter this directory and after that you still need to login to the server. This I feel is strong enough for a single user install of phpMyAdmin.

However if you are looking for a ruleset for ModSecurity on a shared environment such as a plesk install, Then Yersinia is absolutely correct and you shouldn’t use this method.

Here is a limited ruleset that will allow you to use the manual SQL tab. I will run some other tests later to find if anything else in phpMyAdmin is broken by ModSecurity.

<LocationMatch “/phpMyAdmin/sql.php”>
SecRuleRemoveById 959004
SecRuleRemoveById 959005
SecRuleRemoveById 959906
</LocationMatch>

The downside to this rule is it switches off SQL Injection Attack protection, but I suppose as this particular part of phpMyAdmin is there just to execute SQL commands….

Be the first to comment

Leave a Reply

Your email address will not be published.


*