Too many ModSecurity rules trip up phpMyAdmin, so I decided to find another way to protect it. I personally use .htaccess password protection and then disable ModSecurity entirely for this directory. It is also advisable to use a completely unique directory name so that it can’t be guessed.
Again this goes in modsecurity_crs_15_customrules.conf
I have just seen a post on the ModSecurity mailing list where Yersinia Spiros has made a comment regarding this rule. He disagrees with switching off ModSecurity. I will try to clarify that I only recommend this for use in a single-user environment. I use it on my personal install, which accesses a development database. The directory name is cryptic. The directory is not linked to from any site at all. A .htaccess password is required to enter this directory, and after that you still need to log in to the server. This I feel is strong enough for a single-user install of phpMyAdmin.
However, if you are looking for a ruleset for ModSecurity on a shared environment such as a Plesk install, then Yersinia is absolutely correct and you shouldn’t use this method.
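For the single-user setup described above, this is what the two layers look like in Apache configuration. It is an added example, not the post's own rule: the directory name `pma-7f3a9c2e`, the document root `/var/www/html` and the password file path `/etc/httpd/pma.htpasswd` are placeholders, and it assumes Apache httpd 2.x with mod_auth_basic and ModSecurity 2.x.

```apache
# Added example (not the post's own rule). Placeholder paths: replace
# /var/www/html/pma-7f3a9c2e with your own cryptic phpMyAdmin directory and
# /etc/httpd/pma.htpasswd with a password file kept OUTSIDE the document root.
#
# Create the password file once with:
#   htpasswd -c /etc/httpd/pma.htpasswd youruser

<Directory "/var/www/html/pma-7f3a9c2e">
    # Layer 1: HTTP Basic authentication. These four directives are the same
    # ones you would put in the directory's .htaccess (with AllowOverride AuthConfig).
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/httpd/pma.htpasswd
    Require valid-user

    # Layer 2: turn ModSecurity off for this directory only. SecRuleEngine is
    # valid in a <Directory> context, so nothing outside this path is affected.
    # This goes in modsecurity_crs_15_customrules.conf (server-level config);
    # SecRuleEngine cannot be set from .htaccess.
    SecRuleEngine Off
</Directory>
```

Because `SecRuleEngine Off` also disables audit logging for that path, you lose visibility into what is sent to phpMyAdmin there; the Basic auth failures in Apache's error log become the only record of anyone probing the directory, which is one reason this is only appropriate where you are the sole user.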
Here is a limited ruleset that will allow you to use the manual SQL tab. I will run some other tests later to find out whether anything else in phpMyAdmin is broken by ModSecurity.
The downside to this rule is that it switches off SQL injection attack protection, but I suppose that as this particular part of phpMyAdmin exists just to execute SQL commands…
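A narrower way to get the same result, as an added example that is not the post's ruleset: instead of dropping SQL injection protection for the whole directory, remove the SQL injection rules only from the one parameter that legitimately carries SQL. It assumes ModSecurity 2.7 or later with the Core Rule Set 2.x (the `ctl:ruleRemoveTargetByTag` action and the `WEB_ATTACK/SQL_INJECTION` tag), the placeholder directory `pma-7f3a9c2e`, and that the SQL tab submits its query in a parameter named `sql_query` to `sql.php` or `import.php`; check both names against the phpMyAdmin version you run. The rule id is an arbitrary local value.

```apache
# Added example (not the post's ruleset). Goes in modsecurity_crs_15_customrules.conf.
# A phase-1 rule with ctl: actions works from this file even though it loads before
# the CRS attack rules, because ctl: is applied per request at runtime, whereas
# SecRuleRemoveById/ByTag must appear after the rules they remove.
#
# Assumptions to verify for your install:
#   - /pma-7f3a9c2e/ is your phpMyAdmin directory (placeholder)
#   - the SQL tab posts to sql.php or import.php with the query in ARGS:sql_query
#   - your CRS tags its SQLi rules 'WEB_ATTACK/SQL_INJECTION' (CRS 2.x does)
#   - id 999001 does not collide with anything else in your rules
SecRule REQUEST_FILENAME "^/pma-7f3a9c2e/(sql|import)\.php$" \
    "phase:1,t:none,nolog,pass,id:999001,\
    ctl:ruleRemoveTargetByTag=WEB_ATTACK/SQL_INJECTION;ARGS:sql_query"
```

Everything else still gets the full ruleset: the other parameters on those two scripts, every other phpMyAdmin script, and the rest of the server. If you want the post's broader behaviour (no SQL injection rules at all on the SQL tab), replace the last action with `ctl:ruleRemoveByTag=WEB_ATTACK/SQL_INJECTION`, which keeps the rest of the CRS active for the request but inspects no variable for SQL injection. Either way the exclusion is keyed on the request path, so it only applies once a request has already passed the directory's Basic auth.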