Removing modsecurity rule via .htaccess

Question

I get a 500 Internal Server Error when trying to save a file with some text that may resemble an sql query. So ModSecurity is blocking it:

[client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\\\(.*from)" at ARGS:description. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "359"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "xxxxxxxxxxxxx.net"] [uri "/app/3/admin/modules/product/product_a.php"] [unique_id "TzvCxkPj2kkAAH4WkMwAAAAE"]

So I create an .htaccess file on the folder /app/3/admin/modules/product/

<IfModule mod_security.c>
SecFilterRemove 300015
SecFilterRemove 300016
</IfModule>

But this is not solving the issue either. I am still getting a 500 code with log entries in apache's log file.

Any idea why this may not be working?

Answer 1

Is it really the saving of the file that is the problem? I find it hard to imagine, seeing as that isn't Apache's jurisdiction at atll. Isn't it rather the query being in a query string that is causing trouble?

You might be able to circumvent that e.g. by base64 encoding the query (if the 33% size increase doesn't test the URL's size limits), or storing the query in a session variable and passing only a unique random key pointing to the variable.

Edit: if you're really transmitting live SQL queries that you later execute - don't do it. It's exactly the reason why this mod_security filter exists.

either way, phpMyAdmin, a database management tool, has the same problem: It transmits live queries for running. There is a number of posts dealing with phpMyAdmin and mod_security. This one suggests a number of other filter IDs to disable. (Ideally, you would do this only for the one file that needs to receive the POST data.)