Introducing mod_security
Subject:   problem turning off rule selectively
Date:   2007-10-07 12:56:51
From:   SalemDesign
I am implementing a PHP web application on a shared hosting environment. The hosting service has implemented mod_security.

Unfortunately, some of the PHP in the app (a fairly popular shopping cart) is triggering mod_security when I try and save any settings in the cart admin interface.

With mod_security running, any time I try and save a change in the shopping cart admin interface, I get a 406 Not Acceptable error message.

And when I asked the hosting service to look in the logs, they found the following:

mod_security-action: 406
mod_security-message: Access denied with code 406. Pattern match "/bin/" at POST_PAYLOAD

And turning off mod_security using "SecFilterEngine off" allows us to save settings without any problem.

We didn't want to turn off mod_security entirely so we tried:

SecFilterEngine on
SecFilterSelective "POST_PAYLOAD" "/bin/" "allow,nolog"

But we still got the 406 Not Acceptable message.

The hosting service suggested:

SecFilterEngine on
SecFilterSelective ARGS "/bin/" "allow,nolog"
SecFilterSelective ARGS "/usr/bin/" "allow,nolog"

But that didn't work either. Obviously you cannot debug individual implementations, but if you can see anything in our syntax that is incorrect, it would be appreciated. Or if there is some reason why this would not work in .htaccess?