[Owasp-modsecurity-core-rule-set] phpmyadmin usage via localhost interface through mod_security

Jason Brooks jason at mi-squared.com
Sat Oct 30 11:40:51 EDT 2010

Now I feel silly: because this only addresses part of the problem.   
The application I am running under apache ALSO has phpmyadmin embedded  
in it.  I need to also modify the CRS to allow direct phpmyadmin  
access via the standard use of a web browser (not port forwarding)

So to clarify, it looks like I need two answers:

1) how to enable/disable some or all of CRS based on the incoming  
interface, or ip address
2) how to enable/disable some or all of CRS based on the request url,  
or the request path.

I have only searched the archives for #1.  I will be searching for  
#2.  If there is already an answer to #2, I apologize in advance.


On Oct 30, 2010, at 8:34 AM, Jason Brooks wrote:

> Hello,
> I need to solve this problem, but don't quite grok the mod_security
> rules yet.  I am running CRS 2.0.5.
> I have enabled phpmyadmin only via the localhost interface
> That way the tool may only be used after port-forwarding through ssh.
> My trouble is that I get the messsge "You don't have permission to
> access /ppc/openemr/phpmyadmin/tbl_change.php on this server.".
> I am fairly certain this message is correct: the selection I make in
> phpmyadmin is indeed embedding sql into the request.  However, the
> solutions I find through google pretty much entirely disable sql
> injection checking.  I don't want this.
> I would like to simply disable sql injection checking for web server
> access via the localhost port.  Can anyone point me in the correct
> direction?
> I really appreciate your help in advance.
> --jason
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

More information about the Owasp-modsecurity-core-rule-set mailing list