Feb 102010

If you are receiving a modsec error in the apache error log;

[Wed Feb 10 02:02:32 2010] [error] [client] ModSecurity:
Access denied with code 500 (phase 2).
Pattern match "\\.php\\?.*loc=(http|https|ftp)\\:\\/" at REQUEST_URI.
[file "/usr/local/apache/conf/modsec2.user.conf"] [line "302"]
[hostname "domain.com"] [uri "/folder/file.php"]
[unique_id "S3JaCEPjyqQAAAOO2foAAAAY"]

and it does not give an ID number allowing you to whitelist the rule by ID as usual;

SecRuleRemoveById 300162 300163 300170

You can use the SecRuleRemoveByMsg instead to allow the addition of the rule to the whitelist

SecRuleRemoveByMsg "\.php\?.*loc=(http|https|ftp)\:\/"

 Posted by at 3:34 am