1
votes

I have this .htaccess

    Options -Indexes

    RewriteEngine On
    RewriteBase /

    # Force to exclude the trailing slash
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.*)/$
    RewriteRule ^(.+)/$ $1 [R=307,L]

    # Restrict direct access to php files
    # this part generates the problem
    RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ]
    RewriteRule \.php$ - [F]

    # Allow any files or directories that exist to be displayed directly
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?$1 [QSA,L]

But Apache writes me this:

    ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]

How must I edit my htaccess? Thanks guys.

1
Mod security and htaccess are two different techniques. Your rule matched the OWASP ruleset in mod_sec, not in htaccess. – Muhammed

Thanks, but I can't edit the Apache configuration of the hosting. I have changed the version of PHP from 5.5 to 5.3. – sismi

1 Answer

0
votes

As the first comment has said, you have a ModSecurity rule blocking your request. If your hosting provider has enabled '--enable-htaccess-config' when building ModSecurity, then you have access to disable that particular rule from an htaccess file. You can use something similar to the following:

    # CRS 2.2.9 runs on ModSecurity 2.x, whose module file is mod_security2.c
    <IfModule mod_security2.c>
        SecRuleRemoveById 960032
    </IfModule>

However, if your provider has not enabled this and you don't have access to any Apache configuration files (httpd.conf, etc.), then you will have to contact your hosting provider to fix the issue. Sorry.
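
An added example, not part of the original question or answer: a small Python parser for the ModSecurity warning format quoted in the question. It pulls out the rule id, action, matched data and tags, so you know exactly which id to pass to `SecRuleRemoveById` or to report to the hosting provider. The function names are made up for this example, and the sample line is the one from the question.

```python
import re
from collections import defaultdict

# The warning quoted in the question (copied from the page, not a new capture).
SAMPLE = (
    'ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against '
    '"REQUEST_METHOD" required. '
    '[file "/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "31"] '
    '[id "960032"] [rev "2"] [msg "Method is not allowed by policy"] '
    '[data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] '
    '[maturity "9"] [accuracy "9"] '
    '[tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] '
    '[tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]'
)

# Metadata is a run of [key "value"] groups; values may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied[^.]*)\.')

def parse_modsec_line(line):
    """Return action, free-text reason and metadata of one ModSecurity line."""
    first = FIELD_RE.search(line)
    head = line[:first.start()] if first else line
    action = ACTION_RE.search(head)
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(line):
        fields[key].append(value)      # "tag" repeats, so keep lists
    return {
        "action": action.group(1) if action else None,
        "reason": head[action.end():].strip() if action else head.strip(),
        "fields": dict(fields),
    }

def summarize(line):
    """One-line triage summary: which rule fired, on what, and how severe."""
    rec = parse_modsec_line(line)
    f = rec["fields"]
    one = lambda k: f.get(k, ["?"])[0]
    return "rule %s (%s) %s on data=%r: %s" % (
        one("id"), one("severity"), rec["action"], one("data"), one("msg"))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
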