Disable ModSecurity for a specific URL
On a website protected with ModSecurity, when an admin edits HTML pages in the admin area, ModSecurity falsely detects the submission as an XSS attack.
One option is to disable the specific rules that cause this false positive. But in this case, the false positive occurs because HTML is submitted, and this application normally does not need HTML submitted on any other part of the site. So it is better to just disable ModSecurity for the specific URLs that cause this error.
To do this, add the following code to the Apache VirtualHost entry for this website.
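    # The pattern is anchored (^ ... $) and the dot is escaped, so the rule
    # engine is switched off only for this exact path.
    <If "%{REQUEST_URI} =~ m#^/admin_area/manage_pages\.php$#">
        SecRuleEngine Off
    </If>
    <If "%{REQUEST_URI} =~ m#^/admin_area/edit_announcement\.php$#">
        SecRuleEngine Off
    </If>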
This will disable ModSecurity for the URLs /admin_area/manage_pages.php and /admin_area/edit_announcement.php.
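A scope check for exclusions of this kind, as an added example that is not part of the original post: it reads `<If>` blocks that set `SecRuleEngine Off` and lists which request paths each pattern leaves without ModSecurity coverage. The vhost fragment and the request paths are constructed, and Python's `re` module stands in for Apache's regex matching.

```python
import re

# Constructed vhost fragment: first pattern unanchored, second anchored.
SAMPLE_VHOST = r'''
<If "%{REQUEST_URI} =~ m#/admin_area/manage_pages.php#">
    SecRuleEngine Off
</If>
<If "%{REQUEST_URI} =~ m#^/admin_area/edit_announcement\.php$#">
    SecRuleEngine Off
</If>
'''

# Constructed request paths to evaluate the exclusions against.
SAMPLE_PATHS = [
    "/admin_area/manage_pages.php",
    "/admin_area/edit_announcement.php",
    "/index.php",
    "/blog/view.php/admin_area/manage_pages.php",
    "/admin_area/edit_announcement.php.bak",
]

IF_BLOCK = re.compile(
    r'<If\s+"%\{REQUEST_URI\}\s*=~\s*m#(?P<pat>.+?)#">(?P<body>.*?)</If>',
    re.S | re.I)
ENGINE_OFF = re.compile(r'^\s*SecRuleEngine\s+Off\s*$', re.M | re.I)

def engine_off_patterns(conf):
    """Return the REQUEST_URI patterns whose <If> block sets SecRuleEngine Off."""
    return [m.group("pat") for m in IF_BLOCK.finditer(conf)
            if ENGINE_OFF.search(m.group("body"))]

def audit(conf, paths):
    """For each exclusion, report anchoring and which paths lose WAF coverage."""
    report = []
    for pat in engine_off_patterns(conf):
        rx = re.compile(pat)
        report.append({
            "pattern": pat,
            "anchored": pat.startswith("^") and pat.endswith("$"),
            "unprotected": [p for p in paths if rx.search(p)],
        })
    return report

if __name__ == "__main__":
    for entry in audit(SAMPLE_VHOST, SAMPLE_PATHS):
        print("ok" if entry["anchored"] else "UNANCHORED", entry["pattern"])
        for p in entry["unprotected"]:
            print("    engine off for", p)
```

Running it against the real vhost file and a list of paths taken from the access log shows whether an exclusion reaches further than the two admin pages it was written for.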