Disabling Apache’s Mod Security Rules

I tried upgrading phpMyAdmin to a new directory on a server, not using the built-in cPanel environment. It installed fine, but I couldn’t run certain SQL queries like “DROP TABLE tablename;”. It would generate an Internal Server Error 500.

After some testing I realized that if I simply tried to access any URL with the string “x=DROP TABLE abcxyz”, the page would simply be an Internal Server Error 500. To see if your server has mod_security enabled, create a test PHP page with hello world in it, call it test.php, and try to access yourdomain.com/test.php?x=DROP TABLE xyz (even if your script doesn’t do anything with the x variable).

To get around this for certain web applications (which are closed to the public anyway by password-protected directories), find the file /usr/local/apache/conf/modsec2/whitelist.conf and add this to it:

# Turn the ModSecurity rule engine off for requests matching this pattern
<LocationMatch /phpMyAdmin/*>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

You may replace the /phpMyAdmin/* part with any regular expression for a part of your site for which you would like mod_security turned off. If you cannot find whitelist.conf, you can try adding the same code to your httpd.conf (run updatedb and then locate httpd.conf to find the file).

After you save the change, it might not take effect for a few minutes, or you might have to restart the web server!
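
SecRuleEngine Off disables every rule for the matched path. As an added example (not part of the original post), this Python script reads ModSecurity denials from an Apache error log and builds a LocationMatch block that removes only the rules that actually fired under one path, using SecRuleRemoveById. The log lines, rule ids and function names are constructed for illustration, and the path prefix is assumed to be a literal string.

```python
import re

# Constructed sample in the ModSecurity 2.x error-log style; rule ids,
# client addresses and rule file names are made up for this example.
SAMPLE_LOG = r'''
[Mon Jan 06 10:15:02 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "drop\s+table" at ARGS:sql_query. [file "/usr/local/apache/conf/modsec2/example.conf"] [line "40"] [id "1000001"] [msg "Constructed SQL rule"] [hostname "yourdomain.com"] [uri "/phpMyAdmin/import.php"]
[Mon Jan 06 10:16:40 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "union\s+select" at ARGS:sql_query. [file "/usr/local/apache/conf/modsec2/example.conf"] [line "52"] [id "1000002"] [msg "Constructed SQL rule"] [hostname "yourdomain.com"] [uri "/phpMyAdmin/sql.php"]
[Mon Jan 06 10:17:11 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 500 (phase 2). Pattern match "drop\s+table" at ARGS:x. [file "/usr/local/apache/conf/modsec2/example.conf"] [line "61"] [id "1000003"] [msg "Constructed SQL rule"] [hostname "yourdomain.com"] [uri "/test.php"]
[Mon Jan 06 10:18:30 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "drop\s+table" at ARGS:sql_query. [file "/usr/local/apache/conf/modsec2/example.conf"] [line "40"] [id "1000001"] [msg "Constructed SQL rule"] [hostname "yourdomain.com"] [uri "/phpMyAdmin/sql.php"]
[Mon Jan 06 10:19:00 2014] [error] [client 192.0.2.10] File does not exist: /home/user/public_html/favicon.ico
'''

# A denial line carries the rule id first and the request URI later on.
DENIED = re.compile(
    r'ModSecurity: Access denied.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)

def blocking_rule_ids(log_text, prefix):
    """Return the sorted rule ids that denied requests under the URI prefix."""
    ids = set()
    for line in log_text.splitlines():
        match = DENIED.search(line)
        if match and match.group("uri").startswith(prefix):
            ids.add(int(match.group("id")))
    return sorted(ids)

def exemption(prefix, rule_ids):
    """Build a LocationMatch block that removes only the listed rules."""
    if not rule_ids:
        return ""  # nothing fired under this path, so no exemption is needed
    return "\n".join([
        # Anchored with ^ so the exemption applies only to paths that start
        # with the prefix, not to any URL that contains it.
        f"<LocationMatch ^{re.escape(prefix)}>",
        "<IfModule mod_security2.c>",
        "SecRuleRemoveById " + " ".join(str(i) for i in rule_ids),
        "</IfModule>",
        "</LocationMatch>",
    ])

if __name__ == "__main__":
    print(exemption("/phpMyAdmin/", blocking_rule_ids(SAMPLE_LOG, "/phpMyAdmin/")))
```

Rules that fire only outside the chosen path, such as the constructed /test.php hit, stay enabled everywhere.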