
On a new server for my website, a CentOS machine, when I try to upload an image via PHP and the file name contains a special character, like "my'file.jpg", I get a forbidden page and I can't even try to handle the error via PHP.

In the log files I find:

ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/httpd/modsec/00_asl_zz_strict.conf"] [line "53"] [id "330793"] [rev "2"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM , IQ 1, IH 0, IP 0, FL 0"] [severity "CRITICAL"]

Before contacting the server support team I would like to know if I can disable this rule for some directories via .htaccess or via the Plesk 12 panel.

I tried to add this to the .htaccess in the root folder, taken from a similar question, but I get an internal server error page:

<Directory /var/www/vhosts/mydomain.com/httpdocs/test-file-upl>
 <IfModule security2_module>
    SecRuleRemoveById 330793        
 </IfModule>
</Directory>

In the logs I found:

[core:alert] /var/www/vhosts/mydomain.com/httpdocs/.htaccess: <Directory not allowed here

The error seems to appear even if I delete the IfModule security2_module part.

al404IT
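Before removing rule 330793 for a directory it is worth knowing which of the strict multipart checks actually fired. The parser below is an added example (not from this thread or from ModSecurity itself) that pulls the rule id, rule file and message out of an error-log line like the one in the question and names the check that failed; the abbreviation-to-variable mapping follows the ModSecurity reference manual for MULTIPART_STRICT_ERROR and is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Abbreviations used in the "failed strict validation" message, mapped to the
# ModSecurity MULTIPART_* variables they summarise (assumed from the reference manual).
STRICT_FLAGS = {
    "PE": "REQBODY_PROCESSOR_ERROR",
    "BQ": "MULTIPART_BOUNDARY_QUOTED",
    "BW": "MULTIPART_BOUNDARY_WHITESPACE",
    "DB": "MULTIPART_DATA_BEFORE",
    "DA": "MULTIPART_DATA_AFTER",
    "HF": "MULTIPART_HEADER_FOLDING",
    "LF": "MULTIPART_LF_LINE",
    "SM": "MULTIPART_SEMICOLON_MISSING",
    "IQ": "MULTIPART_INVALID_QUOTING",
    "IH": "MULTIPART_INVALID_HEADER_FOLDING",
    "IP": "MULTIPART_INVALID_PART",
    "FL": "MULTIPART_FILE_LIMIT_EXCEEDED",
}

TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')     # [id "330793"], [file "..."], ...
FLAG_RE = re.compile(r'\b([A-Z]{2}) (\d*)')      # "IQ 1", "SM ," (empty value)

# The log line quoted in the question, used here as sample input.
SAMPLE_LINE = ('ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" '
               'against "MULTIPART_STRICT_ERROR" required. '
               '[file "/etc/httpd/modsec/00_asl_zz_strict.conf"] [line "53"] '
               '[id "330793"] [rev "2"] [msg "Multipart request body failed strict '
               'validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM , IQ 1, '
               'IH 0, IP 0, FL 0"] [severity "CRITICAL"]')

@dataclass
class ModsecHit:
    rule_id: str
    rule_file: str
    msg: str
    severity: str
    failed_checks: list = field(default_factory=list)

def parse_modsec_line(line: str):
    """Return a ModsecHit for a ModSecurity error-log line, or None for any other line."""
    if "ModSecurity:" not in line:
        return None
    tags = dict(TAG_RE.findall(line))
    hit = ModsecHit(tags.get("id", ""), tags.get("file", ""),
                    tags.get("msg", ""), tags.get("severity", ""))
    if "strict validation" in hit.msg:
        # Only flags with a non-zero value fired; "SM ," carries an empty value.
        for abbr, val in FLAG_RE.findall(hit.msg.split(":", 1)[1]):
            if abbr in STRICT_FLAGS and val not in ("", "0"):
                hit.failed_checks.append(STRICT_FLAGS[abbr])
    return hit
```

For the question's line the only check that fired is MULTIPART_INVALID_QUOTING, which is what the single quote in the filename triggers; that tells you the upload is malformed-looking rather than the rule being broadly wrong, so a directory-scoped exclusion is the narrowest fix.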

1 Answer

You can't use Directory directives in .htaccess files.

The scope of settings in .htaccess files is already defined by the directory the .htaccess file is found in.

In other words the settings in /var/www/vhosts/mydomain.com/httpdocs/.htaccess are valid for the directory /var/www/vhosts/mydomain.com/httpdocs/ and all subdirectories therein.

If you want to apply settings to /var/www/vhosts/mydomain.com/httpdocs/test-file-upl you'll need to put your settings in a /var/www/vhosts/mydomain.com/httpdocs/test-file-upl/.htaccess file instead, which would look like:

<IfModule security2_module>
    SecRuleRemoveById 330793        
</IfModule>

(Or even better, don't rely on .htaccess files at all and include your settings in your Apache configuration files.)

HBruijn
  • Thanks! The same code without Directory inside the test folder works. I can't edit the Apache configuration, it is a managed server. Does the rule id 330793 refer to my server configuration or is it a generic ID? – al404IT Apr 05 '17 at 11:56
  • As far as I know you can disable separate rules via the Plesk UI in Tools & Settings > Web Application Firewall – Oleg Neumyvakin Apr 05 '17 at 15:42