Many instructions online indicate you should use an .htaccess file and add SecRuleEngine Off in it. However, any mod_security directives in an .htaccess file produced an “Internal Server Error”.

The solution was to give up on the .htaccess and simply add the following to the VHOST configuration (You do have a SEPARATE VHOST for administration of your server, right?):

#Allow phpmyadmin to work with mod_security setups
<IfModule mod_security2.c>
<LocationMatch "/tbl_change.php">
SecRuleRemoveById 950006
</LocationMatch>

<LocationMatch "/sql.php">
SecRuleRemoveById 950006
</LocationMatch>
</IfModule>

This allowed me to keep mod_security configuration intact for all my vhosts (customers), keep the config inside the VHOST I needed and to disable only ONE rule rather than turn them all off.

The “950006″ part is the rule that fired in my ruleset, which I disable. You can see that from the audit log of mod_security: Just try to delete a row in a table and see the log:

--deccca6c-H--
Message: Access denied with code 501 (phase 2). Pattern match ................. ..." at ARGS:sql_query. [id "950006"] [msg "System Command Injection. Matched signature <`.`id>"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1228585827350597 5544 (2039 5155 -)
Producer: ModSecurity v2.1.2 (Apache 2.x)
Server: Apache