Holy recursion, Batman!
I claim you have something wrong with your mod_security rules. That kind of recursion seems to be unnecessary and will most likely cause some serious load for your server. Fix the rules and/or Apache config, and don't try to "fix" this problem with arbitrarily large numbers.
You could use the REQUEST_FILENAME variable instead of REQUEST_URI.
You are recommended not to directly edit the OWASP CRS rules themselves but instead to add extra rules to adjust them. This allows you to upgrade the CRS and still keep your rules. Here you could do this by adding the following config after you load all the OWASP CRS rules files to adjust this rule:
SecRuleUpdateTargetById 973338 REQUEST_FILENAME REQUEST_URI
However, this will reduce this rule for all requests, when you may only want to do this for this one URL, in which case a better method may be to turn this rule off only for this URL by adding the following rule before you load the OWASP CRS rules files (note the id needs to be unique, so if you already have a rule 1 then pick a unique id here):
SecRule REQUEST_FILENAME chart.php "phase:2,nolog,id:1,ctl:ruleRemoveById=973338,pass"
And yes, before you ask, it is annoying that some overrides are specified after the rules and others, that use ctl, need to be specified before.
If you have multiple rules to disable you can use syntax like this:
SecRule REQUEST_FILENAME chart.php "phase:2,nolog,id:1,ctl:ruleRemoveById=973338,ctl:ruleRemoveById=973306,pass"
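An added example (not part of the answer above, nor of ModSecurity or the CRS): a small Python lint for the ordering this answer describes. It flags ctl:ruleRemoveById rules placed after the CRS include, SecRuleUpdateTargetById / SecRuleRemoveById placed before it, and reused rule ids. The sample config, the /path/to/owasp-crs placeholder and the crs_marker parameter are assumptions, and it expects one directive per line.

```python
import re

# Constructed sample with every exclusion misplaced. The Include path is a
# placeholder, not a path taken from the page.
SAMPLE = '''\
SecRuleUpdateTargetById 973338 REQUEST_FILENAME REQUEST_URI
Include /path/to/owasp-crs/*.conf
SecRule REQUEST_FILENAME chart.php "phase:2,nolog,id:1,ctl:ruleRemoveById=973338,pass"
SecRule REQUEST_FILENAME report.php "phase:2,nolog,id:1,ctl:ruleRemoveById=973306,pass"
'''

# Directives resolved when the config is parsed: the target rule must already exist.
CONFIG_TIME = ("SecRuleUpdateTargetById", "SecRuleRemoveById")


def lint_exclusions(text, crs_marker="owasp-crs"):
    """Return (line_no, message) findings for misplaced or clashing exclusions.

    crs_marker is a hypothetical substring identifying the CRS Include line.
    """
    lines = [l.strip() for l in text.splitlines()]
    includes = [no for no, l in enumerate(lines, 1)
                if l.lower().startswith("include") and crs_marker in l]
    if not includes:
        return [(0, "no CRS Include found")]
    first_inc, last_inc = includes[0], includes[-1]
    findings, seen_ids = [], {}
    for no, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0]
        if directive in CONFIG_TIME and no < last_inc:
            findings.append((no, f"{directive} must come after the CRS rules are loaded"))
        if directive == "SecRule":
            # ctl actions run per request, so the rule must fire before the CRS rule does.
            if "ctl:ruleRemoveById" in line and no > first_inc:
                findings.append((no, "ctl:ruleRemoveById rule must come before the CRS rules are loaded"))
            m = re.search(r"\bid:'?(\d+)", line)
            if m and m.group(1) in seen_ids:
                findings.append((no, f"id {m.group(1)} already used on line {seen_ids[m.group(1)]}"))
            elif m:
                seen_ids[m.group(1)] = no
    return findings


if __name__ == "__main__":
    for line_no, message in lint_exclusions(SAMPLE):
        print(f"line {line_no}: {message}")
```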
Best Answer
Using REQUEST_HEADERS:Host chained with REQUEST_URI does the trick, but gets harder to maintain, if there are several sites that either need or don't need the exclusion. Therefore, an alternative solution would be disabling the rules on the Nginx configuration for the virtualhost, instead.
It's possible to disable some rules using modsecurity_rules inside specific server & location:
The same is possible with Apache, too, as some Apache users may later find this question based on its title. With Apache, you can use SecRuleRemoveById / modsecurity_rules directives inside VirtualHost and Location or LocationMatch:
or, although not recommended, even with .htaccess: