Bug 244015

Summary: mod_security false positive: /etc-directory on a documentation wiki
Product: [Fedora] Fedora Reporter: Jari Turkia <redhat-bugzilla>
Component: mod_securityAssignee: Michael Fleming <mfleming+rpm>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 7CC: redhat-bugzilla
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-06-19 10:19:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jari Turkia 2007-06-13 12:22:59 UTC 
Description of problem:
mod_security returns a false positive for using /etc-directory. However, I'm
running an instance of Mediawiki to maintain system and network documentation.
It is full of directories and file names.

Version-Release number of selected component (if applicable):
mod_security-2.1.0-3.fc7

How reproducible:
Easily, every time.


Steps to Reproduce:
1. Install a wiki.
2. Attempt to save a page with string /etc in it. This is considered as a Remote
File Access Attempt and thus blocked.
  
Actual results:
Browser displaying 501 Method Not Implemented error.

/var/log/httpd/error_log entry:
[Wed Jun 13 15:11:34 2007] [error] [client x.x.x.x] ModSecurity: Access denied
with code 501 (phase 2). Pattern match
"(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)"
at ARGS:wpTextbox1. [id "005"] [msg "Remote File Access Attempt. Matched
signature </etc/>"] [severity "CRITICAL"] [hostname "www."] [uri
"/wiki/index.php?title=&action=submit"] [unique_id "g@BbYsCoCAEAAFA@GScAAAAB"]

Expected results:
A saved page.

Additional info:
FC6 has a separate module for mod_security in Bugzilla. F7 does not. Suggest
adding such module into product.
Comment 1 Michael Fleming 2007-06-19 10:19:01 UTC 
This is the correct and expected behaviour of the modsecurity Core Rules and not
something specific to the package or Fedora - you might be wise to sign up for
the mailing list (or at least check the archives) at www.modsecurity.org

The app passed "/etc" as an ARG. which tripped up rule 005 in
modsecurity_crs_40_generic_attacks.conf.

You can add the following at a <Directory> level in your Apache config to stop
this for your wiki location (without disabling it globally and still catching
any bogus traffic..)

<Directory "/path/to/mediawiki">
SecRuleEngine DetectionOnly
SecAuditEngine Off # or RelevantOnly
</Directory>

You could comment the rule in modsecurity_crs_40_generic_attacks.conf, at a loss
of some protection all around (not advisable ;-))