Bug 494451

Summary: modsecurity broke web directory browsing
Product: Red Hat Enterprise Linux 5
Reporter: Philip Goisman <goisman>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: high
Priority: low
Version: 5.3
Target Milestone: rc
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-04-07 07:29:28 UTC

Description Philip Goisman 2009-04-06 22:22:00 UTC
Description of problem:
A recent automatic Red Hat update to Apache is not
allowing directory browsing.  I'm guessing it's the modsecurity module as
/etc/httpd/modsecurity.d/optional_rules was touched Friday, April 3 on all
my el5 systems.


Version-Release number of selected component (if applicable):
httpd-2.2.3-22.el5

How reproducible:
Anytime a user goes to a directory in their public_html directory they receive:

Access forbidden!

You don't have permission to access the requested directory. There is either no index document or the directory is read-protected.

If you think this is a server error, please contact the webmaster.

Error 403

www.physics.arizona.edu
Apache/2.2.0 (Fedora)




Expected results:
Prior to the recent automatic update, directory browsing was allowed in 
httpd.conf Options with Indexes and worked.  Our community expects it to work.

Additional info:

Comment 1 Philip Goisman 2009-04-06 23:59:34 UTC
Whoops.  I didn't include the mod_security version.

It is mod_security-2.5.9-1.el5 and the update did occur Friday, Apr 3.

Comment 2 Joe Orton 2009-04-07 07:29:28 UTC
Thanks for contacting us.

1) mod_security is not shipped in RHEL.

2) this:

www.physics.arizona.edu
Apache/2.2.0 (Fedora)

is not a RHEL server.  If you're running CentOS please report to a CentOS support forum.

Comment 3 Philip Goisman 2009-04-07 15:14:43 UTC
No, we're not running CentOS.  We are running 
Red Hat Enterprise Linux Server release 5.3 (Tikanga).

But my apologies on thinking mod_security is RHEL.  I checked the
update log and the epel repository did the update.

Thanks.  Sorry for the trouble report.