Bug 244015 - mod_security false positive: /etc-directory on a documentation wiki
Summary: mod_security false positive: /etc-directory on a documentation wiki
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_security
Version: 7
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Michael Fleming
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-06-13 12:22 UTC by Jari Turkia
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-19 10:19:01 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jari Turkia 2007-06-13 12:22:59 UTC
Description of problem:
mod_security returns a false positive for using /etc-directory. However, I'm
running an instance of Mediawiki to maintain system and network documentation.
It is full of directories and file names.

Version-Release number of selected component (if applicable):
mod_security-2.1.0-3.fc7

How reproducible:
Easily, every time.


Steps to Reproduce:
1. Install a wiki.
2. Attempt to save a page with string /etc in it. This is considered as a Remote
File Access Attempt and thus blocked.
  
Actual results:
Browser displaying 501 Method Not Implemented error.

/var/log/httpd/error_log entry:
[Wed Jun 13 15:11:34 2007] [error] [client x.x.x.x] ModSecurity: Access denied
with code 501 (phase 2). Pattern match
"(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)"
at ARGS:wpTextbox1. [id "005"] [msg "Remote File Access Attempt. Matched
signature </etc/>"] [severity "CRITICAL"] [hostname "www."] [uri
"/wiki/index.php?title=&action=submit"] [unique_id "g@BbYsCoCAEAAFA@GScAAAAB"]

Expected results:
A saved page.

Additional info:
FC6 has a separate module for mod_security in Bugzilla. F7 does not. Suggest
adding such module into product.

Comment 1 Michael Fleming 2007-06-19 10:19:01 UTC
This is the correct and expected behaviour of the modsecurity Core Rules and not
something specific to the package or Fedora - you might be wise to sign up for
the mailing list (or at least check the archives) at www.modsecurity.org

The app passed "/etc" as an ARG. which tripped up rule 005 in
modsecurity_crs_40_generic_attacks.conf.

You can add the following at a <Directory> level in your Apache config to stop
this for your wiki location (without disabling it globally and still catching
any bogus traffic..)

<Directory "/path/to/mediawiki">
SecRuleEngine DetectionOnly
SecAuditEngine Off # or RelevantOnly
</Directory>

You could comment the rule in modsecurity_crs_40_generic_attacks.conf, at a loss
of some protection all around (not advisable ;-))


Note You need to log in before you can comment on or make changes to this bug.