Description of problem:
mod_security returns a false positive for using /etc-directory. However, I'm running an instance of Mediawiki to maintain system and network documentation. It is full of directories and file names.

Version-Release number of selected component (if applicable):
mod_security-2.1.0-3.fc7

How reproducible:
Easily, every time.

Steps to Reproduce:
1. Install a wiki.
2. Attempt to save a page with string /etc in it. This is considered as a Remote File Access Attempt and thus blocked.

Actual results:
Browser displaying 501 Method Not Implemented error.

/var/log/httpd/error_log entry:
[Wed Jun 13 15:11:34 2007] [error] [client x.x.x.x] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:wpTextbox1. [id "005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "www."] [uri "/wiki/index.php?title=&action=submit"] [unique_id "g@BbYsCoCAEAAFA@GScAAAAB"]

Expected results:
A saved page.

Additional info:
FC6 has a separate module for mod_security in Bugzilla. F7 does not. Suggest adding such module into product.

This is the correct and expected behaviour of the modsecurity Core Rules and not something specific to the package or Fedora - you might be wise to sign up for the mailing list (or at least check the archives) at www.modsecurity.org.

The app passed "/etc" as an ARG, which tripped up rule 005 in modsecurity_crs_40_generic_attacks.conf.

You can add the following at a <Directory> level in your Apache config to stop this for your wiki location (without disabling it globally and still catching any bogus traffic):

<Directory "/path/to/mediawiki">
    SecRuleEngine DetectionOnly
    # or RelevantOnly
    SecAuditEngine Off
</Directory>

You could comment the rule in modsecurity_crs_40_generic_attacks.conf, at a loss of some protection all around (not advisable ;-))
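
For checking wiki content against the logged rule before loosening it, here is an added example (not part of the original report or reply, and not ModSecurity code) that parses the error_log entry above and reports which substrings of a page would trip the pattern. The function names and the wiki text are constructed for illustration. It assumes every run of backslashes in the logged pattern stands for a single regex backslash, and it models no ModSecurity transformations such as lowercasing.

```python
import re

# Log entry exactly as quoted in the report (client and hostname are redacted there).
LOG_LINE = r'''[Wed Jun 13 15:11:34 2007] [error] [client x.x.x.x] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:wpTextbox1. [id "005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "www."] [uri "/wiki/index.php?title=&action=submit"] [unique_id "g@BbYsCoCAEAAFA@GScAAAAB"]'''

# Constructed sample of the kind of documentation page the reporter describes.
WIKI_TEXT = """== Resolver ==
Edit /etc/resolv.conf and restart networking.
Apache reads conf/httpd.conf at startup.
Hosts file lives under /etc on every node.
Per-directory overrides go in .htaccess files.
"""

HEAD = re.compile(r'ModSecurity: (?P<action>.+?) \(phase (?P<phase>\d)\)\. '
                  r'Pattern match "(?P<pattern>.+)" at (?P<target>[\w:.-]+)\. ')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')  # [id "005"], [msg "..."], ...


def parse_entry(line):
    """Split a ModSecurity pattern-match log entry into its fields."""
    m = HEAD.search(line)
    if m is None:
        raise ValueError("not a ModSecurity pattern-match entry")
    entry = m.groupdict()
    entry.update(TAG.findall(line))
    # Assumption: the log (and this page's copy) escapes each regex
    # backslash, so collapse every run of backslashes to one.
    entry["regex"] = re.sub(r'\\+', r'\\', entry["pattern"])
    return entry


def triggers(entry, text):
    """Return (line number, matched substring) for each hit in text."""
    rx = re.compile(entry["regex"])
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in rx.finditer(line)]


if __name__ == "__main__":
    e = parse_entry(LOG_LINE)
    print(e["id"], e["severity"], e["target"], e["regex"])
    for lineno, hit in triggers(e, WIKI_TEXT):
        print(f"line {lineno}: {hit!r}")
```

On the constructed text only `/etc/` with its trailing slash and `httpd.conf` match. A bare `/etc` followed by a space, and `.htaccess` preceded by a space, do not, because the pattern requires the closing slash and a word boundary before the dot.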