Red Hat Bugzilla – Bug 244015
mod_security false positive: /etc-directory on a documentation wiki
Last modified: 2007-11-30 17:12:07 EST
Description of problem:
mod_security returns a false positive for using /etc-directory. However, I'm
running an instance of Mediawiki to maintain system and network documentation.
It is full of directories and file names.
Version-Release number of selected component (if applicable):
Easily, every time.
Steps to Reproduce:
1. Install a wiki.
2. Attempt to save a page with string /etc in it. This is considered as a Remote
File Access Attempt and thus blocked.
Browser displaying 501 Method Not Implemented error.
[Wed Jun 13 15:11:34 2007] [error] [client x.x.x.x] ModSecurity: Access denied
with code 501 (phase 2). Pattern match
at ARGS:wpTextbox1. [id "005"] [msg "Remote File Access Attempt. Matched
signature </etc/>"] [severity "CRITICAL"] [hostname "www."] [uri
"/wiki/index.php?title=&action=submit"] [unique_id "g@BbYsCoCAEAAFA@GScAAAAB"]
A saved page.
FC6 has a separate module for mod_security in Bugzilla. F7 does not. Suggest
adding such module into product.
This is the correct and expected behaviour of the modsecurity Core Rules and not
something specific to the package or Fedora - you might be wise to sign up for
the mailing list (or at least check the archives) at www.modsecurity.org
The app passed "/etc" as an ARG, which tripped up rule 005 in
You can add the following at a <Directory> level in your Apache config to stop
this for your wiki location (without disabling it globally and still catching
any bogus traffic..)
# Audit logging for this location: Off, or RelevantOnly
SecAuditEngine Off
You could comment the rule in modsecurity_crs_40_generic_attacks.conf, at a loss
of some protection all around (not advisable ;-))
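Before excluding anything, it helps to see which rule fired on which argument and URL path, so that an exception can be limited to the wiki and not applied site-wide. The Python below is an added example, not code from this bug report or from ModSecurity: it parses error-log entries in the format quoted above and counts blocks per rule id, matched variable and path. The names `parse_line` and `tally`, and every sample line except the first, are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Log layout taken from the entry in the report; the matched pattern is
# missing on the page and stays missing here.
LINE = ('[{ts}] [error] [client {client}] ModSecurity: Access denied with code 501 '
        '(phase 2). Pattern match at {var}. [id "005"] [msg "Remote File Access '
        'Attempt. Matched signature </etc/>"] [severity "CRITICAL"] '
        '[hostname "www."] [uri "{uri}"] [unique_id "{uid}"]')
SAMPLE_LOG = [
    # Entry from the report, joined back onto one line.
    LINE.format(ts="Wed Jun 13 15:11:34 2007", client="x.x.x.x", var="ARGS:wpTextbox1",
                uri="/wiki/index.php?title=&action=submit", uid="g@BbYsCoCAEAAFA@GScAAAAB"),
    # Constructed: a second wiki save, and a hit on an unrelated script.
    LINE.format(ts="Wed Jun 13 15:20:02 2007", client="192.0.2.10", var="ARGS:wpTextbox1",
                uri="/wiki/index.php?title=&action=submit", uid="constructed-0001"),
    LINE.format(ts="Wed Jun 13 15:25:40 2007", client="192.0.2.77", var="ARGS:doc",
                uri="/app/view.php?doc=1", uid="constructed-0002"),
    # Constructed: a non-ModSecurity error line that must be skipped.
    "[Wed Jun 13 15:26:00 2007] [error] [client 192.0.2.77] File does not exist: /var/www/html/favicon.ico",
]

HEAD_RE = re.compile(r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>.+?) \(phase (?P<phase>\d)\)')
VAR_RE = re.compile(r'\bat ([A-Z_]+(?::[^\s.\[]+)?)')    # e.g. "at ARGS:wpTextbox1"
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # e.g. [id "005"]

def parse_line(line):
    """Return the fields of one ModSecurity error-log entry, or None."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    event = head.groupdict()
    event.update(FIELD_RE.findall(line))       # id, msg, severity, hostname, uri, unique_id
    var = VAR_RE.search(line[head.end():])     # variable named after the phase marker
    event["variable"] = var.group(1) if var else None
    event["path"] = urlsplit(event.get("uri", "")).path
    return event

def tally(lines):
    """Count blocks per (rule id, matched variable, URI path)."""
    counts = Counter()
    for event in filter(None, map(parse_line, lines)):
        counts[(event.get("id"), event["variable"], event["path"])] += 1
    return counts

if __name__ == "__main__":
    for (rule, var, path), n in tally(SAMPLE_LOG).most_common():
        print(f"rule {rule} at {var} on {path}: {n} block(s)")
```

Hits that cluster on the wiki's edit form are the candidates for a scoped exception; the same rule firing elsewhere is left to block.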