Bug 244015 - mod_security false positive: /etc-directory on a documentation wiki
mod_security false positive: /etc-directory on a documentation wiki
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: mod_security (Show other bugs)
7
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Michael Fleming
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-13 08:22 EDT by Jari Turkia
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-19 06:19:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jari Turkia 2007-06-13 08:22:59 EDT
Description of problem:
mod_security returns a false positive for using /etc-directory. However, I'm
running an instance of Mediawiki to maintain system and network documentation.
It is full of directories and file names.

Version-Release number of selected component (if applicable):
mod_security-2.1.0-3.fc7

How reproducible:
Easily, every time.


Steps to Reproduce:
1. Install a wiki.
2. Attempt to save a page with string /etc in it. This is considered as a Remote
File Access Attempt and thus blocked.
  
Actual results:
Browser displaying 501 Method Not Implemented error.

/var/log/httpd/error_log entry:
[Wed Jun 13 15:11:34 2007] [error] [client x.x.x.x] ModSecurity: Access denied
with code 501 (phase 2). Pattern match
"(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)"
at ARGS:wpTextbox1. [id "005"] [msg "Remote File Access Attempt. Matched
signature </etc/>"] [severity "CRITICAL"] [hostname "www."] [uri
"/wiki/index.php?title=&action=submit"] [unique_id "g@BbYsCoCAEAAFA@GScAAAAB"]

Expected results:
A saved page.

Additional info:
FC6 has a separate module for mod_security in Bugzilla. F7 does not. Suggest
adding such module into product.
Comment 1 Michael Fleming 2007-06-19 06:19:01 EDT
This is the correct and expected behaviour of the modsecurity Core Rules and not
something specific to the package or Fedora - you might be wise to sign up for
the mailing list (or at least check the archives) at www.modsecurity.org

The app passed "/etc" as an ARG. which tripped up rule 005 in
modsecurity_crs_40_generic_attacks.conf.

You can add the following at a <Directory> level in your Apache config to stop
this for your wiki location (without disabling it globally and still catching
any bogus traffic..)

<Directory "/path/to/mediawiki">
SecRuleEngine DetectionOnly
SecAuditEngine Off # or RelevantOnly
</Directory>

You could comment the rule in modsecurity_crs_40_generic_attacks.conf, at a loss
of some protection all around (not advisable ;-))

Note You need to log in before you can comment on or make changes to this bug.