Bug 494451 - modsecurity broke web directory browsing
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Hardware: i686 Linux
Priority: low, Severity: high
Assigned To: Joe Orton
Reported: 2009-04-06 18:22 EDT by Philip Goisman
Modified: 2009-04-07 11:14 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-07 03:29:28 EDT
Description Philip Goisman 2009-04-06 18:22:00 EDT
Description of problem: A recent automatic Red Hat update to Apache is not
allowing directory browsing.  I'm guessing it's the modsecurity module as
/etc/httpd/modsecurity.d/optional_rules was touched Friday, April 3 on all
my el5 systems.

Version-Release number of selected component (if applicable):

How reproducible:
Anytime a user goes to a directory in their public_html directory they receive:

Access forbidden!

You don't have permission to access the requested directory. There is either no index document or the directory is read-protected.

If you think this is a server error, please contact the webmaster.

Error 403

Apache/2.2.0 (Fedora)

Steps to Reproduce:
Actual results:

Expected results:
Prior to the recent automatic update, directory browsing was allowed in 
httpd.conf Options with Indexes and worked.  Our community expects it to work.

Additional info:
Comment 1 Philip Goisman 2009-04-06 19:59:34 EDT
Whoops.  I didn't include the mod_security version.

It is mod_security-2.5.9-1.el5 and the update did occur Friday, Apr 3.
Comment 2 Joe Orton 2009-04-07 03:29:28 EDT
Thanks for contacting us.

1) mod_security is not shipped in RHEL.

2) this:

Apache/2.2.0 (Fedora)

is not a RHEL server.  If you're running CentOS please report to a CentOS support forum.
Comment 3 Philip Goisman 2009-04-07 11:14:43 EDT
No, we're not running CentOS.  We are running 
Red Hat Enterprise Linux Server release 5.3 (Tikanga).

But my apologies on thinking mod_security is RHEL.  I checked the
update log and the epel repository did the update.

Thanks.  Sorry for the trouble report.
