LinuxQuestions.org


jrtayloriv 01-14-2008 10:54 PM

apache / mod_security: fixing false positives
 
I am using Apache with mod_security and I got the following error today when I was trying to edit my wiki:

Quote:

[Mon Jan 14 22:30:03 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:wpTextbox1. [id "950005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "localhost"] [uri "/mediawiki/index.php?title=Linux_Random_Number_Generator&action=submit"] [unique_id "PhhjkkClkldfnG4B11x3AdAAC"]
This is because I was trying to post text that contained a description of how to access something in /etc on the wiki page (hence the Remote File Access Attempt. Matched signature: </etc/>).

I looked through the mod_security rules and found that this was the culprit:

Quote:

# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
    "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',,id:'950005',severity:'2'"
I don't want to turn mod_security off, but I couldn't figure out how to go about fixing this from the documentation. I don't understand which part of this rule to modify to tell it not to apply to anything in mediawiki/*.

Does anyone know how to turn this specific rule off just for the mediawiki portion of my site? That is, I want this rule to apply to every other portion of the site (where there will be no POST requests), except for on the wiki part.

unSpawn 01-15-2008 07:56 AM

Something like this:
Code:

<LocationMatch "/mediawiki/index.php.*">
SecFilterRemove 950005
</LocationMatch>


jrtayloriv 01-26-2008 10:51 PM

Sorry I took so long to respond. I recently just moved into a new home, and have been dealing with all of that.

Thank you very much for your response. I was reading some other documents and they said to create a separate rules file in the mod_security rules folder called 15_custom_rules.conf. Is this correct? Should I put what you suggested into that file, or into one of the already existing files?

Thanks,
jrtayloriv

diogot 03-01-2008 04:03 PM

I am using mod_security 2.1.2 with modsecurity-core-rules_2.1-1.5.1.tar.gz.

I created a modsecurity_crs_99_custom_rules.conf file with this content:

Code:

<LocationMatch "/mediawiki/index.php.*">
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
</LocationMatch>

And the problem is solved!
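
An added example, not part of the thread and not code from ModSecurity or any poster: a Python sketch that parses denial lines in the error-log format quoted in the first post and emits the per-location `SecRuleRemoveById` stanza for only the rule ids actually seen on one path. The sample log line is constructed (pattern shortened, placeholder `unique_id`), the function names are hypothetical, and anchoring and escaping the `LocationMatch` pattern is a choice made here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the error-log line quoted in the
# thread (regex pattern shortened, unique_id is a placeholder).
SAMPLE_LOG = (
    '[Mon Jan 14 22:30:03 2008] [error] [client 127.0.0.1] ModSecurity: '
    'Access denied with code 501 (phase 2). Pattern match "\\\\/etc\\\\/" '
    'at ARGS:wpTextbox1. [id "950005"] '
    '[msg "Remote File Access Attempt. Matched signature </etc/>"] '
    '[severity "CRITICAL"] [hostname "localhost"] '
    '[uri "/mediawiki/index.php?title=Test&action=submit"] '
    '[unique_id "CONSTRUCTED0000000000000"]'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET = re.compile(r'" at (\S+)\. \[')                # variable that matched

def parse_denial(line):
    """Return rule id, matched variable and URI path, or None if not a denial."""
    fields = dict(FIELD.findall(line))
    target = TARGET.search(line)
    if ("ModSecurity:" not in line or target is None or "uri" not in fields
            or not fields.get("id", "").isdigit()):
        return None
    return {
        "id": fields["id"],
        "target": target.group(1),
        "path": urlsplit(fields["uri"]).path,   # drop the query string
        "msg": fields.get("msg", ""),
    }

def exclusion_stanza(denials, path):
    """Build a LocationMatch block removing only the rule ids seen on `path`."""
    ids = sorted({d["id"] for d in denials if d["path"] == path}, key=int)
    if not ids:
        return ""
    lines = ['<LocationMatch "^%s">' % re.escape(path)]
    lines += ["    SecRuleRemoveById %s" % rule_id for rule_id in ids]
    lines.append("</LocationMatch>")
    return "\n".join(lines)

if __name__ == "__main__":
    denial = parse_denial(SAMPLE_LOG)
    print(denial["id"], denial["target"], denial["path"])
    print(exclusion_stanza([denial], denial["path"]))
```

The `target` field shows which request variable matched (here the wiki edit box), which helps confirm a denial is a false positive before the rule is removed for that location.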


All times are GMT -5.