I am using Apache with mod_security and I got the following error today when I was trying to edit my wiki:
Quote:
|
[Mon Jan 14 22:30:03 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\ \\\b|\\\\/etc\\\\/)" at ARGS:wpTextbox1. [id "950005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "localhost"] [uri "/mediawiki/index.php?title=Linux_Random_Number_Generator&action=submit"] [unique_id "PhhjkkClkldfnG4B11x3AdAAC"]
|
This is because I was trying to post text that contained a description of how to access something in /etc on the wiki page (hence the
Remote file Access Attempt. Matched signature: </etc/>
I looked through the mod_security rules and found that this was the culprit:
Quote:
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',,id:'950005',severity:'2'"
|
I don't want to turn mod_security off, but i couldn't figure out how to go about fixing this from the documentation. I don't understand which part of this rule to modify to tell it to not apply it to anything mediawiki/*
Does anyone know how to turn this specific rule off just for the mediawiki portion of my site? That is, I want this rule to apply to every other portion of the site (where there will be no POST requests), except for on the wiki part.
