From: Todd A. Jacobs on
I'm having a problem with modsecurity and moin-moin. The following rule
is preventing wiki pages with the word '/etc' from posting. I'd like to
find a way to disable this rule for just the wiki (e.g. not for the
whole site) but am not sure how to do that in a granular way.

It seems like a generally sensible rule, but makes it impossible to post
pages that reference the names of configuration files. That's obviously
not what I want.

The rule is:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959005
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'950005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'959005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

and is part of the standard modsecurity_crs_40_generic_attacks.conf
file. How can I override this rule for just the wiki page contents?

--
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"


--
Archive: http://lists.debian.org/20100307202236.GG25688(a)penguin.codegnome.org
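
One way to scope the exception asked about above, as an added example that is not part of the original post. It assumes the wiki is mounted at /wiki and, for the commented alternative, ModSecurity 2.6 or later and a page-text form field named "savetext"; all three are assumptions to check against the actual site.

```apache
# Added example, not from the original post.
# Place this AFTER the Include that loads
# modsecurity_crs_40_generic_attacks.conf: SecRuleRemoveById only acts on
# rules that have already been defined.

# Assumption: MoinMoin is served under /wiki on this virtual host.
<LocationMatch "^/wiki(/|$)">
    # Rule 950005 is the one that inspects REQUEST_FILENAME|ARGS|ARGS_NAMES,
    # so it is the rule that denies a page whose text contains "/etc/".
    # Removing it here leaves it enforced for every other URL on the site.
    SecRuleRemoveById 950005

    # Rule 959005 (REQUEST_HEADERS|XML:/*) is deliberately left active:
    # posted page text is not part of those targets.
</LocationMatch>

# Narrower alternative (assumes ModSecurity 2.6+ and that the page text is
# posted in a field named "savetext"): keep 950005 everywhere but stop it
# from inspecting that one argument. The "at ARGS:<name>" part of the
# rule's log message shows which field actually matched.
#
# SecRuleUpdateTargetById 950005 "!ARGS:savetext"
```

After reloading Apache, posting a page containing "/etc/" under /wiki should succeed, while the same string in a request argument elsewhere on the site should still return the rule's 501 status.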